From: David Stokes [David.Stokes@mi-services.com]
Sent: Monday, May 03, 2004 11:16 PM
To: fdadockets@oc.fda.gov
Subject: Comments on Docket No. 2004N-0133

Dear Sirs,

With respect to specific comments sought to Docket No 2004N-0133:

A. Part 11 Subpart A--General Provisions

Current Regulations are subject to interpretation by individual manufacturers (of products regulated by FDA), with respect to those records that are critical to different product profiles and device classes (etc). This is understandable given the general nature of the predicate rules and the wide variety of manufacturing and business processes employed by various manufacturers.

Similarly, the use of terminology such as 'approved' and 'established specification' within various Regulations often infers the use of signatures without explicitly mandating such. It could therefore be argued that there is a responsibility on the manufacturers to determine and document which other approvals may also be considered as critical to product quality and/or patient health/safety/confidentiality, and within the scope of Part 11.

In addition, any attempt by the Agency to provide specific guidance on the scope of Part 11 with respect to individual Predicate Rules can only be given in the light of current manufacturing and business processes and may discourage the use of innovative new technology and processes, which the Agency has stated it does not seek to do.

Given the above, while it would seem difficult to provide further clarification on scope within a revised Rule, further guidance can be given to manufacturers with respect to their own determination of scope.
As part of the process of clarification, the Agency may wish to recognize the value of providing guidance to manufacturers on how they should determine and document:

- Those critical records they consider within the scope of Part 11
- Those critical signatures they consider within the scope of Part 11

Furthermore, the Agency may wish to consider issuing guidance recommending that such determination of scope be included in system documentation (user requirements, functional requirements and detailed design specifications).

Such documentation would enable the Agency to more easily determine the intended use of a system or application with respect to the Predicate Rules (and the resulting scope of Part 11), and thereby effect more efficient and effective inspection of such systems.

B. Part 11 Subpart B--Electronic Records

1. Based upon planning remedial actions to correct strict non-compliances against the various sub-parts of Part 11 on multiple systems, it is the experience of Mi Services that Risk Assessment can be successfully used to identify appropriate controls for all parts of the Rule. These include a combination of technical and procedural controls as well as physical and logical security. Experience suggests that reliance on a limited number of technical and procedural controls (currently interpreted as requirements of Part 11) compromises data integrity when such controls fail. A multi-layered approach to data integrity (as outlined in ISO 17799) with measures appropriate to the assessed risk often provides a greater degree of assurance. The Agency are therefore encouraged to extend a flexible approach to assessing compliance with all parts of the Rule, with the emphasis on manufacturers documenting such risk assessments and justifying appropriate controls relative to the assessed risk.

2. Additional clarity with respect to predicate rule compliance would be useful.
Experience in mapping the functionality of various systems and applications against the various subparts of the predicate rules (using techniques such as swim lane diagrams and other workflow based diagrams - see Request for Oral Presentation below) has shown that this can be achieved as part of the system or application design. Furthermore, such diagrams can be used during challenge and functional testing to verify adherence to the predicate rules. It is therefore suggested that the Agency encourage the use of such techniques, thereby allowing manufacturers to more clearly understand the requirements of the various predicate rules as they apply to specific systems and applications.

3. The significant number of records submitted to the Agency will also be maintained by the manufacturer under the requirements of various Predicate Rules. Making a distinction in this case would therefore seem to add little value. However, where records included in submissions are not required to be maintained by the manufacturer the Agency will review the records (data) in what is assumed to be a secure environment. While it is appropriate to require that systems processing such data for submission are validated (to assure the validity of the records), it is not necessary to require that the records are subject to Part 11 since the Agency will review the resulting output and will be responsible for the secure management of those records within the Agency. It is therefore felt useful to distinguish between those records that will and will not continue to be maintained by the manufacturer following submission to the Agency.

