Date: 23 February 2012
Link FDA 483 (New Window)
Showing posts with label 21 CFR Part 11. Show all posts
Showing posts with label 21 CFR Part 11. Show all posts
10 Apr 2012
9 Jan 2012
Definition of Raw Data
Within EU Chapter 4 – Documentation there is a clear definition of Raw Data and the requirements to retain the raw data.
Records: Provide evidence of various actions taken to demonstrate compliance with instructions, e.g. activities, events, investigations, and in the case of manufactured batches a history of each batch of product, including its distribution. Records include the raw data which is used to generate other records. For electronic records regulated users should define which data are to be used as raw data. At least, all data on which quality decisions are based should be defined as raw data
Electronic Raw Data
This provides clear definition of raw data and the regulatory requirements.Where paper based records are maintained the regulated company should determine whether all the raw data is presented within the paper record or whether the record is a summary of the data. If it is a summary of the decision (for example within Laboratory Analytical test systems where the samples are taken, interpreted and a final result included) then the electronic raw data must be maintained to assure the integrity. Where the paper record is the complete record then the electronic data may be removed (see Deleting Electronic Data).
Raw Data will exist in many computerised systems and should be identified during the initial impact or validation determination statement. Examples of raw data maintained by computerised systems include
- Quality critical process data from instruments stored within data historian
- Alarm logs from automation systems
- Event logs and audit trails
- Laboratory instrument data
- Environmental monitoring data
Following from the final guidance from the FDA for 21 CFR Part 11, Electronic Records Electronic Signatures the regulated company must identify all raw data associated with making GMP decisions and determine what format (paper / electronic) that the data will be maintained. If the raw data is to be maintained in electronic format then the integrity of the record must be assured.
28 Mar 2011
EU Annex 11 - Electronic Signatures
Electronic Signatures
This is a continuation of a review of the update to EU Annex 11 and Chapter 4 (Documentation) that was issued in January 2011 to become effective on the 30 June 2011.
As stated in the previous article the EU Annex 11 update does not directly reference Electronic Records this is included in the update to EU Chapter 4 (Documentation).
The update to EU Annex 11 however does state the following relating to Electronic Signatures.
4 Mar 2011
CSV FDA Warning Letters : Electronic Records
Date: 28 Jan 11
Link: FDA Warning Letter (New Window)
Observation
In addition, we remain concerned that your (b)(4) adverse drug experience reporting system has not been fully validated, and may have resulted in inaccurate assessment and untimely submission of 15-day alerts. The current application was released into production on November 9, 2009 using an Interim Validation report (IVR) that is still not final. Critical issues (deviations) identified in your interim validation report during the inspection included the following, but is not limited to: lack of training for your (b)(4)support team, incomplete SOPs and Work Instructions, and inaccurate data migration of legacy adverse experience cases from your previous adverse drug experience database, (b)(4). Currently, your (b)(4) system does not display accurate clock dates on MedWatch forms for cases which were initially entered in (b)(4) and later entered into (b)(4) due to the receipt of additional information (follow-up) for the same cases. MedWatch forms printed out from (b)(4) for these migrated cases are documented as initial 15-day reports, instead of follow-up reports. Also, the report date in Block B5 of the MedWatch form is the print date, not the actual date of submission. Shortcomings such as these affect the accuracy, reliability, consistency of the system and your firm’s ability to discern invalid or altered electronic records or make timely submissions to FDA as required.Comment
This audit observation (FDA 483) was made during an inspection of a pharmaceutical facility by the FDA focusing on the compliance with Postmarketing Adverse Drug Experience (PADE) reporting requirements. These are critical electronic records for any pharmaceutical company.This observation relates to 21 CFR Part 11 and the integrity of electronic records. There are three interesting parts to this observation.
Validation
The validation of the system was criticised for not being complete and that critical issues (deviations) had not been closed. We have all been involved in projects where the system must go live due to project constraints and yet the system is either not finished or has not successfully completed the validation. Understanding the issues, documenting within a risk assessment with respects to patient safety and record (data) integrity to make an informed decision as to whether the system can be released to production.
If the system fails to meet the acceptance criteria, where significant risks to patient safety or record integrity cannot be controlled (technically or procedurally) then the quality unit must ensure that the system does not go in to production.
