Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 21 CFR Part 11 – A Risk Management Perspective November 13, 2003.

Published byBertina Carr Modified over 9 years ago

Similar presentations

Presentation on theme: "1 21 CFR Part 11 – A Risk Management Perspective November 13, 2003."— Presentation transcript:

1 1 21 CFR Part 11 – A Risk Management Perspective November 13, 2003

2 2 Proposed Agenda  21 CFR Part 11 Baseline  Recent 21 CFR Part 11 Developments  Integration with other Legislation  Lessons Learned  Risk Management Perspective  An Example  Considerations

3 3 21 CFR Part 11 Baseline  Regulation Established August 1997  “All required controls that make e-record keeping trustworthy, reliable and compatible with FDA role”, Paul Motisse  The controls that were in place for paper records and handwritten signatures translated to an electronic environment  Control Requirements:  Device Checks  Change Control  Document Control  Computer Systems Validation  Security  Archiving  Audit Trails  Copy Controls  Sequencing Controls

4 4 Recent Developments  All previous Part 11 guidance has been withdrawn  New final guidance has been provided  Final guidance acknowledges that: –Statements made by agency staff may have been misinterpreted as policy – The use of technology has been restricted, contrary to the agency’s intent – The cost of compliance far exceeds the agency’s expectations – Part 11 has discouraged innovation without a significant public health benefit

5 5 Recent Developments  Part 11 is being re-examined and may be revised  Certain areas will be subject to enforcement discretion (validation, audit trails, record retention and record copying)  All other areas will continue to be enforced  Narrow Scope – Part 11 applies when persons choose to use records in electronic format in place of paper records  Decisions to rely on paper or electronic records should be documented

6 6 Recent Developments  There are wide ranging opinions regarding what these changes mean  Key messages: –Part 11 is not going to go away –One size does not fit all –Focus on risk management – an effective internal control structure that protects product safety, quality and efficacy

7 7 Integration with Other Legislation – Connected Thinking  Annex 11  EPA  HIPAA  State Privacy Law  EU Data Protection Direction  ISO  Basel II Accord  Cadbury Turnbull  Sarbanes-Oxley

8 8 Where are They Similar and Different? FDA21 CFR Part 11EPAAnnex 11HIPAASarbanes-Oxley Security OrganizationXXX Audit TrailsXXXX Electronic SignaturesXX ArchivingXX ValidationXXXX Backup and RecoveryXXX Record RetentionXXX Disaster Recovery PlanningXXX Access ControlsXXXXX TrainingXXX

9 9 Lessons Learned – Key Challenges How does Part 11 rank in importance to other business priorities and regulations? What are acceptable remediation timeframes? Who decides? What does the final guidance mean given where my Company is in the process? How do we embed compliance into the business and system development lifecycle? How do we realize value from this compliance initiative?

10 10 Business Unit Team Members Business Unit Project Managers Steering Committee Members / Business Unit Sponsors Executive Committee Program Director Compliance Program Steering Committee Business Unit Team Members (across functional and site locations) Manufacturing, QA, QC, Compliance, Validation, System Owner Program Sponsors Chief Information Officer and Corporate Quality Business Unit Coordinator R&DSupply Chain Sales & Marketing ITProcurement Example Program Structure

11 11 Compliance Program Office Assessment Prioritization Remediation Project Management Office Inventory

12 12 Lessons Learned  Executive Sponsorship – Information Technology – Quality Assurance – Business Leadership – Steering Committee – Active Involvement  Roles and Responsibilities – Program Management – Business – Information Technology – Quality Assurance – Validation – Internal/External Audit  Program Management – Project Planning – Risk and Issue Management – Templates, Processes and Procedures – Training – Monitoring – Reporting – Financial Management – Stakeholder Management – Portfolio Prioritization – Benefits Realization – Transition Plan

13 13 Lessons Learned  Overlooked Areas –Technology Infrastructure –Procurement Process –Third Parties (Vendors, Suppliers, etc.) –Standard Operating Procedures  Inventory Process –Methodology –Training –Monitoring –Change Control –Ownership  Assessment Process – Methodology –Linkage to Remediation Plan and Requirements – Training – Monitoring – Change Control – Compliance Score

14 14 Lessons Learned  Prioritization – Determine risk profile: Compliance Score System Lifecycle Stage Inspection History (Company and Industry) Impact on Quality, Safety, Efficacy, financial statements, operational objectives Complexity Standalone vs. Networked Customized vs. Off-the-Shelf –Identity Common Systems and Consolidation Targets – Identify preliminary remediation approach (repair, replace or procedural) – Calculate Budget – Establish Compliance Based Remediation Targets and Timelines – Confirm prioritization with relevant stakeholders – Capture Benefits

