Welcome to our E-Seminar:
Risk-based Approach to Part 11 and
GxP Compliance
Chairperson: John Vis
Common Discussion
Q: Do I really need to do this?
Possible Answers
A: Of course! (QA)
B: Who cares, I have work to do! (Engineering)
C: No way! (IT)
D: It depends! (FDA)
Source: Neil McClenney, SEC Associates, Inc., Presentation at IVT Philadelphia Conference, October 2003
Pharmaceutical cGMPs for the
21st Century
Announced August 21, 2002
Two year program
Merges science-based risk management with an
integrated quality system approach
Will not interfere with current enforcement
Will be implemented in multiple steps
Changes to part 11 were pre-announced in late
2002
Part 11 is NOT Going Away!!
Risk-based compliance approach: FDA will scrutinize
areas with high impact on product quality according to
existing GxP
FDA will continue enforcing predicate rules (GxP)
Validation, change control and training are required for
GxP-relevant systems
Access security, device checks, operational checks for
trustworthy and reliable records are still mandatory
technical controls
Audit trail, copies of electronic records, record retention,
legacy systems are not a key focus area for FDA
enforcement
Electronic signature requirements are unchanged
Predicate Rule Requirements
Category | Predicate Rule Reference | Description
GMP | 21 CFR 211.180 | Production, control, laboratory records to assure that drug products adhere to established specifications. Records for components, drug product containers, labeling etc.
GMP | 21 CFR 211.182 | Equipment cleaning and use log
GMP | 21 CFR 211.186 | Master production and control records
GMP | 21 CFR 211.188 | Batch production and control records
GMP | 21 CFR 211.192 | Production record review
GMP | 21 CFR 211.194 | Laboratory records
GLP | 21 CFR 58.120 | Protocol for a non-clinical laboratory study
GLP | 21 CFR 58.185 | Reporting of non-clinical laboratory results
GLP | 21 CFR 58.195 | Raw data, documentation, protocols, final reports, QA inspection records and samples, job descriptions, training records, instrument maintenance, calibration and inspection records
GCP | 21 CFR 312.57, 21 CFR 312.62 | Supporting records for INDA and records described by ICH GCP Guidelines
GCP, GMP | ICH GCP 5.5.3 c), European GMP Guide Annex 11 10 | Ensure that the systems are designed to permit data changes in such a way that the data changes are documented and that there is no deletion of entered data
GCP | ICH GCP 5.5.3 e) | List of individuals authorized to make data changes
Part 11 Requirements
Section | Requirement | Responsibility*
11.10a | Systems must be validated | Proc.
11.10b | Accurate and complete copies | Tech.
11.10c | Protection of records | Proc., Tech.
11.10d | Access limited to authorized individuals | Proc., Tech.
11.10e | Secure, computer-generated, time-stamped audit trail | Tech.
11.10f/g/h | Checks (device, authority, system checks) | Tech.
11.50 | Signature Manifestations | Tech.
11.70 | Signature/Record Linking | Tech.
11.100 | Uniqueness of e-sig to the individual | Proc., Tech.
11.200 | E-Sig Components and Controls | Proc., Tech.
11.300 | Controls for identification codes and passwords | Proc., Tech.
* Proc. = Pharmaceutical company is usually responsible to develop procedural controls
Tech. = Supplier is usually responsible to implement technical controls
= Enforcement Discretion (August 2003 Guidance)
New Part 11 Guidance Summary
New guidance is most relevant for low
risk systems (e.g. word processor, typewriter excuse)
Minor changes for high risk systems,
e.g. Chromatography Data Systems
Requirement for long term reprocessing
(>5 years) may go away
Users are required to perform risk
assessments for just about everything
When Part 11 Applies
GxP requirement? no: out of scope; yes: next question
Used for regulated activity? no: out of scope; yes: next question
Maintain e-records for business? no: out of scope; yes: PART 11
The Regulator's Product-Centric View
Drug Product Quality: The regulatory concern is product quality and safety
Data and Records: The regulations specify the data and records required to assure product quality
Instruments and Systems: The validation and qualification of systems assures data and record quality
Systems Infrastructure: The validation and qualification of infrastructure assures system reliability
Validation
We recommend that you base your
approach on a justified and documented
risk assessment and a determination of
the potential of the system to affect
product quality and safety and record
integrity
For instance, a word processor used
only to generate SOPs would most likely
not need to be validated.
Validate all automated computer systems that
affect GxP type records (old and new systems).
Audit Trail
Audit trail is required by some predicate
rules.
We recommend that your decision on whether to apply audit
trails, or other appropriate measures, be based on the
need to comply with predicate rule requirements, a
justified and documented risk assessment, and a
determination of the potential impact on product quality
and safety and record integrity.
Audit trails are particularly important where the users are
expected to create, modify, or delete regulated records
during normal operation.
