21 CFR Part 11
Rules for complying with
the rules
Marilyn M. Marshall QAO
Office of the Vice-President for Research
Lindy Brigham
March 30, 2006
The Rules




The rules and your lab
The rules and your business
The rules
Your role in interpreting the rules
Rules and Research Labs






Good research requires good
laboratory practices
Ho, experimental design, proceedures
Equipment maintenance
Employee training
Data Collection
Record keeping
Rules and Business

The same concepts apply to industry
research PLUS




Safety issues for consumers
Efficacy expectations
But the time and money constraints are very
different in industry
“From industry’s perspective, it is a big
challenge to understand how it can combine
compliance with improving business
performance”
The Business of Compliance



How you bring new products to market, how
you produce your existing product offerings
and how you maintain your competitive
advantage will all be impacted by the
timeliness of your reaction to 21CFR11.
The drama will be played-out in both the
medicine cabinets of consumers and in the
boardrooms of Wall Street.
21CFR11 & Better Business Practices: Moving Beyond Compliance by Robert Yeager,
President, Intellution Inc.
Intellution wants YOUR business

The FDA tells you that you MUST comply
with 21CFR11

Intellution shows you why you’ll WANT TO
comply
Compliance Requirements



Record keeping
Submissions to the Regulatory
Agencies to show compliance
The Government Paperwork
Elimination Act
The Government Paperwork
Elimination Act



The focus of the GPEA is to promote the
doing of business electronically, with the
public and otherwise.
The GPEA (P.L. 105-277) took effect on
October 21, 1998.
Under the GPEA persons required to submit
information to the government, or maintain
information, must be given the option to do
so electronically when practicable.
21 CFR Part 11


21 CFR 11 defines the criteria under
which the FDA will accept electronic
records and electronic signatures as
equivalent to paper-based records and
handwritten signatures.
ERES – Everybody Run, Everybody
Scream
Intent

The 21 CFR 11 criteria are designed
to:



prevent accidental alterations to
electronic records
deter deliberate falsification
and help detect such changes when they
do occur.



Subpart A – scope, implementation,
definitions
Subpart B – electronic records
Subpart C – electronic signatures
Scope

applies to records in electronic form that are

created,

modified,

maintained,

archived,

retrieved, or

transmitted, .
 under any records requirements set forth in
agency regulations
Electronic Record

any combination of text, graphics,
data, audio, pictorial, or other
information in digital form that is
created, modified, maintained,
archived, retrieved, or distributed by a
computer system
Electronic Signature

a computer data compilation of any
symbol or series of symbols executed,
adopted, or authorized by an individual
to be the legally binding equivalent of
the individual’s handwritten signature
Applicability of 21CFR11



Is the record or signature electronic?
Is the record or signature required by
an existing FDA regulation (predicate
rule), or by an SOP
Is the record or signature for
submission to the Agency, or in
support of that submission?
Predicate Rules



Any requirements set forth in the Act (Federal Food,
Drug and Cosmetic Act), the PHS Act (Public Health
Service Act), or any FDA regulation (GxP: GLP,
GMP, GCP, etc.).
The predicate rules mandate what records must be
maintained; the content of records; whether
signatures are required; how long records must be
maintained, etc.
If there is no FDA requirement that a particular
record be created or retained, then 21 CFR Part 11
most likely does not apply to the record.

The term “Predicate Rule” is NOT
used in the 21 CFR Part 11 Final Rule.

The term “Predicate Rule” is used in
the Part 11 Guidance for Industry
document(s)
Your role in interpreting the rules



The FDA has acknowledged that a “one size
fits all” interpretation of regulations, such as
21FCR11, is not feasible.
The onus of regulatory interpretation is on
the organization being regulated
Organizations must now justify their course
of action based on their interpretation of the
regulations, as well as any risk associated
with those actions
Are you in compliance?

