
A Risk-Based Approach to Compliant Electronic Records and Signatures

Rob Stephenson
Independent IT Systems Validation Consultant
Rob Stephenson Consultancy
info@robstephensonconsultancy.co.uk

A Risk-Based Approach to Compliant Electronic Records and Signatures
GAMP Good Practice Guide, ISPE 2005
www.ispe.org

Agenda

- Introduction to GPG & GAMP Guidance
- Regulatory Overview
- Putting it into Practice
- ERES Risk Management Process
- Record and Signature Controls
- ERES Governance: Applying the Risk Management Process

Purpose of ERES Good Practice Guide

To provide comprehensive guidance on meeting current regulatory expectations for compliant electronic records and signatures.
(GAMP ERES Guide 2005)

Purpose of GAMP Guidance

To safeguard patient safety, product quality, and data integrity, while also delivering business benefit.
To provide a cost effective framework of good practice to ensure that computerized systems are fit for intended use and compliant with applicable regulations.
(GAMP5 2009)

Scope of ERES Guide

New and Existing GxP Computerised Systems:
- Electronic Records
- Electronic Signatures
- Handwritten signatures applied to electronic records

(Diagram labels: Laboratory, Process Control, IT Applications, Infrastructure)

Objectives

- A consistent risk management approach
- Simple and effective: effort must not outweigh benefits
- Consistent with international regulations
- Enabling the use of technology

Benefits

- Simple and pragmatic approach
- Controls appropriate to risks to patient safety and product quality
- Innovation encouraged
- Unacceptable risks avoided

Acceptance - Regulatory

Acceptance of GAMP Guidance by regulators worldwide:
- Endorsed by FDA, PIC/S, EMEA, MHRA, IGZ
- Basis for internal training
- Participation in GAMP Steering Committees
- Referenced from FDA and PIC/S documents
- Used in practice by regulators

Acceptance - Industry

Widespread incorporation of GAMP concepts and methods into policies and procedures of pharmaceutical manufacturing companies worldwide

Acceptance - Suppliers

- Many suppliers have adopted the GAMP approach as the cornerstone of their quality systems
- Discusses good practice - not just compliance guides

Regulatory Overview


Regulatory Overview: FDA

August 1997: 21 CFR Part 11 (Part 11): Electronic Records; Electronic Signatures
The regulation that sets forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.

What is an Electronic Signature?

Part 11 Definition:
Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.

Regulatory Overview: FDA

September 2003: Scope and Application Guidance
- Definition of Overall Part 11 Approach
- Narrow interpretation of Scope
- Enforcement Discretion/Risk-based Approach
  - Validation
  - Audit Trail
  - Record Retention
  - Copies of Records
  - Legacy Systems

What is an electronic record?

We have an electronic record
...when persons choose to use records in electronic format in place of paper format

We do not have an electronic record
when persons use computers to generate paper printouts of electronic records, those paper records meet all the requirements of the applicable predicate rules, and persons rely on the paper records to perform their regulated activities, the merely incidental use of computers in those instances would not trigger Part 11.

FDA Guidance for Industry: Part 11, Electronic Records; Electronic Signatures Scope and Application (2003)

N.B. It is an Electronic Record if
- it is required to be maintained under predicate rules
- is maintained in electronic format in addition to paper format
- and that [the electronic format] is relied on to perform regulated activities.

Accordingly we recommend that, for each record required to be maintained under predicate rules, you determine in advance whether you plan to rely on the electronic format or paper record to perform regulated activities.

FDA Guidance for Industry: Part 11, Electronic Records; Electronic Signatures Scope and Application (2003)

Current Regulatory Situation: FDA Inspection Assignments (2010-?)

Objectives:
- Evaluate the current pharmaceutical industry understanding of, and compliance with, 21 CFR 11 (Part 11) regulation and guidance
- Gather information to help determine the path forward with regard to Part 11 re-evaluation

Current Regulatory Situation: Other ERES

- JAPAN: Regulatory Guidance (2005)
- PIC/S: Inspection of Computerised Systems (2007)
- EU: Revised Chapter 4 and Annex 11 (2011)

EU Guide to GMP
Chapter 4: Documentation

- E-records are acceptable
- Records kept as e-records must be defined
- Controls in Annex 11...

EU Guide to GMP
Annex 11: Computerised Systems

Risk Management
Risk management should be applied throughout the lifecycle of the computerised system taking into account patient safety, data integrity and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerised system.

