Conducting A 21 CFR Part 11 Electronic Records Electronic Signatures Gap Assessment

Download as pdf or txt
Download as pdf or txt
You are on page 1of 8
At a glance
Powered by AI
The key takeaways are that a gap assessment is used to identify weaknesses and strengths within a system to achieve compliance with 21 CFR Part 11. It should accomplish the same objective consistently and use a checklist or template that addresses each requirement of Part 11.

A gap assessment is a preplanned, thorough, orderly, and methodical approach that will uncover the gaps within a system to determine the level of compliance and identify weaknesses and strengths.

Some key elements of conducting a gap assessment include determining the level of compliance, identifying weaknesses and strengths, determining if the system must comply with Part 11, and using a checklist or template.

Conducting a 21 CFR Part 11

Electronic Records; Electronic


Signatures Gap Assessment
compelled to comply with the pro-

T
his article will address
the planning, develop- visions set forth by the regula-
…of the thirty-six ment, execution, and fol- tions.
low up of a 21 CFR Part 11 gap The Part 11 Final Rule went
Part 11-related is- assessment for manufacturers in into effect on August 20, 1997.
FDA-regulated industry. Strategic We have had more than four
sues referenced in planning precedes the gap assess- years to achieve, and hopefully,
ment, and is a must and a pre- maintain compliance with our sys-
483s and requisite. A gap is a void, defi- tems. Docket Number 92N-0251
ciency, or a systemic breakdown (Final Rule) was implemented to
Warning Letters, within a system or component. create criteria for electronic re-
approximately half The assessment is a preplanned, cordkeeping technologies, while
thorough, orderly, and methodical preserving the Agency’s ability to
of the citations approach that will uncover the protect and promote public health.
gaps within a system. Many com- We now know that Part 11 has
were related or at- panies plan to fail because they become a “Good Manufacturing
fail to plan. Gap assessments are Practice (GMP) lifestyle” for many
tributable to secu- dictated and governed by effec- companies. These companies
tive planning and strategy, deliv- know that they have to implement
rity and integrity- erables, execution, due diligence, the technical and procedural con-
timely follow-up, and yes, a de- trols that must be met if these
related issues… fensible position with your Part 11 companies choose to maintain
compliance program. records electronically and use
As many in Industry know or electronic signatures.
are aware of, compliance is not However, we also know that
black and white. It is purported, many companies are struggling
alleged, and even confirmed, that with Part 11. Recently, a poll
a gray area does in fact exist. We was conducted by a software
have heard statements like, “com- vendor that reported that Part 11
pliance is the luck of the draw,” or compliance remains idle. The re-
by “compliance means I passed this sponse to this recent poll is
David R. Dills time.” Remember the Generic shown in Figure 1.
Currently, Director of Drug Scandal from years’ past? Ironically, Part 11 was devel-
Publications, Regulatory & Look at how many compliant oped in conjunction with industry
Compliance for the Institute of companies suddenly became over a period of six years. As we
Validation Technology & non-compliant or out-of-control. know, virtually all of the rule’s re-
Advanstar Communications, Inc. Part 11 is a force to be reckoned quirements had been suggested
At the time of the original with because it’s here to stay, just by industry comments to that “fa-
printing Corporate Director of like the other predicate rules, i.e, mous” July 21, 1992 Advance No-
Technical and Regulatory Part 210 and 211, Part 820, and tice of Proposed Rulemaking.
Compliance Serentec, Inc. Part 606, whereby industry is Amazingly, FDA only received 49

