Upgrading a Pharmaceutical Laboratory to Part 11 Compliance

FDA's regulation 21 CFR Part 11 on Electronic Records and Electronic Signatures provides industry with the requirements that allow electronic records and signatures in computerized systems in place of paper records and handwritten signatures.¹

Since the introduction of the final rule in 1997, however, its implementation has been relatively slow -mainly due to questions surrounding the scope and interpretation of these regulations, the high costs anticipated by industry, and the absence of acceptable and commercially available technical solutions.

The following case study provides an overview of the efforts by the Liquid Products Supply (LPS) site at AstraZeneca Sweden Operations to bring its quality control (QC) laboratory into compliance with Part 11. It describes a strategy for both procedural and technical solutions within the broader context of AstraZeneca's corporate project for Part 11 compliance.

The Corporate Level ER/ES Project

AstraZeneca started its Electronic Records and Electronic Signatures (ER/ES) project immediately after the 1999 merger between Astra and Zeneca. Obvious differences existed between the two companies' interpretation and implementation of Part 11 compliance. Because the newly merged company had many disparate sites, remedial actions were expected to be costly.

In June 1999, the company filed a corporate ES-certification letter with FDA and simultaneously formulated its corporate project for ER/ES. The project's main tasks were to produce a corporate-compliance framework (including the company's policy, interpretation, guidelines, training, website, and documentation and reporting) and to establish the process for compliance throughout the organization.

A corporate steering committee included senior management for global compliance, information systems and information technology (IS/IT), operations and R&D. The corporate project team consisted of a smaller group of experts from compliance, regulatory affairs, and IS/IT.

Management also assigned to each site an ER/ES ambassador - with expert knowledge of quality assurance (QA) and compliance - who promoted the compliance project locally and reported its status to the corporate project team. A corporate project team supervised the local projects through on-site visits and inspections. Although originally planned to last only about one year, the corporate project was active from 2000 through 2002.

A Site-Specific ER/ES Project

The site-specific project at AstraZeneca Liquid Products Supply (LPS) closely followed the working model described in the International Society for Pharmaceutical Engineering's GAMP Forum Part 11 guidance.

²

A strategically selected local steering committee ensured the active involvement of the site's senior management in the project. The steering committee for the site-specific project consisted of the head of LPS, managers for the three main production units, the head of QA, and the IS demand manager. Regular meetings between the ER/ES ambassador and the steering committee allowed for continuous high-level management support and handling of vital questions such as priorities and budget issues.

Figure 1. AstraZeneca's ER/ES Project as Applied to the LPS Site

The major tasks for the ER/ES project at the LPS site were:

• train the staff to ensure common interpretation and practices

• bring existing systems into compliance

• establish processes to implement compliance of new systems.

At the local level, the project was divided into six different areas: the three production units, media systems (facility and media monitoring), laboratory systems, and administrative systems. For a small organization with only a few systems, such division may not be necessary. For large organizations like LPS (with over 2,000 employees), however, the number of systems that can be effectively coordinated is limited (up to 30 or 40).

The ER/ES ambassador, a group of specialists for interpretation of Part 11 issues, the project leader for the whole project, and sub-project leaders for the six areas formed a forum for coordination and common strategies.

Within each of the six project areas, the system-specific projects had a project leader, system owner (who is usually the manager of the department or unit using the system), QA representative, and IT support.

Figure 1 shows the members of the laboratory project team, which is typical of all six area teams.

Common interpretation and quality system. In addition to management commitment, another key issue for ER/ES compliance is reaching a consensus on the interpretation of Part 11 and updating the quality system SOPs accordingly. A corporate compliance toolkit was used, which included AstraZeneca's international guidelines for the interpretation of 21 CFR Part 11 (written by the corporate project experts) and a corresponding ER/ES training package.

The corporate toolkit contributed to the assurance of common interpretation, work practices, and compliance documentation throughout the company. It also included templates for documenting system-specific gap analyses, infrastructure gap analyses, corrective action plans, site action plans, and close-out assessments. To include ER/ES requirements for new systems, a job aid for user-requirements specifications was introduced, as well as reporting and follow-up templates.

Figure 2: Strategy to Upgrade Existing Systems

Information and training. Communication was key to promoting the importance of the ongoing ER/ES project, as well as fostering a common interpretation of the regulations. To draw attention and gain commitment to the ER/ES project within the organization, meetings with system owners, their managers, and project leaders were held; e-mail and intranet and ER/ES websites also disseminated information.

For each significant phase of the ER/ES project (such as gap analyses, action plans, and new systems projects), the company performed project-related training with hundreds of participants. This extensive training effort resulted in a better understanding of the project's compliance goals throughout the organization.

