Documente Academic
Documente Profesional
Documente Cultură
2003 Colm OSuilleabhain PDF
Încărcat de
Surakrai SomsaksriTitlu original
Drepturi de autor
Formate disponibile
Partajați acest document
Partajați sau inserați document
Vi se pare util acest document?
Este necorespunzător acest conținut?
Raportați acest documentDrepturi de autor:
Formate disponibile
2003 Colm OSuilleabhain PDF
Încărcat de
Surakrai SomsaksriDrepturi de autor:
Formate disponibile
A strategy for the use of electronic records and electronic signatures in accordance with FDA ruling 21 CFR part 11
Colm O Suilleabhain School of Computing Dublin Institute of Technology Kevin Street, Dublin 8, Ireland cosuilleabhain@hotmail.com Abstract This paper seeks to identify strategies for achieving compliance with the food and drug associations (FDA) regulation 21 CFR (code of federal regulation) part 11 on electronic records and signatures and for realising the organizational benefits that can be obtained from the use of electronic records. The paper starts with a background chapter that provides an introduction to the FDA, the background to the regulation and an overview of the ruling. The various requirements of the ruling are categorised under a number of headings and discussed. Two of the tools used to achieve compliance, system validation and risk management are investigated in the context of the regulation. A multi step framework for compliance is produced that emphasises both the technical and organizational aspects of compliance. Achieving compliance is discussed in an organizational context. A framework is produced containing a number of critical success factors for achieving compliance and for successfully implementing electronic records and some of the technologies that might enable organizations to achieve these critical success factors. Keywords - FDA, 21 CFR part 11, organizational change, critical success factors, enabling technologies CFR part 11 allows the FDA to accept electronic submissions without an accompanying paper archival copy. Becoming compliant with this ruling has caused many problems for FDA regulated industries particularly in the pharmaceutical sector. While there has been much discussion about achieving technical compliance with the ruling very little literature has focussed on the implementation of electronic records at the organizational level. This paper addresses compliance with the ruling on both a technical and on an organizational level. The paper would be of interest to both IT managers and strategic manners in FDA regulated industries. Research methods included the use of journals, textbooks, industry white papers and some commercial websites. Section 2 of the paper introduces the topic and contains subsections that investigate the role of the FDA, discuss the background of 21 CFR part 11 and briefly describe the issues covered by the regulation and the reasons why compliance with the ruling has caused such difficulties. Section 3 categorises the requirements of 21 CFR part 11 under a number of headings and discusses each of those requirements in more detail. Section 4 of the paper investigates two of the most importance processes used in achieving compliance in FDA regulated industries in the context of 21 CFR part 11; that is system validation and risk management. Section 5 extends an existing framework for achieving compliance by considering compliance with the ruling as an organizational issue. Section 6 continues to look at the issue of compliance as an organizational issue and investigates the use of electronic records as a possible source of competitive advantage. This section also adapts a generic framework to include both critical success factors for the successful implementation of electronic records and the technologies that will be required for these will be required for these critical success factors to be achieved. The paper finishes with a conclusion.
1 Introduction
The aim of this paper is to investigate organizational strategies for compliance with FDA regulation 21 CFR part 11 for electronic records and electronic signatures The FDA (Food and Drug Association) is a branch of the United States government that is responsible for regulating a number of industries including those involved in the production of pharmaceuticals, foodstuffs, cosmetics and medical devices. Regulation 21
____________________________________________________________________
1
Using electronic records and signatures with FDA ruling 21 Colm o Suilleabhain __________________________________________________________________________________
2 Background to FDA and 21 CFR part 11
This section introduces the topic and provides background on the FDA and on 21 CFR parts 11. The section starts with a brief synopsis of the function and role of the FDA. The importance of FDA regulation in a global context is emphasised and the industries that are regulated by the FDA are listed. The background to the ruling is discussed along with an overview of some of the key requirements in the ruling. The section concludes with a discussion on both the risk associated with failure to comply with the ruling and the difficulties faced by organizations in trying to comply
Although the FDA is a branch of the United Sates government FDA regulations effect any organization that imports FDA regulated goods into the United States so the influence of FDA regulations is often global in scope (Miklovic & Rozwell, 2002). The body of FDA regulations changes as products and technologies evolve (Arling & Worling, 2002). In general the regulatory approach of the FDA is dependent on the risks associated with the product. In the pharmaceutical industry different regulations are concerned with different stages of the product life cycle. These regulations range from those concerned with good laboratory practices (GLP) at the discovery and drug development stage, through those associated with good clinical practices (GCP) at the clinical trials stage and finally regulations which deal with good manufacturing practices (GMP) at the manufacturing and distribution stages. In practice the FDA regulations are commonly regarded from a cross functional viewpoint often called GxP where GCP + GMP + GLP = GxP (Arling & Worling, 2002). In the pharmaceutical sector the risks associated with non-compliance with FDA regulations include FDA 483s, which are lists of inspectional observations, warning letters and consent decrees (Arling & Worling, 2002). The consequences of these actions include the non-approval of new products, loss of United States government contracts and import restrictions. Legal penalties can include fines, sanctions and imprisonment (Miklovic & Rozwell, 2002). FDA enforcement uses regulations and guidance documents as a framework but the final ruling may often be dependent on the judgement of the inspectors (FDA 3, 2003)
2.1 FDA background
The food and drug association (FDA) is the oldest consumer agency in the United States of America; it monitors more than 100,000 companies producing products valued in excess of a trillion dollars. FDA regulated products account for around 25 cents of every consumer dollar spent in the U.S.A. (FDA 1, 2003). Currently the FDA has a staff of approximately 9100 employees made up of chemists, pharmacologists, physicians, biochemists, lawyers and many others and has a yearly budget in access of a billion dollars (FDA 1, 2003). In its own words the FDAs mission is to promote and protect the public health by helping safe and effective products reach the market in a timely way and monitoring products for continued safety after they are in use (FDA 2, 2003). Some of the areas for which the FDA has regulatory responsibility include (FDA 1, 2003) Food products (other than meat and poultry) The manufacturing, development and distribution of human and animal drugs The blood bank and plasma industries The manufacture of medical and surgical devices Radiation emitting consumer and medical products Animal feed Cosmetics
2.2 The background to 21 CFR part 11
21 CFR part 11 electronic records, electronic signatures final rule allows the FDA to accept electronic submissions without an accompanying paper archival copy. Electronic signatures on electronic records that comply with the regulation are considered equivalent to hand written signatures on paper records (FDA 4, 2003) Computer system validation has been required under good manufacturing practice regulation since the 1980s (FDA, 1987). Today there are
____________________________________________________________________
2
Using electronic records and signatures with FDA ruling 21 Colm o Suilleabhain __________________________________________________________________________________
few operations within the pharmaceutical process that do not involve the use of computers. As the use of computers and automated processes has become more prevalent in the pharmaceutical industry so too has the use of electronic records. 21 CFR part 11 grew out of industry concerns with the regulatory approach towards the use of electronic records and signatures (Fields, 2001). In 1991 the FDA, after meeting with members of the pharmaceutical industry, set up a task force on electronic identification and signatures to promote the development of a consistent approach to the regulation of electronic records and electronic signatures. In March 1997 the FDA published the final rule after twice publishing advance notices of proposed rulemaking (ANPRM) to obtain public comment on the issues involved (FDA 1, 1997) Subsequently there was much discussion between the FDA, industrial sources and contractors regarding the implementation and interpretation of the rule (FDA 3, 2003). As industry groups encountered difficulties with the implementation of the regulation the FDA issued further guidance relating to 21 CFR part 11 including the following. FDA, Guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures Validation, August 2001. (FDA 1, 2001) FDA, Guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures, Glossary of terms, August 2001. (FDA 2, 2001) FDA, Guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures, Time Stamps, February 2002. (FDA 1, 2002) FDA, Guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures, Maintenance of Electronic Records, May 2002. (FDA 2, 2002) FDA, Guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures Electronic Copies of Electronic Records, August (FDA 3, 2002) FDA Guidance for industry: Computerized Systems used in Clinical Trials, US Department of Health and Human Services, April 1999 (FDA, 1999)
Reacting to concerns raised about 21 CFR part 11 the FDA has recently issued a draft guidance for industry concerning the scope and application of 21 CFR part 11 (FDA 3, 2003). These concerns included (FDA 3, 2003). That the ruling would restrict the use of electronic technology in a manner which would conflict with the FDAs intent in issuing the ruling That the ruling would greatly increase the cost of compliance That the ruling discourages the innovative use of technology On the February the 4th 2003 the FDA announced the withdrawal of other Part 11 draft guidance documents on validation, glossary of terms, time stamps, maintenance of electronic records and electronic records and electronic copies. Currently the FDA is reexamining 21 Part 11 and has stated that certain parts of the regulation may be revised (FDA 3, 2003).
