Wolfgang Winter
T
he electronic records and Neither Part 11 itself nor any
electronic signatures previous guidance documents
(ERES) rule, 21 CFR differentiated between systems with
Part 11 (Part 11), became high risk to product quality and
effective in 1997. It was safety, such as chromatographic data
intended to protect public health systems used for QC analysis of final
while enabling the use of drugs, and low risk systems such as
technology unavailable when the word processors used to generate a
original predicate rules (the GxPs) laboratory SOP. In some cases,
were developed. Part 11 defines a companies decided against the use
framework for the technical and of new technologies and kept paper-
behavioral controls that must exist based systems just to avoid ERES.
in order for electronic records and For instance, the implications of the
electronic signatures to become the guidance on “Maintenance of
legally binding equivalent of Electronic Records” (1) and
traditional paper records and “Electronic Copies of Electronic
handwritten signatures. Records” (2) raised serious concerns DIGITAL VISION (WWW.DIGITALVISION.COM)
because the required technology to
fulfill those requirements is not 2002 (6), the FDA announced the
PRODUCT FOCUS: ALL FDA- always available. In some cases, the reexamination of Part 11 (7) and
REGULATED PRODUCTS MADE USING estimated cost outweighs the added published a new draft guidance,
CHROMATOGRAPHY DATA SYSTEMS AND value. withdrawing the previous guidance
LABORATORY INFORMATION It has been extremely difficult for documents (1, 2, 8–11).
MANAGEMENT SYSTEMS the industry (and its suppliers) to
find a correct balance between A RISK-BASED
PROCESS FOCUS: VALIDATION, doing just enough and doing too APPROACH TO CGMP
REGULATORY COMPLIANCE, METHOD much (3), so industry groups began In August 2002, the FDA
AND PROCESS DEVELOPMENT, QA/QC to work on concrete and pragmatic announced an initiative to merge
implementation plans for Part 11 science-based risk management with
WHO SHOULD READ: IT, METHOD compliance. For example, the an integrated quality systems
AND PROCESS DEVELOPMENT,
Parenteral Drug Association (PDA) approach (6). This risk-based
MANUFACTURING, AND QA/QC
and the Good Automated approach will help the industry,
PERSONNEL
Manufacturing Practice (GAMP) industry suppliers, and regulatory
KEYWORDS: 21 CFR PART 11, Forum developed valuable agencies focus resources on critical
CHROMATOGRAPHY DATA SYSTEMS guidelines for implementing Part issues for public health and
(CDS), COMPUTER NETWORK 11, such as Good Electronic consumer safety, while adopting
INFRASTRUCTURE, QUALIFICATION Records Management (GERM) and innovations made in pharmaceutical
the GAMP4 guide published by the engineering.
LEVEL: BIOTECH BASICS ISPE (4, 5). In line with a new Assessment versus Management:
cGMP initiative launched in August Practical guidelines for conducting
34 BioProcess International JULY 2003
risk assessments have been published Ludwig Huber recently published
in appendix M3 of the GAMP4 a helpful guidebook on the
guide (5). However, it is important development of risk management
to note that risk assessment is very master plans (12). Enforcement
different from risk management. discretion does not
The goal of risk assessment is IS SOFTWARE A GXP mean that
analysis and qualification ELECTRONIC RECORD?
(evaluation) of risks viewed from a The ISPE submitted a white paper TECHNICAL
specific angle, such as risk for the on a risk-based approach to C O N T R O L S for
consumer and commercial risk to a computer system validation to the audit trails or
business. FDA in December 2002 (13). The
Risk assessments result in a “risk paper was based on concepts
processes and
register” along with a classification emphasized by the FDA’s new procedures for
of each particular risk. The cGMP initiative. This white paper record retention
classification typically assigns a risk appears to have triggered (or at least are no longer
severity based on its impact (high, accelerated) the process for issuing required.
medium, or low impact on the the new draft guidance on Part 11.
effort required to meet the defined The paper concluded that internal
objective) and its probability of system information not identified by
occurring (high if the probability is any predicate rule was likely to be of benefit, as well as discouraging firms
greater than 60%, low if is less than low impact. In this case, it was from adopting innovative
10%). acceptable not to have additional technological solutions” (13).
