Page | 1

21 CFR part 11_1997

PART 11ELECTRONIC RECORDS &ELECTRONIC SIGNATURES
Subpart AGeneral Provisions

Subpart BElectronic Records

Subpart CElectronic Signatures

11.1 Scope.

11.10 Controls for closed systems

11.100 General requirements

11.2 Implementation.

11.30 Controls for open systems

11.3 Definitions

11.50 Signature manifestations

11.200 Electronic signature components and

controls.
11.300 Controls for identification codes/
passwords

11.70 Signature/record linking.

(a) The regulations in this part set forth the criteria, under which the agency considers electronic records, electronic
signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to
paper records and handwritten signatures executed on paper.
(b)11.1 Scope. This part applies to records in electronic form that are

1. Created,
2. modified,
(CMMART)
3. Maintained,
4 Archived,
5. Retrieved, or transmitted.
This part does not apply to paper records that are, or have been, transmitted by electronic means.
c) Where electronic signatures and their associated electronic records meet the requirements of this part, the agency will
consider the electronic signatures to be equivalent to full handwritten signatures, initials, and other general signings as
required by agency regulations, unless specifically excepted by regulation(s) effective on or after August 20, 1997.
d) Electronic records that meet the requirements of this part may be used in lieu of paper records, in accordance with 11.2,
unless paper records are specifically required.
(e) Computer systems (including hardware and software), controls, and attendant documentation maintained under this part
shall be readily available for, and subject to, FDA inspection.
11.2 Implementation.

(a) For records required to be maintained but not submitted to the agency, persons may use electronic records in lieu
of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that the
requirements of this part are met.
(b) For records submitted to the agency, persons may use electronic records in lieu of paper records or electronic
signatures in lieu of traditional signatures, in whole or in part, provided that:
(1) The requirements of this part are met; and
(2) The document or parts of a document to be submitted have been identified in public docket No. 92S 0251 as being the
type of submission the agency accepts in electronic form. This docket will identify specifically what types of documents or
parts of documents are acceptable for submission in electronic form without paper records and the agency receiving unit(s)
(e.g., specific center, office, division, branch) to which such submissions may be made. Documents to agency receiving
unit(s) not specified in the public docket will not be considered as official if they are submitted in electronic form; paper
forms of such documents will be considered as official and must accompany any electronic records. Persons are expected to
consult with the intended agency receiving unit for details on how (e.g., method of transmission, media, file formats, and
technical protocols) and whether to proceed with the electronic submission.
(e) Computer systems (including hardware and software), controls, and attendant documentation maintained under this part
shall be readily available, for, and subject to, FDA inspection.
11.3 Definitions.

(3) Biometrics means a method of verifying an individuals identity based on measurement of the individuals physical
feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and
measurable.

Page | 2
(4) Closed system means an environment in which system access is controlled by persons who are responsible for the
content of electronic records that are on the system.
(5) Digital signature means an electronic signature based upon cryptographic methods of originator authentication,
computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data
can be verified.
(6) Electronic record means any combination of text, graphics, data, audio, pictorial, or other information
Representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer
system.
(7) Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or
authorized by an individual to be the legally binding equivalent of the individuals handwritten signature.
(8) Handwritten signature means the scripted name or legal mark of an individual handwritten by that individual and
executed or adopted with the present intention to authenticate writing in a permanent form. The act of signing with a
writing or marking instruments such as a pen or stylus is preserved. The scripted name or legal mark, while
conventionally applied to paper, may also be applied to other devices that capture the name or mark.
(9) Open system means an environment in which system access is not controlled by persons who are responsible for
the content of electronic records that are on the system.

Subpart BElectronic Records

11.10 Controls for closed systems.

Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls
designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that
the signer cannot readily repudiate the Signed record as not genuine. Such procedures and controls shall include the following:
(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or
altered records.
(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for
inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability
of the agency to perform such review and copying of the electronic records.
(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.
(d) Limiting system access to authorized individuals.
(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and
actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such
audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall
be available for agency review and copying.
(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the
operation or computer system input or output device, alter a record, or perform the operation at hand.
(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational
instruction.
(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education,
training, and experience to perform their assigned tasks.
(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated
under their electronic signatures, in order to deter record and signature falsification.
(k) Use of appropriate controls over systems documentation including:
(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and
modification of systems documentation.

Page | 3
11.30 Controls for open systems.

Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and
controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the
point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10,
as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to
ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.

11.50 Signature manifestations.

(a) Signed electronic records shall contain information

associated with the signing that clearly indicates all
of the following:
(1) The printed name of the signer;
(2) The date and time when the signature was executed;
and
(3) The meaning (such as review, approval,
responsibility, or authorship) associated with the
signature.

(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3)

of this section shall be subject to the same controls as for
electronic records and shall be included as part of any human
readable form of the electronic record (such as electronic
display or printout).

11.70 Signature/record linking.

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic
records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by
ordinary means.

Subpart CElectronic Signatures

11.100 General requirements

(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone
else.
(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individuals electronic signature, or
any element of such electronic signature, the organization shall verify the identity of the individual.
(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic
Signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional
handwritten signatures.
(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of
Regional Operations (HFC100), 5600 Fishers Lane, Rockville, MD 20857.
(2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a
specific electronic signature is the legally binding equivalent of the signers handwritten signature.
11.200 Electronic signature components and controls:
(a) Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password.
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first
signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one
electronic signature component that is only executable by, and designed to be used only by, the individual.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled
system access, each signing shall be executed using all of the electronic signature components.
(2) Be used only by their genuine owners; and
(3) Be administered and executed to ensure that attempted use of an individuals electronic signature by anyone other than its
genuine owner requires collaboration of two or more individuals.

Page | 4

11.300 Controls for identification codes/ passwords.

Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ
controls to ensure their security and integrity. Such controls shall include:
(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the
same combination of Identification code and password.
(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover
such events as password aging).
(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially
compromised tokens, cards, and other devices that bear or generate identification code or password information, and to
issue temporary or permanent replacements using suitable, rigorous controls.
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and
report in an immediate and urgent manner any attempts at their
Unauthorized use to the system security unit, and, as appropriate, to organizational management.
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password
information to ensure that they function properly and have not been altered in an unauthorized manner.

Guidance for Industry Part 11, Electronic Records; Electronic Signatures Scope and Application 2003
1>INTRODUCTION.

3>DISCUSSION

FDA is re-examining part 11 as it

applies to all FDA regulated
products.

A. Overall Approach to Part 11 Requirements

2>BACKGROUND

B. Details of Approach Scope of Part 11

1. Narrow Interpretation of Scope
2. Definition of Part 11 Records.

C. Approach to Specific Part 11 Requirements(V A L C R)

1. Validation

2. Audit Trail

3. Legacy Systems

4. Copies of Records

5. Record
Retention

A. Overall Approach to Part 11 Requirements.

1. Limiting system access to authorized individuals
2 use of operational system checks
3 uses of authority checks
4 uses of device checks
5 Determination that persons, who develop, maintain, or use electronic systems have the education,
training, and experience to perform their assigned tasks.
6 Establishment of and adherence to written policies that hold individuals accountable for actions
initiated under their electronic signatures.
7. Appropriate controls over systems documentation.
8. Controls for open systems corresponding to controls for closed systems bulleted above (11.30)
9. Requirements related to electronic signatures (e.g., 11.50, 11.70, 11.100, 11.200, and 11.300)
B. Details of Approach Scope of Part 11

1. Narrow Interpretation of Scope: We understand that there is some confusion about the
scope of part 11. Some have understood the scope of part 11 to be very broad. We believe that some of
those broad interpretations could lead to unnecessary controls and costs and could discourage
innovation and technological advances without providing added benefit to the public health. As a
result, we want to clarify that the Agency intends to interpret the scope of part 11 narrowly.
Under the narrow interpretation of the scope of part 11, with respect to records required to be
maintained under predicate rules or submitted to FDA, when persons choose to use records in

Page | 5
electronic format in place of paper format, part 11 would apply. On the other hand, when persons use
computers to generate paper printouts of electronic records, and those paper records meet all the
requirements of the applicable predicate rules and persons rely on the paper records to perform their
regulated activities, FDA would generally not consider persons to be "using electronic records in lieu
of paper records" under 11.2(a) and 11.2(b). In these instances, the use of computer systems in the
generation of paper records would not trigger part 11.

2. Definition of Part 11 Records

Records that are required to be maintained under predicate rule requirements and that are
maintained in electronic format in place of paper format. On the other hand, records (and any
associated signatures) that are not required to be retained under predicate rules, but that are
nonetheless maintained in electronic format, are not part 11 records.
We recommend that you determine based on the predicate rules, whether specific records are
part 11 records. We recommend that you document such decisions.
Records that are required to be maintained under predicate rules, that are maintained in
electronic format in addition to paper format, and that are relied on to perform regulated
activities.
In some cases, actual business practices may dictate whether you are using electronic records
instead of paper records under 11.2(a). For example, if a record is required to be maintained
under a predicate rule and you use a computer to generate a paper printout of the electronic
records, but you nonetheless rely on the electronic record to perform regulated activities, the
Agency may consider you to be using the electronic record instead of the paper record. That is,
the Agency may take your business practices into account in determining whether part 11
applies.
Accordingly, we recommend that, for each record required to be maintained under predicate
rules, you determine in advance whether you plan to rely on the electronic record or paper
record to perform regulated activities. We recommend that you document this decision (e.g., in a
Standard Operating Procedure (SOP), or specification document).
Records submitted to FDA, under predicate rules (even if such records are not specifically
identified in Agency regulations) in electronic format (assuming the records have been identified
in docket number 92S-0251 as the types of submissions the Agency accepts in electronic format).
However, a record that is not itself submitted, but is used in generating a submission, is not a
part 11 record unless it is otherwise required to be maintained under a predicate rule and it is
maintained in electronic format.
Electronic signatures that are intended to be the equivalent of handwritten signatures, initials,
and other general signings required by predicate rules. Part 11 signatures include electronic
signatures that are used, for example, to document the fact that certain events or actions
occurred in accordance with the predicate rule (e.g. approved, reviewed, and verified).