52 I n s t i t u t e o f Va l i d a t i o n Te c h n o l o g y
David R. Dills

Figure 1 Background
Software Vendor Part 11 The gap assessment should be a straightforward
Compliant Poll Statistics process if a team-based approach is employed. It is
important that key personnel from Quality Assurance
Percentage Response
(QA), Information Technology (IT), operations, Reg-
75 Percent Had begun putting in place measures to ulatory Affairs (RA), and other areas deemed appro-
become compliant with the regulation, priate be active participants in this process.
but are only in the early stages. The gap assessment is not considered a true
11 Percent Had most or all systems 21 CFR Part audit per se. However, some companies do use the
11-compliant. Respondents also believe
term assessment and audit interchangeably. An
compliance with Part 11 is an enormous
undertaking, procedurally, administra- audit is a planned, independent, and documented
tively, and financially. assessment to determine whether agreed upon re-
61 Percent The estimated economic impact on their quirements are being met.2 A quality audit is a sys-
organizations of total Part 11 compliance tematic and independent examination and evalua-
would be substantial.1 tion to determine whether quality activities and re-
lated results comply with planned arrangements,
comments on the proposed rule at that time. Many and whether these arrangements are implemented
industry comments were received with the recent re- effectively and are suitable to achieving objectives.2
leases of the Part 11 guidance documents, e.g., glos- Nonetheless you are looking for gaps, i.e., voids or
sary, validation, and time stamps. It appears that deficiencies within your system or program, and
there is now significantly more collaboration and in- then defining and implementing the necessary re-
terfacing with the Agency on this subject matter. medial actions. This is similar to quality auditing,
because the results are reported to management,
Introduction and are used to make managerial or executive de-
cisions concerning potential corrective actions. The
Be cognizant of the fact that many companies purpose is to assess all computer-related systems
will have different approaches for defining, develop- that support GMP areas for compliance with the
ing, implementing, and conducting a gap assess- company’s computer validation policy and opera-
ment. However, the gap assessment should accom- tional procedures, i.e., Standard Operating Proce-
plish the same objective consistently, identifying dures (SOPs). Then you assess all computer-related
the weaknesses, as well as the strengths within systems that support GMP areas for compliance
your system. Here is a truncated version of the key with Part 11. After this step, you initiate and imple-
elements involved: ment remedial action plans, and do what is neces-
sary and required to make the system compliant.
• Determine the level of compliance One approach that can be taken and pursued by
• Identify the weaknesses and strengths in the a company is the following series of events for con-
information available on the computerized sys- ducting a gap assessment. However, these assess-
tem or area of focus ments are customizable, as well as the checklists
• Determine if the computerized system must that will be used. One should tailor these assess-
comply with Part 11 ments to the individuality of the system or facility:
• Use a checklist or comparable documentation
for conducting the gap assessment • Team formation
• Provide documented justification (substantiate • Review of Part 11: review documentation and
your rationale) why some systems are or may the regulations
be exempt from Part 11 • Assessment: conducted by a specific depart-
• Follow up with remediation and appropriate ment, the team approach, or by sites if it’s a
corrective actions multi-site company
• The gap assessment report will usually have • Remediation: this requires planning, execution,
an introduction, background, scope, accep- and follow-up
tance criteria, identified systems, summary of • Quality and project plan: companies often de-
findings, and other comparable elements. velop and use these plans

C o n d u c t i n g Au d i t s, G A P A s s e s s m e n t s, & C o r r e c t i ve A c t i o n s 53
David R. Dills