2.3 Overview of ruling
21 CFR Part 11 was introduced as a result of the FDA belief that the use of electronic records and signatures is becoming more pervasive and will inevitably become universal (Phan, 2002). The ruling is divided up under the subparts and subheadings identified in table 2.1 (FDA 1, 1997). Subpart A --- General Provisions Section Title 11.1 Scope 11.2 Implementations 11.3 Definitions Subpart B ---Electronic records Section Title 11.10 Controls for closed systems 11.30 Controls for open systems 11.50 Signature manifestations 11.70 Signature/record linking Subpart C---Electronic Signatures Section Title 11.100 General requirements 11.200 Electronic signature components and controls 11.300 Controls for identification codes/passwords
____________________________________________________________________
3
Using electronic records and signatures with FDA ruling 21 Colm o Suilleabhain __________________________________________________________________________________
Table 2.1 Section headings for 21 CFR part 11(FDA 1,1997) The regulation applies to records in electronic form that are created, modified, archived, retrieved or transmitted under any records requirement set forth in FDA regulations (FDA 1, 1997). The regulation does not enforce the use of electronic records or signatures but merely outlines the requirements that must be met for those organizations that do chose to use them within the context and enforcement parameters of the regulation (Phan, 2002). Where electronic signatures and their associated records meet the requirements of the ruling they are considered the equivalent of full hand written signatures or initials by the FDA (FDA 1, 1997). Electronic records are defined by the FDA as: any combination of text, graphics, data, audio, pictorial or other information in digital form that is created, modified, maintained, archived, retrieved or distributed by a computer system (FDA, 1997). The ruling separates the systems in which electronic records might be used into two environments (RSA security 2002): Closed system where access is controlled by individuals who are responsible for the content of electronic records that are on the system Opened system where access is not controlled by individuals who are responsible for the content of electronic records that are on the system Those who use closed systems to create, modify maintain and transmit electronic records are required to use procedures and controls to ensure authenticity integrity and confidentiality while enforcing nonrepudiation (Dillon et al., 2002). These controls include System validation (FDA 1, 1997). Records management (FDA 1, 1997). System security management including operational, device and authority checks. Systems must have both physical and logical controls limiting access to authorised and trained personnel (Fields, 2002). Systems must have computer generated audit trails to authenticate and confirm the integrity of electronic records and signatures.
Recorded changes should not obscure previously recorded information (Dillon et al., 2002). System documentation management. Documentation must be controlled throughout the documentation lifecycle (Dillon et al., 2002). Controls over system documentation should include distribution, access and use of documentation for system maintenance and operation. Revision and change control procedures should also be in place to ensure that audit trails are maintained that document all modifications to system documentation (FDA 1, 1997).
Controls for open systems should include the controls identified for closed systems and should also include additional measures such as encryption, to protect data and safeguard system integrity, and the use of digital rather than electronic signatures (FDA 1 1997). An example of an open system is the Internet. Signed electronic records should clearly contain the following (FDA 1, 1997) 1. The printed name of the signaturee 2. The date and time when the signature was executed 3. The meaning associated with the signature (such as review, approval or responsibility) Controls for electronic signatures include (FDA 1, 1997) Electronic signatures should be linked to electronic records to ensure that signatures cannot be excised, replicated or transferred to falsify the record Non biometric signatures must contain two different identification components such as password and used ID Controls of user Ids and passwords including their issuing recall and disablement Employees should be trained so that they understand the legal and regulatory implications of electronic signatures i.e. electronic signatures are considered to be the equivalent of hand written signatures
____________________________________________________________________
4
Using electronic records and signatures with FDA ruling 21 Colm o Suilleabhain __________________________________________________________________________________
The linking of non biometric signatures to their owners so that their use by other individuals IDs is impossible without the collaboration of at least two individuals Testing of devices that produce or maintain identification codes and passwords Controls to ensure that each combination of identification code and password is unique
Companies found in a state of non-compliance may receive a warning letter or a more severe penalty including fines, the delaying of a product launch or the prevention of shipping a product (Miklovic & Rozwell, 2002). To illustrate the severity of penalties that may be issued for non-compliance with FDA regulation; in May 2002 drug maker ScheringPlough Corp agreed to pay the FDA $500 million dollars in fines as a result of quality control problems at four of its facilities (Greenemeier, 2003). Despite the possibility of large penalties many companies are facing difficulties in becoming 21 CFR part 11 compliant. A few of the areas that are causing problems for companies in their efforts to become compliant are listed below Cost. It has been estimated that in total the pharmaceutical industry may spend as much as $5 billion to comply 21 CFR part 11. This roughly amounts to a cost of $100 million per pharmaceutical company, which is more than twice the industry average of $45 million for the implementation of Y2K compliance. However unlike Y2K 21 CFR part 11 compliance is not considered significant by many executives thus limiting funding and resource allocation (Miklovic & Rozwell, 2002). The electronic audit trails that are required by 21 CFR part 11 are very difficult to apply to most legacy systems. Many legacy systems eliminate electronic trails by overwriting (Allen & Brands, 2002). Although the FDA has stated that it intends to exercise enforcement discretion regarding computer generated time stamped audit trails in the agencies latest guidance to industry pertaining to the rule it has also stated that in many cases audit trails may be necessary to ensure the trustworthiness and reliability of records (FDA 3, 2003) Pharmaceutical companies increasingly rely upon collaborations with outside organizations such as Contract Research Organizations (CRO) to conduct clinical research. Consequently many of the electronic records that companies use to document the safety of their products
2.4 Consequences of non-compliance
Although 21 CFR part 11 has been effective since August 20th, 1997 many pharmaceutical and biotechnology are having difficulties complying with the ruling (Gambrill, 2002 & Phan, 2002). Confusion still abounds as to what compliance with the ruling really means. There appears to be a misconception that the FDA is not serious about enforcing the legislation (Miklovic & Rozwell, 2002). Companies that are effected by the legislation are worried that the ruling would create large and expensive IT projects in industries not noted for devoting a lot of resources to IT (Miklovic & Rozwell, 2002). Although the FDA held off on enforcement until 1999 since then the FDA has issued non-compliance citations. A review of warning letters issued by the FDA concerning non-compliance with 21 CFR part 11 was carried out in 2002. As can be seen from figure 2.1 most faults were in the area of systems validation and record protection (Phan 2002).