C. Approach to Specific Part 11 Requirements

1. Validation
Validation of computerized systems ( 11.10(a) and corresponding requirements in 11.30).
Although persons must still comply with all applicable predicate rule requirements for validation
(e.g., 21 CFR 820.70(i)),
Meet predicate rule.
You should also consider the impact those systems might have on the accuracy, reliability,
integrity, availability, and authenticity of required records and signatures. Even if there is no
predicate rule requirement to validate a system, in some instances it may still be important to
validate the system.
We recommend that you base your approach on a justified and documented risk assessment and a
determination of the potential of the system to affect product quality and safety, and record

Page | 6
integrity. For instance, validation would not be important for a word processor used only to
generate SOPs
2.

Audit Trail: computer-generated, time-stamped audit trails ( 11.10 (e), (k)(2) and any
corresponding requirement in 11.30). date (e.g., 58.130(e)), time, or sequencing of events as
well as any requirements for ensuring that changes to records do not obscure previous entries.

We recommend that you base your decision on whether to apply audit trails, or other appropriate
measures, on the need to comply with predicate rule requirements, a justified and documented risk assessment,
and a determination of the potential effect on product quality and safety and record integrity.
We suggest that you apply appropriate controls based on such an assessment. Audit trails can be particularly
appropriate when users are expected to create, modify, or delete regulated records during normal operation.
3.

Legacy Systems: Existing system whose validation does not necessarily meet
current compliance requirements.

The Agency intends to exercise enforcement discretion with respect to all part 11 requirements for systems that
otherwise were operational prior to August 20, 1997, the effective date of part 11, under the circumstances
specified below.
This means that the Agency does not intend to take enforcement action to enforce compliance with any part 11
requirements if all the following criteria are met for a specific system:
the system was operational before the effective date.
the system met all applicable predicate rule requirements before the effective date.
the system currently meets all applicable predicate rule requirements.
you have documented evidence and justification that the system is fit for its intended use (including having an
acceptable level of record security and integrity, if applicable).
If a system has been changed since August 20, 1997, and if the changes would prevent the system from meeting
predicate rule requirements, Part 11 controls should be applied to Part 11 records and signatures pursuant to the
enforcement policy expressed in this guidance.

4. Copies of Records:
The Agency intends to exercise enforcement discretion with regard to specific part 11 requirements
for generating copies of records ( 11.10 (b) and any corresponding requirement in 11.30). You
should provide an investigator with reasonable and useful access to records during an inspection.
All records held by you are subject to inspection in accordance with predicate rules (e.g.,
211.180(c), (d), and 108.35(c) (3) (ii)).
We recommend that you supply copies of electronic records by:
Producing copies of records held in common portable formats when records are maintained in these
formats.
Using established automated conversion or export methods, where available, to make copies in a more
common format (examples of such formats include, but are not limited to, PDF, XML, or SGML)
In each case, we recommend that the copying process used produces copies that preserve the content
and meaning of the record. If you have the ability to search, sort, or trend part 11 records, copies given
to the Agency should provide the same capability if it is reasonable and technically feasible. You
should allow inspection, review, and copying of records in a human readable form at your site using
your hardware and following your established procedures and techniques for accessing records.

5. Record Retention

Page | 7
The Agency intends to exercise enforcement discretion with regard to the part 11 requirements for
the protection of records to enable their accurate and ready retrieval throughout the records
retention period ( 11.10 (c) and any corresponding requirement in 11.30). Persons must still
comply with all applicable predicate rule requirements for record retention and availability (e.g.
211.180(c),(d), 108.25(g), and 108.35(h)).
We suggest that your decision on how to maintain records be based on predicate rule requirements
and that you base your decision on a justified and documented risk assessment and a determination
of the value of the records over time.
FDA does not intend to object if you decide to archive required records in electronic format to
nonelectronic media such as microfilm, microfiche, and paper, or to a standard electronic file
format (examples of such formats include, but are not limited to, PDF, XML, or SGML). Persons
must still comply with all predicate rule requirements, and the records themselves and any copies
of the required records should preserve their content and meaning. As long as predicate rule
requirements are fully satisfied and the content and meaning of the records are preserved and
archived, you can delete the electronic version of the records. In addition, paper and electronic
record and signature components can co-exist (i.e., a hybrid8 situation) as long as predicate rule
requirements are met and the content and meaning of those records are preserved.

Extra
Electronic Records

Electronic records (covered by part B of the regulation) generated by any computerized system
must be trustworthy and reliable; therefore, a number of controls exist in the regulation to support
this requirement. In summary, key requirements are:
Systems must be validated.
Systems must be able to detect altered and invalid records.
Only authorized individuals must have access to a system and their access levels must reflect
their job.
Audit trails are required to monitor creation of and changes to records, including archiving or
deletion of data.
People using a system must be trained; this includes all levels of support from system
administration, to front line users and IT support staff.
Records must be protected for the duration of the records retention period, up to 15 to 20 years
depending on the predicate rule.
Systems must be able to provide the data and associated meta data to an inspector if required.
Signing of records requires the name of the individual, reason for signing, and the date and time
to be displayed at the time of signing.
Signatures must be linked to respective records so that the signatures cannot be removed or

copied.
Policies must be established holding individuals accountable for actions taken under their
electronic signatures.
Where data confidentiality is required, the addition of security such as file encryption or digital
signatures is required to ensure confidentiality. The system, including training and resultant
records, must be sufficient to prevent repudiation of electronic signatures as not genuine.

Electronic signatures

Part C of the regulation has many requirements for procedural and administrative controls, with
relatively few technical requirements. While Part C of the rule is voluntary, and each company can
choose whether to implement electronic signatures, there are also pertinent security requirements

Page | 8
for the trustworthiness and reliability of electronic records; for example, the ability to detect
unauthorized access to a system in 11.300(d). The main requirements are:
People using electronic signatures must have their identities verified.
Companies must send a letter to the FDA certifying that when electronic signatures are used, they
are the legal equivalent of traditional handwritten signatures.
Electronic signatures must be unique to an individual and never reused by a company.
Controls must be in place to prevent fraud.
Fraud would require the collaboration of two or more individuals.
The system must be able to detect attempts of unauthorized access and notify the appropriate
security/management staff.

Electronic signatures that can be used under Part 11 are one of the following three types:
(1)Electronic signature [password and user ID (identification code which may or may not have elements
of the user's actual name)]. This is the easiest method to implement in many applications used in
P auser.
ge |9
bioanalysis, but its effectiveness is highly dependent upon the quality of the password chosen by the
Passwords that are easily remembered can often be easily guessed; this is the so-called password
paradox.