• Update inventory: comprehensive inventory of factor is a business approach, with some of the
all computerized systems, e.g., laboratory op- same motivators that we see repeatedly; faster,
erations, Research & Development (R&D), better, and cheaper. Companies also need to rec-
quality, manufacturing, IT, and other required ognize that SOPs will not solve every problem.
areas There are many questions a company must ask.
• Develop an assessment questionnaire to all The risk of doing nothing is obvious, e.g., loss of
system users data, data changed unknowingly, or system fail-
• Provide a detailed summary and executive ures. This is why the two key words – integrity and
summary security – are such critical and pivotal components
• Remediation and corrective action plan of Part 11. You have to look at risk, and the price of
• Status reporting: should be conducted in a timely compliance versus price of noncompliance for your
manner to ensure that deliverables are met company. How much risk is the company willing to
assume, and is the big question: “Do you have a
As the gap assessment process evolves, here defensible position?”
are some fundamental questions that should be Retirement of data is another concern. Some
considered to help facilitate the decision-making questions come to mind, such as: What do you do
process that is Part 11 compliant or even applica- with existing data? Archive it? What will be the
ble in certain cases: medium for storage? Who will have access? What
are your policies for access? Another key decision
• Does the system perform or is it involved in a is whether to pursue data migration, or to explore a
GMP function? total replacement. The cost of data migration can
• Does the system interface with other GXP be more than the original system cost in certain
(GMP, [Good Manufacturing Practice], GCP cases. If replacement is the choice, then the vendor
[Good Clinical Practice], and GLP [Good Lab- should have a compliance statement and the com-
oratory Practice]) systems? pany should not hesitate to request it. The compli-
• Does the system capture GMP data? ance statement may include validation of the hard-
• Is the system used to make GMP decisions? ware and software used, and possibly details of
• Does the system store GMP data? customization and training. Compliance statements
• Is the GMP task confirmed electronically? will vary from vendor-to-vendor.
• Does the system generate “printed” data? A remediation process might also require a modi-
• Are the data and document(s) signed after fication of a company’s SOPs or the creation of new
being printed? SOPs. System codes may have to be changed to
• Does the system allow for data to be transmit- make it compliant. A software’s lifecycle is certainly
ted and viewed? relevant. One positive benefit of the Y2K process,
over two years ago, was that it created a myriad of
A logical, orderly, and strategic execution is criti- ways to go through your system and identify errors.
cal to remediating “legacy” computer systems follow- An additional option is to add codes to such soft-
ing a gap assessment. The goal is to be honest and ware to record and/or monitor your system. Different
thorough in your analysis, and in the steps taken to codes and monitoring techniques will vary with com-
remedy any gaps. Areas that need to be reviewed panies. Determining the cost of remediation is also
include a budget, sufficient security, i.e., whether an multi-faceted. Costs can involve additions to the
audit trail is necessary, and, the validity of electronic database such as; new hardware, customization of
signatures and archives. Hopefully, the gap analysis software, validation, training, and development. It’s
has revealed what you need to investigate. If the in- quite possible you will run through several scenarios
formation is not available electronically, then maybe to determine costs. Hopefully, the gap analysis has
it should be. Is it in a database? If not, make it. Cre- revealed what you need to investigate.
ate reports on how systems exist – and where and Some companies will employ and use this
how they fail. model or approach for conducting a gap assess-
In addition, identify common problems. Once ment. Again, companies determine the best and
you have identified a solution, you will be required most practical, effective, and suitable approach to
to make an investment in the remediation and the meet their objectives. Before we go any further,
costs associated with this endeavor. The driving let’s look at the big picture.

54 I n s t i t u t e o f Va l i d a t i o n Te c h n o l o g y
David R. Dills

Four major areas of concern include: • Develop lists, such as a questionnaire, work-
sheet, and other templates that will facilitate
❶ Conduct a comprehensive inventory of your the process. Some companies use a proce-
computerized systems dural matrix or spreadsheet listing all com-
❷ Identify the systems that support GMP areas puter-related policies and procedures.
❸ Conduct the gap assessment (or analysis) • Perform gap analysis (assessment)
❹ Develop and execute the remediation plan • Identify remedial options
• Develop “interim” remedial actions
For the gap assessment approach in the pre- • Develop a master plan
ceding paragraph, a company will desire or require
that the gap assessment cover or expand on the It’s becoming clearer that a conventional gap
following elements: assessment approach uses comparable or equiva-
lent terminology, and even the same prescribed
• Documented system functionality and its in- methodology and technique. The checklist or spread-
tended use sheet shown in Figure 2, which is a brief example,
• Documented evidence how the system works should be used as the tool for facilitating the
• Documenting the specific areas subject to Part 11 process for determining whether Part 11 require-
• Reviewing all test plans and test results, which ments are being met. If not, then assigning the ap-
need to ensure traceability propriate corrective action or actions to remedy the
• Validation, which means, documented proof situation is required.
and evidence that Installation Qualification Why has Part 11 become such a hot topic in the
(IQ), Operational Qualification (OQ), and any industry? Here are two examples of some of the
other validation testing was performed, and reasons why:
the documentation is current and accurate.
Recent Warning Letters have shown a blood
Other documentation that will be targeted during bank that transferred electronic information to a
the gap assessment after the company observes hospital that did not have a validated electronic
gaps within the system may include: records system. During the process, codes for the
blood donations were transposed, indicating the
• SOPs: design and development (system devel- units had passed contamination testing and were
opment lifecycle), security, backup, disaster, usable, when in fact they had not been tested. As a
contingency planning, operations, training, and result, seven units of untested blood were released
configuration management to the public. Another example cited in the Warning
• Organizational flowcharts to ensure that per- Letter is that the company’s computer system,
sonnel have the necessary education, training, called the XYX, lacked proper validation protocols,
and experience and complete and accurate records of the results
were not maintained. Inadequate system security
Nonetheless, another approach may include the also was observed during the recent inspection,
following elements: and one employee was observed, “to have utilized

