21 CFR Part 11 A Risk Management Perspective


1 21 CFR Part 11: A Risk Management Perspective
Patrick D. Roche
07 March 2003, Washington D.C.

2 Proposed Agenda
- Recent 21 CFR Part 11 Developments
- Risk Management Perspective
- Potential Integration with other Legislation
- Examples
- Conclusion

3 Recent Developments
- CDER is now responsible for enforcement of 21 CFR Part 11
- All previous Part 11 guidance has been withdrawn
- New draft guidance has been provided
- Draft guidance acknowledges that:
  - Statements made by agency staff may have been misinterpreted as policy
  - The use of technology has been restricted, contrary to the agency's intent
  - The cost of compliance far exceeds the agency's expectations
  - Part 11 has discouraged innovation without a significant public health benefit

4 Recent Developments
- Part 11 is being re-examined and may be revised
- Certain areas will be subject to enforcement discretion (validation, audit trails, record retention and record copying)
- All other areas will continue to be enforced

5 Recent Developments
- Narrow Scope
  - Part 11 applies when persons choose to use records in electronic format in place of paper records
  - Decisions to rely on paper or electronic records should be documented
- Audit Trail
  - A risk-based approach should be followed where audit trails are not required by predicate rules
  - Focus on adds, changes or deletions of records that impact quality, safety and efficacy
- Validation
  - A risk-based approach should be followed where validation is not required by predicate rules
  - Word processing software that is used to create paper-based SOPs would likely not require validation
- Copies of records
- Record Retention - Risk Assessment driven

6 Recent Developments
- There are wide-ranging opinions regarding what these changes mean
- Key messages:
  - Part 11 is not going to go away
  - The changes should not significantly modify your approach
  - One size does not fit all
  - Focus on risk management: an effective internal control structure that protects product safety, quality and efficacy

7 Risk Management Perspective
- Everything is not important, only those things that impact quality, safety or efficacy
- Risk: anything that can prevent an objective from being met
- Consider an ORCA Approach
  - Analyze Business Process
  - Understand Quality Related Objectives
  - What are the Risks that could impact the objectives?
  - What Controls must be established to mitigate the risks?
  - Validation provides evidence that the controls are in place and Aligned with objectives and risks
  - If system-based controls are not in place, what other mitigating controls can be established?
  - Document risk assessment and decision process

8 Linkage of 21 CFR Part 11 with COSO and Sarbanes Oxley
[Diagram: COSO Structure. Labels: COSO Component, Business Process, Transaction, Control Objective, Risk, Control Activities, Testing, Issue, Action Plan]

9 Examples
- Business Process: Procurement
  - Function: Procurement
  - Sub-Process: Create a purchase order
  - Objective: Purchases can only be sourced to qualified vendors
  - Risks:
    - Appropriate controls are not established to ensure that vendors are qualified
    - Vendor master file controls have not been established to prevent purchases from unqualified vendors
    - No Vendor Audit Program in Place
  - Impact:
    - Variation in quality of product
    - Rejection of product
    - Inventory shortages
    - Impact on quality and safety
- Business Process: IT Infrastructure

10 Procurement - Example

11 Procurement & Vendor Qualification
[Flowchart. Labels: Vendor Evaluation and Qualification; Vendor Master Maintenance; Create Purchase Requisitions and Purchase Order (PO); Vendor Confirmation; Material or Service Master Maintenance; Goods Receipt and Reconciliation; Material Qualification (NO: Return to Vendor; YES: MT); Contracts and Pricing; Payment to Vendor]
** MT: Material Traceability must be defined after a material is accepted and qualified. This includes the assignment of unique lot numbers after receipt at a manufacturing site. **

12 People, Process and Technology
[Table with columns Processes, People and Technology; row alignment was lost in transcription]
- Processes: New Vendors are selected; New Vendors are Qualified by QM Personnel; Procurement of Raw Materials; Receipt of Goods; Material Qualification; Material Traceability - Assign Lot Numbers; Vendor Payments
- People: Purchasing Personnel; Quality Management Personnel; Purchasing Personnel; Warehouse Personnel; Quality Management Personnel; Warehouse or Operations Personnel; Purchasing Personnel
- Technology: Vendor Setup in system; System records Vendor Qualification details; System records Material Qualification details; Material lot numbers and tracking recorded in the system; Payment generated from system
- Other labels: SOP (appears three times)

13 Procurement & Vendor Qualification
Vendor Evaluation & Qualification
Controls:
- Audit Trails for Vendor Qualification are established, including appropriate electronic record and signature requirements to meet 21 CFR Part 11
- Vendor Qualification policies and procedures have been established and implemented
- Vendor Qualifications are restricted to authorized personnel
- Materials must be procured only from qualified vendors
- Quality procedures are distributed to approved vendors on a regular basis and are included as part of the negotiations for new external sourcing arrangements
Associated Risk/Consideration:
- Unauthorized vendors may be found in the Master Vendor File
- Materials may be procured from unqualified vendors
- Approved vendors may not meet FDA requirements
- Regulatory exposure
- Records of vendor qualification reviews and results may be inappropriate or not exist

14 Address Book Controls
Vendor Address Book Maintenance
Controls:
- Restricted access to Vendor Master File
- Vendor Master File changes are tracked via an associated audit trail
- Electronic signatures and records are maintained as appropriate for all Vendor Master Changes in accordance with 21 CFR Part 11
Associated Risk/Consideration:
- Unauthorized purchases may result
- Unauthorized payments to vendors may occur
- Duplicate Vendor Master records may exist
- Changes to Vendor Master files may not be cGMP compliant as accurate, traceable and approved
- Regulatory exposure

15 Example IT Infrastructure

16 IT Infrastructure Example
[Diagram. Labels: Authorizations and Security; Legacy System Interfaces; Testing, Conversion & project management; Physical Security; Operating System Security; Database server; Application server; Database Management Integrity; Change Control; Enterprise Security Policies & Procedures; Presentation server; Business Process Controls; Internet Firewalls; Backup, Recovery and Contingency Planning]

17 Conclusion
- Don't stop your Part 11 efforts
- Re-examine your approach in light of the new guidance
- Don't overcomplicate the process
- Think process and then technology
- Incorporate risk management concepts wherever possible
- Document risk assessment and decision processes

18 Contact Information Patrick D. Roche, Florham Park, NJ (973)
