21 CFR Part 11: It’s Not Going Away

Will FDA’s emphasis on risk management bring new clarity to an unpopular regulation?

By Paul Thomas, Managing Editor

1 of 2 < 1 | 2 View on one page

“Many, many people in the industry would love to see Part 11 go away,” says Warren Perry, compliance advisor for Qumas (Florham Park, N.J.), a compliance software and consulting group. “That’s just not going to happen. Part 11 is a federally mandated law. It can’t go away.”

But the going may at least get a bit easier for drug manufacturers that have focused so intently on the letter that they’ve forgotten the spirit of the law and its real import. This year, FDA will release revised guidance for 21 CFR Part 11, the contentious and widely disliked regulations governing electronic records and signatures. The new guidance promises to offer a less-prescriptive, more risk-oriented approach to electronic recordkeeping — in line with the Agency’s risk-based philosophy.

In speeches and public forums, the Agency has said that it plans to narrow the scope of Part 11 guidance, to focus on documents that are critical to product quality and safety, asking that they be maintained securely and with integrity. The onus will be on manufacturers to ensure compliance, and to self-correct should compliance lapse.

While guidance is under review, the Agency has promised that it will not fine manufacturers — in FDA-speak, it will exercise “enforcement discretion”—as long as electronic documents and signatures adhere to fundamental “predicate rules” (GMPs, GLPs) as well as the Food, Drug and Cosmetic Act and Public Health Service Act.

Given FDA’s deferral to predicate rules, one might assume that Part 11 is becoming irrelevant, or perhaps less relevant than it once was. Not so, says John Blanchard, senior consultant, life sciences, for ARC Advisory Services (Dedham, Mass.). “Part 11 is alive and well,” he says, “but you can do it any way you want. FDA is saying, ‘We don’t care, as long as you know what your high-risk processes are and can show us the authenticity, integrity and security of your records.’ ”

“Given FDA’s own thinning resources, the Agency is telling drug manufacturers that they need to be self-controlling, self-regulating and self-remediating,” adds Qumas’ Perry.

Savvy compliance professionals will see a risk-based interpretation of Part 11 as an opportunity, says Dr. Thomas Zimmer, head of corporate division safety, quality and environmental protection for Boehringer Ingelheim. “This allows for compliance levels that are directly related to the risk that electronic records pose to product and human safety,” he says. “Therefore, it ensures cost containment.”

That’s exactly what FDA is trying to do, says Blanchard: lower the costs of compliance to encourage innovation and pass savings and benefits on to consumers.

Problems of the past

A clearer vision for Part 11 can’t come soon enough for some manufacturers, who have endured confusion and nail-biting, some of it unnecessary, since Part 11 was introduced in 1997. There has always been such a wide range of possible interpretations of Part 11 as to make compliance difficult, and costly, says Boehringer Ingelheim’s Zimmer. Early in 2003, FDA withdrew previous guidance, noting that it was inconsistent with the Agency’s developing 21st Century GMP initiative. Better to have no guidance at all than have manufacturers wasting precious time and effort grasping at compliance.

Later that year, FDA issued draft guidance on the “scope and application” of Part 11 to fill the regulatory void until official guidance could be drafted. This document promised a narrow, risk-oriented approach, but it, too, remains a subject of debate.

Few drug manufacturers have handled Part 11 well, agrees Kate Townsend, solution partner for BusinessEdge Solutions (East Brunswick, N.J.) and an ISPE/GAMP4 trainer on Part 11. If anything, manufacturers have responded to uncertainties by overcomplying, she says. “Companies were looking at the regulations too literally, rather than looking at their computer systems in context,” she says. As a case in point, manufacturers would assume that temperature and humidity data recorded every five seconds by an environmental monitor were electronic records.

Software vendors offered products that would create an audit trail for such information. End users, in turn, would exercise that functionality only to find themselves living a data-gathering and archiving nightmare.

Today, manufacturers need only apply audit trails to operator activities, as required by Part 11, Townsend says. Information captured on monitoring systems does not require an audit trail unless it is open to operator access and manipulation.

Discouraging innovation

In the past, FDA’s guidance has not only led some companies to focus on the trees rather than the forest, but it has also discouraged them from adopting new technologies or being innovative. The Agency has openly admitted that it seeks to rectify this problem.

Some of the confusion lies in the fact that Part 11 has never been consistently applied in the field, ARC’s Blanchard notes. Agency guidance has, in fact, been fairly consistent, he says. It is the subjective application of that guidance by investigators and reviewers that has led industry to interpret FDA’s mandate in myriad ways.

After guidance was pulled from the table in 2003, Part 11 was largely ignored by FDA investigators, says Ludwig Huber, worldwide compliance fellow with Agilent Technologies and a consultant and trainer with LabCompliance (Oberkirch, Germany), which offers a Part 11 compliance package. “Inspectors were afraid to bring up Part 11,” says Huber, who follows FDA field reports and warning letters closely. “They hardly looked at Part 11, because they weren’t sure of the Agency’s guidance.”

Last year, drug investigators began to look at computer validation and electronic records in earnest again, he says. “Typically, Part 11 is not really mentioned in observations and warning letters, but they do refer to the predicate rule requirements,” he says. One 483 sent by FDA to device manufacturer Guidant Corp. last fall, however, did make several Part 11-related observations. It cited failures to validate software, establish a proper audit trail for key documents and maintain the integrity of records. And it noted that many electronic records and signatures were deleted or never existed (see "Master the Possibilities," below).

1 of 2 < 1 | 2 View on one page
Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.


No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments