Embed Size (px)
Citation preview
Slide 1Chairperson: Rita Willis
Welcome to our E-Seminar:
Validation Strategies for Equipment from Multiple Vendors
Slide 2Chairperson: Rita Willis
Agenda for Today’s Session
1. Update on Part 11 scope according to the FDA guidance released in August 2003 and recent FDA warning letters.
2. Overview and discussion of technical controls mandated by 21 CFR Part 11, using examples from a real world system (Cerity for Pharmaceutical QA/QC).
Slide 3Chairperson: Rita Willis
New Part 11 Approach
1
Assess Risk - Evaluate Level of Controls Appropriate to Risk
Narrow Scope - Identify Electronic Records that Require Part 11 Compliance
Determine Predicate Rule Requirements
Implement Appropriate Part 11 Controls
Part 11 Records Not Part 11 Records
2
3
4
5
Ref: Famulare - Murray - McIntire
Slide 4Chairperson: Rita Willis
“Enforcement Discretion”!?
“While the re-examination of Part 11 is under way, we intend to exercise enforcement discretion with respect to certain Part 11 requirements. That is, we do not intend to take enforcement action to enforce compliance with the validation, audit trail, record retention, and record copying requirements of Part 11 as explained in this guidance. However, records must still be maintained or submitted in accordance with the underlying predicate rules, and the Agency can take regulatory action for noncompliance with such predicate rules. ”
Slide 5Chairperson: Rita Willis
Overview: Part 11 Technical ControlsSection Requirement Responsibility*
§11.10a Systems must be validated Proc.
§11.10b Accurate and complete copies Tech.
§11.10c Protection of records Proc., Tech.
§11.10d Access limited to authorized individuals
Proc., Tech.
§11.10e Secure, computer-generated, time-stamped audit trail
Tech.
§11.10f/g/h Checks (device, authority, system checks)
Tech.
§11.50 Signature Manifestations Tech.
§11.70 Signature/Record Linking Tech.
§11.100 Uniqueness of e-sig to the individual
Proc., Tech.
§11.200 E-Sig Components and Controls Proc., Tech.
§11.300 Controls for identification codes and passwords
Proc., Tech.
* Proc. = Pharmaceutical company is usually responsible to develop procedural controls Tech. = Supplier is usually responsible to implement technical controls
= Enforcement discretion (Part11 Guidance Aug.03)
Slide 6Chairperson: Rita Willis
Mandatory Technical Controls
• Limited System Access• Operational Systems Checks• Authority Checks, Device Checks• Training• Policies (e.g. E-signature accountability)• System Documentation
Slide 7Chairperson: Rita Willis
Warning Letters Speak Louder than Ever
• "Warning letters will speak louder than ever now because when industry receives a warning letter they will know that it is not just the view of a particular investigator of a particular district or even of a particular region. It means that the center has determined that these are significant enough violations that, if they are not corrected, an enforcement action will follow and that means the chief council has been involved and also agrees with that“. (Horowitz, May 2003)
Slide 8Chairperson: Rita Willis
Recent FDA 483 cGMP Warning Letter (1)
• “… Laboratory records do not include complete data derived from all tests including a record of all calculations performed in connection with the test [21 CFR 211.194(a)(5)]. For example, in process tablet weights and calculations generated during friability testing are recorded on scrap paper and transferred to the batch record. The original raw data is then discarded and could not be verified.”
Source: File No.: 04-NWJ-02, www.fda.gov
Slide 9Chairperson: Rita Willis
Recent FDA 483 cGMP Warning Letter (2)
• …”Out-of-specification (OOS) results were invalidated, without a thorough investigation, supporting data, documentation, or justification. For example: Confirmed OOS results, …, were invalidated by Quality Assurance, that concluded that the chromatographs were incorrectly integrated. The Chromatographs were reprocessed with adjusted baseline parameters, yielding acceptable results, and the lots were released for distribution. However, the laboratory investigation concluded that the results could not beinvalidated and that no problems were observed during the chromatographic run.”
Source: Warning Letter No. 2004-NOL-03, www.fda.gov
Slide 10Chairperson: Rita Willis
Recent FDA 483 cGMP Warning Letter (3)
• “Failure to maintain records of the inspections of automatic, mechanical or electronic equipment, including computers or related systems. [211.68(a)].
For example, the firm failed to maintain any background data to verify that testing of laboratory HPLC’s (…) had been performed or produced acceptable results. Also, written and approved protocols for testing of these HPLC's were not maintained.”
Source: File No. 04-NWJ-01, www.fda.gov
Slide 11Chairperson: Rita Willis
Break Number 1
For questions, at break please dial 1 on your phone, or type onto the chat screen at any time during the presentation.
Slide 12Chairperson: Rita Willis
Agilent Cerity for Pharmaceutical QA/QC
• Models the way analysts work in pharmaceutical QA/QC
• Implements 21 CFR Part 11 technical controls (e-records and e-signatures)
• Fully scaleable, failure resilient client/server system
• Eliminates external calculations
• “Level 4”-instrument control for Agilent 6890/6850, 1100 (3D), 35900E
• Full instrument control for Waters Alliance
• Suite of computer-based compliance protocols and services, including network qualification
The failure resilient networked data system that fully supports the everyday tasks of pharmaceutical QA/QC laboratories.
Slide 13Chairperson: Rita Willis
Cerity Client/Server System
• Networked chromatography instruments (GC, LC2D and LC3D)
• Fully scaleable from one to hundreds of users and instruments
• Central data repository (Oracle 9i RDBMS)
• Networked client PCs (access to any instruments from anywhere)
Slide 14Chairperson: Rita Willis
Protection of Records
11.10 (c): “Procedures and controls shall include: Records must be protected to enable accurate and ready retrieval throughout the record retention period”
Implementation Examples from Agilent Cerity:• Strict revision control of records in the database • Ensure record uniqueness (globally unique identifiers, GUIDs)• Security services protect against intentional/accidental modification• Migration from legacy systems (instruments and data)
Sign Keep Secure Maintain Integrity Retrieve Safely
Slide 15Chairperson: Rita Willis
Protection of Records/Version Control (§11.10c)
Calibration TableRevision
Sample Result Revisions quantified
with thisrevision of the
Calibration Table
Previous results shall not be overwritten
Slide 16Chairperson: Rita Willis
Limited System Access (§11.10d)
11.10 (d): “Procedures and controls shall include: Limiting system access to authorized individuals.”
Implementation Examples from Agilent Cerity: All Cerity utilities require mandatory loginAuthentication leverages operating system authenticationNo duplicate user account system needs to be maintained for Cerity
Slide 17Chairperson: Rita Willis
Leveraging Operating System Security
IT Policies
IT implements
User Accounts
Operating System (OS)
Security, Password Policies
OS Authentication
Slide 18Chairperson: Rita Willis
Leveraging Operating System Security
User Accounts
Security, Password Policies
OS Authentication
Check User’s Capabilities in Cerity
IT PoliciesCerity Login
IT implements Authenticate User
Cerity DB
Operating System (OS) Application (leveraging OS)
Slide 19Chairperson: Rita Willis
Notification of Unauthorized Access (§11.10d)
•Win2k Audit Policy and resulting audit trail
Slide 20Chairperson: Rita Willis
Controls for Identification Codes and Passwords (§11.300)
Cerity reuses operating system (OS) security system
Cerity reuses password policies (security policies) defined for the operating system
Slide 21Chairperson: Rita Willis
Leverage from Operating System (OS) Security
Manage users in system administration console using a standard IT tool (“MMC”)
Authenticated OS users are granted access rights to the Cerity applications
Directly reuse password and security policies defined by IT group
Slide 22Chairperson: Rita Willis
Computer-Generated Audit Trail (§11.10e)
• Part 11: “(…) Computer generated, time-stamped, audit trails to independently record the date and time of of operator entries and actions (…)”
• New Guidance: “We recommend that you base your decision on whether to apply audit trails, or other appropriate measures, on the need to comply with predicate rule requirements, a justified and documented risk assessment (…).”
Example Screen: Logbook fields available in the report layout editor.
Slide 23Chairperson: Rita Willis
Device Check (§11.10h): Early Maintenance Feedback “EMF”
LEVEL 4 Instrument Control
• Tracks critical wear&tear parameters of the instrument
• Software documents EMF alerts in the instrument Logbook before something breaks
Slide 24Chairperson: Rita Willis
System Check (§11.10g) Example: Formal Results Review/Approval
11.10 (g): “Operational system checks to enforce permitted sequencing of steps and events as appropriate .”