Clock
Within the FDA 483 it was observed that
Currently, your (b)(4) system does not display accurate clock dates on MedWatch forms for cases which were initially entered in (b)(4) and later entered into (b)(4) due to the receipt of additional information (follow-up) for the same cases.
The accuracy of clocks used within electronic record systems is imperative to ensuring accurate records. Within 21 CFR Part 11 the inclusion of date and time is quoted, including for creation, modification and deletion of records, audit trails and electronic signatures.
To ensure the accuracy of the time source for meeting electronic record requirements the computer time must be synchronised with a master clock. Where multiple countries are involve the time should also include the time zone.
Record Integrity
Although not citing against 21 CFR Part 11 directly this observation brings in to question the integrity of the record. The quote your firm’s ability to discern invalid or altered electronic records or make timely submissions to FDA as required is a direct quote from 21 CFR Part 11 (validation).
Care must be taken with electronic record systems to ensure that the integrity of the record is not compromised. The clock issue is one that should be simple to fix, synchronising PC clocks across the IT network.
The reporting of the migrated data should have been picked up during the testing prior to the system going live either with controls put in place to ensure that the records were accurate or the system not released for use until the issue was resolved.
2 Mar 2011
CSV FDA Warning Letters : Laboratory Systems Security
Date: 20 April 2010
Link: FDA Warning Letter (New Window)
Observation
This is a follow up letter from an inspection in 2009 where the security of laboratory systems had been raised within the FDA 483.6. Your firm has failed to exercise appropriate controls over computer or related systems to assure that changes in master production and control records, or other records, are instituted only by authorized personnel [21 C.F.R § 211.68(b)].
a) Your firm's laboratory analysts have the ability to access and delete raw chromatographic data located on the (b)(4) of (b)(4) used to conduct HPLC testing. Due to this unrestrictive access, there is no assurance that laboratory records and raw data are accurate and valid.
b) Your firm's laboratory analysts have the ability to access and modify the formulas in the Excel spreadsheets used to calculate assay results for Guaifenesin and (b)(4) drug products. Due to this unrestricted access, there is no assurance that the formulas in the Excel spreadsheets are accurate and valid.
Your response appears to be adequate, but the effectiveness of the security features on your laboratory equipment will be verified at the next inspection.
Comment
This is a regular theme that pharmaceutical companies fail to have appropriate security controls over laboratory equipment. This again links with the approach in 2009 not to cite against 21 CFR Part 11 but against 21 CFR 211. As discussed in a previous post the FDA are planning to perform investigations against 21 CFR Part 11.In part (a) of the observation the requirement is to ensure that users of laboratory systems do not have access to the operating system, to ensure that the raw data is secure.
In part (b) is is interesting that spreadsheets get a direct mention in the observation. Security controls over the spreadsheets should be employed to ensure that the formulas within them cannot be modified (either accidently or maliciously). A general rule should be to avoid using spreadsheets as much as possible, but where they are used they must be controlled and validated (see Spreadsheet Validation post).
As part of an inspection readiness program or periodic review a review of security controls within the laboratory areas should be performed. Ensure that controls are in place and that they are followed. Technical controls must be in place to ensure that users of the system do not have access to the operating system which would give them in turn access to the electronic records.
Comments are always welcome.
6 Dec 2010
Deleting Electronic Data
Hybrid Systems (Deleting Electronic Data)
In Hybrid systems the computerised system is used to generate a record which is printed and hand signatures applied. The decision for the regulated company is whether the electronic record (or raw data) should be kept or deleted from the system.In the FDA Guidance “Part 11, Electronic Records; Electronic Signatures — Scope and Application” under record retention the following is stated:
FDA does not intend to object if you decide to archive required records in electronic format to nonelectronic media such as microfilm, microfiche, and paper, or to a standard electronic file format (examples of such formats include, but are not limited to, PDF, XML, or SGML). Persons must still comply with all predicate rule requirements, and the records themselves and any copies of the required records should preserve their content and meaning. As long as predicate rule requirements are fully satisfied and the content and meaning of the records are preserved and archived, you can delete the electronic version of the records. In addition, paper and electronic record and signature components can co-exist (i.e., a hybrid situation) as long as predicate rule requirements are met and the content and meaning of those records are preserved.