Validation
Record protection
System access
Audit trails
Other
Figure 2.1 Areas of Part 11 noncompliance cited in FDA warning letters (Phan, 2002)
____________________________________________________________________
5
Using electronic records and signatures with FDA ruling 21 Colm o Suilleabhain __________________________________________________________________________________
are not created within the sponsor organization itself. However, the compliance of these records with FDA regulations will still ultimately be the responsibility of the sponsor organization. This may cause difficulties when the institution that generates the data lacks experience in dealing with FDA regulations (Berns, 2002; Fields, 2002). 21 CFR part 11 is open to a lot of interpretation. As a result of this companies effected by the regulation have been cautious in implementing initiatives for fear of misinterpretation (Gambrill, 2002) Another daunting aspect of 21 CFR part 11 compliance is the volume of hardware and software that needs to be validated to ensure compliance. If documents or data ever have passed through or are likely to pass through a device or computer with the possibility of being modified then that device or computer needs to be validated (Budihandojo & Huber 2001). Many of the applications used in the pharmaceutical industry routinely create and modify records and so require 21 CFR part 11 validation (McDowall, 2002). These systems include Enterprise Resource Planning (ERP) systems, Manufacturing Execution Systems (MES), Laboratory Information management Systems (LIMS) and Chromatography Data Systems (McDowall, 2002). A more complete list of the applications and the systems used in the pharmaceutical industry that will be effected by the ruling is given in section 5
3 Categorisation of 21 CFR part 11 requirements
Table 3.1 lists the key requirements of 21 CFR part 11 and the sections of the ruling to which they apply. Each of the requirements is then discussed in more detail. Requirement Validation System security Audit trails Electronic signature management Electronic record management Open Systems validation Documentation control Training of personnel Management of codes and passwords Section of rule 11.10 (a) 11.10 (d), 11.10 (f), 11.10 (g) 11.10 (e), 11.10 (k2) 11.5, 11.70, 11.100, 11.200 11.10 (b), 11.10 (c) 11.30 11.10 (k1), 11.10(k2) 11.10 (i), 11.10(j) 11.300
Table 3.1 Requirements of 21 CFR part 11 Validation: The ruling requires that all relevant systems be validated. The issue of systems validation in FDA environments is discussed in section 4.1. System Security: Section 11.10(d) of 21 CFR part 11 states that system access should be limited to authorised individuals (FDA, 1997). This could be achieved by implementing authentication and access control procedures (RSA security, 2002). System security can be achieved by a mixture of physical and logical measures and can be divided into four levels as illustrated in table 3.2 (Phan, 2003)
Security Level Facility
Room User Function
Security Controls Restricting access to employees. Limiting access of visitors to general-access areas. This can be achieved by physical features such as combinations of lock and key, security guards, a check in desk, identification cards and electronic- access cards. Physical access to individual system components restricted to authorised personnel. This can also be implemented by the measures used at facility level Access to individual applications limited to appropriate user groups by the use of an access control list and of network operating system security features Access to individual functions of the application is restricted by the use of security features of the application itself
____________________________________________________________________
6
Using electronic records and signatures with FDA ruling 21 Colm o Suilleabhain __________________________________________________________________________________
Table 3.2 Security levels (Phan, 2003) For electronic signatures with Audit trails: Section 11.10 (e) requires the biometric links it should be ensured use of secure computer generated audit trails that system design prohibits use by for record changes and key operator entries anyone but the owners and activities (FDA 1, 1997). Even though the Measure to ensure that electronic FDA has stated that it intends to exercise signatures are only issued to persons enforcement discretion regarding audit trails whose identification has been (FDA 4, 2003), they can greatly enhance the verified and that each electronic security and integrity of data (ISPE, 2002). signature is unique The use of audit trails can identify the history of use and can identify the user performing the Electronic records management: Controls action. Information can include the date, time, need to be in place to ensure that electronic user event and the success or failure of an records can be accurately generated retained, event (Dickson, 2002). Audit trails may protected and readily retrieved in human generate large amounts of data, which can readable and electronic form (FDA 1, 1997). result in storage and information retrieval Some of the mechanisms available to achieve difficulties. Therefore it is often pertinent to compliance with this part of the ruling include question if there is a regulatory or business Using industry standard portable need to add audit trails to electronic records formats for electronic records (ISPE, before doing so (Lopez, 2002). 2002) Using automated conversion methods Electronic Signature Management: where possible to make copies in a Electronic signatures are unique identifiers common format assigned to each individual using or Using an archival mechanism that maintaining the system (Allen & Brands, allows data that is no longer required 2002). Electronic signatures can be any to migrate to various media with all combination of user names, passwords, token necessary part 11 controls maintained based authentication or biometrics. An (Canale, 2002) electronic signature system addresses a records integrity, user authentication and nonDocumentation control: These controls repudiation. Associating a user with both a include controls over, distribution of, access to private and a public key does this. When the and use of standard operating procedures record is signed the private key is used to (SOPs) and other documentation used in produce an encrypted message digest that is system operation and maintenance. They appended to the record. The recipient of the should also include a change control system to message can decrypt the message using the maintain an audit trail that provides records of senders public key. This allows the recipient changes to system documentation (FDA, to verify that the record has not been modified 1997). since being signed and that the private key used in the signing of the record corresponds Training of personnel: Training should take to the public key used for the verification place on all SOPs that are applicable to the (Lopez, 2000). 21 CFR part 11 requires that ruling for all personnel using electronic the following controls be put in place for signatures or systems that generate electronic electronic records (FDA 1, 1997). records including SOPs that address (Lopez, Measures are provided to ensure that 2000) they are only used by their owners User authentication That for electronic signatures without Access control biometric links two or more distinct Management of records and audit identification mechanisms are trails included. Physical security Both of these distinct identification Disaster recovery mechanisms should be used at initial Protection of remote access points signing and subsequently at least one Protection of external electronic form of identification should be used communications during each signing during the same Personnel responsibilities session
____________________________________________________________________
7
Using electronic records and signatures with FDA ruling 21 Colm o Suilleabhain __________________________________________________________________________________
Ongoing monitoring of computer systems As well as the technical training required to ensure that workers perform their job in a manner consistent with FDA regulations specific regulatory training should be undertaken to ensure that employees fully understand how regulatory requirements relate to their jobs (Mikhola & Rios, 2002). Management of codes and passwords: Controls in this area include (RSA, 2002) That each identification code and password be unique Periodic checks of identification codes and passwords Loss management techniques Transaction safeguard to prevent unauthorised use of passwords or identification codes Tests of devices that generate identification code or password information
4.1 System validation
The FDAs current good manufacturing practice has always required computer systems validation (Halls & Matlis, 2002). FDA investigators evaluate computer systems used by the manufacturers of pharmaceuticals, medical devices, biological products and diagnostic tools against the highest available standards. The FDA has defined validation as confirmation by examination and provision of objective evidence that the particular requirement for a specific intended use can be consistently fulfilled (FDA 4, 2002) 4.1.1 Software validation in a FDA regulated environment The FDAs view is that manufacturers have the ultimate responsibility for software validation whether it is developed by the manufacturer, by a contractor or is commercial off-the-shelf software (Brower, 2000). Therefore manufacturers should be aware of the necessity to properly configure and validate software systems with the capability for 21 part 11 compliance (Allen & Brands 2002). Although a detailed discussion of FDA software validation requirements is beyond the scopes of this paper table 4.1 summarises the procedures that in the view of the FDA should be carried out to ensure that software is validated at each step of a typical software life cycle model (FDA 5, 2002)
4 Techniques used to achieve compliance
This section discusses two of the procedures commonly used to achieve compliance with 21 CFR part 11. Both system validation and risk management are procedures that are identified by the FDA as being essential for achieving compliance (FDA 1, 1997; FDA 3, 2003) thus a discussion of both these procedures was deemed to be warranted. Software Life cycle step Quality Planning Requirements Design Coding Testing
Procedures Risk management plan, change control plan, software quality assurance plan Risk analysis, traceability analysis, description of user characteristics, software requirements evaluation, system test plan generation Update risk analysis, traceability analysis design, software design evaluation, module test plan generation, integration test plan generation, test design generation Source code traceability analysis, test case generation, source code and source code documentation evaluation Test planning, functional test case identification, structural test case identification, traceability analysis testing, unit test execution, integration test execution, functional test execution, system test execution, acceptance test execution, test results evaluation, error evaluation/resolution, final test report Acceptance test execution, test results evaluation, error evaluation/resolution, final test report Problem identification and resolution, anomaly evaluation, proposed change assessment, task iteration, documentation updating,
User site testing Maintenance and software changes
Table 4.1: Procedures for ensuring software validation in a FDA environment (FDA 5, 2002)
____________________________________________________________________
8
Using electronic records and signatures with FDA ruling 21 Colm o Suilleabhain __________________________________________________________________________________
4.1.2 System validation for 21 CFR part 11 21 CFR part 11 requires that systems be validated if they are used to create, modify, maintain or transmit electronic records required under any FDA record requirement (Fields, 2002). The key principles identified by the FDA that should be considered when validating electronic record keeping systems are listed below (FDA 5, 2001). System Requirements Specification Documentation of validation activity Equipment installation Dynamic testing Static verification techniques Extent of validation Independence of review Change control (configuration management) Some of the key aspects of these principles are discussed below. System Requirements Validation: Current enforcement trends indicate that system requirements are a major source of FDA observations (Halls & Matlis, 2002). End user needs and intended uses should be established and evidence obtained that the computer system implements those needs correctly and that they are traceable to system design requirements and specifications (FDA 1, 2001; FDA 5, 2002). This can be complex when validating networked systems where individual components can impact on each other (Budihandojo & Huber 2001). Documentation of validation activity: This includes documentation for the validation of both new and existing systems (Fields, 2001). Documentation is considered extremely important by the FDA for the success of validation efforts (FDA1, 2001). Documentation should include both project specific documentation describing validation for the individual project and generic documentation describing policies, master plans and processes (Budihandojo & Huber 2001). Documentation should include a validation project plan, user requirements specifications, test plans, design specification, test results change control procedures, a traceability matrix and validation procedures (FDA 1, 2001; FDA 5, 2002; Halls & Matlis, 2002; Brower, 2000; Lopez, 2002)