Slide 25Chairperson: Rita Willis
Automated System Checks: Limit Checking
Automated result evaluation against user-defined limits
Limits per compound
Automated notification of limit check result
User defined limit check action
Limits per sample group
Slide 26Chairperson: Rita Willis
Automated System Checks:Spectral Compound Confirmation
• Easy graphical representation of the results
• Color coding allows for quick visual result inspection
• Spectra results review of overlaid and residual spectra
• Parameter change requires reprocessing – no interactive modification
Slide 27Chairperson: Rita Willis
Automated System Checks:Spectral Compound Purity NEW
spectral compound
purity analyses using
DAD and FLD data
• Residual window
replaces similarity curve
• New warning level
• New setting of noise
threshold and minimum
response range
simplifies result
interpretation
• Interactive mode
• Automated modePurity result displayin the spectra window
New: Spectra residuals window shows the spectra difference
Automatic audit trail of all purity modifications in table and audit-trail
Slide 28Chairperson: Rita Willis
Summary Part 11 Controls – Real World Examples
Required Technical Control Examples for Resulting User Requirements • Limiting system access to authorized
individuals • Mandatory login screens • Security policies • Password policies (password strength, password
aging, account lockout etc.) • Inactivity timeout
• Use of authority checks to verify authorization of the user to perform a certain function
• Configurable user access rights based on training and job responsibility
• Use of device checks to check the validity the source of input
• Syntax and value checks for entry dialogs • Bi-directional instrument communication and control
(“Level 4 control”) • Instrument logbooks • Network monitoring • Early Maintenance Feedback (EMF)
• Use of operational system checks that enforce the sequence of permitted steps
• Automated custom calculations, spectra compound confirmation, spectra peak purity and limit checking
• Enforce result review process (analyst review, peer review, QA approval)
• Requirements related to electronic signatures
• Electronic sign-off for critical system tasks • Electronic review/rejection/approval of results
Slide 29Chairperson: Rita Willis
Summary
• Implementation of the technical controls for 21 Part 11 has manyaspects (technical, procedural, educational)
• New Guidance is more diligent regarding some Part 11 requirements such as audit trails and remediation of legacy systems
• Provisions for access security, record integrity, device and system checks continue to be strong Part 11 requirements
• Your implementation decisions must be based on predicate rule requirements and documented risk assessment
• This presentation discussed how appropriate technical controls can be implemented using existing technology
Slide 30Chairperson: Rita Willis
References and Recommended Reading
• L. Huber: Risk Management Plan, Labcompliance Best Practices Series, www.labcompliance.com/books/risk, 2003
• L. Huber: Standard Operating Procedure Risk Assessment for 21 CFR Part 11, Labcompliance Best Practices Series, www.labcompliance.com/books/risk, 2003
• W. Winter: 21 CFR 11 revisited: Risk-based approach for networked system compliance and the role of network qualification, Bioprocess International 1 (7) July 2003
• W. Winter, L. Huber: Instrument Control in Pharmaceutical Laboratories— Compliance with 21 CFR Part 11 and the New Draft Guidance, Pharmaceutical Technology Europe, Special Issue “21 CFR PART 11: COMPLIANCE AND BEYOND” MARCH 2003`,
Slide 31Chairperson: Rita Willis
References and Recommended Reading (2)
• ISPE GAMP Forum, Risk Assessment for Use of Automated Systems Supporting Manufacturing Processes Part 1 – Functional Risk (Pharmaceutical Engineering, May/June 2003, Volume 23 (3), page 16-26
• www.ispe.org and www.pda.org: Good Practice and Compliance for Electronic Records and Signatures:
• Part 1: Good Electronic Records Management (GERM),July 2002
• Part 2: Complying with 21 CFR Part 11, Electronic Records and Signatures September 2001.
• GAMP 4 Guide for Validation of Automated Systems, December 2001 www.ispe.org
Slide 32Chairperson: Rita Willis
References and Recommended Reading (3)
• Wolfgang Winter, Electronic records are here to stay, Biopharm Europe, Special Issue September 2002, 29-31
• L. Huber, Implementing 21CFR Part 11 - Electronic Signatures and Records in Analytical Laboratories Part 1, - Overview and Requirements, Biopharm 12 (11), 28-34, 1999
• W. Winter, L. Huber, Implementing 21CFR Part 11 - Electronic Signatures and Records in Analytical Laboratories, Part 2 –Security Aspects for Systems and Applications, BioPharm 13 (1), 44-50, 2000; reprinted in Pharmaceutical Technology 24 (6), 74-87, June 2000
• W. Winter and L Huber: Implementing 21CFR Part 11 - Electronic Signatures and Records in Analytical Laboratories, Part 3 –Data Security and Data Integrity BioPharm 13 (3), 2000, pages 45-49
Slide 33Chairperson: Rita Willis
References and Recommended Reading (4)
• L. Huber and W. Winter: Implementing 21CFR Part 11 - Electronic Signatures and Records in Analytical Laboratories, Part 5 –The Importance of Instrument Control and Data Acquisition BioPharm 13 (9), 2000, Agilent publication number 5988-0946EN
• W. Winter and L. Huber: Implementing 21CFR Part 11 - Electronic Signatures and Records in Analytical Laboratories, Part 6, Biopharm and LCGC North America November 2000 Supplement