The task of risk management is to Part 11 controls for those records
define how identified risks can be provided that adequate procedures ENFORCEMENT VERSUS
controlled and minimized or were in place and the required paper ENFORCEMENT DISCRETION
compensated, as shown in the records were kept. In its new guidance, the FDA
following box: It should be noted that reemphasizes requirements for
compliance policy guide (CPG) records mandated by the predicate
7132a.11, CGMP Applicability to rules. The new draft guidance
RISK MANAGEMENT Hardware and Software, is still in defines no new Part 11
effect. It explicitly mandates that requirements, but it suggests that
Risk management typically asks software be considered as a GxP fewer records will be considered
the following questions: electronic record: “Where a subject to Part 11. Clearly, the
What are the risks, how do they computer system is performing a intent is to redirect the focus to
affect us, and how do we function covered by the cGMP critical aspects for product quality
manage them? regulations then, in general, and public health, which remain
hardware will be regarded as governed by predicate rules such as
Risk Triggers: Risk Mitigation: equipment and applications software GCP, GLP, and cGMP. The final
What is the What are we will be regarded as records” (14). guidance (expected some time after
trigger for us to doing now to The authors of the white paper May 2003) is likely to result in less
change the risk avoid or reduce strongly opposed an existing emphasis on the technically complex
severity (mitigate) the interpretation that software be and validation-intensive aspects of
classification? risk? considered GxP electronic records audit trails, time-stamps, record
that are subject to Part 11. The retention, and record copying,
What will we do if the risky authors viewed this as unnecessary especially for systems that were put
situation occurs? mostly because industry (in in place before Part 11 became
Risk Contingency Plans: collaboration with the FDA) had effective (so-called “legacy”
What actions will we take if the already developed “approaches for systems).
risk is triggered? dealing with hardware and software The new guidance will narrow
in the GxP environment based on the interpretation scope for Part 11.
The risky situation occurred — validation of systems, configuration At the same time, the agency
management, change control, and intends to “exercise enforcement
how do we deal with it?
adequate procedures and plans for discretion with respect to certain
What actions do (did) we take?
maintaining the validated state. Part 11 requirements” such as
What is the impact of the risky
These approaches have been widely “validation, audit trails, record
situation so far?
adopted and very successful in retention, and record copying” (7),
meeting GxP requirements. areas where extraordinary efforts
Considering software as GxP were made, resulting in enormous
electronic records has little practical
JULY 2003 BioProcess International 35
Figure 1: Distributed networked data system with instrumentation connected to the local
area network (LAN) and a central database server (GRAPHIC REPRODUCED WITH PERMISSION FROM • Records required to be
AGILENT TECHNOLOGIES). maintained by the predicate rule
and maintained in electronic format
and paper format, when electronic
records are relied on to perform
regulated activities (such as
quantification results from a
chromatography sequence leading
to the release of a production batch)
• Records electronically
submitted to the FDA under the
predicate rules (such as clinical
study protocols)
• Electronic signatures intended
to be equivalent to handwritten
signatures, initials, and other general
signings required by predicate rules
(such as electronic signatures to
sign-off data entry changes for
samples, sequence information,
technical complexity with little • System validation methods, and calculations in a
return. Enforcement discretion does • System access limited to chromatography data system).
not mean that technical controls for authorized individuals Records no longer subject to Part 11
audit trails or processes and • Operational system checks include the following:
procedures for record retention are • Authority checks • Records that are maintained in
no longer required. Companies • Device checks electronic format but that are not
must base their decision whether to • Determination that persons required by any predicate rule
implement a certain control on a who develop, maintain, or use (instrument diagnostics files,
justified and documented risk electronic systems have the presentations or business reports)
assessment along with the education, training, and experience • An electronic record that is not
consideration of the record required to perform their assigned tasks itself submitted and is not required
by the corresponding predicate • Accountability for signatures. to be maintained by a predicate rule
rules. but is used in generating a
The new draft guidance strongly REQUIREMENTS RELATED submission (a batch file or script for
emphasizes the importance of TO ELECTRONIC SIGNATURES collating the submission package for
record requirements outlined in the Areas now designated for a new drug application from the
predicate rules, especially regarding “enforcement discretion” are Part individual source documents).
