21 CFR Part 11 and NetDimensions

Please note: McDowall Consulting is the source of much of the vertical specific domain information.

2014-10-23


Agenda
•  Background & Context
•  Compliance & Quality Assurance
•  What is 21 CFR Part 11
•  Single Vs Multi – The hype & the truth…
•  Where does NetD fit in
•  NetDimensions Validation Process
•  The Good Practice Regulations
•  GAMP
•  GAMP & Computer Software Validation
•  The Competition
•  How to sell in this vertical
•  Research Sources

Our Market Focus

What is Compliance Training? Is it Quality Management?
•  Compliance training is mandated training. There may be multiple sources for mandatory training. The requirement may be an internally mandated policy or one to cover principles of legislation such as EU Data Protection or German Labour Law. The requirement may be a law or regulation enforced by a government agency such as EASA, FDA, FSA etc.
•  Mandated training may involve several actions: a course, a visual observation (Supervisory Assessment) or an action that must be observed or tested. It may be a test or exam as in the case of Recurrent Training in aviation, which imposes High Stakes Examinations. It may be a document that must be read and formally acknowledged as in the case of Standard Operating Procedures (SOPs).
•  Compliance training must be documented. The completion of the training must be tracked and reported. The completion may be measured by attendance, progress through a course, test results, or a learner or supervisor’s signature (e-signature).

Key Principles of Compliance

1.  Say what you do
    –  Have a written procedure that states what you do
2.  Do what you say
    –  Follow the procedure
    –  If there is a deviation – write what was done
    –  Do you need to revise the procedure?
3.  Document it
    –  Written or electronic evidence is needed to demonstrate that the procedure was followed

Compliance Training is part of a systematic approach for an organisation to prove it is controlling and recording a documented process in line with the regulations.

Compliance in Highly-Regulated Industries
1.  Authenticity - validated identity authentication (e.g. e-signatures or physical identification)
2.  Integrity - secure infrastructure (e.g. ISO 27001)
3.  Confidentiality - data privacy & control (e.g. Secure SaaS)
4.  Availability - system architecture (e.g. intrusion/DOS detection & prevention)
5.  Auditability - tracking & reporting
6.  Regulations (e.g. 21 CFR Part 11, EU GMP equivalent)

Context - What is 21 CFR?
•  Title 21 CFR Part 11 of the Code of Federal Regulations deals with the Food and Drug Administration (FDA) guidelines on electronic records and electronic signatures. Part 11, as it is commonly called, defines the criteria under which electronic records and electronic signatures are considered to be trustworthy, reliable and equivalent to paper records (Title 21 CFR Part 11 Section 11.1 (a)).
    –  http://en.wikipedia.org/wiki/Title_21_CFR_Part_11
    –  http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=11

What is 21 CFR
•  Organisations wishing to submit electronic evidence to the FDA must have the appropriate policies, procedures, and technical controls in place to be Part 11 compliant.
•  This involves audits, system validations, audit trails, electronic signatures, and documentation for software and systems that are involved in the processing of data as part of their business practices and product development
    –  Operator Activity Vs User Activity
•  Predicate Rule does not apply

Where do we fit in?

US 21 CFR 58 > GLP Non-clinical Environmental Drug Metabolism Pharmacokinetics

21 CFR 210 21 CFR 211 Finished products

21 CFR 820 (ISO 13485 EU) Device manufacturing

21 CFR Part 11

Where do we fit in?

User Verification Use Case

Biometric Software Used in Medical Devices

Digital Signature Software Used in Manufacture of Medical Devices

Electronic Signature Part of Quality Management Systems (QMS) (21 CFR 820)

LMS, QMS, Assessments, CMS all form part of QMS.

Learning Management Software
•  ...is VALIDATED as part of a process - not Certified

Technical

Administration

Procedure

SaaS Vs on-premise & Single Vs Multi Tenant
•  Single tenant versus multi-tenant is a debate in the GxP/CSV market. CSOD is making a big play into this vertical but there is a lot of concern among buyers about the suitability of multi-tenant software to act as the Training Record for the Quality Management process.
•  All Plateau clients are being forced to move from being Single Tenant to Multi-Tenant in the SuccessFactors/SAP SaaS infrastructure; their existing on-premise systems are being End of Life-ed. NetD is very unusual in that it supports on-premise and also provides a GxP Hosting infrastructure (Secure SaaS), all on a single code base.

Other Regulations & Acronyms
•  21 CFR Part 11, 820 as well as 210 & 211
•  ISO 13485
•  ISO 14387
•  GAMP 5 – (ISPE) – Guide on how to satisfy regulatory requirements.
    –  Good Automated Manufacturing Practice
•  EU GMP – Annex 11 = 21 CFR Part 11
    –  Good Manufacturing Practice
•  ISO 1994 (8402) – verification & validation are separate

Each manufacturer shall provide adequate resources, including the assignment of trained personnel, for management, performance of work, and assessment activities, including internal quality audits, to meet the requirements of this part.

