Q. I'm looking at complying to regulations, in order to validate some lab software collecting data from an ICP. Anyone have any ideas on attacking this? The software claims to be "part 11 capable" but it's pretty soft. E-sigs are 'loose' and audit trails are also 'loose'. For something like this do you feel attaching a risk assessment to each part of the regs to determine what level of testing to perform?
A. The reality is that with the 2003 Scope and Appplication guidance introducing a risk-based approach to e-records, the ability to use digital, electronic or no signatures (the latter being conditional on predicate rule requirements) and with the risk-based approach in Annex 11, taking anything other than a risk-based approach makes no sense.
You should therefore conduct a risk assessment against each of the applicable parts of Part 11, and also for each applicable records and signatures. The latter because the risks impact associated with different records/signatures may well be different (in terms of risk to the subject and subsequent risk to the wider patient population) and also because different technical controls may be applied to different areas of the system.
This will allow you to assess the risk impact, likelihood and detectability for each record/signature and to determine whether the in-built controls are appropriate to the risk. If they are not you can either find alternative solutions e.g. print out the records and sign them, or validate a process to copy data/records to an external, secure system and signing them there or introducing additional procedural controls. If there are no alternative control that are acceptable then you may well need to be looking at an alternative piece of software.
Showing posts with label Annex 11. Show all posts
Showing posts with label Annex 11. Show all posts
Thursday, August 23, 2012
Wednesday, August 22, 2012
When are e-Signatures Required?
We answer a lot of questions submitted to us by e-mail or in various on-line groups. We thought that some of these deserve a wider audience, so from now on we're going to publish the best questions (and answers) here on the Life Sciences Blog.
Q. I had a question regarding 21 CFR Part 11 Electronic records. If a system has electronic records but no electronic signature but does contain the Audit trail does it mean that each record that is created within the system has to be printed in hard copy and signed so as to associate that record with the signature.
A. The fact the system has an Audit trail which links the user name and action on that records is sufficient enough to meet the 21 CFR Electronic Records criteria. If the record requires no signature (either explicit or implied from a predicate rule perspective) then there is no need to print and sign anything (either copies of the record or the audit trail).
The (secure) recording of what, (optionally who) and why (inferred from the transaction) will be sufficient to demonstrate compliance with the predicate rule.
A good example would be a training record. The predicate rule does not require training records to be signed, but you would still want to record what (training was undertaken), who (who was trained) and why (the training topic or syllabus). Even though an audit trail would be maintained for the training record, there would be no need to print and sign it because the predicate rule requires no signature.
Tuesday, September 20, 2011
GAMP® Conference: Cost-Effective Compliance – Practical Solutions for Computerised Systems
A very interesting and useful conference held here in Brussels over the past two days, with a focus on achieving IS compliance in a cost effective and pragmatic way. It's good to see ISPE / GAMP® moving past the basics and getting into some more advanced explorarations of how to apply risk-based approaches to projects and also the operational phase of the system life cycle.
There was understandably a lot of discussion and highlighting of the new Annex 11 (Computerised Systems), with many of the presenters tying their topics back to the new guidance document, which has now been in effect for just two and a half months.
One of the most interesting sessions was when Audny Stenbråten, a Pharmaceutical Inspector of the Norwegian Regulator (Statens Legemiddelverk) provided a perspective of Annex 11 from the point of view of the regulator. It was good to see an open approach to the use of pragmatic risk-based solutions, but as was highlighted throughout the conference, risk-based approaches require a well-documented rationale.
Chris Reid of Integrity Solutions presented a very good session on Managing Suppliers and Service Providers and Tim Goossens of MSD outlined how his company is currently approaching Annex 11.
Siôn Wyn, of Conformity, provided an update on 21 CFR Part 11, which was really ‘no change’. The FDA are continuing with their add-on Part 11 inspections for the foreseeable future, with no planned end date and no defined plans on how to address updates or any changes to Part 11.
On the second day, after yours truly presented some case studies on practical risk management in the Business & Decision Life Sciences CRO and our qualified data center, Jürgen Schmitz of Novartis Vaccines and Diagnostics presented an interesting session on how IT is embedded into their major projects.
Mick Symonds of Atos Origin presented on Business Continuity in what I thought was an informative and highly entertaining presentation, but which was non-industry specific and was just a little too commercial for my liking.