Equipment Installation: Prior to testing it should be ensured that both hardware and software are properly installed and that all necessary documentation (e.g. SOPs and user manuals) is available. (FDA 1, 2001; Budihandojo & Huber 2001) Dynamic testing: Dynamic analysis is concerned with demonstrating the softwares run time response to selected inputs and conditions (Brower, 2000). Tests should be carried out both at normal values and under stress conditions. Some testing should be performed using simulators outside the actual environment in which the system operates. Testing should also be carried out in the environment in which the system operates in such a manner that the system will encounter a wide range of conditions and events in order to detect any faults that are not triggered by normal activities. (FDA 1, 2001) Static verification testing: Static analysis is defined by the FDA as analysis of a program that is performed without executing the program(Lopez, 2000). This includes manual inspections of code, running software tools against code and documentation reviews. According to FDA draft guidance due to the complexity of software dynamic analysis alone may be insufficient to show that software is correct, fully functional and free of defects (FDA 2, 1997). Therefore static approaches and methods should be used to offset this crucial limitation of dynamic analysis (FDA 2, 1997) Extent of validation: Factors which should be considered when determining to what extent validation should be carried out include (FDA 1, 2001) The risk that the system poses to product safety and quality The risk that the system poses to data integrity, authenticity and confidentiality The complexity of the system The risk that the system poses to safety Independence of review: The FDA regards objective self-evaluation as extremely difficult and encourages evaluation of computer systems by persons other than those responsible for building the system (FDA 1, 2001; FDA 5, 2002)
____________________________________________________________________
9
Using electronic records and signatures with FDA ruling 21 Colm o Suilleabhain __________________________________________________________________________________
Change Control: A procedure should be in place to control changes and to determine the amount of revalidation required as a result of changes (FDA 1, 2001). A change control program should ensure that the full impact of any change is known (Beck, 2000). If the change causes the system to operate outside of previously validated operating limits there may be a strong case for revalidation. Change control management is of particular importance in the development of software; where a seemingly small local change can have an impact throughout the system (FDA 5, 2002).
4.2 Risk Management
Risk management has been defined as planning and acting to avoid, contain, or lessen potential negative outcomes for a project or product (Beck, 2000). A compliance risk management strategy is required to successfully ensure that an organization and its people are protected from regulatory sanctions without using an extreme approach which might lead to excessive cost and use of organizational resources (Beck, 2000; Noferi et al, 2002). Effective risk management processes have the following characteristics (Beck, 2000) Identification of risks early in the project Risks are quantified as and prioritised according to the product of the probability an undesirable event occurring and the cost associated with the event (Redmill, 1992) Plans are developed to avoid, contain or lessen each risk. The process has a person assigned whose purpose is to coordinate and administer the risk management process In the case of 21 CFR part 11 effective risk management needs to be carries out in the following areas (ISPE, 2002) Categorisation of importance of electronic records. The focus should be on records that have a high impact on quality. For example batch production records and laboratory test results. Copies of electronic records. Copies of electronic records should be available to investigators during an inspection. This can provide technical challenges and is best
overcome by using industry standard portable formats Retention and Maintenance of Records. The archiving of electronic records can cause difficulties both in terms of processability and in terms of volume. A risk assessment of data can be used to determine whether to retain processability of older data. Audit trails. Risk analysis can be used to identify the electronic records where the addition of an audit trail is required to guarantee data integrity. If adequate data integrity can be accomplished by security controls a risk assessment can be used to justify the decision that audit trails do not provide significant benefit Electronic signatures. Risk analysis should be used to decide where signatures need to be applied based on the FDA regulation, importance of the process and risk to the product.
5. Framework for achieving 21 CFR part 11 compliance
This section extends an existing framework for achieving 21 CFR compliance and introduces some organizational aspects to a primarily technical model. Many of the techniques and processes for achieving compliance with 21 CFR part 11 that were discussed in previous sectors are included in the framework. The following framework is mainly based on one designed by Tuan T. Phan (Phan, 2002). Although the model provided by Phan provides an excellent technical overview for achieving 21 CFR part 11 compliance, the author thinks that more emphasis should have been placed on management of organizational culture and on incorporating modern change management techniques. Therefore the following framework differs from the one provided by Phan both at the first two steps, where more emphasis is put on developing a guiding coalition for change, and by including an extra step to ensure that the changes made are institutionalised within the organization. The framework is presented in figure 5.1and is followed by a brief discussion on each step of the framework
____________________________________________________________________
10
Using electronic records and signatures with FDA ruling 21 Colm o Suilleabhain __________________________________________________________________________________
Establishing a sense of urgency and creating a guiding coalition
Establishing a culture for compliance with 21 CFR part 11
Defining policies and procedures
is not regarding at senior executive level as being of the highest priority (Miklovic & Rozwell, 2002). A sense of urgency is required at the highest levels of an organization in order for it to be communicated throughout the organization (Kotter, 1996). The establishment of a sufficiently powerful guiding coalition is essential for success organizational change to occur. A strong guiding coalition should have the right composition, have a level of trust established between its individual members and have a shared objective (Kotter, 1996). The individuals who make up the coalition should provide four key characteristics: position power, expertise, credibility and leadership (Kotter, 1996) Aligning the strategy for compliance with the corporate culture: The methods of achieving the changes required to successfully comply with the ruling should be consistent with the existing organizational culture. Changes that are consistent with the organizations beliefs, behaviours and assumptions are generally more likely to be successfully (Conner, 1998). In as far as it is possible the processes used to achieve compliance with 21 CFR part 11 should be consistent with existing organizational processes as in general it is much easier to align a change with an existing culture than to change the culture to be more supportive of the change (Conner, 1998) Defining policies and procedures: Policies and procedures required to achieve 21 CFR part 11 compliance should be established next. Many companies combine internal resources with third party experts at this stage as the experience of consultants in developing policies and procedures for other companies can speed the process and ensure that it is complete (Allen & Brandt, 2002). The policies and procedures should include system validation, development and deploying systems according to a formal methodology, physical and logical security, backup and recovery, system operations, staff training, change control, contingency planning, and use of purchased systems (Grunbaum, 2002). Once an organization has a framework of policies and procedures in place it should be disseminated throughout the company by meetings and training classes (Phan, 2002) Inventorying systems and prioritising the inventory: Inventorying systems involves
Inventorying systems and prioritizing the inventory
Performing gap analysis
Applying risk management techniques to the gap analysis
Formulating and implementing a plan for bringing systems into compliance
Remaining compliant
Figure 5.1 Framework for achieving 21 CFR part 11 compliance (adapted from Phan, 2002) Establishing a sense of urgency and creating a guiding coalition. Establishing a sense of urgency is essential to obtain cooperation throughout an organization when managing any change. Transformations will always fail to meet their objectives when complacency levels are low (Kotter, 1995). There is evidence in the pharmaceutical industry that compliance with 21 CFR part 11
____________________________________________________________________
11
Using electronic records and signatures with FDA ruling 21 Colm o Suilleabhain __________________________________________________________________________________
both an inventory of system hardware and software and network architecture documentation, After all computerised systems have been inventoried those systems that fall under the requirement to comply with 21 CFR Part 11 should be identified (Grunbaum, 2002). Two criteria are used to establish if a system is governed by the ruling The process or the applicable data is covered under an existing FDA regulation. The computer system is being used to create, modify, maintain, archive, retrieve, or transmit data that is governed by the ruling. The task of establishing the systems that are governed by the ruling is by no means trivial Name of system EDMS WMS MRP and ERP SCADA PLC and DCS LIMS CTMS Maintenance and calibration Manufacturer
as the number of computer systems used to process electronic records in FDA governed industries is vast. These include electronic document management systems (EDMS); warehouse management systems (WMS); materials resource planning (MRP) and enterprise resource planning (ERP) systems; programmable logic control (PLC), data control system (DCS), and supervisory control and data acquisition (SCADA) reporting systems; laboratory information management systems (LIMS); clinical trial management systems (CTMS); and maintenance and calibration systems as can be seen in table 5.2 (Phan, 2002)
Quality and Manufacturing Information Management System (Pilgrim Software Inc.); Documentum 4i; and DocControl Manager (Documentum Corp.) MARC System (TRW Inc.); Visual Distribution -WMS (Lilly Software Associates Inc.) MFG/Pro (QAD Corp.); SAP R/3 and mySAP.com (SAP AG); BPCS (SSA Global Technologies Inc.); Navision XAL (Navision a/s) CIMScan (CIMTechniques Inc.); Intellution iFix (Emerson Corp.) ;InTouch, InBatch, and InSQL (Wonderware Corp.) SIMATIC Series (Siemens AG); Allen-Bradley PLC 5 and SLC Series (Rockwell Automation Inc.) Fisher-Rosemount Delta V (Emerson Corp.); Advant (ABB Corp.) Millennium (Waters Corp.); Agilent ChemStation (Agilent Corp.) InForm, InFusion, Clintrial, and Clintrace (Phase Forward Inc.); PMX-CTM (Propack Data Corp.) Advanced Maintenance Management System (Microwest Software Systems); Calibration Manager (Blue Mountain Quality Resources Inc.); GAGEtrak Calibration Management Software (CyberMetrics Corp.)
