Академический Документы
Профессиональный Документы
Культура Документы
Where 21 CFR Part 11 and Annex 11 Meet Whitepaper From Montrium
Where 21 CFR Part 11 and Annex 11 Meet Whitepaper From Montrium
Gianna De Rubertis
Director of Professional Services
Montrium
Stephanie Tanguay
Director of Quality Assurance
Montrium
Michael Zwetkow
Chief Innovation Officer
Montrium
1
OVERVIEW
Introduction ���������������������������������������������������������������������������������������������������������������������������������������������������������������������� 3
Conclusion ���������������������������������������������������������������������������������������������������������������������������������������������������������������������� 24
References ��������������������������������������������������������������������������������������������������������������������������������������������������������������������� 24
Glossary �������������������������������������������������������������������������������������������������������������������������������������������������������������������������� 24
2
Where 21 CFR Part 11 & Annex 11 Meet
Introduction
3
Where 21 CFR Part 11 & Annex 11 Meet
criteria under which electronic records and 2003 – “Scope and Application” Guidance
electronic signatures are considered to be 2004 – Draft Computerized Systems Used in
trustworthy, reliable and generally equivalent Clinical Trials Guidance
to paper records and handwritten signatures. 2007 – Final Guidance Published
21 CFR Part 11 fundamentally allows the
replacement of any paper record and
handwritten signature with an electronic one.
Figure 1 – Illustration of how 21 CFR Part 11 oversees other Title 21 chapters.
Overview of Annex 11
In the European Union (EU), EudraLex is the systems within GMP-regulated activities. When
collection of rules and regulations governing used in conjunction with Chapter 4, Annex 11
medicinal products (for human use as well as for provides guidance for the use of electronic
veterinary use). documents (electronic records and electronic
signatures) within a GMP environment.
EudraLex consists of 10 volumes, of which only
Volume 1 (concerning medicinal products for The relationship between Annex 11 and the
human use) and Volume 5 (concerning medicinal EudraLex volumes and chapters is depicted in
products for veterinary use) present official Figure 2.
legislation. The basic legislation is supported by a
series of guidelines that are published within the Annex 11 was revised and issued in 2011 as a result
other eight volumes. of the increased use and increased complexity
of computerised systems. It is applicable to EU
EudraLex Volume 1 and Volume 5 both embody program areas as well as foreign manufacturers
a series of Directives issued by the European wishing to obtain EU market approval. Moreover,
Commission (the executive body responsible for while Annex 11 is defined for all member states of
proposing legislation in the EU). Particularly, two the European Union, other countries that are PIC/S
directives laying down principles and guidelines of members (like Australia and Canada) have also
good manufacturing practice (GMP) for medicinal embraced Annex 11 as defining requirements for
products were adopted: the use of Computerised Systems in regulated
GxP environments
•D
irective 2003/94/EC laying down
the principles and guidelines of good Figure 2 - Relationship between Annex 11 and the EudraLex
manufacturing practice in respect of medicinal volumes and chapters.
products for human use and investigational
medicinal products for human use EudraLex Volume 1: EudraLex Volume 5:
Pharmaceutical Legislation Pharmaceutical Legislation
•D
irective 91/412/EEC laying down Medicinal Products for Medicinal Products for
Human Use Veterinary Use
the principles and guidelines of good
manufacturing practice for veterinary
medicinal products
Directive 2003/94/EC Directive 91/412/EEC
These Directives are the focus of EudraLex Volume
4, which contains guidance for the interpretation
of the principles and guidelines of GMP. Although
Volume 4 is not legislation in and of itself, the
European Commission has stated that the guide EudraLex Volume 4:
to GMP will be used in assessing applications for Guide to GMP
manufacturing authorizations and as a basis for
inspection of manufacturers of medicinal products.