There has been debate on the effectiveness of various password policies. Long complex passwords and
Interrelationships
of technical
andin
procedural
controls:
frequent
changes to password
results
people writing
passwords down or cycling through passwords.
Some technical
controls
do not stand
their own.
They
require
a procedure to
ensure that
Examples
of password
characteristics
areonpassword
length
and
compositioneight
characters
withthey are
implemented
and
are
effective.
Examples
include:
alphanumeric combinations and no dictionary words are three fairly common requirements. The National
11.300(d)
The (NSA)
systemlists
must
the ability
to detectMicrosoft
unauthorized
use; thissix
is characters
limited to as
access
Security
Agency
14have
characters
as minimum;
recommends
the attempts
currently. When unauthorized access is attempted, the software (technical controls portion of the system)
minimum.
notifies administrative/security personnel, who will follow a documented procedure to investigate the issue
and
Password
reportchange
on the frequency
outcome. and reuse frequency: Maximum age of 90 days, minimum age of one day
(user
must
wait
one
day after
setting
a passwordindividuals
to set a newand
password).
cannot
reuse same
11.10(d) limits system
access
to authorized
11.10(g)User
requires
authority
checks to ensure that
password
for
one
year
(according
to
NSA
guides).
NSA
has
several
documents
dealing
with must
computer
people only have access to functions appropriate to their position and training. A SOP
be in place for
security
including
password
policy
(www.nsa.gov/snac).
Microsoft
has
several
security
guides
which
are individual
defining and implementing these two requirements, and also listing the authorized users and their
usually
not
as
specific
as
the
NSA
material
(www.microsoft.com/
technet/security/topics).
access levels. We will look at this in more detail as we review the requirements for 21 CFR Part 11.
Biometric signature (based on a measurable human trait such as fingerprint or iris recognition). The
prices of fingerprint devices are dropping to reasonable levels and multimode verification devices
(verifies
+ temperature
+ pulse
etc.) are
more
to fool and are becoming readily available.
Analystprint
Software
Customer:
Validation
and
Usedifficult
Case Study
However, the use of fingerprint technology in a bioanalytical laboratory may be hampered by the need to
use
for at
many
bioanalytical
activities. of Drug Metabolism at the Skokie, Ill., facility (Pharmacia was
Jeffgloves
Duggan
Pharmacia's
Department
purchased by Pfizer in 2003) has been involved with the validation of Analyst software version 1.2 when used
Digital signature (public/private key infrastructure plus a personal pass-phrase or password).
as a hybrid system (electronic records and handwritten signatures on paper records). The validation carried
Implementing digital signatures usually requires a token or equivalent that generates a random number
out at Skokie was a global project undertaken by a validation team with participants at two US and one
that is synchronized with the same algorithm running with the application.
European site, validating 27 networked Analyst software workstations. Configuring user security is an
The customer must administer passwords through the use of SOPs training and tools to ensure that (a)
important consideration before the validation can start. There are four types of users within the system:
The user IDs and user names are unique and never reused, (b) passwords are suitably secure, strong
administrators, analysts, operators, and users. The user types in Analyst software were linked to network
passwords, known only to their user, and (c) the user ID/password combination is used only by its
groups rather than individual users, because creating a separate security database on each individual
respective owner
machine would have made such a large system difficult to manage. Two added advantages of the networkresident
groups
for each
type11are:
1) users are easily added to or removed from the entire system by the
Role
of the
predicate
ruleuser
in Part
interpretation
For
bioanalysis,
the main predicate
regulation
is 21 CFR
Partname
58 (Good
Practice),
network
IT administrator
simplyrule
removing
or adding
a user
fromLaboratory
the appropriate
group, and 2) any
although
Part 320
(the bioavailability
regulations)
21 CFR
Part 11 group.
makes
user can21
useCFR
Analyst
software
in any location
provided may
that also
theybe
areinvolved.
in the proper
network
The
latter feature
users
to use
at different
geographic
no
mention
of whichallowed
records global
must becompany
generated,
signed
andsystems
maintained;
this is determined
bysites,
the if necessary.
This version
of Analyst
applicable
predicate
rule. software could only acquire data to the local hard drive. To protect the data that was
generated, there was an automated disk-to-disk copy at 5:00 am every day via a backup to a protected server.
The
predicate
rulethe
will
state those
records
that are
required,
records
signature.
Wherehard drive
Once
stored on
server,
data are
archived
weekly
via and
tapethose
backup.
Therequiring
acquisition
workstation
the
predicate
requires
a record,
Part 11
says youthe
candata
havearea
an electronic
record. Where
the predicate
remains
the rule
storage
site for
raw data;
therefore,
of each acquisition
station
hard drive is writerule
requires
a
signature,
part
11
says
you
can
have
an
electronic
signature.
Where
the
predicate
ruleis does
protected to prevent file overwrites or erasures. Within the server environment, file security
defined so that
not
identify
a
record
or
a
signature
as
required,
Part
11
requirements
do
not
apply
(note
that
there
areSOP (an
only administrators have the right to delete data, but the ability to do so is controlled by local
records
identified
specifically
21 procedural
CFR Part 11,controls
such as of
audit
trails,
may not have
a direct
paper
example
of mixing
technicalinand
Part
11). that
Furthermore,
each
user has
their own file
equivalent).
However, bioanalysts
workingdata
in the
pharmaceutical industry or contract research
share with restricted
access to prevent
overwriting.
organizations
tend to generate
and
sign records specification"
regardless of what
is actually
by theuse and
Validation involved
writing apaper
"user
requirements
(URS)
aroundrequired
the intended
predicate
When
implementing
ER/ES
systems, itProcesses
is important
to understand
exactly
what signing
workflowrules.
of the
software
and LC/MS
instrument.
integrated
to data
generation
such as the front
actions
areback
required
and where it to
is important
identify
an the
individual's
actions.data
For example,
when you
end and
end connections
the LIMStosystem
and
network-based
backup system
were included
make
handwritten
to a worksheet,
is a full
signature
or just initials?
This is(IQ)
an that was followed
in thea workflow
forchange
scripting.
The hardware
platform
hasrequired
an installation
qualification
important
distinction
to make
What is the role
the asignature
or initials?
Is it the for how to set
by the Analyst
software
IQ. and
Forunderstand.
multiple installations,
thereofwas
configuration
specification
identification
of anapplication
individual that
who performed
an action,
or is it the
approval
or authorization
up the platform,
anddenotes
user permissions.
Scripts
were written
to test
the workflow
on an end-toof
results
a report?
This is a critical
issue, as the
implementation
of many
data systems
and
used
end
basisor(sample
preparation
to calculation
of results).
Users were
trained,
first with
anLIMS
introductory
course,
inand
bioanalysis
have
an "electronic
signature"
associated
with writing
to the
In validation,
fact, per thea vendor
then by acan
more
detailed
training
for advanced
and "power"
users.
As database.
part of the
applicable
predicate
signing requirements
areThere
very limited.
in many labs
it is
still the involved
audit of MDS
Sciexrule,
wasthe
undertaken
in late 2002.
were noHowever,
major deficiencies,
and
everyone
practice
sign and
virtually
every scrap of
with thetoaudit
wasdate
willing
and cooperative.
A paper.
summary report was written that covered the validation
process.
Roles and responsibilities involved in 21 CFR Part 11: Three Roles
Administrative: Admin
controls are policies for 21
CFR Part 11 within an
organization and can include
a company interpretation of
the regulation and how the

2. procedural:
Procedural controls
are essentially
standard operating
procedures (SOPs) or
other written

3. technical : Examples of technical

controls are the security and access
control for the application, and the audit
trail to monitor changes to the records

P a g e | 10

Question and Answers

Q.1 What IS 21 CFR part 11

What is 21 CFR Part 11?

An important driver for the "Electronic Records; Electronic Signatures" final rule
was the pharmaceutical industry, which approached the FDA with a request to
use electronic records so that the industry could take advantage of modern
technology and reduce the use of paper. Following the publication of a draft of
the regulation in 1994, the final rule was published on March 20, 1997, and
became effective on August 20, 1997.
In essence, the regulation provides the basis for the use of electronic records in
place of paper records as well as the use of electronic signatures, rather than
handwritten ones.
Under 21 CFR Part 11, electronic records can be equivalent to the paper records
required by predicate regulations (e.g., 21 CFR Part 58, the Good Laboratory
Regulations). Electronic signatures can be considered as legal equivalents to
handwritten signatures. The regulation further stipulates that both electronic
signatures and electronic records must be trustworthy and reliable.
The regulation impacts almost all FDA-regulated work (e.g., pharmaceuticals,
medical devices, food); thus, it impacts bioanalysis directly when studies are
used to support new drug applications or new formulations of existing drugs. Any
organization that wishes to register products for sale in the US, regardless of
where the organization is based, must comply with the requirements of this
regulation.
What is an SOP

A Standard Operating Procedure (SOP) is a certain type of document that describes in a stepby-step outline form how to perform a particular task or operation. Everyone in a company
must follow the same procedures to assure that tasks are performed consistently and correctly.
Most companies have a wide variety of SOPs that describe how to do different tasks. In many
companies technicians and operators are trained in how to follow individual SOPs and their
training record specifies which SOPs they are trained on and are authorized to use.
What is 21 CFR part 11

Title 21 CFR Part 11 of the Code of Federal Regulations deals with the Food and Drug
Administration (FDA) guidelines on electronic records and electronic signatures in the
United States. Part 11, as it is commonly called, defines the criteria under which electronic

P a g e | 11

records and electronic signatures are considered to be trustworthy, reliable and equivalent to
paper records

What is an SOP
A Standard Operating Procedure (SOP) is a certain type of document that describes in a stepby-step outline form how to perform a particular task or operation. Everyone in a company
must follow the same procedures to assure that tasks are performed consistently and correctly.
Most companies have a wide variety of SOPs that describe how to do different tasks. In many
companies technicians and operators are trained in how to follow individual SOPs and their
training record specifies which SOPs they are trained on and are authorized to use.
What is 21 CFR part 11
Title 21 CFR Part 11 of the Code of Federal Regulations deals with the Food and Drug
Administration (FDA) guidelines on electronic records and electronic signatures in the
United States. Part 11, as it is commonly called, defines the criteria under which electronic
records and electronic signatures are considered to be trustworthy, reliable and equivalent to
paper records
What are user requirements
User Requirements Specification describes what users require from the System. User
requirement specifications are written early in the validation process, typically before the
system is created. It is written by the System Owner and End Users, with input from Quality
Assurance. Requirements outlined in the URS are usually tested in the Performance
Qualification. User Requirements Specifications are not intended to be a technical document;
readers with only a general knowledge of the system should be able to understand the
requirements outlined in the URS.
What is a validation plan
Validation Plans define the scope and goals of a validation project. Validation plans are
written before a validation project and are specific to a single validation project. Validation
Plans can include:

Deliverables (Documents) to be generated during the validation process

Resources/Departments/Personnel to participate in the validation project

Time-Line for completing the validation project

What is an IQ document

P a g e | 12

Installation Qualifications are a collection of test cases used to verify the proper installation
of a System. The requirement to properly install the system was defined in the Design
Specification. Installation Qualifications must be performed before completing Operational
Qualification or Performance Qualification.
What is an OQ Document
Operational Qualifications are a collection of test cases used to verify the proper functioning
of a System. The operational qualification tests requirements defined in the Functional
Requirements. Operational Qualifications are usually performed before the system is released
for use.
What is a PQ Document
Performance Qualifications are a collection of test cases used to verify that a System
performs as expected under simulated real-world conditions. The performance qualification
tests requirements that were defined in the User Requirement Specification (or possibly the
Functional Requirements). Due to the nature of performance qualifications, these tests are
sometime conducted with power users as the system is being released.
What is a Validation Summary Report
Validation Summary Reports provide an overview of the entire validation project. When
regulatory auditors review validation projects, they typically begin by reviewing the summary
report. The validation summary report should include:

A description of the validation project

All test cases performed, including if those test cases passed without

All deviations reported, including how those deviations were resolved

issue

What is a Change Request

Change Control is a general term describing the process of managing how changes are
introduced into a controlled System. In validation, this means how changes are made to the
validated system. Change control is required to demonstrate to regulatory authorities that
validated systems remain under control after system changes. Change Control systems are a
favorite target of regulatory auditors because they vividly demonstrate an organization
capacity to control its systems.
How to assess clinical laboratories for GCP compliance is one of the more difficult issues
facing GxP professionals. Is CLIA the gold standard? How do the good laboratory practice
(GLP) regulations impact clinical labs? Isnt there a handy checklist out there somewhere?
What do people mean by GCLP? I have been dealing with this issue a lot of late and people
are really all over the map. Here are some of the approaches I take, along with a handy-dandy
reference list at the bottom of the post.