Table 5.2 Systems for managing electronic records in FDA regulated industries (Phan, 2002) Once an inventory of systems is produced the individual components in the inventory can be prioritised on the basis of the criticality of the system with regard to product risk, business risk and data risk. Where business risk is the risk to the organization of being cited by the FDA for failing to achieve compliance, product risk is the impact on product quality and data risk is the risk to the authenticity, integrity or other aspects of data quality (Phan, 2002) Gap analysis: Gap analysis is defined as an analysis of a process, product or set of products to determine if they are missing elements in that process (Brower, 2002) Both computer controls and company procedural controls should be addressed as a part of the gap analysis. Approaches to gap analysis that have proved effective in the past include the use of a matrix of 21 CFR part 11 requirements versus how those requirements are implemented (Brower, 2002). The use of such assessment tools enforces consistency and ultimately accelerates and optimises the gap analysis (Phan, 2002). The tools used to aid the gap analysis should address the existence and adequacy of the following items for systems affected by the ruling (Grunbaum, 2002). Documentation relating to functional requirements
____________________________________________________________________
12
Using electronic records and signatures with FDA ruling 21 Colm o Suilleabhain __________________________________________________________________________________
Documentation relating to technical specifications Documentation on the applicability of 21 CFR part 11 to the system and on how the requirements occurring as a result of the ruling are being addressed Test plans and test results Evidence of validation
covered by 21 CFR part 11 and on system functions that might have been affected by technical changes implemented to achieve compliance (Phan, 2002) Remaining compliant: Two of the major mistakes identified as a reason for the failure of transformations in organizations are managers declaring victory too soon and a failure to anchor the changes in the organizational culture (Kotter, 1995). In the case of managing changes occurring as a result of 21 CFR part 11 these errors can be avoided by ensuring that systems, controls and procedures are put in place to ensure the organization remains compliant (Grunbaum, 2002). Once compliance is achieved it is important to make certain that momentum is not lost. Successful transformations use initial success to change systems and structures that are not consistent with the transformation culture and that have not been confronted before (Kotter, 1996). Most of the issues discussed in relation to becoming compliant with 21 CFR part 11 were technical in nature however, maintaining compliance requires the implementation of controls that address issues of organizational culture and personnel issues as well as technical issues. The issues that need to be addressed to ensure compliance is maintained include (Grunbaum, 2002). The management of SOPs pertaining to the ruling Training of employees who interact with 21 CFR part 11 systems Ensuring that only qualified individuals perform or have responsibility for regulated processes The establishment of an internal quality assurance auditing and inspection mechanism for the detection of areas of non compliance
Applying risk management techniques to the gap analysis: The purpose of this step is to prioritise the gap analysis findings in order to identify the systems posing the greatest risk to the organization. The risk posed can be categorised by the extent of a systems deviation from 21 CFR part 11 requirements, the importance of the quality of the data generated by the system and the importance of the system to product quality and safety. The categorisation of systems at this stage, using risk management techniques, allows companies to devote the most resources to systems posing the highest levels of risk to the organization (Phan, 2002) Formulating and implementing a plan for bringing systems into compliance: The plan should specify a corrective action for each issue identified by the previous steps. Formulation of the plan should identify roles and responsibilities, resource requirements, short and long-term goals and target dates. Before implementation the plan should be reviewed by representatives of company management, quality assurance and information technology (Grunbaum, 2002). Five approaches have been identified in bringing systems into compliance (Phan, 2002). 1. Discontinue using the affected system 2. Use a paper based approach for affected processes 3. Implement additional procedural and administrative controls until a technical solution can be implemented 4. Upgrade a non compliant system to a compliant by the use of technical solutions such as software patches and system upgrades 5. Purchase or develop compliant replacement systems Once the plan for compliance has been fully implemented the system should be requalified. The requalification should focus on key areas
6. A framework for identifying critical success factors in achieving 21 CFR part 11 compliance
This section looks at compliance with 21 CFR part 11 in an organizational context, identifies the advantages to organizations in complying with the ruling and in successfully utilising electronic records and extends a generic framework to include both critical success factors for the successful implementation of electronic records and the technologies that will be required for the these critical success factors to be achieved.
____________________________________________________________________
13
Using electronic records and signatures with FDA ruling 21 Colm o Suilleabhain __________________________________________________________________________________
6.1 Compliance with 21 CFR part 11 as a strategic issue
Although the bulk of current literature on compliance with 21 CFR part 11 is concerned with the technological challenges of becoming compliant change of such a fundamental nature will pose challenges that cannot be overcome by merely technical solutions (Noferi et al., 2002). At the strategic level the regulation should be viewed as an opportunity rather than as a threat. The compliance process gives organizations the opportunity to implement process alterations that can change them into more efficient organizations. If a compliance strategy is developed with a key business context it could provide the impetus for FDA regulated enterprises to remould
existing practices and design procedures that take full advantage of electronic technology (Brant & Rozwell, 2002). Compliance can be the catalyst for the reengineering and restructuring of processes that would not be possible with manual systems (Miklovic & Rozwell, 2002). To understand how the compliance with 21 CFR part 11 can be an organizational opportunity rather than a threat it is necessary to view an organization from a sociotechnological point of view. Sociotechnical theory divides an organization into four interrelated elements tasks, people, structure and technology as shown in figure 6.1 (Lucey 1997)
Technology
Structure
People
Tasks
Figure 6.1 Socio-technical view of an organization (Lucey, 1997) (Greenemeier, 2003). 21 CFR part 11 while it As mentioned previously current literature has is another challenge could be an opportunity focussed on merely the technology sub-system for organizations to realise the strategic when discussing compliance with 21 CFR part benefits and business value of their 11 with the other three sub-systems mainly information systems and their information being ignored. However, the socio-technical technology architecture. The regulation can be approach emphasises that processes should be seen as symptomatic of the changes occurring both technically and organizationally valid as a result of the transformation from the Old (Rai & Ravichandran, 2000). This approach Economy, with its emphasis on tangible assets looks at both the sub-systems and their intersuch as capital, land and labour, to the New relationships thus providing a comprehensive Economy where the emphasis is primarily on view of the impact of any process on an information, knowledge and technology .The organization (Lucey, 1997) pharmaceutical industry is not alone in failing to adapt to era where competitive advantage is The pharmaceutical industry has faced many based on knowledge creation and most value challenges in recent years relating to added in the majority of businesses is in the information technology including the form of knowledge, not materials. In most integration of disparate technologies occurring organizations more management time and as a result of mergers and acquisitions, the attention is still devoted to tangibles (Lang, deployment of state of the art enterprise se 2000). This slowness to adapt is having a resource planning applications and the detrimental affect on competitiveness of the management of the vast amounts of data pharmaceutical industry (Uehling 2002). To generated as part of the business successfully adapt to the changes occurring as
____________________________________________________________________
14
Using electronic records and signatures with FDA ruling 21 Colm o Suilleabhain __________________________________________________________________________________
a result of the switch to the new economy organizations need to establish a knowledge architecture that meets changing needs, ensures compliance with regulations and creates suitable conditions for the management and use of information (Noferi et al., 2002).