To assure ongoing compliance, AstraZeneca established a job function-related training program, now part of the company's ongoing GMP training. This modular program includes basic training for all personnel and a higher level of training for QA personnel, project leaders, and system owners. A similar model for training is described in the Good Electronic Records Management (GERM) Guidance for Part 11 by ISPE and the Parenteral Drug Association.³

Strategy for Compliance of Existing systems

One of the key tasks of the site-specific ER/ES project was to bring existing systems into compliance. The company's strategy for existing systems, see Figure 2, was very similar to the model described for Part 11 by the GAMP guidance.

²

This strategy was followed for all project areas.

System inventory and classification. The ER/ES project group made an inventory of all equipment and systems at the site that could be affected by Part 11. The responsible IT department managed the inventory for IT-infrastructure components. Then, systems were classified by whether they fell under the scope of Part 11 according to the company's current corporate interpretation.

Figure 3: Map of QC Laboratory Systems for Data Handling

Gap analyses and corrective action plans. Gap analyses for ER/ES systems were performed according to templates similar to those given in the GAMP Part 11 Guidance.² Corrective action plans summarized the gap analysis results for individual systems and corresponding IT infrastructure. In some cases, this resulted in immediate action towards compliance, including both procedural and technical measures for urgent problems or gaps.

System owners were responsible for their systems and for approving all resulting documentation. To maintain the same interpretation throughout the organization, the ER/ES ambassador and a QA representative also approved all critical documents such as gap analyses, corrective action plans, and exemption documents (for systems out of scope of Part 11).

Procedural and administrative controls. Establishing procedural controls often included updating or writing new SOPs. This work can lead to benefits beyond compliance. The potential advantages include the harmonization of SOPs, avoidance of duplication of SOPs at different organizational units, standardization of business processes through promoting best practices, and the re-evaluation or establishment of a common glossary of terms and definitions.

The NuGenesis SDMS Project

To realize any of these benefits, the quality system needs to be strongly coordinated and monitored. For example, a closer look at several system-specific SOPs (such as backup routines) can reveal similar routines within an entire application area, allowing for simplification and increased efficiency in both administrative work and training.

One of the important practical results of introducing administrative controls was the formalization of system description documents. These documents are beneficial for a general overview of the computerized system's functionality, as a central reference for all system-related documentation, in defining the creation and use of electronic records and paper records, as baseline information for technical projects to improve the system, and in the daily work of collecting system information during inspections.

The descriptions include information on the computerized system's classification, hardware, software, and security and a definition of the business process. They also refer to the support organization and its responsibilities, system-specific SOPs, and other documents.

The descriptions also include an important section identifying the GMP-related records and their lifecycle. The identity, metadata, and content of required records are described in detail, along with the records' different lifecycle phases. The motivation for why systems and records do or do not fall under the scope of ER/ES is also documented here. Refer to the GERM guideline for more information on the identification of the components of electronic records and their lifecycle model.³

Technical controls. Technical controls are important to ensure the integrity and availability of electronic records. Sometimes, technical controls can be introduced by changing security settings to limit system access to authorized users. Other controls, such as audit trail and identification of invalid or altered records, require that new functionality be built into the respective applications.

FDA's Part 11 Guidance

Updating applications or developing new solutions to replace old systems requires resources and commitment from vendors. In September 2000, the Industry Coalition for Part 11 submitted a report to FDA's docket for comments on FDA's Part 11 guidance. The report correctly pointed out, "Vendors typically take 18 to 36 months to provide new major software releases" and "they must be given sufficient time to respond with mature products."⁴

As anticipated, vendors have made progress in including Part 11 functionality in their products in the last few years. However, there are still many systems that require extra manual and procedural controls because proper technical solutions are not available yet.

In order to prioritize systems for full technical remediation at the LPS QC laboratory, we used criteria such as criticality of the tasks performed, whether many similar systems were involved, and availability of commercial solutions.

It is often the responsibility of QA, system administrators, and participating users to establish procedural controls. Technical projects to upgrade or replace systems always require the additional involvement of IT representatives and vendors. It is important that all parties are represented from the very beginning of the technical project. QA has a key role in interpreting Part 11 when user- requirement specifications are set. Differences in understanding between the customer and vendor can result in unsatisfactory results.

Case study: Technical Remediation at a QC Laboratory

AstraZeneca's work to update the computerized analytical systems at the LPS QC laboratory will be used as an example of the strategies and technical solutions required to establish Part 11 compliance. The QC laboratory is a large organization with over 200 computerized systems from more than 50 different vendors. Most are hybrid systems producing paper and electronic data, and the laboratory itself has limited IT resources.

At the project's beginning, system owners were assigned the responsibility of finding technical solutions for each individual system. Due to the number of small systems and vendors, this resulted in uncoordinated efforts. While updating many small systems, we faced new challenges.