4. It is felt that the distinction between open and closed systems is useful, but many security controls fall between these two absolutes. In addition, the controls currently required for open systems are both limited and overly proscriptive in nature.
Specifically, the concept of 'control' by those persons responsible for the content of electronic records that are on the system is useful, but manufacturers should be encouraged to consider 'openness' as a relative term. It is therefore suggested that the Agency provide further guidance on appropriate controls for open systems, as part of a risk based approach to compliance with Part 11.

1. Although some existing Predicate Rules include a specific requirement to validate systems, many (mostly older) Rules do not include this requirement, often due to the fact that the Rule pre-dates current understanding on the relative importance of computer systems validation. The Agency is recommended to encourage a risk based approach to computer systems validation, especially in program areas where the potential issues in failing to appropriately validate systems are less well understood (such as those manufacturers regulated by the Center for Food Safety and Applied Nutrition and the Center for Veterinary Medicine). While the relative risk in these areas of enforcement can be considered less critical than in others (such as those regulated by CDER and CDRH), a small number of computer systems in these industries may represent a real threat to product quality and consumer health and safety. Unless the requirement to validate systems is retained in 21CFR Part 11, the only other way to encourage appropriate risk based computer systems validation is the wholesale review of the current Regulations in these areas, which is clearly a significant undertaking. The Agency is therefore recommended to retain subpart 11.10(b), and provide additional guidance on the appropriate risk based validation of critical computer systems in all program areas.

2. Most regulations were written at a time when the use of paper based records meant that the context and meaning of records (and any associated signatures) were relatively obvious and simple to understand.
This is not always the case with computer-based records (and signatures). Whilst wholesale rewriting of the Predicate rules could clarify a requirement for retaining the meaning of such records this would again be a significant undertaking. It is therefore suggested that this requirement be incorporated into a revised Part 11, which will apply to all Predicate Rules.

3. Regrettably, fraudulent acts still take place and audit trail requirements SHOULD include safeguards designed and implemented to deter, prevent, and document unauthorized record creation, modification, and deletion. The nature and extent of such controls should again be based upon the risk associated with the audit trail.

4. Falsification or accidental corruption/deletion of system configuration and documentation would usually have only an indirect impact upon product quality and patient safety/confidentiality. Applying the same controls to such electronic files and datasets (as applied to Records defined by the Predicate Rules) would require significant changes to many systems and the cost of such controls would be disproportionate to the risk. A risk-based approach should again be taken to ensure the integrity of such files and datasets, with a requirement to establish appropriate technical and procedural controls.

C. Part 11 Subpart C--Electronic Signatures

With respect to investigations and follow-up when security breaches occur, Part 11 should place the emphasis on prevention, detection and correction (in that order). Because many breaches in security are indicative of systematic errors in the use of common technology (infrastructure) or procedures which may apply to more than one system or application, there should be a requirement for security breaches to be investigated, root causes to be identified and corrective actions planned and implemented.

D. Additional Questions for Comment

1.
Wholesale review of the Predicate Rules solely to address issues of electronic records and signatures would be costly to both the Agency and industry and should be avoided. Wherever possible, revisions should be made to Part 11 and supporting guidance, with an emphasis on the risk based application of Part 11 in all program areas. A non-proscriptive approach to Part 11 will reduce the likelihood of unnecessary expenditure and the use of a risk based approach to Part 11 compliance will help ensure that costs are appropriate to the risk to patient health and safety.

2. The emphasis should be placed upon manufacturers to determine, justify and document their interpretation of the Predicate Rules. See comments above.

3. As noted above, an overly proscriptive approach to defining the scope of Part 11 (and the interpretation of the Predicate Rules) may discourage the use of innovative technology and processes.

4. Allowing manufacturers to define, justify and document their interpretation of the Predicate Rules (as applied to specific system/application requirements and specifications) would allow manufacturers to use new and innovative technology and processes, but would also allow the Agency to determine whether or not such technology and processes comply with the intent of the Predicate Rules.

