How Part 11 Compliance Impacts QbD

Oct. 15, 2007
No longer stuck with the "validate everything" mantra, companies now need to assess the risks applicable to their electronic information and integrity to determine what (if any) validation is needed.

An ominous shift in regulatory enforcement expectations is increasingly apparent to many pharmaceutical and life sciences executives around the world. The rise in the U.S. Food and Drug Administration’s (FDA) information integrity-based audit findings, 483s and warning letters reflects a larger move away from reactive post-market inspections. Interestingly, FDA officials advocate Quality by Design (QbD) as their goal, but it is hard to see the relationship between QbD and data integrity without stepping back to look at the big picture.

Over the past two years, pilot programs have shown an increased approval speed for new products drawing on elements of Quality by Design. Despite this progress, the largest question remains: given that so many FDAregulated firms view their preclinical product development process as “outside the box” of FDA regulatory oversight, how do companies intend to bring their R&D test data, laboratory results, protocols, lab notebooks, engineering prototypes and schematics into a state of compliance with QbD principles?

When seen as part of the larger FDA regulatory landscape, the answer emerges from 21 Code of Federal Regulations Part 11 (21 CFR Part 11), the electronic signatures and records act. As counterintuitive as this may seem, my experience with clients over the past few years has shown that a strategic, risk-based approach to Part 11 dovetails with QbD to improve a company’s new product pipeline, speed its new product time-to-market and increase its compliance flexibility. The fact that FDA enforcement actions increasingly focus on pre-market data integrity would seem to support this. How then are Part 11 and QbD intertwined, and what are the pitfalls associated with an integrated approach?

QbD discussions began within FDA during the 1990s. The idea of using QbD to speed time-to-market coalesced later, around 2003-2004, when FDA was under pressure to hasten approvals and identify safety approvals.

For the past 20 years, QbD has been widely used in the consumer products and software development industries. These industries’ experience has shown that the earlier in the design phase certain predefined, critical product aspects (such as consumer preferences) are implemented, the faster product development occurs — with an analogous increase in product quality. By extension, for pharmaceutical, medical device and biologics companies, incorporating predefined critical product aspects (such as safety and efficacy) should start in the preclinical product development stage.

As FDA officials began to see QbD as a way to speed new products to market safely, there was a growing realization that the overzealous aspects of earlier interpretations, applications and enforcements of 21 CFR Part 11 often focused on specific technologies. The actual impact on electronic information integrity for the data that supported a product’s safety and efficacy (or proved compliance with good manufacturing and laboratory practices) had not been considered.

Coinciding with the 2004 announcement of an initiative to speed new medicines to market safely, FDA announced its intent to revise Part 11 to be more closely aligned with current risk-based practices and other FDA initiatives. The focus of Part 11 was now to be on the integrity of a company’s electronic records as they related to product safety and efficacy, as well as proof of adherence to good manufacturing and laboratory practices (GMPs and GLPs).

For consumers, regulators, shareholders and life science companies alike, this shift has been a welcome watershed. Information integrity is crucial to ensuring product safety and efficacy, and the costs of Part 11 compliance are now beginning to fall in line with costs associated with other aspects of risk-based regulatory compliance. No longer is the mantra “validate everything or else.” Now, a firm needs to assess the risks applicable to its electronic information and integrity to determine what (if any) validation is needed. This philosophical shift is the crux of why Part 11 is a good catalyst for both Quality by Design and for getting new drugs, biologics and medical devices to market faster, more safely and more easily. It is also a key reason that 95% of FDA’s enforcement targets in 2006 were related to data integrity.

With my clients, I encourage adoption of a strategic, riskbased Part 11 compliance approach within the framework of preclinical activities associated with QbD and the compilation of a device or drug design history file.

Over the past several years, three specific benefits have emerged from this integrated, strategic approach:

  • Reduction in risk and costs
  • Improved new product pipeline flexibility
  • Improved new product return on investment.

Risk and Cost Reduction

As risks increase, costs rise. The more risk can be engineered out of a product or process, the less costly the final result will be. Three common areas to examine are design inputs, intellectual property security and the transference from preclinical to clinical to final production.