P a g e | 13

First, lets look at the easy part. The primary regulation dealing with clinical laboratories is
the Clinical Laboratory Improvement Amendments (CLIA). Wow, thats simple.
However, CLIA specifically states that it does not have jurisdiction over research. CLIA
covers the day-to-day laboratory tests that your doctor orders to check up on your cholesterol
or hematocrit. For these routine tests, FDA recognizes CLIA certification as an acceptable
standard. FDA also recognizes other certifications such as from the College of American
Pathologists (CAP). However, FDA does not have its own laboratory program. No, the GLP
regulations (Part 58) just dont apply here. My advice is to keep them on the shelf.
However, things can get more complex. Not all laboratory tests are CLIA certified, there is
a whole lot of research going on out there. Research methods are being developed every day.
To make matters worse, just because a lab is CLIA or CAP certified, it does not mean that
they have clinical trial experience and knowledge of kit building or blinding procedures. You
need to go to their laboratory and see if they are equipped to perform the tasks in your
statement of work. You need to perform a chain-of-custody tour to determine that your
samples will be handled and analyzed in an appropriate manner, if there is quality control at
each stage of data handling (ICH E6 Section 5.1.3).
One document that will come in handy is the FDA Guidance for Industry: Bioanalytical
Method Validation. If you have a new laboratory method, it should be validated. What about
an audit plan? I use the European Medicines Agency (EMA) GCP Inspection Guidance on
Clinical Laboratories (Annex II). Links to both of these documents are listed below. The
important thing to remember is that you have critical safety and efficacy endpoints being
evaluated by the lab and they are highly importance to your study. Give the laboratory the
attention it deserves.
Tour the Laboratory
Chronological order is a useful tool in assessing a laboratory. Follow the route of the
samples starting with kit building, shipment to the sites, receipt from the sites and how they
make it through the laboratory. Remember, the majority of laboratory errors take place
Before sample analysis, in the pre-examination phase (source: CDC). In addition, there are
more errors reported in the post-examination phase than the examination phase itself.
Reporting is of critical importance. Your NDA or PMA might depend on the accuracy of
those reports.
I have seen many checklists for conducting clinical laboratory audits. Most of them have
issues that can impact their effectiveness. Your audit should be protocol-specific. The lab
needs to be able to conduct the analyses required by the protocol. Thats why I use the EMA
GCP Inspection Guidance for Clinical Laboratories as a basic audit plan. EMA has a GCP
inspection program for clinical labs. Another important point is that not only do you need to
pre-qualify a lab, you need to go back during the trial and audit live data. This is true for any
critical vendor.
Many organizations are working on the clinical laboratory dilemma. You will hear the term
GCLP quite a bit (for good clinical laboratory practice). It is important to remember that
there is not one consistent standard on what GCLP is. Wouldnt it be nice if we did have a
consistent GCLP standard recognized by the worlds regulatory authorities? Here are some

P a g e | 14

important references for clinical labs and GCP. Feel free to make additions to this list in the
Comments section below.

GxP Audit Techniques & Etiquette

May 29, 2011

GxP Audit Techniques and Etiquette

Auditing for quality assurance purposes or for an independent quality assessment has
become a necessity for GxP Professionals in the highly regulated life sciences industry. Many
companies have highly developed SOPs for auditors but there is no consensus on the basic
behaviors of auditors. In this Guest Commentary veteran GxP Consultants Emma Barsky
and Len Grunbaum offer their perspectives on how auditors should behave when conducting
audits that can easily impact peoples jobs and reputations. I firmly believe that auditors
should take their approach very seriously. Recent experiences of my own indicate it is a topic
well worth review.
===
GxP Perspectives will be taking a break for a few weeks. Everyone should take a break now
and then.
===
Guest Commentary by Emma Barsky & Len Grunbaum
As consultants in the life science industry, we often serve in the capacity of audit hosts for
companies and, as such, have a greater exposure than most to various audit behaviors. We
therefore are rarely surprised by inappropriate audit conduct.

P a g e | 15

"I put three people

in jail."
But even our eyebrows were raised when a third-party auditor, who was representing a
company doing business with our client, started the audit with, I put three people in jail.
Was she showing off and justifying her credentials? Was she trying to intimidate our client
and us? Both? The result was that no one in the room was impressed or made nervous by
such an introduction. If anything, her attitude provided the inspiration for this blog Guest
Commentary.
In light of having to conform to technical and ethical standards of ones profession, an
auditor represents himself/herself and group/department he/she belongs to for sure. More
importantly, however, the auditor also represents his/her company as a whole, even if
representing the auditing company in the role of a consultant. Given that the auditor is often
viewed as the companys due diligence eyes and ears, every word and every move that the
auditor makes is a reflection on the company he/she represents and on the employees of that
company.
So what should one consider when it comes to the audit preparation, conduct and follow-up?
Based on our experience (both good and bad), the following tips regarding audit etiquette, if
put into practice, will usually leave the auditee with positive impressions regarding the
auditor and the company he/she represents, irrespective of the audits outcome:
Be prepared learn as much as you can in advance about the company you will be
auditing. At a minimum, this can be accomplished through:
1) reading about the company on its website,
2) having a discussion with those groups and/or individuals who intend to use the company to
be audited,
3) doing an internet search to see if there is anything of interest regarding the company to be
audited (e.g., warning letters, legal actions), and
4) reviewing previous audit reports if applicable and available.

Preparation:
"An audit agenda is the first document the auditee will see"
Stay focused develop an audit agenda that will center on the business reason(s) for the
audit (e.g., qualification/due diligence audit, for cause audit, follow-up of a previous audit,
investigation). An audit agenda is the first document that the auditee will see, and from this
will form an opinion regarding the auditor. Therefore, it is best to have a detailed agenda that
is customized in terms of the basis for the audit. This will:

P a g e | 16

1) demonstrate the auditors understanding of the nature of the auditees actual and/or
potential support as it relates to the auditors company,
2) be indicative of the fact that there is no hidden agenda on the part of the auditor, and
3) set the tone for the auditors own expectations regarding thoroughness of the auditees
preparation for the audit.
Be timely if possible (e.g., you are not conducting a for cause audit or an investigation),
send the audit agenda to the auditee at least two (2) weeks in advance of the audit. While a
company should be prepared for an audit at all times, a timely agenda:
1) allows the auditee time to gather correct and complete information in advance of the audit,
2) permits the auditee to identify and schedule the appropriate individuals who will provide
information during the audit, and
3) establishes the auditors own standard regarding timeliness for the auditee to provide
requested information.
Dress appropriately while many companies have a casual dress code, we believe that an
auditor should always be dressed in a suit because this is a sign of respect and
professionalism even in todays less than formal work environment.

Avoid Surprises
Avoid surprises information regarding the number of people attending the audit should be
communicated to the auditee as far in advance as possible. More than once, we have seen
instances where more people than expected showed up for an audit without warning. Even if
the number of people to be hosted changes at the last second, it is the auditors responsibility
to let the auditee know about it. Anything less than that is viewed as unprofessional.
Be sensitive recognize the fact that audits are stressful in that they take away from the
auditees ability to do billable work. Therefore, to maximize on your own effort while being
conscious of the auditees availability, have all of your questions prepared in advance of
interviews (e.g., after reading SOPs or other documents so the questions can be detailed and
specific) to minimize the interview time and be flexible if the times for the interviews have to
be changed on the spot.
Be fair sometimes issues are very complicated and overlap multiple processes and/or
organizational groups. Thus it is only fair to split the responsibility for
misunderstandings/miscommunication and activities going amiss between the auditee and
the company on behalf of which the audit is being performed.

P a g e | 17

Be Fair
'From what we have observed, the auditees often get all the blame'
From what we have observed, the auditees often get all the blame, even though the fault may
not be entirely theirs. If you position yourself as someone who takes no sides and listen to all
parties involved, you will be in a better position to identify the root cause of the issue(s) and,
as a result, help the company you represent to resolve/mitigate them no matter whose fault it
is.
Know your stuff be well-versed with respect to the applicable regulations and be
versatile in how regulations can be applied operationally, while still maintaining compliance,
in the areas you are auditing.
Be open-minded if you have not seen a regulation being addressed in a certain way, it
does not mean that it presents a regulatory compliance problem. If it ever happens, your only
job is to determine whether the unconventional approach, chosen by an auditee, may result in
potential data integrity issues.