Risk-Based Assessment
Definition of Risk (IEEE)

A measure of the probability and
severity of undesired effects, often
as the simple product of probability
and consequence.
Definition of Risk Assessment

A systematic evaluation of the risk of a
process by determining

what can go wrong (risk identification)

how likely is it to occur (risk estimation)

and what the consequences are.
Part 11
Scope and Application Guidance
“We (FDA) recommend that you base your approach
on a justified and documented risk assessment
and a determination of the potential of the system
to affect product quality, safety, & record integrity.”
Part 11
Scope and Application Guidance
“We (FDA) suggest that your decision
on how to maintain records be based on
predicate rule requirements and on a
justified and documented risk assessment and
a determination of value of the records over time.”
Good Practices For Computerised Systems
In Regulated “GXP” Environments

A risk-based approach is one way to
demonstrate that you have applied a
controlled methodology, to determine the
degree of assurance that a computerised
system is fit for it’s intended purpose.
Consequences (Severity) of Risk
If a system should fail to be fit for its intended use,
what would be the impact:

Public Health and Safety – Death, Injury, Illness

Product Quality and Safety – Adulteration, Defective

Compliance – Warning Letter, 483, Study Non-compliance

Business Continuation – Out of Business, Loss of Business

Operation – Delay of project, Operator frustration
Risk Impacts

Critical/ Non-critical

Low/ Medium/ High

Defined and Quantifiable number (e.g. 1-3 or 1-10)
Examples of Systems
High Risk:

Manufacturing Batch Records

Patient Records

Laboratory Test Results

LIMS and QA systems
Low Risk:

Environmental Monitoring Records (not affecting
product quality)

Training Records

Master Schedule System
Methods of Determining Risk
High Level Risk
Failure of the system

May cause harm to patients, and there is no correction possible

Has significant impact on business operations for several days
Medium Level Risk
Failure of the system

Can cause harm to patients, but the failure is likely to be able to be corrected

Has potential impact on business operations for a few days
Low Level Risk
Failure of the system

Will not cause harm to patients

Will cause negligible impact to business operations
Methods of Determining Risk
Probability
Impact
Low
Medium
High
L
L
M
L
M
H
M
H
H
Low
Medium
High
Methods of Determining Risk
Failure Mode Effects Analysis (FMEA) Type Method
Severity

3 = High Impact

2 = Medium Impact

1 = Low Impact
Occurrence

3 = High Probability of Occurring

2 = Medium Probability of Occurring

1 = Low Probability of Occurring
Detection

3 = High Probability of Going Undetected

2 = Medium Probability of Going Undetected

1 = Low Probability of Going Undetected (Failure will be easily detected)
Methods of Determining Risk

Risk Value = Severity X Occurrence X Detection
e.g. High Severity X High Occurrence X Low Chance of Detection (High Risk)
Risk Value = 3 X 3 X 3 = 27
Med Severity X Med Occurrence X Low Chance of Detection (High Risk)
Risk Value = 2 X 2 X 3 = 12
Low Severity X Low Occurrence X High Chance of Detection (Low Risk)
Risk Value = 1 X 1 X 1 = 1
Med Severity X High Occurrence X High Chance of Detection (Low Risk)
Risk Value = 2 X 3 X 1 = 6

This Methods Makes It Easier To Prioritize &

Clearly Identifies The Higher Risk Systems!
Evaluating Risk Factors
Need for Validation:

High Level Risk Assessment

Major Functionalities of the System

Identified Associated Risk
Extent of Validation:

More Detailed Assessment

Sub-functions and User Requirements

Impact of Risk related to those Functions
Need and Extent of Audit Trail:

Impact of Risk Resulting from Accidental or Intentional Adverse Events

Traceability and Integrity of Records
Method of Record Retention:

Impact from Loss of Record vs. Impact on Record Retrievability (by not using
electronic capabilities).
Examples of Justification of Risk Factors
Risk to Human Health & Safety = Low

<Company> is not involved in the analysis of final drug or
biological product, drug substance, active pharmaceutical
ingredients (APIs), or in the final testing of medical device
performance or combination products. The direct risk to human
health and safety therefore is determined to be minimal.
Examples of Justification of Risk Factors
Part 11 Applicability = Low