Other Regulations & Acronyms
•  The GxPs – Collective noun for Good Laboratory Practice (GLP), Good Clinical Practice (GCP) & Good Manufacturing Practice (GMP)
•  The Qs – Design Qualification (DQ), Installation Qualification (IQ), Operational Qualification (OQ) & Production Qualification. See next slide.

NetDimensions Validation

Bob McDowall – NetD’s exocet

•  PhD in forensic toxicology
•  15 years pharma industry experience
•  19 years self employed
•  32 years software specification experience
•  26 years CSV validation experience
•  1997 LIMS Award
•  Writer & presenter on regulations and CSV
•  Advisor to C&L / PwC pharma group

www.rdmcdowall.com

Validation Overview

•  LMS linked to QA process
•  Fresenius Medical Care & Kabi in Germany
    –  Core system validation
    –  Local additions separately validated
•  Time line:
    –  Start 25th June 2012
    –  End 24th August 2012
    –  9 weeks to validate the system
    –  Time line achieved
    –  BUT > depends on user knowledge of system

System Risk Assessment
•  Determines if system needs validation
    –  Modification of SQA risk assessment questionnaire
    –  Closed questions
•  Determines extent of validation
    –  GAMP software categories v
    –  Record impact
•  Outcome: validated via full life cycle

Validation Control and Reporting
•  Validation Plan
    –  Plan of intent
    –  Life cycle phases and documented evidence defined
    –  Roles and responsibilities defined
•  Amendments for planned changes
•  Validation Report
    –  Report of delivered project including amendments
    –  Discussion of amendments
    –  Discussion of testing issues
    –  Requirements traceability
    –  (Release of system)

Supplier Assessment

•  Conducted by client
    –  Recused from this task as conflict of interest
•  Assessment of NetD QMS and product development and support
    –  Remote questionnaire
    –  Follow up via TC and WebEx
    –  Internal report for project
•  NB: standard practice for regulated healthcare

Key Validation Documents
•  Validation Master Plan (VMP)
•  Validation Plan (VP) / Master Validation Plan (MVP)
•  User Requirements Specification (URS)
•  Functional Specification (FS)
•  Design Qualification (DQ)
•  Design Specification (DS)
•  Installation Qualification (IQ)
•  Operational Qualification (OQ)
•  Performance Qualification (PQ)
•  Validation Summary Report (VSR)

Some more Pharma Terminology
•  Qualification: Action of proving that any equipment works correctly and actually leads to the expected results (EU GMP).
•  Design Qualification (DQ)
    –  Specifying the intended use of the system
•  Installation Qualification (IQ)
    –  Are components installed correctly and integrated together?
•  Operational Qualification (OQ)
    –  Does the system work as IDBS expects?
•  Performance Qualification (PQ)
    –  Does it work as the customer expects: tested against the URS (e.g. User Acceptance Testing)

The Good Practice Regulations

Good Practice Regulations

•  Good Laboratory Practice (GLP)
•  Good Clinical Practice (GCP)
•  Good Manufacturing Practice (GMP)
•  Collectively called GXPs

Good Practice Regulations
•  Good Laboratory Practice (GLP)
    –  21 CFR 58
    –  OECD GLP Regulations
•  Good Clinical Practice (GCP)
    –  Tripartite GCP (EU and Japan)
    –  21 CFR 50, 54, 56, 312, 314
•  Good Manufacturing Practice (GMP)
    –  21 CFR 210, 211
    –  EU GMP – 9 chapters and 20 annexes

Regulatory Agencies
•  Each country has its own regulatory agency:
    –  US – Food and Drug Administration (FDA)
    –  UK – Medicines and Healthcare Products Regulatory Agency (MHRA)
    –  Japan – Ministry of Health, Welfare and Labour (MHWL)
•  Each Agency polices its own country via inspections
    –  Facility inspections
    –  Pre-approval inspections (PAI)
    –  For cause inspections
•  Pharmaceutical Quality Systems inspection approach

21 CFR 211.25 Personnel Qualifications
•  (a) Each person engaged in the manufacture, processing, packing, or holding of a drug product shall have education, training, and experience, or any combination thereof, to enable that person to perform the assigned functions. Training shall be in the particular operations that the employee performs and in current good manufacturing practice (including the current good manufacturing practice regulations in this chapter and written procedures required by these regulations) as they relate to the employee's functions. Training in current good manufacturing practice shall be conducted by qualified individuals on a continuing basis and with sufficient frequency to assure that employees remain familiar with CGMP requirements applicable to them.

