
21 CFR Part 11 Risk Management Insights

The document outlines a proposed agenda for discussing 21 CFR Part 11 from a risk management perspective. The agenda includes reviewing the baseline requirements of 21 CFR Part 11, recent developments, lessons learned from integrating it with other legislation, and providing an example of how it could be applied to a company's procurement process. It also discusses challenges companies face in complying with 21 CFR Part 11 and strategies for establishing an effective compliance program.


21 CFR Part 11 – A Risk Management Perspective

November 13, 2003

Proposed Agenda

• 21 CFR Part 11 Baseline
• Recent 21 CFR Part 11 Developments
• Integration with other Legislation
• Lessons Learned
• Risk Management Perspective
• An Example
• Considerations

21 CFR Part 11 Baseline

• Regulation Established August 1997
• “All required controls that make e-record keeping trustworthy, reliable and compatible with FDA role”, Paul Motise
• The controls that were in place for paper records and handwritten signatures translated to an electronic environment
• Control Requirements:
– Security
– Archiving
– Audit Trails
– Copy Controls
– Sequencing Controls
– Device Checks
– Change Control
– Document Control
– Computer Systems Validation

Recent Developments

• All previous Part 11 guidance has been withdrawn
• New final guidance has been provided
• Final guidance acknowledges that:
– Statements made by agency staff may have been misinterpreted as policy
– The use of technology has been restricted, contrary to the agency’s intent
– The cost of compliance far exceeds the agency’s expectations
– Part 11 has discouraged innovation without a significant public health benefit

Recent Developments

• Part 11 is being re-examined and may be revised
• Certain areas will be subject to enforcement discretion (validation, audit trails, record retention and record copying)
• All other areas will continue to be enforced
• Narrow Scope – Part 11 applies when persons choose to use records in electronic format in place of paper records
• Decisions to rely on paper or electronic records should be documented

Recent Developments

• There are wide ranging opinions regarding what these changes mean
• Key messages:
– Part 11 is not going to go away
– One size does not fit all
– Focus on risk management – an effective internal control structure that protects product safety, quality and efficacy

Integration with Other Legislation – Connected Thinking

• Annex 11
• EPA
• HIPAA
• State Privacy Law
• EU Data Protection Directive
• ISO
• Basel II Accord
• Cadbury Turnbull
• Sarbanes-Oxley

Where are They Similar and Different?

FDA 21 CFR Part 11 EPA Annex 11 HIPAA Sarbanes-Oxley

Security Organization X X X

Audit Trails X X X X

Electronic Signatures X X

Archiving X X

Validation X X X X

Backup and Recovery X X X

Record Retention X X X

Disaster Recovery Planning X X X

Access Controls X X X X X

Training X X X

Lessons Learned – Key Challenges

• How does Part 11 rank in importance to other business priorities and regulations?
• What are acceptable remediation timeframes? Who decides?
• What does the final guidance mean given where my Company is in the process?
• How do we embed compliance into the business and system development lifecycle?
• How do we realize value from this compliance initiative?

Example Program Structure

[Organization chart, top to bottom]
– Executive Committee
– Program Sponsors: Chief Information Officer and Corporate Quality
– Compliance Program Steering Committee: Steering Committee Members / Business Unit Sponsors
– Program Director
– Business Unit Coordinator
– Business Unit Project Managers: R&D, Supply Chain, IT, Procurement, Sales & Marketing
– Business Unit Team Members (across functional and site locations): Manufacturing, QA, QC, Compliance, Validation, System Owner

Compliance Program Office

[Diagram: Project Management Office; Inventory; Assessment; Prioritization; Remediation]

Lessons Learned

• Executive Sponsorship
– Information Technology
– Quality Assurance
– Business Leadership
– Steering Committee
– Active Involvement
• Roles and Responsibilities
– Program Management
– Business
– Information Technology
– Quality Assurance
– Validation
– Internal/External Audit
• Program Management
– Project Planning
– Risk and Issue Management
– Templates, Processes and Procedures
– Training
– Monitoring
– Reporting
– Financial Management
– Stakeholder Management
– Portfolio Prioritization
– Benefits Realization
– Transition Plan