Figure 2
Part 11 Gap Assessment Checklist or Spreadsheet – Example
Requirement Assessment Result Corrective Action
11.10(a) Validation of systems to System XYZ for the clinical trials Validate the system and document
ensure accuracy, reliability… database is still pending validation rationale why system was not
because… validated per the master plan
11.10(e) Computer-generated, time- System ABC has audit trail and None
stamped audit trails exist… record changes, and not obscure
previously recorded information.
11.50(3) Signature manifestation – System 1-2-3 was observed not Modify to ensure that “meaning”
meaning (review, approval, authorship, to have a meaning associated is linked to the signature at all
etc.) with the signature times.

C o n d u c t i n g Au d i t s, G A P A s s e s s m e n t s, & C o r r e c t i ve A c t i o n s 55
David R. Dills

another person’s computer access to enter data” tems to ensure accuracy, reliability, consistent in-
into the recordkeeping system. tended performance, and the ability to discern in-
Some of the general problem areas that FDA valid or altered records. This is why you validate
has observed related to Part 11 include, but are first and then pursue Part 11 compliance.
not limited to, the following: Nonetheless, when preparing to conduct a gap
assessment, a company should consider the fol-
• Legacy e-systems less secure than traditional lowing activities, which is another approach, but
paper similar to what we have already discussed:
• Record integrity principles and forgotten practices
• Falsifications facilitated • Discuss the positive and negative experiences
• Barriers erected to FDA inspections associated with Part 11 at your company, espe-
• Implementation given to IT alone (now known cially the “I” word – interpretation.
as the “disconnect syndrome”) • Discuss the items learned (or assumed) since
• Failure to keep current with standards and en- the regulation and guidance documents were
abling technologies released.
• Blind acceptance of shrink-wrap • Management support is critical
• Resistance to change • Develop and implement a Part 11 training and
• Poor network security (passwords posted to educational program for the Part 11 task team
directory, network administrator unqualified, all • Review company policies, operational proce-
users have system “admin” privileges) dures, SOPs, and FDA updates (review the
• Poor password controls Preamble)
• Unvalidatable systems • Develop a Part 11 plan (legacy plan in this case)
• No audit trail
• Failure to record laboratory data As with any plan, you must have a purpose,
scope, deliverables, approvals, etc., and maybe ac-
Again, this is a non-inclusive list of areas of ceptance criteria. Some companies will identify and
concern. However, it can be asserted that over the assess legacy systems subject to Part 11. Develop
past four years, of the thirty six Part 11-related is- a remediation plan, obtain management and QA
sues referenced in 483s and Warning Letters, ap- approval, monitor and report progress and bottle-
proximately half of the citations were related or at- necks, and then control all changes to the plan –
tributable to security and integrity-related issues, treat it as a controlled document subject to revision
which are real concerns and issues. control. An example of a progress report may re-
The gap assessment will (or should) identify the semble the table shown in Figure 3.
voids and weaknesses within your system or com- A gap assessment checklist or spreadsheet can
pany. However, one area that deserves honorable be quite simple to develop. The emphasis is that if
mention is that of validation. Software validation is a Part 11 requirement does not apply, one should
establishing by objective evidence that all software not denote the space or area with just the famous,
requirements have been implemented correctly and “N/A” response. You should clarify in writing why
are traceable to system requirements. This defini- Part 11 does not apply for the official record. This
tion has been observed at various industry confer- is also viewed as being prudent and analyzing your
ence presentations. Another well known FDA defini- process or system. This conveys assurance and
tion is as follows: confidence that you understand your system.
When conducting a gap assessment, one has
“Software validation is confirmation and provi- to be cognizant of the fact that any software-driven
sion of objective evidence that software specifica- process or application controlling the quality and
tions conform to user needs and intended uses, production system, needs to be included within the
and that the particular requirements implemented scope of the assessment. The following are just
through software can be consistently fulfilled.” 3 some of the examples that need to be taken under
consideration:
It’s a foregone conclusion that Part 11 and vali-
dation are inseparable for the most part. Why? Be- • Programmable Logic Controllers (PLCs)
cause you need to validate the computerized sys- • Distributed Control Systems (DCS)