This statement is key to the determination of whether the system falls under the FDA electronic record ruling (21 CFR Part 11). For systems where a paper record is produced the decision of the regulated company is whether to keep the electronic record, or the associated raw data. Care has to be taken in making this decision and the rationale documented.
Removing (deleting) the electronic record removes the need to maintain the record and the additional overhead (effort) required to maintain the record compliantly. However the regulated company must ensure that the record is complete (that is does not rely on the electronic data).
Where the record is maintained, then the following from the guidance should be considered.
In some cases, actual business practices may dictate whether you are using electronic records instead of paper records under § 11.2(a). For example, if a record is required to be maintained under a predicate rule and you use a computer to generate a paper printout of the electronic records, but you nonetheless rely on the electronic record to perform regulated activities, the Agency may consider you to be using the electronic record instead of the paper record. That is, the Agency may take your business practices into account in determining whether part 11 applies.
Summary
Deleting data is a big step to take for a regulated company. The regulated company must determine and document the decision as to whether the electronic data will be used for making GxP decisions.If the electronic data is to be kept but the regulated company does not want to maintain compliance with 21 CFR Part 11, then steps must be taken to demonstrate that the data is NOT used for any GxP decisions. This can be difficult to demonstrate or control.
If you need to keep the data (for any purposes) and you cannot demonstrate that the information is not used for making GxP decisions then the record and associated data is maintained compliant with 21 CFR part 11.
Where data is not required to be kept then the data can be immediately removed from the system or archived so that it is not available for users / quality to make quality related decision on it.
Leave a comment to share your thoughts and experience on Hybrid systems and electronic data and whether you maintain these records or not.
21 Jul 2010
FDA Announce Part 21 CFR 11 Inspections
Image via WikipediaPublished on the FDA website the agency states:
The Agency (FDA) will be conducting a series of inspections in an effort to evaluate industry’s compliance and understanding of Part 11 in light of the enforcement discretion described in the August 2003 ‘Part 11, Electronic Records; Electronic Signatures — Scope and Application’ guidance (Guidance). The Agency intends to take appropriate action to enforce Part 11 requirements for issues raised during the inspections that do not fall under the enforcement discretion discussed in the Guidance.
Links
Full announcement - FDA Website
Part 11 Comment - Blog
Electronic Records Article Risk Based Approach - CSV-QA.COM
7 Jun 2010
21 CFR Part 11 Warning Letters
From the review of the FDA Warning Letters I could not find any observations for pharmaceutical or biotechnology companies directly citing non compliance against 21 CFR Part 11.
21 CFR Part 11 - The next step
From the review of the published FDA Warning letters the observations relating to the security and electronic records have not been cited against 21 CFR part 11 however the agency selected 21 CFR 211.68 for the violation.In an e-mail to GAMP Americas Leadership, Robert Tollefsen, a consumer safety officer and national expert on computers at the FDA’s division of field investigations wrote
“CDER will begin an inspectional assignment of 21 CFR 11 (Part 11) requirements as described in the Part 11 Scope and Application guidance published in August of 2003. This effort will be part of CDER’s effort to evaluate industry’s compliance and understanding of Part 11 in light of the enforcement discretion described in the scope and application guidance. CDER intends to use the inspectional findings to help assess how to proceed with regard to the possible modification of Part 11. CDER intends to take appropriate action to enforce Part 11 requirements for issues raised during the inspections” [Source : Pharmalot]
Comment
Regulated companies must ensure the integrity of Electronic Records following the FDA Guidance (2003), implement a risk based approach to demonstrate and provide documented evidence that electronic records (including raw data) are trustworthy and reliable.Immediately after the publication of 21 CFR part 11 by the FDA there was a considerable amount of effort put in to the assessing and making systems compliant. However after the publication of Guidance to Industry in 2003, I believe that there has been a real complacency in the industry to compliance.
Although as we have seen from the FDA warning letters, while there has been a reluctance to cite directly against 21 CFR part 11, the FDA through the inspections has continued to assess the integrity of the electronic records and signatures, and the expectations such as documented Risk Analysis, Security and Audit Trails to demonstrate compliance.
I have written an introduction to a Risk Based Approach to Electronic Records on my web site.
Subscribe to:
Posts (Atom)