Chapter 4:
EudraLex Volume 4 consists of three Parts Documentation
and a series of nineteen Annexes. Within Part
1, guidelines pertaining to Documentation are
presented in Chapter 4. Moreover, Annex 11 Annex 11:
Computerised Systems
includes guidelines for the use of computerised
5
Where 21 CFR Part 11 & Annex 11 Meet
Figure 3 – Components of a Computerized System The focus of Annex 11 is broad and covers
in its Operating Environment.
covers e-records, e-Signatures, and entire
computerised systems. Annex 11 is structured
with the following sections:
Operating Environment
• Principle
• General
Computerized System • Risk Management
• Personnel
• Suppliers and Service Providers
Computer Controlled
System Process • Project Phase
• Validation
Hardware Operating • Operational Phase
(Physical or Procedures and
Virtual) Trained People • Data
• Accuracy Checks
Controlled • Data Storage
Software
Equipment
• Printouts
• Audit Trails
• Change and Configuration Management
• Periodic Evaluation
• Security
Electronic Records,
Electronic Signatures • Incident Management
• Electronic Signature
• Batch release
• Business Continuity
• Archiving
6
Where 21 CFR Part 11 & Annex 11 Meet
• Computerized systems that are used to create/manage electronic records must be validated.
• Persons must be qualified to perform tasks within computerized systems that are used to create/
manage electronic records.
• Persons must be authorized to access computerized systems that are used to create/manage
electronic records.
• Electronic records (data) should be protected and should be readily retrievable throughout the
required retention period. It should be possible to obtain legible, printed copies of electronic data.
• Audit trails should capture the creation, change, or deletion of an electronic record.
• Electronic records may be signed electronically. Electronic signatures are understood to be equally
binding as handwritten signatures. Electronic signatures should be linked to their respective
electronic record.
In Table 1, Annex 11 guidelines are mapped to 21 CFR Part 11 requirements. This highlights the areas
where Annex 11 intersects 21 CFR Part 11.
7
Where 21 CFR Part 11 & Annex 11 Meet
8
Where 21 CFR Part 11 & Annex 11 Meet
User Requirements
Specifications (URS):
• Required functions of
computerised system
• Based on risk assessment
and GMP impact
• Traceable
Development
• Ensure computerised system
has been developed in
accordance with appropriate
quality management system
Customized Computerised
Systems
Formal assessment and
reporting of quality and
performance measures
Data migration
(transferring data to
another format or system)
• Checks to ensure data
remains unaltered during
migration process
9
Where 21 CFR Part 11 & Annex 11 Meet
6. Accuracy Checks Critical data entered 11.10 (h) • Use of device checks.
manually 11.30 • Controls for open systems
• Additional checks (manual or to ensure the authenticity,
electronic) on accuracy integrity, and,
of data the confidentiality of
• Risk management for electronic records.
criticality and potential
consequences of erroneous
or incorrectly entered data
7, Data Storage • Physical and logical security 11.10 (c) • Protection of records
of data to enable their retrieval
• Regular verification of throughout the
stored data retention period.
• Access to data throughout
the retention period
• Regular back-ups of data
• Verification of back-up data
10
Where 21 CFR Part 11 & Annex 11 Meet
12. Security • Physical and logical controls 11.10 (d) • Limiting system access to
to restrict system access 11.10 (e) authorized individuals.
authorized persons 11.10 (g) • Use of secure, computer
• Methods of preventing 11.10 (k)(1), (2) generated,
unauthorized entry (Keys, 11.200 time-stamped audit trails to
Pass cards, Personal codes 11.300 record the date and time of
with passwords, Biometrics) operator entries and actions
• Extent of controls based on that create, modify, or delete
criticality of system electronic records.
• Record of the creation, • Use of authority checks.
change, and cancellation of • Systems documentation:
access authorisations Controls for distribution,
• Record of the identity, access and use of
date and time of operators documentation for system
entering, changing, operation and maintenance;
confirming or deleting data Document revision and
change control.
• Electronic signature
components and controls.
• Controls for identification
codes/passwords.
11
Where 21 CFR Part 11 & Annex 11 Meet
15. Batch Release Periodic evaluation of 11.10 (g) • Use of authority checks.
computerised systems
• Only Qualified Persons
• Clearly identify and record
person releasing or certifying
the batches
• Done by electronic signature
16. Business Continuity No equivalence No equivalence No equivalence
12
Where 21 CFR Part 11 & Annex 11 Meet
13
Where 21 CFR Part 11 & Annex 11 Meet
14
Where 21 CFR Part 11 & Annex 11 Meet
System does not have a built-in user authentication process. Integrate the system with a third-party user authentication and
management system. Validate this system integration.
Underlying infrastructure is not qualified. For on-premise systems: qualify the infrastructure.