56 I n s t i t u t e o f Va l i d a t i o n Te c h n o l o g y
David R. Dills

Figure 3 a state of compliance. The total number of pages


comprising this plan was more than 75. Figure 4 is a
Example of a Progress Report for section from that plan with purged confidential and
a Part 11 Gap Assessment sensitive information. However, the outline will look
Overall Schedule Assessments Remediation very similar to what has been written thus far.
Plan Completed Gap assessments may also help with the legal
concerns associated with Part 11. This assessment
Analytical Labor- 1/5/02 2/25/02
atory System process can and does provide a vehicle or tool to
train and educate key personnel involved in the Part
Production 2/17/02 4/2/02
System 11 compliance strategy process. Some of the con-
cerns or general comments include the following:
Research & Devel- 3/9/02 5/23/02
opment Laboratory
• Companies wishing to use e-signatures must
Quality Assurance 6/5/02 7/23/02
Data/Inspect/Test “certify” that the e-signatures used in their sys-
System tem are intended to be the legally binding
equivalent of the signer’s handwritten signa-
Systems Number Number Number
of Systems Assessed Compliant ture. FDA requires that companies make a sin-
gle certification for all current and future em-
Analytical 30 20 15 ployees. This will have implications for the de-
Laboratory
partment with responsibility for certification.
Production 50 24 8 Employees will need to appreciate that their e-
Research & 10 4 2 signature on company records could carry a
Development
criminal penalty under 18 U.S.C. §1001 if the
Laboratory
information is later determined to be false.
Quality Assurance 20 11 7
• Part 11 will also present challenges for compa-
Data/Inspect/
Test System nies in the context of FDA inspections. The first
challenge will be in providing timely access to
• Supervisory Control and Data Acquisition records for an investigator. However difficult it
(SCADA) may be to locate and produce old paper re-
• Laboratory Information Management Systems cords in a timely fashion, older versions of e-
(LIMS) records may present significantly more difficult
• Clinical trials management database systems challenges. The Part 11 preamble indicates
• Electronic Documentation Management Sys- that FDA may need to inspect hardware and
tems (EDMS) software – this may cause headaches for com-
• Building Automation Systems (BAS) panies that move to new systems.
• Enterprise Resource Planning (ERP) • FDA expects companies to have computer sys-
• Materials Resource Planning (MRP) tems that allow investigators to review e-records
• MP-2 (Facilities/practice maintenance system) for as long as they are retained, which could be
• Complaint handling software systems a long time. Companies will need to ensure that
• Calibration management systems those records can be located and accessed with
• Commercial Off-the-Shelf (COTS) software appropriate technology. Failure to turn over re-
programs quired records can have serious consequences,
• Special inspection and testing equipment including criminal penalties.
• Laboratory equipment and testing instrumen-
tation Gap assessments should help achieve Part 11
compliance for most companies if conducted in ac-
This author reviewed a computer system valida- cordance with the company’s game plan, with prede-
tion project and compliance plan last year for a fined and preapproved procedures, and the required
major pharmaceutical manufacturer. This company buy-in by all parties and approvals. Unfortunately,
demonstrated that they knew exactly what they had there are no guarantees. However, as stated earlier,
within their system, and what necessary actions compliance is not black and white, which is why
were required to bring the system and company into companies need to be in compliance, and operating

