Presentation by Daniel E.Worden March 25, 1999 Barnett International Workshop London

1. 21 CFR Part 11 Electronic Signatures / Records Strategies for Implementation and Compliance Presentation by Daniel E.Worden March 25, 1999 Barnett International Workshop London

2. AN OPENING THOUGHT "We are much more likely to act our way into a new way of thinking than think our way into a new way of acting"

3. PROGRESSIVE APPLICATION OF REGULATIONS Paper Electronic Records Signature None Handwritten Non-Biometric Biometric N / A Sec. 11.10 Sec. 11.10 Sec. 11.10 Sec. 11.10 + Sec. 11.70 + Sec. 11.70 + Sec. 11.70 + Sec. 11.50 + Sec. 11.100 + Sec. 11.200b + Sec. 11.50 + Sec. 11.100 + Sec. 11.200a + Sec. 11.300 Closed Systems Open Systems +Sec. 11.30 +Sec. 11.30 +Sec. 11.30 Sec. +11.30

4. APPLICABILITY OF PART 11 -GXP Training -GXP Tracking -SOP Systems GXP [ quality management systems ] GLP GCP GMP GISP * -Data Acquisition -Laboratory Information Management (LIMS) -Laboratory Robotics -Toxicology Systems -Stability Systems -Environmental Impact -Centralized Laboratory -Data Acquisition & Reporting -Remote Data Entry -Case Report Form Systems -Clinical Data management -Adverse Event Reporting -Clinical Supply Systems -Statistical Analysis Systems -Manufacturing Execution (MES) -Maintenance Management (MMS) -Calibration Management (MCS) -Facility Management Systems -Enterprise Resource Plan ( ERP) -SCADA Systems -Supply Chain Planning (SCP) -Internet Applications -EDI -PLC Systems -Document Management -Quality Management -Computer Assisted NDA (CANDA) *GISP- Good Information System Practices

5. THE FOUNDATION “The Agency believes that if it is important enough that a record be signed, human readable displays of such records must include the printed name of the signer, the date and time of signing, and the meaning of the signature”. Example: a message from a firm’s management to employees instructing them on a particular course of action may be critical in litigation.

6. THE DEFINITION Electronic record is defined as “any combination of text, graphics, data, audio, pictorial or other information representation in digital form that is created, modified, maintained, archived, retrieved or distributed by a computer system.”

7. ADVANTAGES / CHALLENGES • Electronic Batch records can eliminate mountains of paper work, speed processing and allow for statistical and trend analyses. • NDA’s and other submissions can be submitted electronically in place of paper submission. • Increases the speed of information exchange. • Cost savings from reduced need for storage space. • Manufacturing process streamlining. • Job creation in industries involved in electronic record and electronic signature technologies. • Firms planning on using electronic signatures in FDA regulated environments will be required to validate the computer related systems. • Design of systems must be well thought out and tested thoroughly. • Critical control points must be identified which can be monitored through electronic audit trails. • Adequate testing of security. • Fraud Detection

8. POTENTIAL ISSUES - THE AGENCY • GLOBAL • For geographically dispersed systems, inspections would extend to operations, procedures and controls at one location and the agency would inspect other locations of the network in a separate but coordinated manner. • OPERATIONAL • The word “ensure” is used in the regulations. It is usually defined as “to make certain”. How will this be interpreted by a field inspector? • It may be necessary to inspect hardware and software used to generate and maintain electronic records to determine if the provisions of part 11 are being met.” • The assessment of adequacy of systems validation will include inspection of hardware to “determine if it matches the system documentation description of the hardware.”

9. POTENTIAL ISSUES - INDUSTRY • GLOBAL • Is the implementation of an electronic system significant enough in manufacturing to require an NDA supplement prior to going live? • Wide spread implementation of time date stamped audit trails executed objectively and automatically and controls for limiting access to the database search software may change a company’s current practices. • Part 11 does not apply to paper records that are or have been transmitted by electronic means but it does apply to records in electronic form that are created, modified, maintained, archived, retrieved under any record requirement regulated by FDA. Documents generated in foreign facilities? • Record retention requirements for software and hardware used to create records that are retained in electronic form are subject to part 11. Legacy systems and obsolete hardware/ storage medium may need to be maintained indefinitely. • “Unique nature of passwords”. How is uniqueness determined and what are “good password practices”?

10. POTENTIAL ISSUES - INDUSTRY (Cont’d) • OPERATIONAL • As of August 20, 1997 firms that used hybrid systems had the choice of maintaining the hybrids or converting to an electronic environment, in whole or in part, to meet FDA maintenance record requirements. The transition to paperless systems has proven to be gradual and potentially very expensive. Industry, therefore, has opted to maintain hybrid systems because many systems currently in use in R&D and Manufacturing are not able to comply with the electronic signature section of Part 11. • The final rule does not establish numerical standards for levels of security or validation (persons have the option of determining the frequency). • “As the agency’s experience with part 11 increases certain records may need to be limited to paper if there are problems with the electronic versions of such records.” • Dial-in access over public phone lines can be a closed system if access to the system is under the control of the persons responsible for the content of the record. When an organization’s electronic records are stored on systems operated by third parties the agency would consider this to be an open system.