• Validation is expensive due to new Part 11 functionalities and more explicit requirements for qualifying and documenting the IT infrastructure.

• Having many systems from different vendors results in different technical solutions, decreasing the usability of electronic records due to differences in information format and structure.

• The need for skilled and properly trained system administrators increases.

• Hybrid systems combining electronic and paper-based records preserve the paper-based workflow. Realizing the full benefits of working electronically requires the implementation of electronic signatures.

We changed the project objectives for the QC laboratory to not only comply with Part 11 but also to optimize direct costs of investment, validation, and system administration. Consequently, a common strategy was needed for compliance and for IT-technical remediation - not just for bringing individual systems into compliance.

The main elements of the strategy were

• limiting the number of systems and projects through prioritization

• advancing centralized solutions utilizing a common, standard IT infrastructure and central system administration

• planning for record maintenance from the beginning and considering improvements to workflow during planning and implementation.

The QC laboratory project. In order to coordinate resources and implement a common strategy, a formal QC laboratory project including all systems was started. Figure 3 shows a map covering the main laboratory systems that forward data (usually in paper form) to the laboratory information management system (Sample Manager). Based on the strategy and priorities discussed above, the major projects involved updating the following systems:

• System: Sample Manager (Thermo Electron) Task: upgrade to new version

• System: robotic systems (developed by AstraZeneca) Task: upgrade custom solution to new version for about 40 systems

• System: chromatography data system (ChemStation, Agilent Technologies) Task: upgrade to ChemStation Plus with Security Pack for nearly 100 chromatographic systems (HPLC, GC, CE)

• System: Scientific Data Management System (NuGenesis Technologies) Task: new system implementation; pilot project includes five types of laboratory systems

These major projects cover the technical remediation of about 70% of all computerized laboratory systems. The common features of these solutions are

• high criticality in providing analytical results

• similar technical platform (Oracle database, client-server architecture) with possible centralized system-administration

• availability of technical solutions (either commercially or, for the robotic systems, through internal development).

The vendors played a key role in providing products with functionality supporting Part 11 compliance and in providing validation support. Because records often must be retained for many years, partnership with the vendor is a long-term commitment.

The common benefits beyond Part 11 compliance of the upgraded systems are

• secure archiving of data (no local backups needed)

• controlled access limited to authorized users

• ready availability of data and reports in common depositories

• a common, central system administra-tion (supported and managed by a professional IT organization) with a pool of available skilled specialists

• simplifications in workflow (with the ability to implement electronic signatures).

One of the challenges was ensuring that the IT department had its quality system in place and understood its responsibilities under GxPs. This challenge was met by formally defining the expectations of the laboratory (with the service level agreement) and by communication and follow up (both informal and formal, such as audits).

Another challenge was the compliance, usability, and administration of the remaining pool of diverse laboratory systems not connected to the central systems. The NuGenesis Scientific Data Management System (SDMS) was selected because of its ability to electronically store data and printed reports from analytical systems of different vendors (see "The NuGenesis SDMS Project"). This umbrella solution allows electronic records to be secured in a central system. After completing the connection of five pilot systems, many individual laboratory systems are candidates to be connected to SDMS.

Summary

There are many factors contributing to the success of Part 11 compliance projects. Through its own ER/ES Project, AstraZeneca discovered the following key factors:

• Management commitment to the project is essential, and there must be cooperation among business, QA, and IT units.

• The company must have a common interpretation of the regulations, which is communicated to all involved parties.

• Staff training for Part 11 is key, both during the remediation project and as a continuous activity to ensure ongoing compliance.

• Coordinated procedural remediations can be effected through common toolkits, templates, and SOPs. System descriptions and documentation, including identification of records and their lifecycle, are especially important and useful.

• Having a compliance and IT strategy for centralized technical solutions can create a common infrastructure and allow central administration by a professional IT organization, leading to more effective and economical solutions.

• Business benefits beyond Part 11 compliance can be realized by replacing hybrid systems with electronic workflow and utilizing electronic record maintenance practices.

References

1. FDA. Code of Federal Regulations, Title 21 Part 11 electronic records; electronic signatures; final rule. Federal Register 1997; 62(54):13429-13466.

2. ISPE. Good practice and compliance for electronic records and signatures, part 2: Complying with 21 CFR Part 11. ISPE; 2001 Sep.

3. ISPE and PDA. Good practice and compliance for electronic records and signatures, part 1: good electronic records management. ISPE and PDA; 2002 Jul.

4. Industry coalition on Part 11: recommendations for achieving compliance with the electronic records and signatures regulation. 2000 Aug 29. Available at URL: http://www.fda.gov/ohrms/dockets/00d1542/rpt0001.PDF.