C o n d u c t i n g Au d i t s, G A P A s s e s s m e n t s, & C o r r e c t i ve A c t i o n s 57
David R. Dills

Figure 4
Computer System and Validation Project and Compliance Plan Example
Section XX. Electronic Record/Electronic Signature (ERES) Sub Team

Team Leader: John Doe


Principle Objective: Harmonization of ERES guidelines across the site.
Key Milestones: The milestones listed below are essential to the completion of this sub-project-{referring to?}.
Key activities are listed for each milestone, however, this does not represent an all-encompass-
ing list. Please refer to the Sub Team Gantt Chart for all activities.
Milestone A: Identify all existing ERES procedures
Activity 1: Collect information from all departments in technical operations, IT, and quality management to
identify all ERES methods in use.
Prerequisites: None
Deliverable: List all current ERES guidelines, procedures, and standards.
Activity 2: Establish one ERES assessment process
Prerequisite: Activity 1 (one) complete
Deliverable: One company XXX ERES assessment procedure, including an ERES assessment tool
Activity 3: Train users of assessment process
Prerequisites: Activities 1 (one) and 2 (two) complete
Deliverable: Training records, trainer users
Milestone B: Assessment phase
Activity 1: Create master site ERES assessment plan
Prerequisites: None
Deliverable: Site master ERES assessment plan
Activity 2: Create individual assessment teams in each organization and assign members
Prerequisites: Assignment of team members by management (Trained team members [A-3])
Deliverables: None
Activity 3: Create individual organization assessment plan
Prerequisites: Activities 1 (one) and 2 (two) complete
Deliverable: ERES assessment plan
Activity 4: Assess systems using approved ERES assessment tool
Prerequisites: QA approved assessment tool and procedure (A-2)
Deliverables: Individual systems assessments
Activity 5: Write a remediation plan for each non-compliant system
Prerequisites: Activities 1 (one) and 2 (two) complete
Deliverable: ERES action plan assessment templates
Milestone C: Remediation process
Activity 1: Develop remediation plan
Prerequisites: Compliance summary for individual organizations
Deliverable: Plan for the remediation of non-compliant systems

Note: There are details and other background information associated with this plan. This example was provided to
demonstrate the degree of planning and execution required by this pharmaceutical manufacturer.

in a state of control. FDA is scrutinizing computerized issued, 36 seizures, one civil penalty, 3, 716 recalls,
systems now more than ever. Industry has to be pro- 44,612 detentions, two prosecutions, and 421 arrests
active. This past fiscal year ending September 2001, with 353 convictions. Industry needs to understand
FDA had conducted 18,649 inspections and audits. that there is a price to be paid for noncompliance,
In the fiscal year 2000, FDA conducted 15,146 in- and if a company’s systems are out-of-control, then
spections and this equated to 1,154 warning letters the company is out-of-control.