EU Guide to GMP
Annex 11: Computerised Systems

Electronic Signature
Electronic records may be signed electronically. Electronic signatures are expected to:
a) have the same impact as hand-written signatures within the boundaries of the company,
b) be permanently linked to their respective record,
c) include the time and date that they were applied

Examples of Records and Signatures Required by GxP Regulations

ERES Guide Appendix 6 contains an analysis of US, EU and ICH Q7A GxP regulations with records and record authentication references identified:

Putting it into Practice


(Figure labels: Signatures Required; Initial Review Sign Off; Awaiting Quality Assurance; Initial Review; Status; Waiting Documentation; Documents Completed; Full Workflow Complete; Audit Trail)

Computerisation of a process drives RACI:
- Responsible
- Accountable
- Consult
- Inform

ERES Risk Management Process

GAMP Guidance Key Concepts

- Process and Product Understanding
- Life Cycle Approach Within a QMS
- Scaleable Life Cycle Activities
- Science-Based Quality Risk Management
- Leveraging Supplier Involvement

Life Cycle Approach


Relationship between Impact, Risk and Rigour of Controls

(Figure labels: Increasing Rigour of Controls; Increasing Impact on Safety, Quality and Compliance; Increasing Risk to Record (Error, Corruption, Loss))

ERES Risk Management

5-Step Process:

1. Identify Regulated Electronic Records and Signatures
2. Assess Impact of Electronic Records
3. Assess Risks to Electronic Records based on Impact
4. Implement Controls to Manage Identified Risks
5. Monitor Effectiveness of Controls

Step 1: Identify Regulated Electronic Records and Signatures

- Based on regulatory records
- See GPG appendix 6 for records and signatures required by GxP Regulations.
- A documented determination should be made of whether the electronic or paper record (or both) will be relied upon to perform regulated activities.

Step 2: Assess Impact of Electronic Records

- High Impact: direct impact on product quality or patient safety
- Medium Impact: supporting evidence of compliance
- Low Impact: negligible impact on product quality or patient safety

Step 2: Assess Impact of Electronic Records

- Must be determined by the regulated company, driven by an overall risk assessment of the business or facility
- GPG contains a table showing typical impact of records by record type:

Example Typical Impact of Records

High Impact
- Batch Release Records
- Adverse Event Reports

Medium Impact
- Validation Documentation
- Training Records

Low Impact
- Calibration Schedule

Step 3: Assess Risks to Electronic Records based on Impact

Approach for records identified as Low Impact:
Good Practice Controls, security management, back-up.

Step 3: Assess Risks to Electronic Records based on Impact

Approach for records identified as Medium Impact:
Generic Hazards should be considered and appropriate controls implemented. The analysis should be documented.

Step 3: Assess Risks to Electronic Records based on Impact

Approach for records identified as High Impact:
Potential hazards should be identified and the associated consequences assessed. Consideration should be given to severity, probability of occurrence and likelihood of detection.

Step 3: Assess Risks to Electronic Records based on Impact

- Hazards should be formally identified and analysed by a cross-functional team
- Use of a simple FMEA tool, e.g.: GAMP 4/5 Appendix M3: Guideline for Risk Assessment

Step 4: Implement Controls to Manage Identified Risks

Objectives of control measures are:
- Reducing the probability of occurrence
- Reducing the severity of harm
- Increasing the probability of detection

Step 4: Implement Controls to Manage Identified Risks

Risk control measures include:
- Modifying the process
- Modifying the system design
- Applying technical controls
- Applying procedural controls

Step 4: Implement Controls to Manage Identified Risks

- Residual risks?
- Traceability
- Hazards Control Measures.

Step 5: Monitor Effectiveness of Controls

- Periodic Review
- Internal Audit etc.

Record Controls


Record Controls

May be Procedural or Technical
Controls may be implemented in different ways and with differing degrees of rigour, e.g.:
- security and access controls
- backup and restore

Signature Controls

- Unique to signer
- Information recorded on signing
  - Name of signer
  - Date and time of execution
  - Meaning of signature
- Part of signed record
- Irrefutable link
- Shown if record displayed or printed (in human readable format)

Relationship between Impact, Risk and Rigour of Controls

(Figure labels: Decreasing Impact on Safety, Quality and Compliance; Decreasing Rigour of Controls; Decreasing Risk to Record (Error, Corruption, Loss))

ERES Governance: Applying the Risk Management Process

Applying the Risk Management Process

- Corporate Level Activities
- Applying the Process to New/Existing Systems

Corporate Level Activities

- Get Endorsement/Agree Objectives
- Create a risk-based interpretation of applicable regulations
- Communicate interpretation to all
- Certify with the FDA that they regard electronic signatures as legally binding equivalents of traditional handwritten signatures.

Applying the Process to New/Existing Systems

- Educate Project Team
- Determine if ERES Regulations apply
- Assess/Reassess System
- Document in Validation/Remediation Plan
- Implement Controls
- Monitor effectiveness of controls during operation

Summary


In Conclusion

- Needs to have management endorsement and the appropriate cross-functional participation (knowledge & experience)
- Should not be over-complex
- Needs to be integrated into all lifecycle activities, project, operation etc.

Thank you

Any Questions?