21 CFR Part 11: It’s Not Going Away

Feb. 16, 2006
Will FDA’s emphasis on risk management bring new clarity to an unpopular regulation?

“Many, many people in the industry would love to see Part 11 go away,” says Warren Perry, compliance advisor for Qumas (Florham Park, N.J.), a compliance software and consulting group. “That’s just not going to happen. Part 11 is a federally mandated law. It can’t go away.”

But the going may at least get a bit easier for drug manufacturers that have focused so intently on the letter that they’ve forgotten the spirit of the law and its real import. This year, FDA will release revised guidance for 21 CFR Part 11, the contentious and widely disliked regulations governing electronic records and signatures. The new guidance promises to offer a less-prescriptive, more risk-oriented approach to electronic recordkeeping — in line with the Agency’s risk-based philosophy.

In speeches and public forums, the Agency has said that it plans to narrow the scope of Part 11 guidance, to focus on documents that are critical to product quality and safety, asking that they be maintained securely and with integrity. The onus will be on manufacturers to ensure compliance, and to self-correct should compliance lapse.

While guidance is under review, the Agency has promised that it will not fine manufacturers — in FDA-speak, it will exercise “enforcement discretion” — as long as electronic documents and signatures adhere to fundamental “predicate rules” (GMPs, GLPs) as well as the Food, Drug and Cosmetic Act and Public Health Service Act.

Given FDA’s deferral to predicate rules, one might assume that Part 11 is becoming irrelevant, or perhaps less relevant than it once was. Not so, says John Blanchard, senior consultant, life sciences, for ARC Advisory Services (Dedham, Mass.). “Part 11 is alive and well,” he says, “but you can do it any way you want. FDA is saying, ‘We don’t care, as long as you know what your high-risk processes are and can show us the authenticity, integrity and security of your records.’ ”

“Given FDA’s own thinning resources, the Agency is telling drug manufacturers that they need to be self-controlling, self-regulating and self-remediating,” adds Qumas’ Perry.

Savvy compliance professionals will see a risk-based interpretation of Part 11 as an opportunity, says Dr. Thomas Zimmer, head of corporate division safety, quality and environmental protection for Boehringer Ingelheim. “This allows for compliance levels that are directly related to the risk that electronic records pose to product and human safety,” he says. “Therefore, it ensures cost containment.”

That’s exactly what FDA is trying to do, says Blanchard: lower the costs of compliance to encourage innovation and pass savings and benefits on to consumers.

Problems of the past

A clearer vision for Part 11 can’t come soon enough for some manufacturers, who have endured confusion and nail-biting, some of it unnecessary, since Part 11 was introduced in 1997. There has always been such a wide range of possible interpretations of Part 11 as to make compliance difficult, and costly, says Boehringer Ingelheim’s Zimmer. Early in 2003, FDA withdrew previous guidance, noting that it was inconsistent with the Agency’s developing 21st Century GMP initiative. Better to have no guidance at all than have manufacturers wasting precious time and effort grasping at compliance.

Later that year, FDA issued draft guidance on the “scope and application” of Part 11 to fill the regulatory void until official guidance could be drafted. This document promised a narrow, risk-oriented approach, but it, too, remains a subject of debate.

Few drug manufacturers have handled Part 11 well, agrees Kate Townsend, solution partner for BusinessEdge Solutions (East Brunswick, N.J.) and an ISPE/GAMP4 trainer on Part 11. If anything, manufacturers have responded to uncertainties by overcomplying, she says. “Companies were looking at the regulations too literally, rather than looking at their computer systems in context,” she says. As a case in point, manufacturers would assume that temperature and humidity data recorded every five seconds by an environmental monitor were electronic records.

Software vendors offered products that would create an audit trail for such information. End users, in turn, would exercise that functionality only to find themselves living a data-gathering and archiving nightmare.

Today, manufacturers need only apply audit trails to operator activities, as required by Part 11, Townsend says. Information captured on monitoring systems does not require an audit trail unless it is open to operator access and manipulation.

Discouraging innovation

In the past, FDA’s guidance has not only led some companies to focus on the trees rather than the forest, but it has also discouraged them from adopting new technologies or being innovative. The Agency has openly admitted that it seeks to rectify this problem.

Some of the confusion lies in the fact that Part 11 has never been consistently applied in the field, ARC’s Blanchard notes. Agency guidance has, in fact, been fairly consistent, he says. It is the subjective application of that guidance by investigators and reviewers that has led industry to interpret FDA’s mandate in myriad ways.

After guidance was pulled from the table in 2003, Part 11 was largely ignored by FDA investigators, says Ludwig Huber, worldwide compliance fellow with Agilent Technologies and a consultant and trainer with LabCompliance (Oberkirch, Germany), which offers a Part 11 compliance package. “Inspectors were afraid to bring up Part 11,” says Huber, who follows FDA field reports and warning letters closely. “They hardly looked at Part 11, because they weren’t sure of the Agency’s guidance.”

Last year, drug investigators began to look at computer validation and electronic records in earnest again, he says. “Typically, Part 11 is not really mentioned in observations and warning letters, but they do refer to the predicate rule requirements,” he says. One 483 sent by FDA to device manufacturer Guidant Corp. last fall, however, did make several Part 11-related observations. It cited failures to validate software, establish a proper audit trail for key documents and maintain the integrity of records. And it noted that many electronic records and signatures were deleted or never existed (see "Master the Possibilities," below).