21 CFR 11: Electronic Records; Electronic Signatures Final Rule
•  US regulation but multinational companies must comply if selling products in the US
•  Scope of Part 11 – 1997
    –  Sub parts A, B & C in overview
    –  Integrated regulation: requirements for e-signatures in e-records sub-part and vice versa
•  Scope and application guidance 2003
    –  Narrow scope and emphasises the interpretation of the applicable predicate rules

Inspection Observations & Deficiencies
•  At the end of each inspection a report is generated:
    –  Observations e.g. FDA 483 of non-compliances
       Example: KV Pharma 2009
    –  Graded e.g. critical, major, other > MHRA
       Example: Annual deficiency report
    –  FDA, if serious findings, issues a warning letter
       Example – Earlham College 2002

Interaction of Part 11 with Predicate Rules

GLP GCP GMP

US Predicate Rules

Predicate rule is an FDA term meaning existing regulations defined under the Food, Drug & Cosmetic (FD&C) Act

Interaction of Predicate Rules and Part 11

21 CFR 11: Electronic Records and Electronic Signatures

GLP GCP GMP

US Predicate Rules

Interaction between predicate rules and Part 11

GMP predicate rule: 211.194(a) (7) The initials or signature of the person who performs each test and the date(s) the tests were performed.

(8) The initials or signature of a second person showing that the original records have been reviewed for accuracy, completeness, and compliance with established standards.

Three Types of Part 11 Controls

Who is responsible for which control?

NetD: Technical controls

Customer: Procedural & Administrative controls

Technical controls built into the application: e.g. security, audit trails, data integrity features

Procedural controls: SOPs and training to use the system

Administrative controls: company requirements e.g. verify identities, register with the FDA

Part 11 compliance only comes when all three controls work together

Technical

Procedural Administrative

Annex 11 (EU) & Part 11 (USA)
•  Similar technical and procedural controls for computerised systems, records and electronic signatures
•  Technical controls:
    –  Security
    –  Audit trail
    –  Etc
•  Key requirement of both regulations: data integrity

GAMP

Good Automated Manufacturing Practice (GAMP) Guidelines

•  Volunteers from UK pharma started writing guidance for manufacturing suppliers 20 years ago
•  Now a global effort
•  Guidance based on regulatory interpretation by industry with input from regulators

Key Points of a Computerised System

•  Regulations require that equipment be properly installed and meets the intended purpose
•  Therefore elements that need to be under control:
    –  IT Infrastructure is qualified and IT staff are trained
    –  Application is suitably installed
    –  Application is interfaced to instruments and other computerised systems
    –  SOPs to use and support the system are available
    –  Users are trained to use the system via SOPs
    –  Overall system is defined: intended purpose
    –  Overall system is tested: demonstrates that it meets intended purpose

Computerised System

People

Standard Operating Procedures

Network

Software: OS Applications

Hardware &

Peripherals

Computer System

Controlled Process

Computerized System

Standard Operating Procedures

Instrument (Firmware)

Operating environment

GAMP Software Classification and System Risk

Risk & GAMP 5 Software Categories

Category 1: Infrastructure software
Category 2: Firmware – discontinued in GAMP 5
Category 3: Non-Configurable Software
Category 4: Configured Software
Category 5: Custom Software

Notes:
    –  The same software package can be in two categories e.g. Excel
    –  More than one software category can exist in a system e.g. database and application software

Category 1 Software

•  Category 1: Infrastructure Software
•  Established or Commercially Available Layered Software e.g.
    –  Operating systems, languages, databases, ladder logic, office products spreadsheets etc
    –  Open source general purpose products
    –  Infrastructure Software Tools e.g. Network management, backup, help desk etc

Category 2 Software

•  Category 2: Firmware
    –  Discontinued in GAMP 5
    –  Now treated as software in category 3, 4 or 5.

Category 3 Software

•  Category 3: Non-Configured Products
    –  Off the shelf products used for business purposes
    –  Includes systems that cannot be configured to conform to business processes
    –  Configuration to run in your environment only
    –  Also Category 4 software that can be configured but only the default configuration is used

Category 4 Software

•  Configured Commercial Products
    –  Configured products provide standard interfaces and functions that enable configuration of the application to meet user specific business processes.
    –  Configuration using a vendor supplied language should be handled as custom components (Category 5).