5. See above for comments regarding the use of Risk Assessment.

6.
Experience in the assessment and remediation of multiple systems and applications has demonstrated that a risk based approach to remediation can be employed to cost effectively mitigate risk.

Issues of changes to legacy systems made since 1997 may be considered less significant if the emphasis for legacy systems is placed upon:

(i) Compliance with the predicate rules
(ii) Appropriate risk-based validation
(iii) Risk assessment and mitigation of any non-compliances (with an appropriate plan of corrective actions)
(iv) Establishment of controls to maintain compliance (technical and procedural)

Part of the risk assessment should also include a determination of appropriate measures to detect, report and act upon product quality and patient safety issues arising as a result of the use of such systems (for instance, where products manufactured by a legacy system are still being used by patients).

On a related issue, while present day compliance with the Predicate Rules can be assessed, very few manufacturers conducted such assessments prior to 1997 and the only proof of past compliance is effectively a lack of findings during internal audit or Agency Inspection (proving a negative). The Agency are therefore encouraged to review and remove their recent guidance with respect to the requirement that legacy systems were compliant with the Predicate Rules prior to August 20, 1997 (as a prerequisite to the relaxation of all Part 11 requirements for such systems).

7. The ability to retrieve records is impacted by record conversion and is an issue that should be addressed by Part 11. A risk-based approach should again be taken, and guidance provided on appropriate methods of validation or (manual) verification.

8. Part 11 should state requirements that are independent of specific technology. Unless this approach is taken there is a risk that Part 11 will become outdated as new technology is introduced and old technology becomes redundant.
Emphasis should be placed on the use of risk assessment to determine the impact of non-compliance (with respect to product quality and patient safety/confidentiality). The use of current security best practice (such as ISO 17799) should be encouraged in order to determine risk likelihood and improve the probability of detection. This approach will allow security risks to be assessed and determined, no matter what the current state of technological advances.

V. Requests for Oral Presentation

Based upon comments above, we would request the opportunity to present practical methods for documenting compliance with the Predicate Rules and determining the system / application specific scope of Part 11.

(1) This would specifically address the issue of how manufacturers can determine the scope of Part 11 (and the application of the Predicate Rules) to specific systems and applications and how this can be documented as part of the system/application requirements and specifications.

(2) This presentation would be made by David Stokes, of Mi Services Group, who is an active member of the GAMP Forum (current Chair of the GAMP Testing Shared Interest Group and Steering Committee member of GAMP European Suppliers Group).

(3) In a period not exceeding fifteen minutes, an approach to determining and documenting the scope of Part 11 and the Predicate Rules would be presented. This would include the use of high-level risk assessment to determine whether or not system functionality is within the scope of the Predicate Rules.
The presentation would also outline an approach by which User and Functional Specifications can be enhanced by workflow diagrams annotated with requirements for Electronic Records and Electronic Signatures (based upon work published in 2002, based upon practical experience). Examples will be given where such Requirements are deconstructed down to detailed system Design Specifications, identifying specific database tables and fields determined to be within the scope of Part 11.

Using the example of a large, complex configurable system (SAP R/3) and actual project documentation it would be demonstrated that such an approach:

- Allows manufacturers to clearly determine and document the scope of Part 11
- Provide traceability of Part 11 requirements through the system Requirements and Specifications
- Provide traceability from subparts of applicable Predicate Rules to the technical controls applied within the manufacturer's specific implementation
- Allows manufacturers to demonstrate that the scope of their technical controls are appropriate to their interpretation of the Predicate Rules
- Allows manufacturers to demonstrate that the functionality of their systems and applications enforces compliance with the Predicate Rules
- Allows the Agency to quickly determine the intended use of a system with respect to the Predicate Rules, and to assess the scope of Part 11 controls

David Stokes
Principal Consultant / Life Sciences Industry Manager
for and on behalf of Mi Services Group
900 West Valley Road
Wayne PA 19087