Lessons Learned

• Overlooked Areas • Assessment Process
– Technology Infrastructure – Methodology
– Procurement Process – Linkage to Remediation Plan and
– Third Parties (Vendors, Requirements
Suppliers, etc.)
– Training
– Standard Operating
Procedures – Monitoring

• Inventory Process – Change Control
– Methodology – Compliance Score
– Training
– Monitoring
– Change Control
– Ownership

Lessons Learned

• Prioritization
– Determine risk profile:
  • Compliance Score
  • System Lifecycle Stage
  • Inspection History (Company and Industry)
  • Impact on Quality, Safety, Efficacy, financial statements, operational objectives
  • Complexity
  • Standalone vs. Networked
  • Customized vs. Off-the-Shelf
– Identify Common Systems and Consolidation Targets
– Identify preliminary remediation approach (repair, replace or procedural)
– Calculate Budget
– Establish Compliance Based Remediation Targets and Timelines
– Confirm prioritization with relevant stakeholders
– Capture Benefits

Lessons Learned

• Remediation - Risk Assessment
– Focus on Business Process
– Everything is not important – only those things that impact quality decisions
– Product quality, safety and efficacy
– Data Integrity, Confidentiality and Availability
– A Risk Based Approach
  • Analyze Business Process
  • Understand Quality Related Objectives
  • What are the risks that could impact the objectives?
  • What controls must be established to mitigate the risks?
  • Controls become requirements
  • Validation provides evidence that the controls are in place and operating effectively

Procurement - Example

Procurement & Vendor Qualification

[Process flow diagram]
– Vendor Evaluation and Qualification
– Vendor Master Maintenance
– Material or Service Master Maintenance
– Contracts and Pricing
– Create Purchase Requisitions and Purchase Order (PO)
– Vendor Confirmation
– Goods Receipt and Reconciliation
– Material Qualification: NO – Return to Vendor; YES – MT
– Payment to Vendor

** MT: Material Traceability must be defined after a material is accepted and qualified. This includes the assignment of unique lot numbers after receipt at a manufacturing site. **

People, Process and Technology

Processes | People | Technology
New Vendors are selected | Purchasing Personnel | Vendor Setup in system
New Vendors are Qualified by QM Personnel (SOP) | Quality Management Personnel | System records Vendor Qualification details
Procurement of Raw Materials | Purchasing Personnel |
Receipt of Goods | Warehouse Personnel |
Material Qualification (SOP) | Quality Management Personnel | System records Material Qualification details
Material Traceability - Assign Lot Numbers (SOP) | Warehouse or Operations Personnel | Material lot numbers and tracking recorded in the system
Vendor Payments | Purchasing Personnel | Payment generated from system

Example

ID No. 1
Process: Vendor Maintenance
Risk: Changes to standing data are not completely and accurately input increasing the risk of improper payment to unauthorized or incorrect suppliers.
COSO Component: Control Activity
COSO Control Objective: Changes to standing data are completely and accurately input.
COSO Control Objective Category (C,F,O): Operational, Financial
Control Type (C,A,V,R): C,A
Control Requirements:
1) On-line edit and validation checks exist in the payables system to verify the accuracy of key vendor master data fields are entered.
2) Key data fields are required during vendor maintenance.
3) The system will check for duplicate vendor names, addresses, or other key data fields and flag the transaction for review before processing further.

ID No. 2
Process: Vendor Maintenance
Risk: Purchase orders are released with an invalid material vendor combination resulting in material that is purchased from an unqualified vendor
COSO Component: Control Activity
COSO Control Objective: Vendors are qualified before updating the vendor master file
COSO Control Objective Category (C,F,O): Operational, Compliance (CFR 820.50 (a) (3))
Control Type (C,A,V,R): C, A, V
Control Requirements:
1) Vendor Qualification SOP is in place, approved and effective
2) Vendor master controls shall be established to prevent sourcing materials to vendors that are not qualified

Considerations

– How connected are your Company’s efforts with respect to addressing related regulations?
– Does your Company have a consistent point of view regarding the appropriate level of compliance and associated documentation?
– Does your Company have a consistent risk management approach to focus compliance efforts?
– Are risk based decisions documented and linked to the compliance approach?
– Does your Company have a process to prioritize processes, systems and compliance projects based on risk?
– Does your Company have a system development lifecycle and validation methodology that is focused on key risk areas to assure compliance objectives?
