21 CFR Part 11

Rules for complying with

the rules
Marilyn M. Marshall QAO
Office of the Vice-President for Research
Lindy Brigham
March 30, 2006

The Rules

The rules and your lab

The rules and your business
The rules
Your role in interpreting the rules

Rules and Research Labs

Good research requires good

laboratory practices
Ho, experimental design, proceedures
Equipment maintenance
Employee training
Data Collection
Record keeping

Rules and Business

The same concepts apply to industry

research PLUS

Safety issues for consumers

Efficacy expectations

But the time and money constraints are very

different in industry
From industrys perspective, it is a big
challenge to understand how it can combine
compliance with improving business
performance

The Business of Compliance

How you bring new products to market, how

you produce your existing product offerings
and how you maintain your competitive
advantage will all be impacted by the
timeliness of your reaction to 21CFR11.
The drama will be played-out in both the
medicine cabinets of consumers and in the
boardrooms of Wall Street.
21CFR11 & Better Business Practices: Moving Beyond Compliance by Robert Yeager,
President, Intellution Inc.

Intellution wants YOUR business

The FDA tells you that you MUST comply

with 21CFR11

Intellution shows you why youll WANT TO

comply

Compliance Requirements

Record keeping
Submissions to the Regulatory
Agencies to show compliance
The Government Paperwork
Elimination Act

The Government Paperwork

Elimination Act

The focus of the GPEA is to promote the

doing of business electronically, with the
public and otherwise.
The GPEA (P.L. 105-277) took effect on
October 21, 1998.
Under the GPEA persons required to submit
information to the government, or maintain
information, must be given the option to do
so electronically when practicable.

21 CFR Part 11

21 CFR 11 defines the criteria under

which the FDA will accept electronic
records and electronic signatures as
equivalent to paper-based records and
handwritten signatures.
ERES Everybody Run, Everybody
Scream

Intent

The 21 CFR 11 criteria are designed

to:

prevent accidental alterations to

electronic records
deter deliberate falsification
and help detect such changes when they
do occur.

Subpart A scope, implementation,

definitions
Subpart B electronic records
Subpart C electronic signatures

Scope

applies to records in electronic form that are

created,

modified,

maintained,

archived,

retrieved, or

transmitted, .

under any records requirements set forth in

agency regulations

Electronic Record

any combination of text, graphics,

data, audio, pictorial, or other
information in digital form that is
created, modified, maintained,
archived, retrieved, or distributed by a
computer system

Electronic Signature

a computer data compilation of any

symbol or series of symbols executed,
adopted, or authorized by an individual
to be the legally binding equivalent of
the individuals handwritten signature

Applicability of 21CFR11

Is the record or signature electronic?

Is the record or signature required by
an existing FDA regulation (predicate
rule), or by an SOP
Is the record or signature for
submission to the Agency, or in
support of that submission?

Predicate Rules

Any requirements set forth in the Act (Federal Food,

Drug and Cosmetic Act), the PHS Act (Public Health
Service Act), or any FDA regulation (GxP: GLP,
GMP, GCP, etc.).
The predicate rules mandate what records must be
maintained; the content of records; whether
signatures are required; how long records must be
maintained, etc.
If there is no FDA requirement that a particular
record be created or retained, then 21 CFR Part 11
most likely does not apply to the record.

The term Predicate Rule is NOT

used in the 21 CFR Part 11 Final Rule.

The term Predicate Rule is used in

the Part 11 Guidance for Industry
document(s)

Your role in interpreting the rules

The FDA has acknowledged that a one size

fits all interpretation of regulations, such as
21FCR11, is not feasible.
The onus of regulatory interpretation is on
the organization being regulated
Organizations must now justify their course
of action based on their interpretation of the
regulations, as well as any risk associated
with those actions

Are you in compliance?

Risk-Based Assessment

Definition of Risk (IEEE)

A measure of the probability and

severity of undesired effects, often
as the simple product of probability
and consequence.