21st Century concerns

The 2003 “scope and application” document and FDA’s own outreach to industry have alleviated much of the consternation over Part 11. Still, manufacturers seek further clarification on:

  • What a “risk-based” approach to Part 11 means and how to implement it;
  • What determines risk and which activities are within the scope of regulation.

The publication last year of a risk-based GAMP Good Practice Guide has helped manufacturers resolve some of these major dilemmas. FDA’s risk-ranking model for GMP inspections, still a work in progress, will answer many questions about how risk is defined, says ARC’s Blanchard.

There are finer points in need of clarification:

  • What systems require detailed, secure audit trails;
  • How hybrid (paper/electronic) systems will be regulated — Part 11 applies, even if you print out paper records, the Agency has been saying;
  • What time sources (i.e., local, global) may be used to document operator activities — companies should be able to determine this themselves, depending upon their local or global manufacturing orientation, says Townsend.

Anyone hoping that amended FDA regulation will spell out the ABCs of electronic recordkeeping will be sorely disappointed. A certain degree of latitude is inherent where regulations apply to so many different types of systems and situations, says Townsend.

Latitude will also come with a risk-based approach, which may itself become a regulatory risk, says Per Olsson, principal consultant with ABB Process Solutions (Warrington, U.K.). “We have not seen enough live cases to know where this will go, but a risk-based approach is open to abuse,” Olsson says. “It may not be carried out stringently enough.” Yet to be seen is whether FDA can establish a cohesive regulatory front among the ranks of its investigators and reviewers.

Paper is still an option, it should be noted. FDA continues to maintain that paper records (as well as microfiche and other data storage forms) are perfectly acceptable — good news for small manufacturers with limited budgets to tackle e-records. But progressive companies are embracing electronic recordkeeping and signatures and would dearly like the Agency’s wholehearted blessing and support. “FDA should not attempt to impose audit trail requirements that would exceed those found in paper-based records required by the predicate rules,” says Boehringer Ingelheim’s Zimmer. “Doing so would only further support the avoidance of electronic record usage.”

It appears as though FDA has taken such criticism to heart. “They’re actually doing a pretty clever job of encouraging customers to give them electronic records,” says Perry of Qumas. Statistics show that FDA addresses electronic records in a much more timely fashion than it does paper records. “A year or so ago, people dismissed those statistics,” he says. “But clearly, the difference is overwhelming today.”

What next?

What will the new Part 11 look like? Most observers feel that it will be modeled after the “scope and application” document, though with more emphasis on “how” compliance can be achieved, and less on “what” requirements must be satisfied.

It will be written in the language of the risk-based approach, says Blanchard. Whereas the “scope and application” document suggested that, for instance, systems in place prior to August 20, 1997, were grandfathered from regulation, the new document should omit such language altogether. “They’ll say that if it’s proven to be a low-risk process and follows GMPs, then it’s compliant,” Blanchard says.

FDA will defer to the predicate rules on most matters, agrees Greg Meyer, president of consulting firm Compliance Media (Palo Alto, Calif.). And it will make significant concessions on having an audit trail for all systems. “Likely, they will simply remove the section that will have requirements for the audit trail,” Meyer says. “But they will probably clarify or reinforce the necessity of maintaining auditable backup tapes.” Auditors will need the technology to, say, perform sweeps of server logs to find out who made a release decision on a batch from a given date.

At a minimum, manufacturers have to have a risk matrix for their computer systems, Meyer advises. This includes an understanding of how systems impact risk to patients, and regulatory risk. “The companies that have done this are way ahead of the game,” he says. “It’s a survival skill at this point. FDA does not want to be your QA department.”

The “center of the bull’s-eye,” says Meyer, is electronic manufacturing controls for high-risk systems — such as quality controls for the release or rejection of product. “In these cases, I wouldn’t advise the typewriter rule,” says Meyer, referring to the common practice of typing and printing simple documents such as SOPs, so that they fall outside the realm of electronic records. “You have to have a validated system and ensure an auditable backup.”

“Adopt a risk-based approach to electronic records that is based on sound logic,” suggests Olsson of ABB. For electronic signatures, however, “follow the letter of Part 11 law,” he says.

“Define the criticality of each record and, even more important, look at the entire life of a record from its origin to archiving,” advises Huber. “Identify steps where operators manipulate records and make sure these systems have an electronic audit trail built in.”

“This looks like a complicated process,” he adds, “but it is not if you have the right tools.”

Master the Possibilities

There is no one way to comply with 21 CFR Part 11. Kate Townsend, solution partner with BusinessEdge Solutions and an ISPE/GAMP4 trainer, offers the following rules of thumb:

  1. Don’t “over-comply.” Electronic records are only required when they are identified in FDA’s predicate rules (e.g., GMPs, GLPs). Just because information is stored in a computer doesn’t mean that it qualifies as an “electronic record.”

  2. Apply a risk-based approach to electronic records and signatures that considers the context in which a computer system is being used, and perform a gap analysis to ensure that holes or errors in recordkeeping are accounted for.

  3. Base record and signature information on a secure time source, whether local or global (such as Greenwich Mean Time). FDA’s preamble guidance to Part 11 related to “time stamps” suggested that manufacturers needed to record operator activities in local time, dependent upon the site at which they occurred. This interpretation has since been retracted.

About the Author

Paul Thomas | Managing Editor