Inspectional Observation
The program runs across a LAN. The firm presented a
diagram in support of the validation status for
this LAN. The diagram provides graphical representation
of the current I/O wiring (node lists) for each of the various
devices of this LAN. Regarding this diagram:
The diagram lacks review by the quality unit
The diagram has not been maintained following
established document control procedures
The diagram has been produced using I/O data
contained within the non-validated excel node list
database, which is not a controlled record
Ref: O.Lopez, Philadelphia 2002
FDA Warning Letters
The firm utilizes a Wide Area Network (WAN) to connect
all Local Area Networks (LAN's). The WAN is not
validated as described below.
The Quality unit has failed to ensure that procedures are in
place, which define all system definition documentation, which
must be maintained for the WAN.
The Quality unit has failed to ensure that complete WAN
system definition documentation is included in WAN
documentation. For example, the Quality unit has failed to
ensure that the WAN validation documentation includes WAN
site diagrams.
When requested, the firm could produce no approved WAN site
diagrams. The Quality unit has failed to put in place
procedures, which define that WAN site diagrams are
maintained.
Warning Letters/
Networked System -
(Networked) system testing was not conducted
to ensure that each system as configured could
handle high sample rates.
Validation of the (networked) system did not
include critical system tests such as volume,
stress, performance, boundary, and compatibility
Ref: www.fdawarningletter.com
Examples From Network
Related 483 Observations
Wide Area Network diagrams (WAN) with appropriate
definition documentation identifying corporate sites on the
network that use XXX have not been included in any XXX
validation documents
Validation of the system did not include critical system
tests such as volume, stress, performance, boundary, and
compatibility
Validation documentation failed to include complete and
updated design documentation, and complete
wiring/network diagrams to identify all computers and
devices connected to the ... system
Key Focus Areas for FDA
Enforcement
Before August 2003
Part 11 applies to all systems that manage e-records in a regulated firm
After August 2003
Predicate rule requirements, documented risk assessment and business use determine whether part 11 applies
Low risk systems may fall out of scope for part 11
Figure labels: High priority; High risk; Medium risk; Low risk; No risk; Low priority
Break Number 1
Risk: The Magic Word
A risk is a potential problem,
but a problem is a risk that
really happened.
Risk Management
Risk assessment (Risk Analysis, Risk Evaluation): Identify the system; identify hazards and possible harms; estimate, justify and document risk level (probability/severity)
Risk Mitigation/Control: Estimate costs of mitigation vs. non-mitigation; define and take actions for mitigation
On-going Evaluation: Monitor for new harms; monitor risk levels; update plan and take actions
Key criteria: product quality (public health), business continuity
www.labcompliance.com/books/risk
Documenting Risk
Assessment
Use tables with description of risks, severity, probability
and the rationale behind
Calculate overall risk factor (severity, probability)
Classify factors in high, medium and low
Table columns: Risk description | Severity | Justification | Probability | Justification | Risk factor
Risk Prioritization Example:
QC Lab Data System
Diagram labels: Production control; Records; Sample receipt and log in; Release; Packaging; Labeling; Sample analysis; Review and approval
Impact on product quality: DIRECT
Regulated activity based on: E-Records
Infrastructure Risks and
Mitigation
Risks:
Data Loss (network failure)
Data Corruption (operational errors, transmission errors due to out-of-spec components)
Data Insecurity (inadequate controls)
Mitigation:
Redundant setup
Continuous health monitoring
Compliance with technical standards
Physical and logical segregation of subnets
Security procedures (security policies, password policies)
Technical security (firewalls, virus protection, access control lists)
Example: GAMP Risk Level
Categories
Figure labels: Severity; Likelihood; GAMP Risk Level (GAMP Risk Level 1 System, GAMP Risk Level 2 System, GAMP Risk Level 3 System); Probability of Detection; High Vulnerability Systems, Medium Vulnerability Systems, Low Vulnerability Systems; WAN
Source: ISPE GAMP Forum
Validation Rigor Increases
with Vulnerability
Table columns: Class of System | Vulnerability/Validation Rigor | Plan/Report | Design Phases | Qualification Phases
Custom Software Application (High)
-URS (business and regulatory needs)
-FS (Full functionality of the system)
-Validation Plan and Report
-Detailed Risk Assessment against operational aspects
-Design down to module
-Development SOPs
-Supplier Audit
-Project specifications
-Comprehensive positive functional testing
-Design Review Process
-Audits
-Source Code Reviews
-Periodic Review
-risk-focused negative functional testing
-Change Control
-Traceability Matrix
COTS Application (Medium)
-URS (business and regulatory needs)
-FS (Full functionality of the system)
-High level Risk Assessment against operational aspects of processes
-Design documents (application configuration aspects only)
-Positive functional testing
-Design Review Process
-risk-focused negative functional testing
-Traceability Matrix
-Validation Plan and Report
-Development SOPs
-Supplier Audit
-Periodic Review
-Change Control
Infrastructure (Low)
-High level Risk Assessment against operational aspects of processes
-SLA
-Network topology diagram
-risk-focused functional testing (e.g. Security controls, data integrity, backup and recovery)
-Quality and Compliance Plan
-Network definition (list of supported applications, network performance, security requirements)
-Work SOPs
-Periodic Review
-Change Control
Source: ISPE GAMP Forum (Pharmaceutical Engineering, May/June 2003, Volume 23 (3), page 24)
Example: Networks as System
Components
Network Communication is Integral to Modern Systems
Design
Network Performance Directly Affects Application
Performance
Point Errors Can Affect Your Ability to Complete Critical
Tasks
If Critical Tasks Slowed There is a Business Cost
Regulators View Data at Risk as Product Quality at Risk
Business Impact can be High
Specifying a Networked
System
To be answered by the anticipated users
Operating environment
Security requirements (physical and logical
controls, authentication, encryption, biometrics?)