11. IS INDUSTRY BEING TOO CAUTIOUS ? • The FDA is being lenient in enforcing the rule unless the investigator has reason to question the integrity of the data - For now ! • PhRMA feels that FDA’s interpretation of the electronic record portion of the rule is flawed since many computer systems in use in R&D, clinical and QC lack the capability of generating time-date audit trails (e.g.SAS and HPLC). • 21CFR11 has evolved from an approach to facilitate a paperless system into an FDA enforcement tool . • PhRMA claims that the FDA definition of raw data has changed. Previous to the rule, raw data was considered to be paper documents with a handwritten signature. If the data were generated from a computer, the printout was signed and archived as the official record. • FDA is considering additional guidance to try to create a procedure to ensure that electronic records can not be changed after a hardcopy has been signed. • FDA would like to obtain a copy of each electronic file, manipulate it, study it, and pick out trends.

12. CRITICAL SUCCESS FACTORS • Validation activities in manufacturing, toxicology, clinical, regulatory and perhaps marketing (label approval) will need to be better process focussed, requiring definition of inputs and outputs with, procedural controls governing the process activities and standards dictating the format and content of inputs and outputs and well documented. • Configuration management, security management and periodic review and quality management must be a continual process. • Record retention and record disposal practices need to be revised to reflect company requirements to comply with new regulatory requirements. • Documentation standards and practices should be created that systematize the processes for creating and maintaining documents. • Planning will have to take into consideration re-engineering, replacement, or retirement of a computer system when operating costs increase or business process changes. • Requires effective change control.

13. FORMULATE AN INFORMATION STRATEGY ENTERPRISE GOALS Time to Market “Quality” of Development Link to Market & Customer Information Organizational Effectiveness Cross-functional process flows Cross-functional Information flows Continuous Process Improvement Global resource management Process Validation Regulatory Interface Accelerated Review & Approval Standardized Submissions Computer Validation STRATEGIC PLAN DRUG DEVELOPMENT INFORMATION MANAGEMENT INFORMATION STRUCTURE & REGULATORY REQUIREMENTS DEVELOPMENT PROCESS Global Information Architecture Application Portfolio Enabling Technologies/Tools Legacy Systems INFORMATION SYSTEMS TECHNOLOGY

14. QUESTIONS AND ANSWERS --FDA’s PAUL MOTISE [1] Questions and answers from Paul Motise at various industry meetings, as well as conversations and his e-mail updates Q: Can a firm which maintains regulatory records in computer files be exempt from FDA’s signature rule if periodically the firm prints paper hard copies of all documents as it’s official record? A: Paul Motise says no. On 10/22/97 US District Judge Paul Friedman nullified a National Archives Regulation authorizing all Government Agencies to erase electronic documents if paper is archived. Example: Spreadsheet shows results but not the algorithm. Q: What must the audit trail contain? A: Date/time of operator entries that create, modify, or delete information and who did what, wrote what, and when. Q: Can an audit trail be paper? A: No. It must be a computer generated electronic record. Q: Must an audit trail be signed? A: No. It must be independent of the operator and operators must not be able to sign the audit trail.

15. QUESTIONS AND ANSWERS --FDA’s PAUL MOTISE [2] Q: Will an electronic signature with only a date stamp be acceptable or does the time of day need to be included? A: Time is vital and must be included. Q: Do you really expect to have certifications from every regulated company as in part 11.100, even if they are only using electronic signatures for open systems (such as e-mail) and are not using electronic signatures for collecting original data, authorizing documents or electronic submissions? A: Yes. We are asking for that certification from every company that is using an electronic signature to meet FDA signature requirements. It doesn’t matter if it is open or closed. Q: In the GLPs [Part 58.81(a)] the requirement is that changes to SOPs “be authorized in writing by management”. Does 21CFR11 broaden the meaning of “in writing” to include “be authorized in writing or electronically by management”? A. In GLPs, if you have a particular record, then Part 11 applies to the record. If you are going to create an endorsement electronically, then Part 11 applies. If a record is required by FDA then Part 11 applies. Q: If I scan in CRFs to get into a report and I will be signing the final report as the preparer of the submission, would that be acceptable to the agency? A. Yes. This is a hybrid system, but for the electronic record you will apply an electronic signature to the entire thing. What is signed should be protected so that later on nothing can be switched.

16. MORE FROM THE FDA Field Notice FMD 146 10/22/97 tells investigators to check the ORA Intranet site to determine if an electronic signature certification has been filed prior to arriving at the inspection site. Guidance to FDA Inspectors for Making and Maintaining Copies of Electronic Records: 1) Use digital signature software to authenticate your copy file; signature verification would detect any post signing record changes. 2) Obtain an affidavit from the firm confirming that the copy is accurate and complete. 3) Place the disk or tape holding your electronic copy in a container under official seal and documenting a chain of custody for the container in a manner similar to official samples.