Definition of Risk Assessment

A systematic evaluation of the risk of a

process by determining

what can go wrong (risk identification)

how likely is it to occur (risk estimation)

and what the consequences are.

Part 11
Scope and Application Guidance
We (FDA) recommend that you base your approach
on a justified and documented risk assessment
and a determination of the potential of the system
to affect product quality, safety, & record integrity.

Part 11
Scope and Application Guidance
We (FDA) suggest that your decision
on how to maintain records be based on
predicate rule requirements and on a
justified and documented risk assessment and
a determination of value of the records over time.

Good Practices For Computerised Systems

In Regulated GXP Environments

A risk-based approach is one way to

demonstrate that you have applied a
controlled methodology, to determine the
degree of assurance that a computerised
system is fit for its intended purpose.

Consequences (Severity) of Risk

If a system should fail to be fit for its intended use,
what would be the impact:

Public Health and Safety Death, Injury, Illness

Product Quality and Safety Adulteration, Defective

Compliance Warning Letter, 483, Study Non-compliance

Business Continuation Out of Business, Loss of Business

Operation Delay of project, Operator frustration

Risk Impacts

Critical/ Non-critical

Low/ Medium/ High

Defined and Quantifiable number (e.g. 1-3 or 1-10)

Examples of Systems
High Risk:

Manufacturing Batch Records

Patient Records

Laboratory Test Results

LIMS and QA systems

Low Risk:

Environmental Monitoring Records (not affecting

product quality)

Training Records

Master Schedule System

Methods of Determining Risk

High Level Risk
Failure of the system

May cause harm to patients, and there is no correction possible

Has significant impact on business operations for several days

Medium Level Risk

Failure of the system

Can cause harm to patients, but the failure is likely to be able to be corrected

Has potential impact on business operations for a few days

Low Level Risk

Failure of the system

Will not cause harm to patients

Will cause negligible impact to business operations

Methods of Determining Risk

Probability

Impact

Low

Low

Medium

High

Medium

High

Methods of Determining Risk

Failure Mode Effects Analysis (FMEA) Type Method
Severity

3 = High Impact

2 = Medium Impact

1 = Low Impact

Occurrence

3 = High Probability of Occurring

2 = Medium Probability of Occurring

1 = Low Probability of Occurring

Detection

3 = High Probability of Going Undetected

2 = Medium Probability of Going Undetected

1 = Low Probability of Going Undetected (Failure will be easily detected)

Methods of Determining Risk

Risk Value = Severity X Occurrence X Detection

e.g. High Severity X High Occurrence X Low Chance of Detection (High Risk)
Risk Value = 3 X 3 X 3 = 27
Med Severity X Med Occurrence X Low Chance of Detection (High Risk)
Risk Value = 2 X 2 X 3 = 12
Low Severity X Low Occurrence X High Chance of Detection (Low Risk)
Risk Value = 1 X 1 X 1 = 1
Med Severity X High Occurrence X High Chance of Detection (Low Risk)
Risk Value = 2 X 3 X 1 = 6

This Methods Makes It Easier To Prioritize &

Clearly Identifies The Higher Risk Systems!

Evaluating Risk Factors

Need for Validation:

High Level Risk Assessment

Major Functionalities of the System

Identified Associated Risk

Extent of Validation:

More Detailed Assessment

Sub-functions and User Requirements

Impact of Risk related to those Functions

Need and Extent of Audit Trail:

Impact of Risk Resulting from Accidental or Intentional Adverse Events

Traceability and Integrity of Records

Method of Record Retention:

Impact from Loss of Record vs. Impact on Record Retrievability (by not using
electronic capabilities).

Examples of Justification of Risk Factors

Risk to Human Health & Safety = Low

<Company> is not involved in the analysis of final drug or

biological product, drug substance, active pharmaceutical
ingredients (APIs), or in the final testing of medical device
performance or combination products. The direct risk to human
health and safety therefore is determined to be minimal.