Professionalism:
"exhibiting a courteous and business-like manner during the audit "
Be polite and tactful is essential. And, therefore, the usage of language becomes a critical
part of the audit conduct. Not only should one stay away from inappropriate introductions
(such as that described above), but also from 1) arguments, 2) accusations and 3) exhibiting
lack of patience. Even if you think the company you are auditing is wrong, stay away from
heated discussions. Instead, include your point of view and an explanation, along with the
auditees position, in the audit report and let the companys Operations deal with the rest.
Also, the auditors authority should not be misused - we have seen cases where, due to the
auditors lack of understanding, the auditees were wrongly charged with something they have
not done.
Be open audit observations and potential audit findings should be discussed with the audit
host throughout the audit, rather than just at the close-out meeting or even worse yet,
mentioned only in the audit report that the auditee has to respond to.

P a g e | 18

"Transparency throughout the audit"

Transparency throughout the audit will give the auditee a chance to present additional
documentation, provide clarifications and collect supplementary evidence before the end of
the audit. Not only will such an approach prevent the auditee from feeling cheated or
blind-sided, but it will also give you, the auditor, a much better idea regarding where the
auditee really stands.
Be sensible unlike many seem to believe, minimal or no observations is not necessarily
a reflection on your competency. So dont be afraid to walk out of the audit with no
findings where findings are not warranted. Remember that even the FDA itself is
comfortable to close-out its inspections with no FDA-483s. Furthermore, there should also be
a clear difference between auditors preferences (e.g., recommendations) and findings that
present deviations from the regulations and have a potential impact on the quality of the
product and/or process(es).
Be factual when writing observations, provide enough facts and details to substantiate
your findings. It is best to stay away from ambiguities and generalities when describing an
issue because nothing frustrates an auditee more than all-encompassing statements that make
the issue look worse than it really is.

Review Audit Findings

in a Timely Manner
Be responsive just like you expect the auditee to respond within thirty (30) calendar days
(or business days, depending on the individual companys requirements) to the audit findings,
the auditee is also expecting reasonably prompt feedback from you regarding the audit
findings and feedback to the respective auditees responses. Therefore, the audit findings,
audit responses and any follow-ups should be sent out and/or reviewed in a timely fashion.
Not letting the auditee know what the audit status is, even if responses are acceptable, is not
an option because contracts often depend on the auditee successfully passing the audit.

P a g e | 19

The morale of the story is that the auditor has a big responsibility towards the
company he/she represents and towards the company he/she is auditing. In our opinion, the
biggest compliment and validation that the auditor can get is for the auditee to say you were
fair, findings notwithstanding. In this case, everyone wins.
Emma Barsky
Len Grunbaum
Partners
The Practical Solutions Group, LLC

ACRP Meets in Seattle for 2011 Global Conference

April 29, 2011

ACRP Meets in Seattle for 2011 Global Conference

Seattle, WA plays host to the Association of Clinical Research Professionals (ACRP)
annual Global Conference. ACRP is one of the larger professional organizations focusing on
clinical trials and expects 2,000 participants. It will be the first time I have attended their
Global Conference and I am looking forward to it. There will be sessions on Introduction to
Imaging in Clinical Trials and on Distance-Based Learning for Foreign Study
Coordinators. GxP Perspectives will be there for the entire conference (the pre-conference
workshops have already begun) and among the sessions I look forward to is Comparative
Effectiveness Trials. I am going to try to blog at least twice during the conference on issues I
think are of concern to GxP Perspectives readers. If I am super industrious maybe I will blog
from the ACRP Global Conference every day.
Here is a new feature that ACRP is offering: ACRP is pleased to announce that for the
first time ever, two live-feed Plenary Sessions from the ACRP Global Conference &
Exhibition will be broadcast FREE of charge. Join us May 1 for the Regulatory Affairs
Public Forum featuring representatives from global regulatory agencies addressing issues
facing clinical trials. Join us May 2 for Innovation & Global Health, a discussion by Tachi
Yamada, MD, President, Global Health Program, Bill and Melinda Gates Foundation.
For more information visit the ACRP Website on the Plenary Sessions

P a g e | 20

Do You Have a Guest Commentary for

GxP Perspectives?
Another highlight will be the May 1st session on Your Site Doesnt Need 60 SOPs, But How
Many Does It Need? The speakers are Christine Pierre, RN and Steven Steinbreuck, MPH
and the author of a Guest Commentary on GxP Perspectives on Informed Consent
Requirements. Remember, I am always looking for a good Guest Commentary. Send me a
note and ask me how-

FDA Enforcement: The Four Elements of Proof

April 16, 2011

FDA Enforcement:
The Four Elements
of Proof
What is FDA required to document to initiate an enforcement action? What proof is
necessary to establish clear and significant violations of the regulations? What elements of
noncompliance do FDA field investigators need to establish that a Warning Letter, seizure,
injunction, consent degree, or prosecution is required? FDA has basic requirements that
should be documented during an inspection: they are called the Four Elements of Proof.
When reviewing a Form FDA 483, Inspectional Observations, it should be compared against
these basic required elements for consistency, relevancy and significance. Lets look at the
Four Elements of Proof, sometimes referred to with the acronym JIVR.

Does FDA Have Jurisdiction?

JURISDICTION: For FDA to take an enforcement action, it needs jurisdiction. We know
that FDA regulates drugs, medical devices, and biologics/vaccines. However, It isnt always
simple. There is a strict definition of drug in the Food, Drug & Cosmetic Act. That is the
reason FDA lost at the Supreme Court with the first attempt at asserting jurisdiction over
tobacco in the 1990s. It was a question of intent, which is also the title of former
Commissioner Dr. David Kesslers fascinating book on his time at FDA. Laws and

P a g e | 21

regulations usually have a section for definitions. Take some time to read them. It will help
you understand the way FDA interprets inspections and when to seek enforcement actions.

An Early FDA Inspection: Railroad Watering Points

INTERSTATE COMMERCE: One of the principal functions of the United States
government is to regulate interstate commerce. Railroads were the principal means of
interstate transportation when FDA was founded and an important area of FDA concern. And
just try to document medical oxygen in interstate commerce. I once had a promotion delayed
for three months because as a Bioresearch Monitoring investigator, I was dealing with the
biopharmaceutical and medical device industries where interstate commerce is basically
assumed. So I had to go out to a couple of medical gas repackers and collect DOC Samples
(a DOC sample consists of paperwork, not a product) to establish that I could document
interstate commerce. (See Warning Letter Below for Interstate Conveyance Sanitation.)

What is the Violation?

VIOLATION: There should be a clear and significant violation of the regulations to put
something on a 483 or Warning letter. If the laboratory normal range for the
inclusion/exclusion criteria for blood glucose is 80-120 Mg/DL and the result is 121 that is a
clear violation. Is it significant? I think not. Determining significance is not an easy task. It is
something that may need discussion during an FDA inspection. Patient, professional
discussion of the issue is usually the best approach. Your FDA field investigator may not have
experience in the specific therapeutic area or technical issues of the inspection. It isnt always
easy conducting an FDA inspection and establishing the four elements of proof and the
significance of the violation. And remember, You cannot determine the root cause of a
problem if you dont know what the violation is. What is the Violation? Find it in the
regulations.

Regulations Assign Responsibility

P a g e | 22

RESPONSIBILITY: Regulations assign responsibility. In clinical trials they are assigned to

sponsors, investigators, and IRBs. In GMPs and postmarket activities responsibilities are
assigned to the applicant and the manufacturer of a regulated product. In the GLP
regulations, responsibility is assigned to the testing facility. Responsibility is a Big Deal to
an FDA investigator. It is just as important to ask, Whose regulatory responsibility is it? as
it is to ask, What is the Violation? Without regulatory responsibility you cannot determine
who should recommend the actions necessary to correct a regulatory error.
There you have it. The four elements of proof. The basic requirements for FDA enforcement.

When Should Quality Begin?

When should quality preparation begin for a pivotal phase III clinical trial? About once a
month I get a call asking for help for a clinical trial because its time to get ready for FDA
inspections. I ask When will the application be filed? The response? Soon, very soon.
It is a good thing to prepare for an FDA inspection. It is even better to prepare at the
beginning, reviewing the quality considerations necessary to do the job right by frontloading
quality. Here are some things I think you should consider. (Please take the survey at the
end)
Phase III Considerations for Compliance with the FDA Bioresearch Monitoring
Program: by Carl Anderson
The U.S. Food and Drug Administration conducts inspections of clinical trials as part of their
Bioresearch Monitoring program. Although all FDA regulated clinical trials are subject to
inspection, the large majority of inspections are the result of an application for the approval
of an investigational product. Results of an FDA Bimo inspection can have a direct impact
on the review and approval of an NDA, PMA, or BLA by the agency. FDA conducts
inspections of clinical trials for two primary reasons:
1. To ensure the integrity of data submitted to the agency in support of an application.
2. To protect the safety, rights, and welfare of human participants in clinical trials.
The regulations that the FDA enforces for clinical trials are collectively known as the good
clinical practice (GCP) regulations. They include 21 CFR Parts 11, 50, 54, 56, 312, 314, 601,
812, and 814. They can be found on the web at: http://www.fda.gov/oc/gcp/regulations.html.
In particular FDA Bimo inspections cover the specific responsibilities required of sponsors
and investigators covered by 21 CFR 312 Subpart D: Responsibilities of Sponsor and
Investigators. For medical devices they are contained in Part 812.
The primary guidance document used for GCPs is the International Conference on
Harmonization E6: Good Clinical Practice: Consolidated Guidance. This document is the
international standard and the primary GCP regulation in many countries. ICH documents for
clinical studies including E6 can be found at the link on the bottom

P a g e | 23

There are two types of GCP inspections that are of concern for sponsors. The first type is the
inspection of clinical investigators at the sites where research is conducted. The majority of
FDA inspections are of the investigators. The second type is the inspection of the sponsor or
contract research organization. This is a routine inspection for medical device sponsors and is
becoming more common at drug sponsors. Although most inspections are at clinical sites, in
the event that serious deficiencies are documented, there can be directed inspections of
sponsors that can result in serious regulatory action.