their impact on product quality. 11-specific requirements: e-audit An important question is whether
This means specifically that key trails, validation, record an electronic record kept in addition
technical controls for access security, maintenance, and e-copies with no to a paper record will be subject to
operational system and device or low impact on product quality Part 11 requirements. The answer is
checks, open system controls, and according to documented risk yes, if the electronic record is relied
electronic signatures are still assessment and Part 11 enforcement on to perform regulated activities.
required along with appropriate staff for legacy systems (those installed The FDA may take business
training, documentation, and before 2 August 1997). practices into account to determine
change control. Some predicate Records subject to Part 11 include whether an electronic record is used
rules (such as GCP and GLP) the following: instead of a paper record. It is
explicitly require audit trails for • Records required to be therefore recommended to
traceability of changes when users maintained by the predicate rule determine and document in advance
can create, modify, or delete maintained in electronic format in whether the electronic record or the
regulated records during normal lieu of paper records (examples paper record will be used to
operation. include original observations; perform regulated activities.
The majority of original Part 11 instrument raw data laboratory Networked or chromatography data
technical controls will continue to worksheets; instrument calibration systems (NDS, CDS), laboratory
be enforced for records that are records; metadata to prove that the information management systems
subject to Part 11. Therefore, the specified sampling, testing, and (LIMS), and enterprise resource
following elements are still required inspection procedures were actually planning (ERP) systems manage
and enforced by the new guidance: carried out; test results of materials critical decision-support data and
and bulk and finished products) continue to be in the limelight for
36 BioProcess International JULY 2003
GxP enforcement. The examples for the resulting user Operational checks are still
trustworthiness and reliability of the requirements. As illustrated, the required to enforce the permitted
data managed by these systems is following key Part 11 requirements sequencing of steps, for example, for
highly dependent on efficient have not changed at all: results review and results approval.
technical controls that ensure access System access must be limited to Electronic signature requirements
security, data integrity, and authorized personnel, and the have not changed with the new
traceability. Figure 1 shows the system needs to perform authority guidance.
conceptual structure of a networked checks where appropriate.
data system with instruments Appropriate technical controls need METADATA: THE IMPORTANCE OF
directly connected to the local area to ensure that “impersonation” by LEVEL-4 INSTRUMENT CONTROL
network (LAN). ordinary means is prevented. In Electronic records generated by an
modern systems, this is analytical instrument are reliable and
TECHNICAL CONTROLS FOR PART 11 implemented based on the security trustworthy only if the
In the following section, key Part mechanisms (security policies) of the communication between the
11 requirements are detailed in underlying operating system to instrument and a system controller
reference to the new draft guidance, easily align access control to the is reliable and trustworthy.
along with a number of examples of CDS with general IT practices. A regulatory agency may ask for
the resulting user requirements for Device checks continue to be a documented evidence of instrument
data systems to be deployed in key mechanism for ensuring the parameters for acquiring raw data,
analytical laboratories operating validity of the data source (source of for example in a pharmaceutical
under GxP and Part 11. Examples input). Level-4 instrument control quality control laboratory for testing
are provided from the perspective of (15–18) available with some NDSs finished drug products. If a
chromatography data systems. implements this requirement company relies on the electronic raw
Figure 2 identifies the key Part effectively and efficiently. data to perform “regulated
11 requirements and provides activities” such as QA/QC testing
Figure 2: Required technical controls (blue ellipses) for Part 11-compliant systems and examples (white boxes) of resulting user requirements.
ILLUSTRATION BY C.A. SCOTT
NETWORK MONITORING
AND NETWORK QUALIFICATION
Client-server data systems are
proliferating in regulated laboratories
and manage large amounts of critical
data. It is obvious that the operation
and qualification of the network
infrastructure needs to be an integral
NovaSeptum Autoclavable
Sampling Unit
www.novaseptic.com
Circle Reader Service No. 127