15 15 Lessons Learned  Remediation - Risk Assessment – Focus on Business Process – Everything is not important – only those things that impact quality decisions – Product quality, safety and efficacy – Data Integrity, Confidentiality and Availability –An Risk Based Approach Analyze Business Process Understand Quality Related Objectives What are the risks that could impact the objectives? What controls must be established to mitigate the risks? Controls become requirements Validation provides evidence that the controls are in place and operating effectively

16 16 Procurement - Example

17 17 Procurement & Vendor Qualification Vendor Evaluation and Qualification Vendor Master Maintenance Material or Service Master Maintenance Contracts and Pricing Vendor Confirmation Create Purchase Requisitions and Purchase Order (PO) Goods Receipt and Reconciliation Return to Vendor NO Payment to Vendor YES Material Qualification ** MT: Material Traceability must be defined after a material is accepted and qualified. This includes the assignment of unique lot numbers after receipt at a manufacturing site. ** MT

18 18 People, Process and TechnologyProcessesPeopleTechnology New Vendors are selected Purchasing Personnel New Vendors are Qualified by QM Personnel Procurement of Raw Materials Receipt of Goods Material Qualification Material Traceability- Assign Lot Numbers Vendor Payments SOP SOP SOP Quality Management Personnel Quality Management Personnel Purchasing Personnel Warehouse Personnel Warehouse or Operations Personnel Purchasing Personnel System records Vendor Qualification details System records Material Qualification details Material lot numbers and tracking recorded in the system Vendor Setup in system Payment generated from system

19 19 Example ID No. ProcessRiskCOSO Component COSO Control Objective COSO Control Objective Category (C,F,O) Contr ol Type (C,A, V,R) Control Requirements 1Vendor Maintena nce Changes to standing data are not completely and accurately input increasing the risk of improper payment to unauthorized or incorrect suppliers. Control Activity Changes to standing data are completely and accurately input. Operational Financial C,A1)On-line edit and validation checks exist in the payables system to verify the accuracy of key vendor master data fields are entered. 2)2) Key data fields are required during vendor maintenance. 3)The system will check for duplicate vendor names, addresses, or other key data fields and flag the transaction for review before processing further. 2Vendor Maintena nce Purchase orders are released with an invalid material vendor combination resulting in material that is purchased from an unqualified vendor Control Activity Vendors are qualified before updating the vendor master file Operational Compliance (CFR 820.50 (a) (3)) C, A, V 1)Vendor Qualification SOP is in place, approved and effective 2)Vendor master controls shall be established to prevent sourcing materials to vendors that are not qualified

20 20 Considerations – How connected are your Company’s efforts with respect to addressing related regulations? – Does your Company have a consistent point of view regarding the appropriate level of compliance and associated documentation? – Does your Company have a consistent risk management approach to focus compliance efforts? – Are risk based decisions documented and linked to the compliance approach? – Does your Company have a process to prioritize processes, systems and compliance projects based on risk? – Does your Company have a system development lifecycle and validation methodology that is focused on key risk areas to assure compliance objectives?

Download ppt "1 21 CFR Part 11 – A Risk Management Perspective November 13, 2003."

Similar presentations

PRINCIPLES OF A CALIBRATION MANAGEMENT SYSTEM

PRINCIPLES OF A CALIBRATION MANAGEMENT SYSTEM
Effective Contract Management Planning

Effective Contract Management Planning
Program Management Office (PMO) Design

Program Management Office (PMO) Design
Radiopharmaceutical Production

Radiopharmaceutical Production
The New GMP Annex 11 and Chapter 4 Deadline for coming into operation: 30 June 2011.

The New GMP Annex 11 and Chapter 4 Deadline for coming into operation: 30 June 2011.
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
Ensure Vendor/Engineer of Choice Product Quality

Ensure Vendor/Engineer of Choice Product Quality
GMP Document and Record Retention

GMP Document and Record Retention
ISO 9001 : 2000.

ISO 9001 : 2000.
How to Document A Business Management System

How to Document A Business Management System
Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.

Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.
Cheryl McCarthy Manager, Quality Assurance MBC Session October 3, 2008 GCP Compliance in our Vendors.

Cheryl McCarthy Manager, Quality Assurance MBC Session October 3, 2008 GCP Compliance in our Vendors.
Coping with Electronic Records Setting Standards for Private Sector E-records Retention.

Coping with Electronic Records Setting Standards for Private Sector E-records Retention.
The Islamic University of Gaza

The Islamic University of Gaza
OMB Circular A-123 – Management’s Responsibility for Internal Control Policy Applicability Sources of Information Assessment, Documentation and Reporting.

OMB Circular A-123 – Management’s Responsibility for Internal Control Policy Applicability Sources of Information Assessment, Documentation and Reporting.
Security Controls – What Works

Security Controls – What Works
Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.

Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.
Chapter 5 IT Processes Presented by Dr. Mohamed Sammouda.

Chapter 5 IT Processes Presented by Dr. Mohamed Sammouda.
Managing the Information Technology Resource Jerry N. Luftman

Managing the Information Technology Resource Jerry N. Luftman
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

Similar presentations

Ads by Google