Yves Samson (Kereon AG) and Chris Reid led some useful workshops looking at the broader impacts of IT Change Control and the scope, and scalability of Periodic Evaluations. These were good, interactive sessions and I’m sure that everyone benefitted from the interaction and discussion.
In the final afternoon René Van Opstal, (Van Opstal Consulting) gave an interesting presentation on aligning project management and validation and Rob Stephenson (Rob Stephenson Consultancy) presented a case study on Decommissioning which, although it had previously been presented at a GAMP UK meeting, was well worth airing to a wider audience.
All in all it was a good couple of days with some useful sessions, living up to its billing as suitable for intermediate to advanced attendees. On the basis of this session I’d certainly recommend similar sessions to those responsible for IS Compliance in either a QA or IT role and I’m looking forward to the next GAMP UK meeting, and to presenting at the ISPE UK AGM meeting and also the ISPE Global AGM meeting later in the year.
There was understandably a lot of discussion and highlighting of the new Annex 11 (Computerised Systems), with many of the presenters tying their topics back to the new guidance document, which has now been in effect for just two and a half months.
One of the most interesting sessions was when Audny Stenbråten, a Pharmaceutical Inspector of the Norwegian Regulator (Statens Legemiddelverk) provided a perspective of Annex 11 from the point of view of the regulator. It was good to see an open approach to the use of pragmatic risk-based solutions, but as was highlighted throughout the conference, risk-based approaches require a well-documented rationale.
Chris Reid of Integrity Solutions presented a very good session on Managing Suppliers and Service Providers and Tim Goossens of MSD outlined how his company is currently approaching Annex 11.
Siôn Wyn, of Conformity, provided an update on 21 CFR Part 11, which was really ‘no change’. The FDA are continuing with their add-on Part 11 inspections for the foreseeable future, with no planned end date and no defined plans on how to address updates or any changes to Part 11.
On the second day, after yours truly presented some case studies on practical risk management in the Business & Decision Life Sciences CRO and our qualified data center, Jürgen Schmitz of Novartis Vaccines and Diagnostics presented an interesting session on how IT is embedded into their major projects.
Mick Symonds of Atos Origin presented on Business Continuity in what I thought was an informative and highly entertaining presentation, but which was non-industry specific and was just a little too commercial for my liking.
Yves Samson (Kereon AG) and Chris Reid led some useful workshops looking at the broader impacts of IT Change Control and the scope, and scalability of Periodic Evaluations. These were good, interactive sessions and I’m sure that everyone benefitted from the interaction and discussion.
In the final afternoon René Van Opstal, (Van Opstal Consulting) gave an interesting presentation on aligning project management and validation and Rob Stephenson (Rob Stephenson Consultancy) presented a case study on Decommissioning which, although it had previously been presented at a GAMP UK meeting, was well worth airing to a wider audience.
All in all it was a good couple of days with some useful sessions, living up to its billing as suitable for intermediate to advanced attendees. On the basis of this session I’d certainly recommend similar sessions to those responsible for IS Compliance in either a QA or IT role and I’m looking forward to the next GAMP UK meeting, and to presenting at the ISPE UK AGM meeting and also the ISPE Global AGM meeting later in the year.
Monday, April 11, 2011
Interesting GAMP UK Meeting
As usual, last week's GAMP UK meeting (Help at Perkin Elmer) was informative and useful, especially in terms of the discussions that took place.
The formal agenda included a presentation on the use of Business Process Markup Notation (BPMN) for defining user requirements by Jenni Sanders (something we've been leveraging at Business & Decision for years) and a case study on the validation of a cell culture counter changed from non-GxP to GLP use, by Richie Fraser at Pfizer.
From a business perspective the most interesting session looked at the use of GAMP in the blood banking industry, with Janet Samson from Welsh Blood Service describing some of the cultural and organisational issues faced in the sector. In the last five years all blood banks in Europe now come under direct regulatory oversight but it is clearly a challenge to be part of a government led health service but regulated by a different part of the same government. With a number of projects in this sector this is no real surprise to everyone at Business & Decision , but it does prove that many of the real issues around validation are related to people and organisations, not technology.