6.2 Organizational benefits of compliance
Several benefits of compliance were identified by industry sources in comments on the advance notices of proposed rulemaking these included the increased speed of information exchange, cost savings from reducing storage space, reduced errors, data integration, product improvement, manufacturing process streamlining, improved process control and reduced vulnerability of electronic signatures to fraud and abuse. Another comment said that successful adoption of compliance with part 11 would have a significant effect on future competitiveness (FDA 1, 1997). Some of the key advantages that can be realised with the successful adaptation to the FDAs ruling on electronic records and signatures are listed below. The use of electronic records will allow increased time for data analysis and will reduce the time that is required to be spent on data capture and cleansing (Miklovic & Rozwell, 2002). Automated databases will enable more advanced and speedier analysis of data, will allow information to be viewed from multiple perspectives and will enable the identification of trends, patterns and behaviours (FDA 1, 1997) The use of electronic records in accordance with 21 CFR part 11 can help establish the authenticity of the record and thus allows for the record to be admissible as evidence in a legal disputes (Noferi et al., 2002). The use of electronic records can reduce the likelihood of litigation because enhanced management of data produced by clinical trials could result in the detection of problems with products earlier. To illustrate the financial implications of mishandled data at the clinical stage American Home Products spent $3.75 billion dollars resolving a class-action settlement when its diet
drug Fen-Phen killed 31 patients (Uehling, 2002). Since electronic records can be searched more accurately and completely than paper records product recalls can be done quickly and accurately. This protects against both the possibility of litigation due to inadequate response times and against over recalling the product (Miklovic & Rozwell, 2002). Compliance with the ruling will reduce errors from misfiling (Miklovic & Rozwell, 2002). For instance in clinical trials software can be used to alert relevant personnel if a patient is signed up who breaches the rules of the trial, for example on the basis of weight or age, as a result of a misfiling. This may seem trivial but such a misfiling error would result in major documentation changes in order to prove to the FDA that the initial recording was an error. It must also be proven that the personnel who discovered, investigated and corrected the error did so properly (Uehling, 2002). The use of electronic records rather than traditional paper based systems will greatly reduce the amount of storage space required and will reduce the cost of shipping costs for transmission of data to the FDA (FDA1, 1997). The amount of storage space required for paperbased records is large and costly. The use of electronic records will both reduce the cost of storage and free up organizational space for more productive usages (Schank & Torres, 2002)
6.3 A framework for the identification of critical success factors for the use of electronic records
The framework in figure 6.2 was adapted from a framework designed by Michael J. Earl (Earl, 1989) The original framework was more generic and addressed a number of business objectives (Earl, 1989) however, in this case the framework has been tailored specifically for the use of electronic records and compliance with 21 CFR part 11.
____________________________________________________________________
15
Using electronic records and signatures with FDA ruling 21 Colm o Suilleabhain __________________________________________________________________________________
Organizational Objectives Achieve compliance with 21 CFR part 11 Successful implementation and use of electronic records throughout the organization
Critical Success factors Develop corporate strategy for effective management of data Improve new drug time to market by achieving rapid regulatory approval Improve efficiency of mechanism for product recalls Achieve full compliance with 21 CFR part 11 Maximise business value from technology installed to achieve compliance Improved information transfer and availability throughout the organization
Technologies and processes required Knowledge management Technologies Creation of steering committee to manage changes Technologies for electronic validation and global compliance Technologies for achieving compliance with 21 CFR part 11 Technologies and processes to guarantee security of data Data mining technologies
Figure 6.2 Framework for the identification of critical success factors and enabling technologies for the successful organizational implementation of electronic records As can be seen from figure 6.2 organizational compliance should involve more than just minimising regulatory risk. The use of electronic records can provide business and management opportunities by acting as a strategic weapon to gain competitive advantage, to improve productivity and performance and by enabling new ways of managing and organising the business (Earl, 1989). The critical success factors listed for achieving the two objectives in the framework are those factors that determine if compliance with 21 CFR part 11 has been achieved and if the changes occurring as a result are being used for the strategic advantage of the organization. The enabling technologies and processes that are listed in figure 6.2 are generic in nature and are by no means complete. The number of specific technologies and processes that could be used
____________________________________________________________________
16
Using electronic records and signatures with FDA ruling 21 Colm o Suilleabhain __________________________________________________________________________________
for organizations to achieve the critical success factors is numerous and is beyond the scope of this paper. The critical success factors used in the framework were discussed in section 6.2. The enabling technologies and process used to achieve these critical success factors are discussed below Knowledge management technologies have been identified as a tool that supports the changes in the drug discovery process necessary to achieve improvements in speed, efficiency and cost-effectiveness. The use of knowledge management techniques to aid the drug discovery process will require the tailoring of existing knowledge management techniques to the pharmaceutical industry-specific processes and issues (Sumner-Smith, 2000). The creation of a steering committee sends a signal throughout an organization that old ways are redundant and increases the visibility of change (Earl, 1989) The make up of the steering committee its members should reflect the crossfunctional effect of changes and have representatives from senior management the quality assurance and information technology department (Phan, 2002) Electronic validation allows for the use of electronic validation records signed with electronic signatures. The controls used to ensure the security of e-validation are similar to those used in the implementation of 21 CFR part 11. Although this technology is in its infancy and is expensive and difficult to implement it is likely that as it becomes increasingly used in the pharmaceutical industry costs will drop and the difficulties of implementation will lessen (Schank & Torres, 2002). New technologies can be used to ensure safe and cost effective global compliance. For example enterprise calibration management systems can be hosted centrally while using a distributed web architecture to allow world wide access to separate departments and facilities (Erickson, 2002) The technologies for achieving compliance with 21 CFR part 11 have been discussed previously and
include such features as audit trails, security features and biometrics As FDA regulated industries shift from paper-based records to electronic records the security of the records will become more a cause for organizational concern (FDA1, 1997). The security and privacy risks that organizations are willing to accept involve trade-offs between the level of protection, the cost and inconvenience. Senior managers in the firm should decide on these trade offs and data security should be regarded as an organizational rather than an information technology issue (Ross & Weill, 2002). Some of the technologies and processes used to maximize data security have been discussed in sections 3 and 4 and include the use of firewalls, encryption, digital signatures and biometrics. As stated previously pharmaceutical companies generate large quantities of data. Data mining methods can be used to extract information from the large bodies of data that will be available in electronic form following compliance with 21 CFR part 11. This information can be used to improve manufacturing efficiency and quality control and to accelerate product development (Smith, 2002)
7 Conclusions
21 CFR part 11 electronic records, electronic signatures final rule allows the FDA to accept electronic submissions without an accompanying paper archival copy. The ruling legislates for the use of electronic records and signatures in FDA regulated environments it requires the use of such controls as system validation, system security, documentation management, the control of user passwords and identification and the use of audit trails. This seemingly trivial piece of legislation has caused major difficulties for many FDA regulated organizations. Among the many issues causing problems for organizations in becoming compliant are the cost, the volume of systems that have to be brought into compliance, the training of personnel, bringing legacy systems into compliance and ensuring that the data generated by external organizations during clinical trials is compliant with the ruling.