58 I n s t i t u t e o f Va l i d a t i o n Te c h n o l o g y
David R. Dills

This article introduced some of the most funda- Corporate/Operations Management on behalf of well-known
mental steps and activities involved and associated manufacturers and service providers. His areas of expertise in-
clude, defining and implementing validation programs, supplier
with Part 11 gap assessments. We have learned
certification programs, Quality System, cGMP and validation
that companies have different approaches for con- training, auditing, policy and procedure development and deploy-
ducting gap assessments. However, we also share ment activities, project management, risk management and
common denominators with our gap assessment analysis, ISO 9001/13485, Gap Assessments, Computer and
approaches. We must conduct the following activi- Software Validation/IT Network, Part 11 Gap Assessments and
ties: Remediation, MDD 93/42/EEC, change control, quality tools,
statistical techniques, design control programs, CAPA, risk man-
agement/assessment, regulatory submissions, international reg-
• Strategic planning ulations, FDA Mock and PAI Inspections, compliance activities
• Determine the level of compliance that we are with sample accountability, worked with companies under con-
seeking sent decree and CIA (corporate integrity agreements) under
• Identify the weaknesses and strengths in our OIG, and other FDA-related activities. He also provides advisory
input to companies to determine if the systems are designed,
computerized systems
deployed and maintained in a sustainable compliance and vali-
• Conduct an inventory of our systems dation environment. He currently serves on the Faculty Advisory
• Determine if the system must comply with Part 11 Board for the Pharmaceutical Training Institute and Editorial Ad-
• Conduct the assessment using a checklist or visory Boards for Software Quality Professional and the Institute
spreadsheet of Validation Technology (IVT), publisher of the Journal of GXP
• Provide documented justification if certain sys- Compliance and Journal of Validation Technology. He serves on
the Readers’ Board for Medical Device & Diagnostic Industry
tems are exempt from Part 11 and Medical Product Manufacturing News and was nominated
• Implement and execute a remediation plan and accepted for inclusion into the 2004-2005 Strathmore’s
• Conduct the required follow-up as warranted. Who’s Who of Professionals. He has authored and published nu-
merous validation and regulatory/compliance-related articles,
Furthermore, focus on assessment and analysis commentaries and technical guides, and is an accomplished
global industry speaker and presenter. He has academic de-
where specifics are more integral to the process.
grees in Environmental Science and Biology. He currently serves
Project stages are logical and sequential to an ex- as Advisor for the American Society of Quality’s Section 1506
tent, going from assessment to analysis to remedi- and as a former Chair and Co-Chair and is an active member of
ation to production to maintaining compliance. Ini- the Biomedical Division, RAPS, PDA, ISPE, and other industry
tially in an assessment, the original inventory may groups. He may be contacted at 904-519-8040 or cell at 904-
be quite large, and then it will become more man- 614-3220. The fax number is 904-519-9810 and e-mail is
[email protected].
ageable. An assessment is a team effort and a re-
flection of corporate policy. Communication, of References
course, is key. A template should be established 1. Genetic Engineering News, November 15, 2001.
that addresses each and every sentence of Part 2. J.P. Russell. The Quality Auditing Handbook. ASQ
11. Your assessment should prioritize, and then Quality Audit Division. 1997.
3. General Principles of Software Validation; Final Guid-
create a master plan with reliable data. FDA is very
ance for Industry and FDA Staff, issued on January 11,
concerned that companies have such a plan. The 2002 (supersedes Version 1.1, dated June 9, 1997).
plan should be realistic, as you have seen in some
of the Warning Letters. Gap assessments are tools Suggested Reading
that should work for the company and not against, 1. Validation Times (Insight on GMP Validation: News,
in order to achieve your Part 11 compliance goals 483/warning letter analysis, compliance tips) – multiple
and objectives. ❏ issues in 2001.
2. FDA. Code of Federal Regulations, Title 21, Part 11.
About the Author “Electronic Records; Electronic Signatures: Final Rule.”
David R. Dills is Director of Publications, Regulatory & Compli- Federal Register, (March 20, 1997).
ance for the Institute of Validation Technology, a division of Ad- 3. Fields, T. “Impact of 21 CFR Part 11 on Computer-Re-
vanstar Communications, Inc. and serves on advisory boards for lated System Validation.” Journal of Validation Technol-
other trade groups. He has served as an Industry Consultant, ogy. Vol. 7, No. 4 (August) 2001.
with emphasis on validation, training, assessments, regulatory 4. Grunbaum, L. “Remaining in a 21 CFR Part 11 Com-
affairs, inspections, submissions, and compliance. He has been pliant State.” Journal of GXP Compliance. Vol. 6, No. 3
involved within the FDA-regulated industry for more than nine- (April) 2002.
teen years in the areas of Quality Assurance, Quality Engineer- 5. FDA. Fiscal Year 2001 Report, Office of Regulatory Af-
ing, Validation, Regulatory Affairs/Compliance, and fairs.

Originally published in the July 2002 issue of the Journal of GXP Compliance

C o n d u c t i n g Au d i t s, G A P A s s e s s m e n t s, & C o r r e c t i ve A c t i o n s 59

You might also like