Capacity (sites, users, volumes)
Performance (response times, latency)
Reliability (risks, up-time, redundancy, data
integrity)
Standards to be used (protocols, cabling, design
considerations, operating procedures)
Qualification Phases
Design Qualification: User requirement specifications; functional specifications; vendor qualification
Installation Qualification: Check arrival as purchased; check installation of hardware and software
Operational Qualification: Test of key functions; requalification
Performance Qualification: Test for specified application; preventive maintenance; on-going performance tests
Reference: L.Huber,
Validation of Computerized Analytical and Networked Systems, 2002, Interpharm Press
Detailed content and ordering: www.labcompliance.com/books/validation3
Example: Qualification Phases
for Networks
DQ
The network is suitable for the applications
The design matches the intended use
IQ
Verifying and documenting static network
topology
The implementation matches the design
OQ
Dynamic topology verification and capacity
testing
The implementation operates properly
PQ
Measuring the network in use
Determining that the risk of failure in use is low
Documentation
The Four Cs of a Quality
Network
Connection
Each device can connect as the application requires
Communication
The devices can communicate through the connection
Capacity
The network has sufficient capacity for quality
communication
Control
The network will continue to enable quality
communication
Measurement Based Network
Qualification
Direct Measurement Reduces Risk Faster than
Documentation Alone
Direct Measurement Verifies the Actual Network
Quality
End to End Communication Quality is the Key Metric
Look Inside Your Network!
Flashback
Q: Do I really need to do this?
Possible Answers
A: Of course! (QA)
B: Who cares, I have work to do! (Engineering)
C: No way! (IT)
D: It depends! (FDA)
Source: Neil McClenney, SEC Associates, Inc., Presentation at IVT Philadelphia Conference, October 2003
Conclusion
Part 11 is not going away
You need to understand the regulatory requirements that affect
your work-area
You need to develop a gap and risk analysis
Which Trouble Areas are the Greatest Risks
What Remediation is Required
The results affect your overall validation plan
Validate applications, qualify infrastructure
Ask your suppliers for help if you lack resources or expertise
References and
Recommended Reading
www.ispe.org and www.pda.org: Good Practice
and Compliance for Electronic Records and
Signatures:
Part 1: Good Electronic Records Management
(GERM), July 2002
Part 2: Complying with 21 CFR Part 11, Electronic
Records and Signatures September 2001.
GAMP 4 Guide for Validation of Automated
Systems, December 2001 www.ispe.org
References and
Recommended Reading (2)
W. Winter, L. Huber: Instrument Control in Pharmaceutical
Laboratories Compliance with 21 CFR Part 11 and the New
Draft Guidance [submitted to Pharmaceutical Technology
Europe, Special Issue 21 CFR PART 11: COMPLIANCE AND
BEYOND MARCH 2003]
Wolfgang Winter, Electronic records are here to stay, Biopharm
Europe, Special Issue September 2002, 29-31
L. Huber, Implementing 21CFR Part 11 - Electronic Signatures
and Records in Analytical Laboratories Part 1, - Overview and
Requirements, Biopharm 12 (11), 28-34, 1999
W. Winter, L. Huber, Implementing 21CFR Part 11 - Electronic
Signatures and Records in Analytical Laboratories, Part 2
Security Aspects for Systems and Applications, BioPharm 13
(1), 44-50, 2000; reprinted in Pharmaceutical Technology 24 (6),
74-87, June 2000
References and
Recommended Reading (3)
W. Winter and L. Huber: Implementing 21CFR Part 11 - Electronic Signatures and Records in Analytical
Laboratories, Part 3 - Data Security and Data Integrity,
BioPharm 13 (3), 2000, pages 45-49
L. Huber and W. Winter: Implementing 21CFR Part 11 - Electronic Signatures and Records in Analytical
Laboratories, Part 5 - The Importance of Instrument Control
and Data Acquisition, BioPharm 13 (9), 2000, Agilent
publication number 5988-0946EN
W. Winter and L. Huber: Implementing 21CFR Part 11 - Electronic Signatures and Records in Analytical
Laboratories, Part 6, Biopharm and LCGC North America
November 2000 Supplement