<> has identified the hardcopy paper records as the primary raw
data. Only in cases where reprocessing is necessary will the
electronic raw data file be used. Electronic records maintained
in non-instrument related databases (e.g. sample tracking
system, sample labeling, training documentation) are entered
from original paper documentation which is maintained and
archived in secure facility files.
Examples of Justification of Risk Factors
Risk of Data Corruption = Low

The risk and probability of unintentional corruption of electronic
records is considered to be low based on the level of education,
skill, and training of the staff. Computerized systems are qualified
and validated to assure proper performance of the system for its
intended use. In most cases, paper records are available for the
reconstruction of the data.
References
Guidance for Industry
Part 11, Electronic Records; Electronic Signatures — Scope and Application,
CDER, August 2003
www.fda.gov/cder/guidance/5667fnl.pdf
Guidance for Industry
Quality Systems Approach to Pharmaceutical Current Good Manufacturing Practice Regulations
DRAFT, September 2004
www.fda.gov/cber/gdlns/qualsystem.pdf
Good Practices For Computerised Systems In Regulated “GXP” Environments
PIC/S GUIDANCE PI 011-21 July 2004
www.picscheme.org/BAK/docs/pdf/PI%20011-2%20Recommendation%20on%20Computerised%20Systems.pdf
FDA Glossary of Computerized System and Software Development Terminology
www.fda.gov/ora/inspect_ref/igs/gloss.html
The Impact of the Guidance for Industry Part 11 , Electronic Records, Electronic Signatures –
Scope and Application White Paper, Robert J. Finamore CSSC, Inc Sept 4, 2003
www.csscinc.net/company/Impact%20of%20New%20Part%2011%20Guidance.pdf
ISPE Risk-Based Approach to 21 CFR Part 11
www.ispe.org/Template.cfm?Section=Search&CONTENTID=9020&TEMPLATE=/ContentManagement/ContentDis
play.cfm
References (con’t)
Guidance for Industry
Part 11, Electronic Records; Electronic Signatures — Scope and Application,
CDER, August 2003
www.fda.gov/cder/guidance/5667fnl.pdf
Guidance for Industry
Quality Systems Approach to Pharmaceutical Current Good Manufacturing Practice Regulations
DRAFT, September 2004
www.fda.gov/cber/gdlns/qualsystem.pdf
Good Practices For Computerised Systems In Regulated “GXP” Environments
PIC/S GUIDANCE PI 011-21 July 2004
www.picscheme.org/BAK/docs/pdf/PI%200112%20Recommendation%20on%20Computerised%20Systems.pdf
FDA Glossary of Computerized System and Software Development Terminology
www.fda.gov/ora/inspect_ref/igs/gloss.html
The Impact of the Guidance for Industry Part 11 , Electronic Records, Electronic Signatures –
Scope and Application White Paper, Robert J. Finamore CSSC, Inc Sept 4, 2003
www.csscinc.net/company/Impact%20of%20New%20Part%2011%20Guidance.pdf
ISPE Risk-Based Approach to 21 CFR Part 11
www.ispe.org/Template.cfm?Section=Search&CONTENTID=9020&TEMPLATE=/ContentManagement/Content
Display.cfm
Risk Management

Risk Assessment - Assess Potential Risks and Consequences

Risk Identification – Identify the Potential Risks

Risk Estimation – Determine the Likelihood that the Risk will Occur

Risk Impact – Determine the Potential Impact of the Risk

Risk Detection – Determine the Detectibility of the Risk

Risk Classification – Define & Quantify Risk Level

Risk Analysis – Determine Cost/Benefit Analysis

Risk Mitigation/Avoidance – Determine Risks which can be Lessened or
Avoided

Risk Strategy - Determine and Document Strategies for Managing Risk

Risk Monitoring – Monitor Changes, New Risks, Risk Levels & Update
Risk Plans