QA for the Data Lifecycle

Prior to beginning a pivotal study the sponsor should establish a system of clinical quality
assurance. This is a recommendation, not a requirement, of FDA. E6 defines quality
assurance (QA) as: All those planned and systematic actions that are established to ensure
that the trial is performed and the data are generated, documented (recorded), and reported
in compliance with GCP and applicable regulatory requirement(s). Among the most
important QA activities are the following:
Clinical trial materials. They should be produced in compliance with good manufacturing
practice (GMP) regulations and qualified by an onsite audit.

Increased Enforcement of
Part 11
Computerized systems including eCRFs. There are many forward looking systems available
for electronic case report forms (CRFs) including systems that are internet based. These
vendors are not regulated by FDA and do not receive regulatory inspections. The burden is on
the sponsor to determine if the vendor provides GCP compliant services. All should be
qualified by an onsite audit.FDA has started looking a lot closer at eCRF systems.
Site management organizations (SMOs). These are unregulated organizations that provide
support for clinical investigators and recruit study subjects. FDA inspections of sites using an
SMO have frequently been cited for noncompliance with GCPs. SMOs should also receive
onsite audits.

P a g e | 24

Central IRBs. These commercial institutional review boards have a better record than
SMOs. However, the protection of human participants in research is a central FDA concern.
Commercial IRBs should be qualified by an onsite audit.
Randomization services. This might not require an onsite audit and qualification, but the
sponsor needs to critically determine that the vendor can supply the required services.

QA Audits of Clinical Sites

Audits of clinical sites. ICH E6 states that: The sponsors audit plan and procedures for a
trial audit should be guided by the importance of the trial to submissions to regulatory
authorities The sponsor should audit a pivotal clinical trial throughout the data lifecycle.
In particular the sponsor should audit problematic sites during the study. It is the sponsors
responsibility to secure investigator compliance if the investigator is violating GCPs. This
was the first violation cited on the Sanofi-Aventis Warning Letter and has historically been a
major violation cited on FDA Warning Letters to sponsors.
Top enrolling sites should always be audited during the course of the study because of their
increased importance for a successful study and the likelihood that the site will receive an
inspection by FDA. The sponsor should also audit sites that may be inspected by FDA at the
conclusion of the study including data outliers, sites with a history of noncompliance, and
sites that do not have a history of FDA inspections.
Database audits The sponsors data management activities should have independent QA
review. This should include a qualification audit if data management is contracted out. An
excellent resource for data management is the Society of Clinical Data Management. They
publish a Good Clinical Data Management Practices Guide which is available for purchase
on their website below.
Trial master file (TMF) audits: A TMF consists of the Essential Documents section of ICH
E6. There should be QA review periodically throughout the study. The failure to adequately
document a clinical trial will hinder any application to FDA. The agency field investigators
have a saying that, If it isnt documented then it didnt happen. Take a look at the TMF
page at the top of the blog for additional resources.

Conduct Regular GCP Training

P a g e | 25

GCP training: The sponsor should have a training program that includes initial and
continuing training on good clinical practice. The training program should be in writing and
training should be documented. At least once a year staff members should attend an outside
conference, meeting, or workshop that includes clinical trial professionals that are not the
sponsors employees.Peer-to-peer interactions are necessary to develop staff
GLP audits: The FDA conducts routine surveillance audits of nonclinical test facilities. An
FDA inspector may randomly select a study of the sponsor to track as part of that inspection.
Protocols and final reports are collected and sent to FDA headquarters as part of the
inspection. The sponsor should always qualify a nonclinical laboratory used for GLP studies
submitted to the agency. The new FDA Sponsor Compliance Program (see previous post)
gives instructions for looking at nonclinical studies during GCP inspections at the sponsor.
Sponsor audits and mock FDA inspections

Always Prepare for an FDA Inspection

Finally, a sponsor should conduct audits of their clinical management department and
conduct mock FDA inspections in preparation for the regulatory audits that will inevitably
take place after the NDA, PMA, or BLA is filed. Preparing for a regulatory inspection is
invaluable for effectively hosting any regulatory agency, in particular FDA. Medical device
sponsors need to remember that FDA typically inspects sponsors submitting a PMA. Drug
sponsor inspections are on the increase. The OAI violation rate for inspections of medical
device sponsors was 33% in fiscal year 2007. OAI stands for official action indicated the
most serious classification.

FDA Inspections: What NOT To Say & How Not To Say It

March 13, 2011

"It's Not My Job"

P a g e | 26

FDA Inspections are Always stressful. How should you answer the FDA Investigators
questions? What should you say or, more importantly, what should you NOT say? Two
common answers are to tell the truth and to only answer the question asked. Both are good
points. The FDA investigator is conducting a public health inspection so you should want to
tell the truth. It also happens to be against the law to lie to a federal official so there are both
positive and negative motivations to answer a question truthfully. It is also a good idea to
give a brief, factual, and truthful answer to the question you are asked, not a question you
think might be asked. And remember to use a complete sentence. Receiving a barrage of
monosyllables in an interview is only going to irritate the FDA investigator. The one answer I
recommend to never give to an FDA investigator is, Its not my job.
What? Most people who answer, its not my job are telling the truth! Not only that, it is not
a good idea to answer for someone else who actually has that responsibility. However, you
have to remember that an FDA investigator has heard that response one hundred times before.
People frequently give evasive answers and avoid responsibility when being interviewed by
the FDA. It gets very old, very fast.

"I Know Who Has That Responsibility"

A better approach is to say, That isnt my job but I know whose responsibility it is and let
me see if she is available. During an FDA inspection it is important to build trust. If an FDA
inspector asks a reasonable question, lets say, How do you ship investigational product to
clinical sites? It is in your interest to see that the right person answers the question and that
you find the right person in a timely manner.
FDA has begun a program to increase the types of GCP inspections it conducts. There will
be more inspections of CROs and clinical trial vendors such as clinical laboratories. In fact,
they have already started. That means that many more people will need training on how to
participate in an FDA inspection. GxP Perspectives will be having some Guest
Commentaries on the subject and try to provide some practical solutions.

Frontloading Quality:
The Key to Success

P a g e | 27

The first step in successfully hosting an FDA inspection is to have a quality system in place
that monitors the data or product lifecycle. You dont want to start your quality process after
you lock your database! Then, when FDA does show up, you want to give a positive
impression. You want to build trust with FDA. Think back to the last time you phoned your
utility company or complained about a pothole on your street. When you finally got a live
person and they told you, thats not my job, how did you feel? That isnt how you want
FDA to feel either.

CAPA Plans for Clinical Trials

February 22, 2011

CAPA Plans: Corrective and Preventative Actions

CAPA- corrective and preventative action- Are CAPA plans for clinical trials different than
a CAPA for a GMP quality system? Do GCP regulations require CAPA plans? Is a root cause
analysis necessary to develop a CAPA plan? What are FDAs expectations for CAPA plans?
These are some of the questions that were asked at EXL Pharmas conference on CAPAs in
the clinical trial environment held last month in Virginia. I then had the opportunity to ask
them all over again during a for-cause GCP audit. The results provided for some interesting
insight into how sponsors, CROs, and clinical investigators can investigate errors in clinical
trials and put in place a process to prevent the errors from continuing.
First we should define our terms:
Corrective Action: Immediate action to a problem that has already occurred or has been
identified.
Preventative Action= Taken to eliminate the root cause of a potential problem including the
detection/identification of problems.
Root Cause Analysis: A class of problem solving methods used to identify the root causes of
problems or events.
These definitions hold true for all GxP quality systems. However, there are some basic
differences that set GCP CAPAs apart from the manufacturing or GLP arena:
= FDA regulations assign responsibilities to Investigators, Sponsors, & IRBs- there are NO
regulatory responsibilities for human subjects participating in clinical trials

P a g e | 28

= GMPs involve a manufactured product- GCPs involve a clinical investigation, an

experiment- The products are the integrity of the data and the protection of human subjects
in clinical research.
= GMPs largely involve a manufacturing process- GCPs largely involve the interactions of
People

What is the Root Cause of the Problem?