Examples of Justification of Risk Factors

Part 11 Applicability = Low

<> has identified the hardcopy paper records as the primary raw
data. Only in cases where reprocessing is necessary will the
electronic raw data file be used. Electronic records maintained
in non-instrument related databases (e.g. sample tracking
system, sample labeling, training documentation) are entered
from original paper documentation which is maintained and
archived in secure facility files.

Examples of Justification of Risk Factors

Risk of Data Corruption = Low

The risk and probability of unintentional corruption of electronic

records is considered to be low based on the level of education,
skill, and training of the staff. Computerized systems are
qualified and validated to assure proper performance of the
system for its intended use. In most cases, paper records are
available for the reconstruction of the data.

References
Guidance for Industry
Part 11, Electronic Records; Electronic Signatures Scope and Application,
CDER, August 2003
www.fda.gov/cder/guidance/5667fnl.pdf
Guidance for Industry
Quality Systems Approach to Pharmaceutical Current Good Manufacturing Practice Regulations
DRAFT, September 2004
www.fda.gov/cber/gdlns/qualsystem.pdf
Good Practices For Computerised Systems In Regulated GXP Environments
PIC/S GUIDANCE PI 011-21 July 2004
www.picscheme.org/BAK/docs/pdf/PI%20011-2%20Recommendation%20on%20Computerised%20Systems
.pdf
FDA Glossary of Computerized System and Software Development Terminology
www.fda.gov/ora/inspect_ref/igs/gloss.html
The Impact of the Guidance for Industry Part 11 , Electronic Records, Electronic Signatures
Scope and Application White Paper, Robert J. Finamore CSSC, Inc Sept 4, 2003
www.csscinc.net/company/Impact%20of%20New%20Part%2011%20Guidance.pdf
ISPE Risk-Based Approach to 21 CFR Part 11
www.ispe.org/Template.cfm?
Section=Search&CONTENTID=9020&TEMPLATE=/ContentManagement/ContentDisplay.cfm

References (cont)
Guidance for Industry
Part 11, Electronic Records; Electronic Signatures Scope and Application,
CDER, August 2003
www.fda.gov/cder/guidance/5667fnl.pdf
Guidance for Industry
Quality Systems Approach to Pharmaceutical Current Good Manufacturing Practice Regulations
DRAFT, September 2004
www.fda.gov/cber/gdlns/qualsystem.pdf
Good Practices For Computerised Systems In Regulated GXP Environments
PIC/S GUIDANCE PI 011-21 July 2004
www.picscheme.org/BAK/docs/pdf/PI%20011-2%20Recommendation%20on%20Computerised
%20Systems.pdf
FDA Glossary of Computerized System and Software Development Terminology
www.fda.gov/ora/inspect_ref/igs/gloss.html
The Impact of the Guidance for Industry Part 11 , Electronic Records, Electronic Signatures
Scope and Application White Paper, Robert J. Finamore CSSC, Inc Sept 4, 2003
www.csscinc.net/company/Impact%20of%20New%20Part%2011%20Guidance.pdf
ISPE Risk-Based Approach to 21 CFR Part 11
www.ispe.org/Template.cfm?
Section=Search&CONTENTID=9020&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Risk Management

Risk Assessment - Assess Potential Risks and Consequences

Risk Identification Identify the Potential Risks

Risk Estimation Determine the Likelihood that the Risk will Occur

Risk Impact Determine the Potential Impact of the Risk

Risk Detection Determine the Detectibility of the Risk

Risk Classification Define & Quantify Risk Level

Risk Analysis Determine Cost/Benefit Analysis

Risk Mitigation/Avoidance Determine Risks which can be Lessened or

Avoided

Risk Strategy - Determine and Document Strategies for Managing Risk

Risk Monitoring Monitor Changes, New Risks, Risk Levels & Update
Risk Plans