For cloud-based systems: perform a supplier assessment to
evaluate the capabilities of the supplier.
15
Where 21 CFR Part 11 & Annex 11 Meet
16
Where 21 CFR Part 11 & Annex 11 Meet
17
Where 21 CFR Part 11 & Annex 11 Meet
18
Where 21 CFR Part 11 & Annex 11 Meet
19
Where 21 CFR Part 11 & Annex 11 Meet
20
Where 21 CFR Part 11 & Annex 11 Meet
21
Where 21 CFR Part 11 & Annex 11 Meet
Upon analysis of Part 11 and Annex 11, the following controlled processes are essential for achieving
and maintaining compliance. Policies, Procedures and/or Work Instructions should be followed
for each.
22
Where 21 CFR Part 11 & Annex 11 Meet
Although the responsibility for compliance with regulations governing computerized systems lies
with the regulated company, the cloud-service provider may have considerable involvement in
the process. The relationship between a cloud-service provider and a regulated company will vary
significantly depending upon the product, application, or service being provided.
Cloud-service provider are expected to operate within a Quality Management System (QMS).
Quality planning should define the activities, procedures, deliverables, and responsibilities for
establishing delivery and monitoring of the service. Such a plan is a contractual document, and as
such, should be approved for use by both the supplier and the regulated company. The required
information may be satisfactorily covered by other contractual documents such as a Service Level
Agreement or Quality Agreement. However, the final responsibility lies with the regulated company
to ensure that the shared responsibility between the supplier and the regulated user satisfactorily
complies with the governing regulations. The regulated user may ensure the effectiveness of
controls in the supplier’s QMS by performing periodic audits or leveraging the documents provided
by the supplier after being periodically audited by independent third-party auditors.
23
Where 21 CFR Part 11 & Annex 11 Meet
Conclusion
Annex 11 and 21 CFR Part 11 are fundamentally different in legislative authority. Annex 11 is a
guideline that should be strictly observed in order to be compliant, whereas 21 CFR Part 11 is law.
It follows that Annex 11 is interpretive while 21 CFR Part 11 is explicit. Despite these differences,
some organizations may need to comply with both these regulatory directives. By ensuring that
the system meets 21 CFR Part 11 requirements and by applying a risk-based approach to system
validation such as the approach outlined within GAMP® 5, the requirements set forth within
Annex 11 can be demonstrated as being met by the system.
References
Ref. [1] EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4, Good
Manufacturing Practice, Medical Products for Human and Veterinary Use, Annex 11: Computerised
Systems, 2011.
Ref. [2] U.S. Food and Drug Administration, Code of Federal Regulation, Title 21 Part 11: Electronic
Records; Electronic Signatures, 1997.
Ref. [3] ISPE, GAMP 5 - A Risk-Based Approach to Compliant GxP Computerized Systems, 2008.
Ref. [4] U.S. Food and Drug Administration, Guidance for Industry: Part 11, Electronic Records;
Electronic Signatures – Scope and Application, 2003.
Ref. [5] Pharmaceutical Engineering, ISPE GAMP COP Annex 11 Interpretation, July/August 2011.
Glossary
Acronym Definition
CFR Code of Federal Regulations
COTS Commercial off-the-shelf
EU European Union
FDA Food and Drug Administration
GMP Good Manufacturing Practice
A general term for Good (x) Practice quality guidelines and regulations, where (x) is a placeholder such as:
C: Clinical
GxP D: Distribution
L: Laboratory
M: Manufacturing
IT Information Technology
US(A) United States (of America)
PIC/S The Pharmaceutical Inspection Co-operation Scheme
ISPE International Society for Pharmaceutical Engineering
GAMP Good Automated Manufacturing Practice
24
Where 21 CFR Part 11 & Annex 11 Meet
About Montrium
Montrium is a knowledge-based company that leverages a deep understanding of GxP processes
and technologies to provide cost-effective solutions to life science organizations� Montrium’s
industry leading platform Montrium Connect, offers a truly collaborative and compliant document
and quality management environment in the cloud�
Our team is composed of seasoned engineers and scientists who have extensive experience in
the life sciences� Montrium is committed to investing in innovation to build dynamic, powerful and
intuitive solutions which enable our clients to improve their operational processes�
For more information about Montrium’s products and services please visit www�montrium�com
25