There was also the usual regulatory round up with some feedback on the FDA's "Part 11 (Electronic Record, Electronic Signature) inspections, but to date it appears that the non-specialist inspectors who have been asking about the implementation of Part 11 have been learned more from the companies they have been inspected. There were however US and European based inspections and it would be interesting to hear how the 'overseas' portions of this program are progressing.
In areas of other regulatory news the tendency for the faster escalation of observations and the expectation to address any issues at all sites continues. It was also noted that there is a continued background of enforcement actions being taken around website content.
Chris Reid presented on the new Annex 11, but to be honest the experienced audience was generally aware of the new Annex 11 and the general feeling is that it will have minimal impact on those Life Sciences companies already following GAMP Good Practices (as we suggested in our "Annex 11, Changes to Computerised System Guidelines in the EU" webcast back in February). There was a feeling that some consultancies are over-inflating the issues associated with the new Annex 11, but our view continues to be that there are a significant number of companies who didn't comply with the old Annex 11 and that's where the trouble lies. The issue won't really be the new Annex 11 (which comes into effect in June 30th 2011) but the really issue will be the enforcement of Annex 11.
Matthew Theobald also presented on the work of the 'Leveraging Supplier Involvement' Special Interest Group and this was the topic that sparked the greatest debate. There is certainly growing regulatory interest in the outsourcing of IT services and regulatory concern when this is done badly. However, outsourcing can work an Matthew's group are trying to provide some good models on how the involvement of suppliers can be justified and how it can be done well.
A big thanks again to the GAMP UK organising committee for another interesting and successful meeting. For anyone who hasn't been to a GAMP meeting, it's well worth getting along to a meeting an finding out what really is happening in the industry - it's much better to the at the forefront of these trends that trying to play catch-up.
The formal agenda included a presentation on the use of Business Process Markup Notation (BPMN) for defining user requirements by Jenni Sanders (something we've been leveraging at Business & Decision for years) and a case study on the validation of a cell culture counter changed from non-GxP to GLP use, by Richie Fraser at Pfizer.
From a business perspective the most interesting session looked at the use of GAMP in the blood banking industry, with Janet Samson from Welsh Blood Service describing some of the cultural and organisational issues faced in the sector. In the last five years all blood banks in Europe now come under direct regulatory oversight but it is clearly a challenge to be part of a government led health service but regulated by a different part of the same government. With a number of projects in this sector this is no real surprise to everyone at Business & Decision , but it does prove that many of the real issues around validation are related to people and organisations, not technology.
There was also the usual regulatory round up with some feedback on the FDA's "Part 11 (Electronic Record, Electronic Signature) inspections, but to date it appears that the non-specialist inspectors who have been asking about the implementation of Part 11 have been learned more from the companies they have been inspected. There were however US and European based inspections and it would be interesting to hear how the 'overseas' portions of this program are progressing.
In areas of other regulatory news the tendency for the faster escalation of observations and the expectation to address any issues at all sites continues. It was also noted that there is a continued background of enforcement actions being taken around website content.
Chris Reid presented on the new Annex 11, but to be honest the experienced audience was generally aware of the new Annex 11 and the general feeling is that it will have minimal impact on those Life Sciences companies already following GAMP Good Practices (as we suggested in our "Annex 11, Changes to Computerised System Guidelines in the EU" webcast back in February). There was a feeling that some consultancies are over-inflating the issues associated with the new Annex 11, but our view continues to be that there are a significant number of companies who didn't comply with the old Annex 11 and that's where the trouble lies. The issue won't really be the new Annex 11 (which comes into effect in June 30th 2011) but the really issue will be the enforcement of Annex 11.
Matthew Theobald also presented on the work of the 'Leveraging Supplier Involvement' Special Interest Group and this was the topic that sparked the greatest debate. There is certainly growing regulatory interest in the outsourcing of IT services and regulatory concern when this is done badly. However, outsourcing can work an Matthew's group are trying to provide some good models on how the involvement of suppliers can be justified and how it can be done well.
A big thanks again to the GAMP UK organising committee for another interesting and successful meeting. For anyone who hasn't been to a GAMP meeting, it's well worth getting along to a meeting an finding out what really is happening in the industry - it's much better to the at the forefront of these trends that trying to play catch-up.
Subscribe to:
Posts (Atom)
Posts
