21 CFR Part 11 Revisited.

A Risk-Based Approach for Networked Data System Compliance and the Role of Network Qualification

Peter Harrison
Informatics Consultant on behalf
of Agilent Technologies

ISPE Philippines
May 2015

Agenda For Today’s Discussion

1. Review the history of the FDA’s 21 CFR Part 11 requirements.
2. Examine requirements for compliance with today’s networked chromatography data systems.
3. Overview of networks as part of the compliance picture.

Original Intent of 21 CFR Part 11 and the Reality

Original Intent (1997)

• Define Technical Controls for electronic records used in lieu of paper
• Enable the use of new technology
• Speed up the submission process
• Get the paper process under control

Reality by 2003

• Industry became paranoid after seeing Part 11 enforced by the FDA
• Some firms went back to paper to avoid Part 11
• Validation efforts escalated – firms were trying to validate operating systems, word processors, air conditioning systems etc.

21 CFR Part 11 compliance today

• Implementation of the technical controls is defined by the company in a documented risk analysis.
• Risk viewpoint is dictated by any impact on product quality, data integrity and public health.
• FDA continues to enforce predicate rule requirements for systems that are subject to Part 11, such as Validation and Training, Security, Data Integrity and Accountability

Impact on Networked Chromatography Data Systems

• The use of Chromatography Data Systems for QC analysis of final drugs represents a high risk on product quality and safety and so little has changed from a compliance perspective!
• FDA will scrutinize areas with high impact on product quality according to existing GxPs

Agilent OpenLAB CDS and ECM technology today.

Current CDS technology is scalable from a single workstation to …

Agilent OpenLAB CDS and ECM technology today.

Multi-site Enterprise networked solutions.

Centralised Administration and Data Storage

Agilent uses a Shared Services Server for central administration of instruments, user security, user roles, data storage configuration and more.

ECM is a scientific data management system which provides capabilities for compliance with electronic record storage which includes data security, revision management, e-signatures, data archival and data searching.

Electronic Record Life Cycle
OpenLAB ECM supports hierarchical storage management and
multiple retention policies

[Figure: electronic record life cycle; labels: Metadata, File Storage, Raw Data, Database, File Transfer Services, Retention Policy, Time]

Networks are part of the Compliance Picture!

“With the proliferation of client/server systems in laboratories subject to GxP and 21 CFR Part 11, the operation and qualification of the network infrastructure needs to be an integral part of a company’s validation strategy.”
Agilent Technologies Wolfgang Winter

“The validated status of GxP applications that are dependent upon underlying IT infrastructure is compromised if the IT infrastructure is not maintained in a demonstrable state of control and regulatory compliance.

The consequences of the IT infrastructure being out of effective control can be significant. Depending on the nature of a failure, an entire site or geographic region of operations could be brought to a standstill while the problem is resolved.”
GAMP Good Practice Guide – IT Infrastructure Control and Compliance

Computer Network Infrastructure (CNI)
Problem Statement
•Networks are heterogeneous: containing a multitude of hardware components and communication protocols
•A change to a network component has the potential to affect many other components and applications
•Many people (with “business tasks”) who may not be trained on GxP’s will have access to the network
•The CNI must be compliant, but many components (cabling, utilities, etc.) won’t have validation plans.

•The network requires frequent changes, additions and repairs, but it cannot be taken out of service

Computer Network Infrastructure (CNI)
Risk Assessment

•Risk assessment can be undertaken in two phases:
   1. Risk or Hazard Identification
   2. Risk Analysis and prioritization
•It has been suggested that these may be subdivided into a further 9 steps (ref. NIST Guide to Risk Management for Information Technology)
•For this discussion we will use the GAMP two stage approach.

Risk Assessment – Input to the process

•Platform specifications (hardware and software)
•Architecture / topology diagrams
•Applied or planned security policies or requirements
•Requirements from the application (system/data) owners
•Levels of staff training and experience
•Current or planned controls that may prevent, detect or mitigate harm before serious damage occurs

Risk Assessment – Output from the analysis process

•Identification of the infrastructure objects scoped by the process
•The hazards threatening the infrastructure’s ability to meet critical requirements
•The vulnerabilities that may require further consideration
•A list of critical controls

GAMP Risk Assessment – Stage 1
•Input to this step can be largely subjective if little qualitative data exists to support the assessment.
•It is really important that experienced people with a well-balanced understanding of the subject matters are involved.

[Figure: Risk Classification matrix; labels: Hazard / Impact, Likelihood of Occurrence, High, Medium, Low, Level 1, Level 2, Level 3]

GAMP Risk Assessment – Stage 2
•In this step we map the level of the risk against the likelihood that it will be detected to determine a risk priority.
•Again it is really important that Subject Matter Experts and knowledgeable stakeholders are involved.
•Once a risk is prioritized it should be evaluated to determine what controls need to be in place to mitigate the risk to an acceptable level.

[Figure: Risk Priority matrix; labels: Risk Classification (Level 1, Level 2, Level 3), Probability of Detection, High Priority, Medium Priority, Low Priority]

Examples using the GAMP Risk Assessment Approach

| Hazard | Risk Scenario | Impact | Likelihood of Occurrence | Probability of Detection | Risk Priority | Controls |
|---|---|---|---|---|---|---|
| Incorrect physical connection | No function or malfunction | High | Med | Med | Med | Network Diagrams; IQ |
| Failure of a component, e.g. network interface card | Performance degradation or loss of connection | High | Low | High | Low | Defined problem management process; Defined alarm logs |
| Access security compromised | Unauthorized modifications to data/records | High | Med | Low | High | Security procedures and policies; IQ/OQ |
| Insufficient network bandwidth | Applications run slowly | Low | Med | High | Low | Performance Monitoring routines |
| Installation of unauthorized software | Interference with operation of existing software | High | High | Low | High | Configuration management process; Periodic review |

Summary

• The use of Chromatography Data Systems for QC analysis of final drugs represents a high risk on product quality and safety and so little has changed from a compliance perspective!
• FDA will scrutinize areas with high impact on product quality according to existing GxP’s
• Network infrastructure can have a direct impact on laboratory data systems and must be maintained in a demonstrable state of control and meet compliance requirements.

Thank you for your attention!

References

1. 21 CFR 11 Revisited - Wolfgang Winter, Agilent Technologies, July 2003
2. Validation of Equipment and Computer Systems in Laboratories - Ludwig Huber, Compliance Fellow for Agilent Technologies, February 2004
3. ISPE GAMP Good Practice Guide - IT Infrastructure Control and Compliance, 2005
