Building a Part 11/Annex 11 Course

I have realized I need to build a Part 11 and Annex 11 course. I’ve evaluated some external offerings and decided they really lack that applicability layer, which I am going to focus on.

Here are my draft learning objectives.

21 CFR Part 11 Learning Objectives

  1. Understanding Regulatory Focus: Understand the current regulatory focus on data integrity and relevant regulatory observations.
  2. FDA Requirements: Learn the detailed requirements within Part 11 for electronic records, electronic signatures, and open systems.
  3. Implementation: Understand how to implement the principles of 21 CFR Part 11 in both computer hardware and software systems used in manufacturing, QA, regulatory, and process control.
  4. Compliance: Learn to meet the 21 CFR Part 11 requirements, including the USFDA interpretation in the Scope and Application Guidance.
  5. Risk Management: Apply the current industry risk-based good practice approach to compliant electronic records and signatures.
  6. Practical Examples: Review practical examples covering the implementation of FDA requirements.
  7. Data Integrity: Understand the need for data integrity throughout the system and data life cycles and how to maintain it.
  8. Cloud Computing and Mobile Applications: Learn approaches to cloud computing and mobile applications in the GxP environment.

EMA Annex 11 Learning Objectives

  1. General Guidance: Understand the general guidance on managing risks, personnel responsibilities, and working with third-party suppliers and service providers.
  2. Validation: Learn best practices for validation and what should be included in validation documentation.
  3. Operational Phase: During the operational phase, gain knowledge on data management, security, and risk minimization for computerized systems.
  4. Electronic Signatures: Understand the requirements for electronic signatures and how they should be permanently linked to the respective record, including time and date.
  5. Audit Trails: Learn about the implementation and review of audit trails to ensure data integrity.
  6. Security Access: Understand the requirements for security access to protect electronic records and electronic signatures.
  7. Data Governance: Evaluate the requirements for a robust data governance system.
  8. Compliance with EU Regulations: Learn how to align with Annex 11 to ensure compliance with related EU regulations.

Course Outline: 21 CFR Part 11 and EMA Annex 11 for IT Professionals

Module 1: Introduction and Regulatory Overview

  • History and background of 21 CFR Part 11 and EMA Annex 11
  • Purpose and scope of the regulations
  • Applicability to electronic records and electronic signatures
  • Regulatory bodies and enforcement

Module 2: 21 CFR Part 11 Requirements

  • Subpart A: General Provisions
    • Definitions of key terms
    • Implementation and scope
  • Subpart B: Electronic Records
    • Controls for closed and open systems
    • Audit trails
    • Operational and device checks
    • Authority checks
    • Record retention and availability
  • Subpart C: Electronic Signatures
    • General requirements
    • Electronic signature components and controls
    • Identification codes and passwords

Module 3: EMA Annex 11 Requirements

  • General requirements
    • Risk management
    • Personnel roles and responsibilities
    • Suppliers and service providers
  • Project phase
    • User requirements and specifications
    • System design and development
    • System validation
    • Testing and release management
  • Operational phase
    • Data governance and integrity
    • Audit trails and change control
    • Periodic evaluations
    • Security measures
    • Electronic signatures
    • Business continuity planning

Module 4: PIC/S Data Integrity Requirements

  • Data Governance System
    • Structure and control of the Quality Management System (QMS)
    • Policies related to organizational values, quality, staff conduct, and ethics
  • Organizational Influences
    • Roles and responsibilities for data integrity
    • Training and awareness programs
  • General Data Integrity Principles
    • ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, and Available)
    • Data lifecycle management
  • Specific Considerations for Computerized Systems
    • Qualification and validation of computerized systems
    • System security and access controls
    • Audit trails and data review
    • Management of hybrid systems
  • Outsourced Activities
    • Data integrity considerations for third-party suppliers
    • Contractual agreements and oversight
  • Regulatory Actions and Remediation
    • Responding to data integrity issues
    • Remediation strategies and corrective actions
  • Periodic System Evaluation
    • Regular reviews and re-validation
    • Risk-based approach to system updates and maintenance

Module 5: Compliance Strategies and Best Practices

  • Interpreting regulatory guidance documents
  • Conducting risk assessments
  • Our validation approach
  • Leveraging suppliers and third-party service providers
  • Implementing audit trails and electronic signatures
  • Data integrity and security controls
  • Change and configuration management
  • Training and documentation requirements

Module 6: Case Studies and Industry Examples

  • Review of FDA warning letters and 483 observations
  • Lessons learned from industry compliance initiatives
  • Practical examples of system validation and audits

Module 7: Future Trends and Developments

  • Regulatory updates and revisions
  • Impact of new technologies (AI, cloud, etc.)
  • Harmonization efforts between global regulations
  • Continuous compliance monitoring

The course will include interactive elements such as hands-on exercises, quizzes, and group discussions to reinforce the learning objectives. The course will provide practical insights for IT professionals by focusing on real-world examples from our company.