FDA has made it clear both in public presentations and in Warning Letters to sponsors and
clinical investigators that they expect two responses to GCP problems once they have been
identified. First, there should be an investigation regarding how widespread the problem is. In
effect, conducting a root cause analysis and investigation into the problem. Next, FDA
expects a description of efforts into the prevention of the problem in the future. This is
essentially a plan of corrective and preventative action, a CAPA. So even though FDAs GCP
requirements dont specify CAPA plans, if you receive a Form FDA 483, Inspectional
Observations, you really need to put a CAPA plan into place. Here are two examples why:
= FDA Sponsor Warning Letter, January 2011 Your response is inadequate in that it does
not describe your corrective and preventive actions in sufficient detail.
= FDA NIDPOE letter to Clinical Investigator (potential disqualification warning) 2009:
however, you failed to investigate for additional acts of falsification within the same clinical
investigation or in other clinical investigations in which the study coordinator was involved.

Always Look for at Least 2 Root Causes

The root cause analysis of a clinical trial problem should include an investigation into what
happened. Different problems will need different levels of investigation depending on
significance. In addition, the root cause analysis will need to determine if a CAPA plan is
required. Not all problems or errors are both systemic and significant. You dont want to

P a g e | 29

institute a system of Death by CAPA by initiating a CAPA plan for each error that occurs.
People make mistakes and a quality system should focus on the errors that matter. Sometimes
you will see a CAPA that merely restates the error and then the ubiquitous note to file
saying retrained study coordinator. This is not an appropriate CAPA plan and not an
appropriate corrective action. Here are some points to include in a CAPA investigation:
= There can be multiple root causes- Always Look at Two Possible Root Causes
= Always look at the raw data. If you are not looking at original documents, then you are
missing something of importance
= Why, why, why, why, why The five whys of CAPA. Drill down to find the root cause.
= The root cause is not restating the error.
= PICCC: Problem, Investigate, Comparison, Clues, Cause

Problem Solving in Clinical Trials

PICCC is a useful tool in a root cause analysis. What does comparison mean? It means to
compare the problem across protocols and across clinical sites. If you have the failure to
follow a point in the protocol at one site, do other sites have the same problem? If that is the
case, the root cause may very well be that the protocol is poorly written, it may need an
amendment. The corrective action would not read, retrained study coordinator on the
importance of protocol adherence. The CAPA plan would look in a different direction,
towards the sponsor. The ubiquitous note to file may not be necessary.
There is a wealth of resources on CAPA, root cause analysis, and conducting an investigation.
I am including some of those that I used for this post as well as for presentations. There is
still a lot to be developed on CAPAs for clinical trials. However, it is clear that regulatory
agencies want to know what you have done to investigate clinical problems and what you are
doing to prevent them from recurring. In short, they want CAPA plans.
Barb Immel on CAPA Investigations
Essential Components of an Effective CAPA Plan by Jim Colyn
Root Cause Analysis by Edward Dunn, MD
====

P a g e | 30

You can help out GxP Perspectives! Please let your colleagues and friends know about GxP
Perspectives. I also encourage you to get an email subscription (on the sidebar to your right)
or join the LinkedIn group (below).
=======
GxP Audit & Risk Management Congress: 20-21 October 2011, Philadelphia, PA. This
conference combines both GMP and GCP tracks to maximize the opportunity for cross
training, shared best practices, and networking. Two members of the GxP Perspectives
LinkedIn group, Janice Wilson and Adi Lampmann, are among the faculty. The conference is
sponsored by ExL Pharma and GxP Perspectives is a media partner.
=======
SPECIAL UPDATE: 18MAR2011: FDA has released an updated version of the
Compliance Program Guidance Manual 7348.810, Sponsors/Contract Research
Organizations/Monitors. There are new sections on registration of clinical trials on
ClinicalTrials.gov, Financial Disclosure, the Part 11 Scope & Application Guidance
Document, and other issues. If you work for a sponsor, a CRO, or are a contract CRA you
MUST read this document. Review Section III, Inspectional.
============
On the Blogroll: GxP Perspectives made the list for Best 40 Blogs (and tweets) on the
FDA. This comes from FDAZilla. I think it is a pretty good list.

GxP Quality- Building a Culture of Compliance

January 24, 2011

Building a Culture of Compliance

Building a culture of compliance is almost a cliche in GxP Quality Assurance circles.
However, time and again major problems occur when we discover that a culture of
shortcuts has set in. In this Guest Commentary veteran GxP consultants Emma Barsky and
Len Grunbaum cover the basics of how to build a culture of quality and compliance from the
ground up. I first met Len Grunbaum in 2004 when he was on the faculty of an Advanced
GLP course for FDA field investigators. This was the last FDA training I took before leaving.
I was impressed with Lens knowledge of validation processes and weve kept in touch. Im
still impressed.
This will be the last post for two weeks as I go traveling for a bit. I wanted to let readers
know of two important recent articles (with links at the bottom of the post.)

P a g e | 31

The first is about a report issued earlier this month by the British Academy of Medical
Sciences. The report was commissioned by the British government to try to pare back some
of the bureaucracy involved with clinical trials in the U.K. An article on the report by Nick
Taylor in Outsourcing-Pharma there are some interesting revelations about the British
regulatory agency, MHRA. I strongly recommend reading this article.
In addition, I would like to refer readers to last weeks FDA Matters for interesting issues of
concern at FDA. Now, here are Len & Emma:
Guest Commentary by Emma Barsky & Len Grunbaum
Implementing a Culture of Compliance: Practical Steps
Establishing a culture of compliance is not a paint-by-numbers exercise; it must be
injected into the DNA of a company. In our experience, many companies strive to create a
culture of compliance but few approach it from the perspective of a mindset of shared
attitudes, values, goals and practices that characterizes an institution or organization, which
is the essence of a culture. The ideas that follow are intended to provide a roadmap and
practical steps towards implementing a company-wide culture of compliance in the life
science industry, across any GXP area.
1. Develop a quality policy statement and quality objectives

Developing a Quality Statement

Every company should set quality-related expectations for its employees and contractors. The
policy that establishes an environment where employees and contractors are made
knowledgeable of, and held accountable for, good quality practices pertinent to the
companys business should not only be visibly displayed but also discussed with/explained to
those parties who will be required to adhere to it. Company management should emphasize
the details of the quality policy that are outlined in item number 2.
2. Identify and document quality criteria
Company management should identify and document the criteria for good quality practices.
These components may include, but may not necessarily be limited to, adherence to written
policies and procedures, exercising good documentation practices (e.g. initialing and dating
cross-outs, using a single line to for corrections), promptly bringing any deficiencies and/or
deviations to the attention of company management, documenting unplanned deviations,
providing explanations/justifications when planned deviations occur and correcting them in a
timely fashion.

P a g e | 32

Defining Expectations for Quality

To successfully implement staff adherence to the companys quality policy, it may be
beneficial for a company, in part, to tie staff members annual reviews, promotions and/or
salary increases to the effectiveness of the adherence to, and application of, good quality
practices. In other words, it should be made clear to the employees that everyone, including
those responsible for a given department/operation where a quality deficiency is identified,
will be held tangibly accountable.
3. Establish a robust quality baseline
Through performing internal audits and assessing CAPAs, the companys Quality function
(e.g., Quality Assurance) should identify quality-related issues based on the criteria regarding
the components of good quality practices outlined in item number 2.
While performing the internal audits and through capturing the findings in the CAPA system,
the Quality function should focus on identifying trends and themes related to noncompliance. In order to achieve this objective, the companys CAPA system should be such
that it allows the company to collect information regarding appropriate metrics to assess the
success of the culture of compliance initiative.
Lack of compliance should be tracked not only on an issue-by-issue basis, but also across
departments, individuals and operations/processes. Collecting information on these items will
help to identify the root cause of the issue, which may stem from a larger issue related, but
not necessarily limited to,
1. Cumbersome and, therefore, ineffective processes
2. Lack of appropriate supervision
3. Procedures that lack clarity (e.g., poorly worded documentation; lack of guidance,
contradictory information)
4. Lack of documented procedures
5. Lack of an individuals attention to detail and common sense
6. Lack of effective training
The list of potential root causes of the deficiencies encountered is limitless, but one thing
always remains clear: unless quality-related issues are addressed and remedied at the root
cause level, the fix to compliance issues will not be permanent, nor will the company be able
to create and maintain the culture of compliance.
4. Maintain a robust quality baseline
Every internal audit should focus on the effectiveness of the established CAPA system.
Specifically, the Quality function should determine whether:

P a g e | 33

1. The nature and impact of the deficiency on data has been properly identified
2. Effective corrective and preventive actions have been implemented
3. Appropriate follow-ups have been performed
4. The system is robust enough to trend and track quality-related issues accurately and
completely
5. The system is robust enough to identify weaknesses with processes, documentation
practices, personnel, etc.
The companys Quality function should investigate all instances where the above has not
been achieved for improvements within the quality system. This includes the defined metrics
of the CAPA system.
In conclusion, we would like to emphasize that many factors, including but not limited to,
new staff, acquisitions/mergers, new lines of business, staff reductions and/or new
management have an impact on the culture of compliance. Therefore, in order to be
successful, a culture of compliance should be a living initiative, which is constantly
assessed for its effectiveness in light of changes that every company experiences during the
normal course of events.
Emma Barsky
Len Grunbaum
Partners
The Practical Solutions Group, LLC
=============
Read about the Academy of Medical Research Report by Nick Taylor in OutsourcingPharma
UPDATE: There is a very interesting Important Notice to IRBs that is on the FDA website.
Sort of a Coast IRB redux.
=============
Please join GxP Perspectives on LinkedIn at:
GxP Perspectives LinkedIn Group
See the page Guest Commentaries (at the top of the blog) for the previous article by Len &
Emma on Part 11 compliance.
On FDAs Website there are Two New Warning Letters from FDA to Clinical Investigators
that show the need to effectively respond to a Form FDA 483, Inspectional Observations,
with a well thought out CAPA Plan.