Category 5 Software

•  Custom Applications
    –  These systems or subsystems are developed to meet the specific needs of a regulated company.
    –  Highest risk software
    –  Spreadsheet with macro
    –  NetD: Custom extensions for customers integrated into releases of the product – now category 4

The Competition

The Competition is shrinking
•  Saba (rumour about MT SaaS)
•  Sum T (Vista Equity – client satisfaction issue)
•  AI Talent (Cobent)
•  CertPoint (bought by Infor)
•  Syberworks
•  Silkroad (Greenlight)
•  LearnerWeb
•  golighthouse
•  OutStart (Eedo)/Kenexa (move to MT SaaS IBM)
•  Immedius (Generation 21)
•  Intralearn
•  ISOtrain/Softek
•  CSOD

Key Requirements (AI Talent)
•  Delivering FDA compliance training and well-documented Standard Operating Procedures (SOPs) are keys to ensuring business success and compliance with FDA regulations.
•  Leading life sciences organisations use AITalent’s validated electronic Learning Compliance Solution (LCS) to deliver SOP and GxP training compliant to FDA’s 21 CFR Part 11 guidance for electronic records, documents and signatures.
•  AITalent’s Learning Compliance Suite streamlines processes and helps to ensure "audit ready" FDA regulatory compliance by enabling you to:
    –  Create training from current approved SOP documentation
    –  Quickly publish online learning courses and assessments
    –  Manage e-documents using revision and workflow controls
    –  Track on-the-job training, competencies and proficiencies
    –  Capture evidence of training with e-signatures and audit trails
    –  Centralise and track all GxP, GMP, GCP and GLP training
    –  Ensure FDA compliance with 21 CFR Part 11 for electronic records
    –  Automate re-training or re-certification notifications and alerts to users
    –  Automatically assign and notify users of SOP and procedural changes
    –  Accelerate knowledge transfer across sales and marketing organisations
    –  Integrate with quality or document management systems

Case Study

Compliance - FDA 21 CFR Part 11 in Life Sciences
•  CLIENT
    –  A global health-care company based in Europe with products and services for hospitals as well as inpatient and outpatient medical care
    –  2011 revenues of €16.5bn
•  CHALLENGE
    –  Global training and employee development platform
    –  Over 135,000 users worldwide (initial rollout to 30,000 users in 24 countries)
    –  21 CFR Part 11 & EU GMP Annex 11 requirements
•  DIFFERENTIATORS
    –  Solution: NetDimensions Learning + Performance (on premise)
    –  Best TCO for customizations that are carried forward
    –  NetDimensions validated in September 2012 for 21 CFR Part 820/211 and Part 11 as well as for EU GMP Annex 11 requirements at Fresenius Medical Care’s environment

How to sell into this vertical

Requirements
•  On Premise or Secure SaaS (Single tenant or MT)
•  Pre-validation
•  Security (security audits engineering, QA & hosting)
•  SOPs
•  Test Scripts
•  Flexibility
•  E-Signatures
•  Must be able to carry out the validation process

LMS Compliance and Quality Management features
•  Security
    –  Hosting – infrastructure (the role of Secure SaaS)
        •  Single Tenant infrastructure
    –  User verification – tokens, IP address, etc.
    –  Application security – vendor audit
•  Audit Trail
    –  Evidence of behavior
•  E-Signatures
•  Certifications – exams, training & SOPs
•  Reporting & Analytics

How to Sell into this vertical
•  Learn the basics (in this presentation)
•  Understand the problems the prospect faces (reporting, compliance, audits, certification SOP tracking usually done on paper or bespoke in house software platforms)
•  Understand the EXTREMELY conservative nature of this industry
•  Understand and quote legislation changes (FDA)
•  Know when to involve the experts (Dr Bob)
•  Be ready to articulate not only what their pain is but how we would go about addressing this (soup to nuts)

Areas of Functionality to Demonstrate/Discuss
•  Accessibility
    –  Mobile: Slate App with Supervisor Assessments
•  Compliance
    –  Exams & Evaluations
    –  e-Signatures
    –  Certification (expiration/renewals/grace periods)
    –  Auditing Log
•  Organisational profiling
    –  Onboarding/Offboarding: Auto/group enrol
    –  Programme management
    –  Job profiles and competencies including Learning Path

Areas of Functionality to Demonstrate/Discuss
•  Integration
    –  Portals / HR-ERP transfers
    –  3rd Party compliance/screening systems
•  Reporting
    –  Exams, Learning, Certification & Compliance Reports
    –  Dashboards
    –  Compliance Analytics
    –  NetDimensions Analytics

Key Principles of Compliance

1.  Say what you do
    –  Have a written procedure that states what you do
2.  Do what you say
    –  Follow the procedure
    –  If there is a deviation – write what was done
    –  Do you need to revise the procedure?
3.  Document it
    –  Written or electronic evidence is needed to demonstrate that the procedure was followed

Compliance Training is part of a systematic approach for an organisation to prove it is controlling and recording a documented process in line with the regulations.

Research Sources

•  RM McDowall Consulting
•  http://www.labmanager.com/business-management/2011/04/learning-management-systems#.U8PHJ6i6m0E
•  http://www.businessdecision-lifesciences.com/
•  http://www.fda.gov/iceci/enforcementactions/WarningLetters/default.htm
•  http://www.uleduneering.com/solutions/enterprise-learning-management/learning-management-system/compliancewire/