____________________________________________________________________
17
Using electronic records and signatures with FDA ruling 21 Colm o Suilleabhain __________________________________________________________________________________
Two of the main processes used to achieve compliance with the ruling are system validation and risk management techniques the FDA recommends that both these processes can be used to assist in becoming 21 CFR part 11 compliant. Existing frameworks for achieving compliance with 21 CFR part 11 have concentrated on the technical aspects of compliance. This paper took both an organizational and a technical view of compliance. Two existing frameworks were extended in order to highlight the organizational and strategic aspects for implementing electronic records and signatures in FDA regulated environments. The first framework was a multi step process for achieving compliance with 21 CFR part 11. Steps for managing the implementation of electronic records and signatures as an organizational change were included. These addressed the alignment of changes with the organizational culture, the creation of a sense of urgency, and the creation of an organizational culture for maintaining compliance. The second framework that was adapted contained both critical success factors for achieving compliance and implementing electronic records and technologies that enable organizations to achieve these critical success factors. The critical success factors identified in this framework go beyond compliance with the ruling and address the successful use of electronic records to achieve competitive advantage. Further research is required to identify the metrics and key performance indicators, which could be used to confirm when organizations have achieved these critical success factors, and to investigate emerging technologies that could be used to maximise the business benefit of electronic records. In conclusion this paper although acknowledging that there are many difficulties achieving 21 CFR part 11 compliance argues that it should primarily be viewed as an organizational issue. Regarding 21 CFR part 11 and the implementation of electronic records as an organizational opportunity rather than as a technical threat will enable organizations to maximise the business value of information technology and to move towards a knowledge based economy.
References ALLEN, P. W. and BRANDS, C. (2002) 21 CFR Part 11 --- Moving beyond planning to compliance Pharmaceutical Technology IT innovations 2002 BECK, J. (2000) Beyond validation: the competitive advantage of software process excellence Journal of Validation Technology, November 2000 BERNS, A. (2002), Conducting sponsor audits and evaluations of clinical service providers for compliance with 21 CFR part 11 American Pharmaceutical Review, Winter 2002 BRANT, K. and ROZWELL C. (2002), The Keys to 21 CFR part 11 Compliance, The Gartner group http://www4.gartner.com/DisplayDocume nt?id=357755&ref=g_search Accessed on 16/03/2003 BROWER, G.N. (2002) Performing a part 11 gap analysis: a case study Journal of Validation Technology, August 2002 BUDIHANDOJO, R. and Huber L. (2001) Qualification of network components and validation of networked systems Biopharm, October 2001 CANALE, M. (2002) Practical solutions for 21 CFR part 11 compliance in the laboratory Pharmaceutical Technology IT innovations, 2002 DICKSON, J. (2002) Configuring software for compliance with 21 CFR part 11 audit trail requirements Pharmaceutical Technology IT innovations, 2002 DILLON, R., NOFERI, J. F. and WORDEN, D. E. (2002) 21 CFR part 11: (Un) Expected added value, Biopharm October, 2001 EARL, M.J. (1989) Management strategies for information technology Prentice Hall ERICKSON, J. (2002) Establishing global GMP compliance with an enterprise calibration management system Pharmaceutical Technology IT Innovations 2002
____________________________________________________________________
18
Using electronic records and signatures with FDA ruling 21 Colm o Suilleabhain __________________________________________________________________________________
FDA 1, (1997) 21, CFR part 11 electronic records, electronic signatures; Final rule electronic submissions; Establishment of public docket notice February 1997 FDA 2, (1997) Medical device software validation, guidance for industry, General principles of software validation, June 1997 FDA, (1999) Guidance for industry: Computerized Systems used in Clinical Trials, US Department of Health and Human Services April 1999 FDA 1, (2001) Guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures Validation, August 2001. FDA 2 (2001) Guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures Glossary of terms, August 2001. FDA 3, (2002) Guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures Electronic Copies of Electronic Records, August 2002 FDA 4, (2002) 21 CFR part 820 Quality System Regulation, August 2002 FDA 5, (2002) General principles of software validation; Final guidance for industry and FDA staff US Department of health and human services, Food and drug association FDA 1, (2003) FDA overview. URL: http://www.fda.gov/opacom/fda101/fda10 1text.html. Accessed on 21/03/03 FDA 2, (2003) History of the FDA URL: http://www.fda.gov/oc/history/historyoffda /default.htm Accessed on 21/03/2003 FDA 3, (2003) Guidance for industry Part 11, Electronic Records, Electronic Signatures Scope and Application. February 2003. FIELDS, M. H. (2002), The implications of 21 CFR part 11 for clinical research, American Pharmaceutical Review, Spring 2002 GAMBRILl, S. (2002), The (Un) Expected outcome of 21 CFR part 11 compliance Centerwatch June 2002
GREENEMEIER, L. (2003), Managing Documents: The Pharmaceutical Challenge, InformationWeek, April 2 2003 GRUNBAUM, L.A. (2002) Remaining in a 21 CFR Part 11 Compliant State, Journal of GXP compliance, April 2002 HALLS, P.D. and MATLIS, D.R. (2002) Evaluating legacy computer systems for compliance with the quality system regulation Journal of validation technology, March 2002 ISPE, (2002) Risk based approach to 21 CFR part 11 URL: http://www.ispe.org/02pdf/pt11WhitePape r.pdf Accessed on 14/04/2003 KOTTER, J.P. (1995) Leading change why transformation efforts change Harvard business review, March-April 1995 KOTTER, J.P. (1996) Leading change Harvard Business School Press LANG, J. C. (2002) Managing in knowledge based competition Journal of Organizational Change Management, Vol 14 Issue, 6 LOPEZ, O. (2000) Implementing software application compliant with 21 CFR part 11 Pharmaceutical Technology, March 2000 LOPEZ, O. (2002) Implementing software applications compliant with 21 CFR part 11 Pharmaceutical Technology, March, 2002 LUCEY, T. (1997) Management Information Systems Continuum MCDOWELL, R.D. (2002) Electronic Signatures: Systems or Applications? American Pharmaceutical Review, Spring 2002 MIKHOLA, C. and RIOS, M. (2002) Regulatory compliance training who needs it Pharmaceutical Technology IT innovations, 2002 MIKLOVIC, D. and ROZWELL, C. (2002) Truth and misconceptions: The Federal
____________________________________________________________________
19
Using electronic records and signatures with FDA ruling 21 Colm o Suilleabhain __________________________________________________________________________________
electronic records statute, The Gartner group URL: http://www.gartnerg2.com/resaerch/rpt0502-0077.asp Accessed on 16/03/2003 PHAN, T. (2002) 21 CFR part 11: How and why to comply, MX information technologies, Sept/Oct 2002. PHAN, T. (2003) Technical considerations for the validation of electronic spreadsheets for complying with 21 CFR part 11 Pharmaceutical Technology, January 2003 RAI, A. and RAVICHANDRAN T. (2000) Quality Management in systems development: an organizational system perspective, MIS Quarterly, September 2000 RSA security (2002) 21 CFR part 11: Meeting the FDAs requirements for electronic records and electronic signatures used in the pharmaceutical industry ROSS, J. W. and WEILL P. (2002) Six IT decisions your IT people shouldnt make Harvard Business Review, November 2002 SCHANK, P.N, and TORRES, C.M. (2002) Evalidation a method for electronic validation protocol generation, approval and execution Pharmaceutical Technology IT Innovations 2002 SMITH, K. (2002) Analytical data management and archiving 21 CFR part 11 compliance and beyond Pharmaceutical Technology Asia, April 2002 SUMNER-SMITH, M. (2000) Practical knowledge management for drug discovery Scientific computing and instrumentation August 2002 UEHLING, M.D. (2002) Clinical trial data management tortured by paper Bio-IT World, August 13, 2002