How Should You Respond to a Form FDA 483?

P a g e | 34

What is an adequate response to a Form FDA 483, Inspectional Observations? That

question was discussed by two representatives of FDA at a training workshop hosted by the
Pacific Regional Chapter of the Society for Quality Assurance and the Organization of
Regulatory and Clinical Associates Northwest. The workshop, held on 4-5 November 2010
in Seattle, featured discussions by Chrissy J. Cochran, PhD, from the Division of Bioresearch
Monitoring (BIMO) at the Center for Devices and Radiological Health (CDRH) and Mihaly
S. Ligmond, Consumer Safety Officer, Division of Domestic Field Investigations, Office of
Regulatory Affairs (ORA). ORA is the field organization that conducts most FDA
inspections. Both Cochran, who spoke by teleconference on the 4th, and Ligmond, who
attended on the 5th, stressed the dos and donts of responding to an FDA 483.
The Form FDA 483
Both FDA speakers stressed that the 483 is the preliminary observations of the field
investigator, not the final compliance determination of the Agency. Both emphasized that
there was no requirement to respond in writing to a 483. However, both told the training
session that if there are issues identified on a 483, then a clear written response can help
prevent enforcement action, including a Warning Letter, by FDA. Cochran discussed a few
ineffective FDA 483 response letters received by CDRH. They included a clinical
investigator who was using an informed consent form without all of the required elements
required by 21 CFR 50.25. These elements include a clear statement of research; alternative
procedures; a discussion of confidentiality and other important information. The clinical
investigator complained that: You cited us on a technicality. This was a clear and
significant violation of FDA clinical trial regulations and this was not an acceptable response.
Cochran gave an example of an adequate response to an FDA 483 for protocol violations. The
response included a copy of a written procedure developed to prevent recurrence of the
violation. The procedure was presented to a seminar for study staff with a sign-in sheet with
the date of the seminar. It included implementation dates with a review scheduled after three
months to determine the effectiveness of the corrective action.
The response to an FDA 483 should go to both the District Office and to CDRH, Cochran
said. She stated that it is the assessment at BIMO that makes the final compliance
determination for Bioresearch Monitoring inspections. She reviewed the issues that BIMO
considers when reviewing an establishment inspection report (EIR) and a Form FDA 483,
Inspectional Observations. These include:
Are the FDA 483 observations actual violations of the regulations?
Are there additional violations in the exhibits submitted with the EIR?
Are the observations documented with exhibits or discussion in the EIR?
Are the observations significant?
Did the inspected party address the issue in their response?
Is the response adequate? We will carefully look at it.
Ligmond, who is a National Expert for drug good manufacturing practice (GMP) inspections,
gave the following recommendations for a response letter to an FDA 483:
Set a reasonable timeline for taking action;
Initiate a Global Response if the deficiency can impact other areas;
Include details and attachments;

P a g e | 35

Be comprehensive;
Address disagreements with the observations;
As a courtesy, copy the investigator

The FDA 483 is the Preliminary Observation of the FDA Field Investigator
Both Cochran and Ligmond restated the new FDA policy for written responses to an FDA
483 if the response is to be considered by FDA prior to issuing a Warning Letter. That
response time is 15 business days from the date the FDA 483 is issued. Ligmond gave an
excellent recommendation to avoid possible disputes on FDA 483 observations. Address
misunderstandings promptly, courteously, and with the facts, he said. He discussed the
importance of a daily wrap-up session o clear up any disagreements or inaccurate information
that may have been given to the FDA field investigator.
CAPA
Corrective and Preventative Action, or CAPA, was discussed by both speakers. Ligmond said
that a CAPA plan should address problems completely and in a timely manner. Cochran said
that a good CAPA plan should assess the root cause of deficiencies; identify the problems;
evaluate the extent of problems; give a clear timeline, describe the CAPA being taken; and
reassess the root cause.
Inspection preparedness was also discussed. Ligmond said to spend each day as if you were
going to be inspected by FDA. They stressed the importance of Mock FDA Audits in
preparing staff for inspections.

ALWAYS Respond to a Form FDA 483

My own experience is that it is always a good idea to respond to an FDA 483. If there is a
problem, then give clear details on how the problem is going to be fixed, with specifics such
as a timeframe. If you disagree with the observation, then follow Ligmonds advice to address

P a g e | 36

it with the facts and with documentation of the facts. FDA rarely will accept excuses such
as I thought my study coordinator was going to do that. However, if there is a legitimate
response, you should make it in a clear, respectful manner. The 483 responses I have worked
on always included specific actions, specific dates, and a specific person or department
accepting responsibility for ensuring that the corrective action takes place. And they always
include documentation of corrective actions. If it isnt documented, then its just a rumor.

Clinical Trial Compliance & Checklists: The

Right Approach?
January 24, 2010

Update: Checklists and clinical trials are points to consider for clinical trial professionals. I
am including a link to some resources you may find of interest. Since I wrote this on January
24, 2010 the post has continued to receive a lot of traffic so I am putting a link to some sites
that may be of use to you after reading my original post. One link is Norton Audits and they
have a number of documents you can access. The checklist is at the bottom right. The links
are at the bottom, scroll down.
Original Post: Checklists and complex medical procedures: Some physicians argue that
checklists can reduce infection rates during surgery and help manage an increasingly complex
medical system. Also, there is a growing use of checklists in clinical trials including the use
of protocol-specific worksheets to assist a clinical site in protocol compliance. Some QA
specialists think checklists are essential. Others ask, Is this a good thing? Are we missing

something in the checklists?

The New York Times Book Review reports on the medical part of this discussion in a review
by Dr. Sandeep Jauhar entitled One thing after another, about the book The Checklist
Manifesto by Dr. Atul Gawande (Metropolitan Books/Henry Holt & Company: $24.50). Dr.
Gawande is a professor of surgery at Harvard Medical School and a staff writer at the New
Yorker. The reviewer, Dr. Jauhar, is a cardiologist and the author of Intern: A Doctors
Initiation. A quick note: His review does not discuss clinical trials. However, I immediately
drew a connection.
An example in the book cites A five-point checklist implemented in 2001 virtually
eradicated central line infections in the intensive care unit at Johns Hopkins hospital,
preventing n estimated 43 infetions and eight deaths over 27 months. That is a very
impressive result that has been repeated at studies at intensive care units (ICUs) in Michigan,
according to the review.
In clinical trials I have seen many quality assurance audit plans and monitoring procedures
that rely heavily on checklists. Checklists are something that I should probably use more. I
usually use the FDA Clinical Investigator Compliance Program Guidance Manual (CP

P a g e | 37

7348.811) that I was trained on when I was at FDA (see link on the right under FDA
Stuff). However, I see a downside of checklists. Although they help make sure you review the
necessary documents hey rarely assist the monitor or auditor in determining significance. I
have seen cases where a monitor or auditor has hammered away about an item on their
checklist that really wasnt all that important, or maybe not even relevant for that specific
study.

In addition, checklists are entirely dependent on who is writing the checklist and if their list,
written in an office complex somewhere, is practical in the field where clinical trials actually
are taking place. There can be some serious unintended consequences. I have seen recent
FDA Warning Letters to clinical investigators that state:
A. Your site chose to use the sponsors standardized forms as source documents to record
and document information related to the subjects study visits. Per the standardized form,
your site was to Complete the Inclusion/Exclusion Criteria Worksheet to evaluate for
study eligibility. In the FDA investigators review of 16 of 65 subject records at your site,
there was no Inclusion/Exclusion Criteria Worksheet found for any of these subjects.
The records kept at a clinical site are the responsibility of the site, of the clinical investigator,
not of the sponsor or the employee that wrote them. If the site doesnt fill out each of the
worksheets, and perhaps sign and date them, then FDA will write you up in a Form FDA
483, Inspectional Observations, for inadequate recordkeeping and possibly a protocol
violation. In short, the checklists and worksheets have to be practical to use at the clinical
site.
Dr. Jauhar does not talk about clinical trials in his book review. But he does give concrete
examples of how checklists can be a problem. For exmple he says:
Today, insurers are rewarding doctors for using checklists to treat such conditions as
heart failure and pneumonia. One item on the pneumonia checklist that antibiotics be
administered to patients within six hours of arrival at the hospital has been especially
problematic. Doctors often cannot diagnose pneumonia that quickly. But with money on
the line, there is pressure on doctors to treat, even when the diagnosis isnt firm. So more
and more antibiotics are being used in emergency rooms today, despite the dangers of
antibiotic-resistant bacteria and antibiotic-associated infections.
The book review is very much worth reading. In addition there is access to a podcast
featuring Dr. Gawande. You can find a ink under Interesting Articles on the right as well

subscribe

6610396

http://gxpperspectiv

loggedout-follow

868394aeb8

/tag/quality-assuran

FRS:
A formal description of a software system that is used as a blueprint

P a g e | 38

for implementing the program. At minimum, a functional specification

should precisely state the purpose (e.g., the function) of the software.
Depending on the software engineering methodology used, the
functional specification might also provide implementation details,
such as how the project is divided into modules and how the different
modules interact. In addition, a functional specification often
describes the software from the user's perspective -- how the user
interface appears and how a user would use the program to perform
specific functions.
A functional specification is often called a functional spec, or just spec.