21 CFR Part 11 – A Risk Management Perspective
Patrick D. Roche
07 March 2003, Washington D.C.
PricewaterhouseCoopers
Proposed Agenda
• Recent 21 CFR Part 11 Developments
• Risk Management Perspective
• Potential Integration with other Legislation
• Examples
• Conclusion
Recent Developments
• CDER is now responsible for enforcement of 21 CFR Part 11
• All previous Part 11 guidance has been withdrawn
• New draft guidance has been provided
• Draft guidance acknowledges that:
• Statements made by agency staff may have been misinterpreted as policy
• The use of technology has been restricted, contrary to the agency’s intent
• The cost of compliance far exceeds the agency’s expectations
• Part 11 has discouraged innovation without a significant public health benefit
Recent Developments
• Part 11 is being re-examined and may be revised
• Certain areas will be subject to enforcement discretion (validation, audit trails, record retention and record copying)
• All other areas will continue to be enforced
Recent Developments
• Narrow Scope – Part 11 applies when persons choose to use records in electronic format in place of paper records
• Decisions to rely on paper or electronic records should be documented
• Audit Trail
  – A risk-based approach should be followed where audit trails are not required by predicate rules
  – Focus on adds, changes or deletions of records that impact quality, safety and efficacy
• Validation
  – A risk-based approach should be followed where validation is not required by predicate rules
  – Word processing software that is used to create paper-based SOPs would likely not require validation
• Copies of records
• Record Retention – Risk Assessment driven
Recent Developments
• There are wide-ranging opinions regarding what these changes mean
• Key messages:
• Part 11 is not going to go away
• The changes should not significantly modify your approach
• One size does not fit all
• Focus on risk management – an effective internal control structure that protects product safety, quality and efficacy
Risk Management Perspective
• Everything is not important – only those things that impact quality, safety or efficacy
• Risk – anything that can prevent an objective from being met
• Consider an ORCA Approach
• Analyze Business Process
• Understand Quality Related Objectives
• What are the Risks that could impact the objectives?
• What Controls must be established to mitigate the risks?
• Validation provides evidence that the controls are in place and Aligned with objectives and risks
• If system based controls are not in place, what other mitigating controls can be established?
• Document risk assessment and decision process
Linkage of 21 CFR Part 11 with COSO and Sarbanes Oxley
[Diagram: COSO Structure. Labels shown: COSO Component; Business Process; Transaction; Control Objective; Risk; Control Activities; Issue; Action Plan; Testing]
Examples
• Business Process – Procurement
• IT Infrastructure
Procurement - Example
Function: Procurement
Sub-Process: Create a purchase order
Objective: Purchases can only be sourced to qualified vendors
Risks:
• Appropriate controls are not established to ensure that vendors are qualified
• Vendor master file controls have not been established to prevent purchases from unqualified vendors
• No Vendor Audit Program in Place
Impact:
• Variation in quality of product
• Rejection of product
• Inventory shortages
• Impact on quality and safety
Procurement & Vendor Qualification
Process flow (diagram labels):
• Vendor Evaluation and Qualification
• Vendor Master Maintenance
• Material or Service Master Maintenance
• Contracts and Pricing
• Vendor Confirmation
• Create Purchase Requisitions and Purchase Order (PO)
• Goods Receipt and Reconciliation
• Material Qualification
• Return to Vendor
• Payment to Vendor
Decision branches in the diagram are labelled YES and NO; points marked MT refer to the note below.
MT: Material Traceability must be defined after a material is accepted and qualified. This includes the assignment of unique lot numbers after receipt at a manufacturing site.
People, Process and Technology
[Diagram with three columns (Processes, People, Technology), linked by SOPs; labels listed by column]
Processes:
• New Vendors are selected
• New Vendors are Qualified by QM Personnel
• Procurement of Raw Materials
• Receipt of Goods
• Material Qualification
• Material Traceability - Assign Lot Numbers
• Vendor Payments
People:
• Purchasing Personnel
• Quality Management Personnel
• Warehouse Personnel
• Warehouse or Operations Personnel
Technology:
• System records Vendor Qualification details
• System records Material Qualification details
• Material lot numbers and tracking recorded in the system
• Vendor Setup in system
• Payment generated from system
Procurement & Vendor Qualification
Vendor Evaluation & Qualification Controls:
• Audit Trails for Vendor Qualification are established, including appropriate electronic record and signature requirements to meet 21 CFR Part 11
• Vendor Qualification policies and procedures have been established and implemented
• Vendor Qualifications are restricted to authorized personnel
• Materials must be procured only from qualified vendors
• Quality procedures are distributed to approved vendors on a regular basis and are included as part of the negotiations for new external sourcing arrangements
Associated Risk/Consideration:
• Unauthorized vendors may be found in the Master Vendor File
• Materials may be procured from unqualified vendors
• Approved vendors may not meet FDA requirements
• Regulatory exposure
• Records of vendor qualification reviews and results may be inappropriate or not exist
Address Book Controls
Vendor Address Book Maintenance Controls:
• Restricted access to Vendor Master File
• Vendor Master File changes are tracked via an associated audit trail
• Electronic signatures and records are maintained as appropriate for all Vendor Master Changes in accordance with 21 CFR Part 11
Associated Risk/Consideration:
• Unauthorized purchases may result
• Unauthorized payments to vendors may occur
• Duplicate Vendor Master records may exist
• Changes to vendor Master files may not be cGMP compliant as accurate, traceable and approved
• Regulatory exposure
Example – IT Infrastructure
IT Infrastructure Example
Database server
Application server
Presentation server
Business Process Controls
Authorizations and Security
Testing, Conversion & project management
Operating System Security
Change Control
Backup, Recovery and Contingency Planning
Physical Security
Database Management
Integrity
Enterprise Security
Policies & Procedures
Internet Firewalls
Legacy System Interfaces
Conclusion
• Don’t stop your Part 11 efforts
• Re-examine your approach in light of the new guidance
• Don’t overcomplicate the process
• Think process and then technology
• Incorporate risk management concepts wherever possible
• Document risk assessment and decision processes
Contact Information
• Patrick D. Roche,
• Florham Park, NJ
• (973)236-4844