Copyright 2003 Colm O Silleabhin The author assigns to Dublin Institute of Technology a non-exclusive licence to use this document for personal use and in courses of instruction provided that the article is used in full and this copyright statement is reproduced. The author also grants a non-exclusive licence to Dublin Institute of Technology to publish this document in full on the World Wide Web (prime sites and mirrors) and in
printed form within Dublin Institute of Technology publications. Any other usage is prohibited without the express permission of the author
____________________________________________________________________
20
S-ar putea să vă placă și
- The Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good LifeDe la EverandThe Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good LifeEvaluare: 4 din 5 stele4/5 (5794)
- The Gifts of Imperfection: Let Go of Who You Think You're Supposed to Be and Embrace Who You AreDe la EverandThe Gifts of Imperfection: Let Go of Who You Think You're Supposed to Be and Embrace Who You AreEvaluare: 4 din 5 stele4/5 (1090)
- Never Split the Difference: Negotiating As If Your Life Depended On ItDe la EverandNever Split the Difference: Negotiating As If Your Life Depended On ItEvaluare: 4.5 din 5 stele4.5/5 (838)
- Hidden Figures: The American Dream and the Untold Story of the Black Women Mathematicians Who Helped Win the Space RaceDe la EverandHidden Figures: The American Dream and the Untold Story of the Black Women Mathematicians Who Helped Win the Space RaceEvaluare: 4 din 5 stele4/5 (894)
- Grit: The Power of Passion and PerseveranceDe la EverandGrit: The Power of Passion and PerseveranceEvaluare: 4 din 5 stele4/5 (587)
- Shoe Dog: A Memoir by the Creator of NikeDe la EverandShoe Dog: A Memoir by the Creator of NikeEvaluare: 4.5 din 5 stele4.5/5 (537)
- Elon Musk: Tesla, SpaceX, and the Quest for a Fantastic FutureDe la EverandElon Musk: Tesla, SpaceX, and the Quest for a Fantastic FutureEvaluare: 4.5 din 5 stele4.5/5 (474)
- The Hard Thing About Hard Things: Building a Business When There Are No Easy AnswersDe la EverandThe Hard Thing About Hard Things: Building a Business When There Are No Easy AnswersEvaluare: 4.5 din 5 stele4.5/5 (344)
- Her Body and Other Parties: StoriesDe la EverandHer Body and Other Parties: StoriesEvaluare: 4 din 5 stele4/5 (821)
- The Sympathizer: A Novel (Pulitzer Prize for Fiction)De la EverandThe Sympathizer: A Novel (Pulitzer Prize for Fiction)Evaluare: 4.5 din 5 stele4.5/5 (119)
- The Emperor of All Maladies: A Biography of CancerDe la EverandThe Emperor of All Maladies: A Biography of CancerEvaluare: 4.5 din 5 stele4.5/5 (271)
- The Little Book of Hygge: Danish Secrets to Happy LivingDe la EverandThe Little Book of Hygge: Danish Secrets to Happy LivingEvaluare: 3.5 din 5 stele3.5/5 (399)
- The World Is Flat 3.0: A Brief History of the Twenty-first CenturyDe la EverandThe World Is Flat 3.0: A Brief History of the Twenty-first CenturyEvaluare: 3.5 din 5 stele3.5/5 (2219)
- The Yellow House: A Memoir (2019 National Book Award Winner)De la EverandThe Yellow House: A Memoir (2019 National Book Award Winner)Evaluare: 4 din 5 stele4/5 (98)
- Devil in the Grove: Thurgood Marshall, the Groveland Boys, and the Dawn of a New AmericaDe la EverandDevil in the Grove: Thurgood Marshall, the Groveland Boys, and the Dawn of a New AmericaEvaluare: 4.5 din 5 stele4.5/5 (265)
- A Heartbreaking Work Of Staggering Genius: A Memoir Based on a True StoryDe la EverandA Heartbreaking Work Of Staggering Genius: A Memoir Based on a True StoryEvaluare: 3.5 din 5 stele3.5/5 (231)
- Team of Rivals: The Political Genius of Abraham LincolnDe la EverandTeam of Rivals: The Political Genius of Abraham LincolnEvaluare: 4.5 din 5 stele4.5/5 (234)
- On Fire: The (Burning) Case for a Green New DealDe la EverandOn Fire: The (Burning) Case for a Green New DealEvaluare: 4 din 5 stele4/5 (73)
- The Unwinding: An Inner History of the New AmericaDe la EverandThe Unwinding: An Inner History of the New AmericaEvaluare: 4 din 5 stele4/5 (45)
- How To Sell On ScribdDocument2 paginiHow To Sell On ScribdHugiies TydedÎncă nu există evaluări
- Swap RevisedDocument36 paginiSwap RevisedrigilcolacoÎncă nu există evaluări
- The Page Cannot Be Found: Custom Error MessagesDocument14 paginiThe Page Cannot Be Found: Custom Error MessagesMuhammad Umar AshrafÎncă nu există evaluări
- 10th Henry Dunant Regional Moot Memorial RulesDocument13 pagini10th Henry Dunant Regional Moot Memorial RulesRajat DuttaÎncă nu există evaluări
- Institutions in KoreaDocument23 paginiInstitutions in Koreakinshoo shahÎncă nu există evaluări
- Chapter06 ProblemsDocument2 paginiChapter06 ProblemsJesús Saracho Aguirre0% (1)
- Jurnal Deddy RandaDocument11 paginiJurnal Deddy RandaMuh Aji Kurniawan RÎncă nu există evaluări
- ACT-Act No. 3110 (Reconstitution of Judicial Records)Document10 paginiACT-Act No. 3110 (Reconstitution of Judicial Records)xteriyakixÎncă nu există evaluări
- Commencement of A StatuteDocument110 paginiCommencement of A StatutePrasun Tiwari80% (10)
- How To File Motionin in New JerseyDocument11 paginiHow To File Motionin in New Jerseyrajinusa100% (1)
- M. C. Mehta V. Union of IndiaDocument14 paginiM. C. Mehta V. Union of Indiashort videosÎncă nu există evaluări
- Evidence Drop: Hawaii DOH Apparently Gave Obama Stig Waidelich's Birth Certificate Number - 3/27/2013Document62 paginiEvidence Drop: Hawaii DOH Apparently Gave Obama Stig Waidelich's Birth Certificate Number - 3/27/2013ObamaRelease YourRecords100% (3)
- Business Combination AccountingDocument3 paginiBusiness Combination AccountingBrian PuangÎncă nu există evaluări
- Graph and MatricesDocument17 paginiGraph and Matricessanjay975Încă nu există evaluări
- CAF608833F3F75B7Document47 paginiCAF608833F3F75B7BrahimÎncă nu există evaluări
- Case Digests On Libel CM 217 - Mass Media Law: Gossip Tabloid Had A Nationwide CirculationDocument18 paginiCase Digests On Libel CM 217 - Mass Media Law: Gossip Tabloid Had A Nationwide CirculationJacquelyn RamosÎncă nu există evaluări
- Factoring FSDocument13 paginiFactoring FSAvinaw KumarÎncă nu există evaluări
- Iem GM Form PDFDocument2 paginiIem GM Form PDFAbdul KarimÎncă nu există evaluări
- Technical Report 2014 0055Document25 paginiTechnical Report 2014 0055Trisno SupriyantoroÎncă nu există evaluări
- Group Ii - Answers To Guide Questions No. 4Document30 paginiGroup Ii - Answers To Guide Questions No. 4RayBradleyEduardoÎncă nu există evaluări
- Santhosh Kumar .A: Covering LetterDocument4 paginiSanthosh Kumar .A: Covering LetterenvsandyÎncă nu există evaluări
- Eltek FP2 IndoorDocument1 paginăEltek FP2 IndoorDmiÎncă nu există evaluări
- Case No. 13 - ROBERTO S. BENEDICTO and HECTOR T. RIVERA vs. THE COURT OF APPEALSDocument2 paginiCase No. 13 - ROBERTO S. BENEDICTO and HECTOR T. RIVERA vs. THE COURT OF APPEALSCarmel Grace KiwasÎncă nu există evaluări
- Title Pages 1. 2: 22167 Sexuality, Gender and The Law STUDENT ID: 201604269Document21 paginiTitle Pages 1. 2: 22167 Sexuality, Gender and The Law STUDENT ID: 201604269Joey WongÎncă nu există evaluări
- Caoile EFT Authorization Form - EnglishDocument2 paginiCaoile EFT Authorization Form - EnglishSaki DacaraÎncă nu există evaluări
- Summary of Grades of Grade 10 OrchidsDocument2 paginiSummary of Grades of Grade 10 OrchidsFarinasIsisAngelicaPÎncă nu există evaluări
- 90 Cameron Granville V ChuaDocument1 pagină90 Cameron Granville V ChuaKrisha Marie CarlosÎncă nu există evaluări
- 2020.11.30-Notice of 14th Annual General Meeting-MDLDocument13 pagini2020.11.30-Notice of 14th Annual General Meeting-MDLMegha NandiwalÎncă nu există evaluări
- TeSys D - LC1DWK12M7Document3 paginiTeSys D - LC1DWK12M7anm bÎncă nu există evaluări
- The Medical Act of 1959Document56 paginiThe Medical Act of 1959Rogelio Junior RiveraÎncă nu există evaluări