EMA GMP Plans for Regulation Updates

Like one does, I watch upcoming regulations like a hawk. Here are a few of the forthcoming GMP changes coming from the 3-year work plan for the Inspectors Working Group.

| Document | Intended Changes | When | My Thoughts |
|---|---|---|---|
| GMP Guide: Chapter 4 (Documentation) | Assure data integrity in the context of GMP. This would be in parallel with similar consideration of Annex 11 (Computerised Systems). | Q1 2026 | An update is needed to align with current thinking. Data Integrity has advanced significantly in the last five years, and Chapter 4 could benefit from alignment with the PIC/S guidance. |
| GMP Guide: Annex 11 (Computerised Systems) | Assure data integrity in the context of GMP. This would be in parallel with similar consideration of Chapter 4 (Documentation). | Q1 2026 | A necessary update. Will be curious to see how it aligns with the FDA’s CSA approach (which isn’t really all that new). We pretty much know what will be in it from the concept paper. At least it will solidify this requirement for cloud systems: “Regulated users should have access to the complete documentation for validation and safe operation of a system and be able to present this during regulatory inspections, e.g. with the help of the service provider.” |
| Guidelines on GMP specific to ATMPs | Review the Guidelines in collaboration with CAT and the European Commission following the publication of a new regulation on standards of quality and safety for substances of human origin intended for human application and need to update legal references and definitions. Review the Guidelines in the light of new Annex 1 Manufacture of Sterile Medicinal Products and consider whether any updates are necessary. | Q4 2026 | This is a fast area of change, and this update is called for. Aligning to Annex 1 is overdue. |
| GMP Guide: Annex 3 Manufacture of Radiopharmaceuticals | A review and update of the Annex to reflect current state of the art. | Q4 2026 | I’ve never worked in radiopharmaceuticals. Maybe someday. |
| GMP Guide: Annex 15 Qualification and Validation | In the context of new technology in facilities, products and processes and following up on LLE recommendations, and extend the scope to APIs. | Q4 2025 | LLE is the EMA’s lessons learnt report (LLE) on Nitrosamines. I’d love to see significant changes to finally align with ASTM E2500 and other recent challenges in validation. |
| GMP Guide: Annex 16 Certification by a Qualified Person and Batch Release | Following up on LLE recommendations. | Q4 2025 | I’m not a massive fan of QPs as structured. Not expecting that to change. |
| GMP and Marketing Authorisation Holders | To revise the paper in line with recommendations from the Nitrosamines LLE, to strengthen guidance for MAHs in terms of having adequate quality agreement with manufacturers. | Q4 2025 | Anything to strengthen quality agreements is probably a good thing. |

Any year with a major chapter update in Eudralex Volume 4 is an exciting one, and the next few promise to be big. Maybe not Annex 1 big, but maybe the EMA and PIC/S will surprise us.

The GxPs – a brief definition

Jargon is something we should work hard to avoid, and yet there is an awful lot of it we find difficult to let go. Right at the top is the GxPs.

GxP is a general abbreviation for the “good practice” quality guidelines and regulations. The “x” stands for the various fields, including the pharmaceutical and food industries, for example good manufacturing practice, or GMP.

There are a lot of GxPs, though we tend to focus on 5(ish), depending on where you are.

We tend to argue a lot about them. Even to the GxP vs GXP. Or GPvP vs GVP. Or GdocP or GDP (so damn confusing, there is another GDP – Good Distribution Practices). Or if Good Storage Practice is its own body or part of the GMPs and GDPs. And…and…and.. The arguing can be fun.

The five big ones in pharma and medical devices are GLP, GCP, GMP, GDP and GPvP. Some of the others, like GACP, are pretty interesting in their application.

Some like GDocP and GAMP are more specific threads that go across the GxPs.

By nature the GxPs are tied to the phase of the pharmaceutical pipeline.

The GxPs are all about ensuring compliance and are informed from a wide range of sources, starting with law and regulations.

Being in the age of globalization, there are many many sources to draw from.

This can also draw from beyond the health authorities (for example, in the US, the USDA for GACP or the DEA for parts of the GDPs).

At the end of the day, GxPs answer to five important criteria.

EMA Publishes 2021 GCP Compliance Report

The EMA has published the Annual Report of the Good Clinical Practice (GCP) Inspectors Working Group (IWG) 2021.

Beyond wishing for an 11 month cycle of writing and approval on my annual reports, there is some valuable information there.

In 2021, three CHMP GCP inspections were conducted entirely remotely, and three inspections were conducted in a hybrid setting. A total of 286 deficiencies, comprising 24 critical, 152 major and 110 minor findings were recorded for the 27 CHMP requested inspections conducted in 2021. This represents an average of 10-11 findings per site inspected. The three top categories were: “General”, “Trial Management” and “Computer System”. An increase in findings related to computer systems (e.g. Audit Trail and Authorized Access, Computer Validation, Physical Security System and Backup) is noted compared to the last reports.

More information is available at EMA’s Good Clinical Practice Inspectors Working Group website.

Under organisation and personnel we see “Delegation of tasks to inappropriate team members.” This reinforces the need for strong CVs and job descriptions, and for linking them to both hiring and personnel qualification.

The computer systems observations are the greatest hits of data integrity, and should be a wakeup call to any company that treats GCP and GMP computer systems differently.

Let the 2022 annual GCP training development begin. And make sure you get that training done on time!

The Great Man Fallacy and Pharmaceutical Quality

Primary Investigator, Study Director, Qualified Person, Responsible Person – the pharmaceutical regulations are rife with a series of positions that are charged with achieving compliance and quality results. I tend to think of them as a giant Achilles heel created by the regulations.

The concept of an individual having all the accountability is nowhere near universal, for example, the term Quality Unit is a nice inclusive we – though I do have some quibbles on how it can end up placing the quality unit within the organization.

This is an application of the great man fallacy – the idea that one person by the brunt of education, experience, and stunning good looks can ensure product safety, efficacy and quality, and all the other aspects of patient and data integrity of trials.

That is, frankly, poppycock.

People only perform successfully when they are in a well-built system. Process drives success and leverages the right people at the right time making the right decisions with the right information. No one person can do that, and frankly thinking someone can is setting them up for failure. Which we see a lot in the regulatory space.

Sure, the requirement exists, and we need to meet it, failing the agencies waking up and realizing the regulations are setting us up for failure. But we don’t need to buy into it. We build our processes to leverage the team, to democratize decisions, and to drive for reliable results.

Let’s leave the great man theory in the dustbins where it belongs.