For product design inputs, assess the impact of each design specification on the patient’s safety and the product’s efficacy. The assessment needs to be conducted using a risk analysis; however, the industry’s most commonly used tool, Failure Modes and Effects Analysis, is not an appropriate method, as it is reactively focused. To speed development, crucial product safety and efficacy attributes must be identified as early as possible. Therefore, I counsel clients to adopt a simpler, more proactive tool like the Hazard Analysis Critical Control Points technique used in the food industry.

Once key safety and efficacy aspects have been pinpointed, whether they are product-specific or process-related (such as a formulation that must be mixed within a relatively narrow range of temperature, humidity, air cleanliness and time), the controls needed to ensure those safety and efficacy targets have to be determined. For many controls today, automation can be incorporated, thus speeding processes, reducing labor, ensuring consistency and reducing risk.

The identified controls, plus any automation thereof, must be validated. The goal is to answer two questions:

  1. Does the control (and its automation) work as intended?
  2. Are the records generated by that control – whether automated or not – created, maintained and stored at a level that provides a reasonable assurance of data integrity?

Examined in this light, only those automated processes or controls that impact information integrity need to undergo a risk assessment to determine the level of Part 11 compliance required. Ironically, the efforts required to validate such automated processes or controls (including those on data creation, maintenance and archival) to Part 11 expectations serves as an impetus to limit late-stage product design changes, and thus encourages full-scale QbD adoption.

The information gathered during the preclinical stage will, at some point, need to be transferred to clinical, and eventually to final production. That transference process should undergo risk assessments and be validated, especially as it concerns data integrity. In any information transfer process, risks such as data loss, manipulation or public disclosure are always present and need to be controlled.

Also, consider conducting different statistical analyses of study results as the design process shifts from preclinical to clinical to final production. Ensure that the conclusions are always consistent. Multiple successful analyses reflect a higher degree of certainty regarding the quality and integrity of relevant product safety and efficacy data as it travels through the design process. The analyses processes and any controls on the results should also be validated.

The controls and processes used by a company to secure its intellectual property stored in electronic format can also undergo this type of scrutiny. Having written extensively on this topic elsewhere [1, 2, 3], I will not cover it here. However, I will say that for companies seeking partnerships to help bring their new products to market, securing intellectual property through risk assessment, critical control point identification and information integrity validation can spell the difference between profitability and bankruptcy.

By focusing on validating the processes, controls and data integrity related to a product’s safety and efficacy (and proof of compliance with good manufacturing and laboratory practices), the flexibility of a firm’s preclinical arena is vastly expanded. Because only certain test protocols or even laboratories are in a validated state, researchers can follow their hunches and inspirations to conduct one-off tests without going through the more controlled and validated processes. If a desired result from such one-off testing is obtained, the development of the new product is neither jeopardized nor slowed, but can be improved if the company so desires. At a high level, such an improvement process works as follows:

First, the test is repeated under the validated process (with the Part 11 compliance automated components) to ensure consistent results and capture the data with integrity.

Second, the company can either choose to incorporate the changes in its product that the new test results suggest (without risking earlier progress), or it can determine to hold off on the change. Either way, the test and its data have integrity under QbD and Part 11 and can be adopted later, or even included as part of another product’s design.

To product development professionals in the consumer products arena, this approach is known as “bookshelving.” Bookshelving is increasingly being adopted and relied on not only to speed product development and increase flexibility, but also improve the success rate and return on investment of new products. Because FDA-regulated medicines take so long to reach the marketplace, bookshelving is a natural fit for preclinical development. The result is flexibility in exploration for researchers, risk reduction for compliance and product safety and efficacy, and improvement of new product development success rates.

A recent study by the Pharmaceutical Research and Manufacturers of America found that the typical ratio of innovations to marketplace approval is 250 to 1. Of those products that do reach market, only 30% will ever recover their cost of development, according to a study in Pharmacoeconomics.

With bookshelving, where compliant data can be used multiple times to support several different new product regulatory applications, development costs are lowered by eliminating duplicate work over the long term. Modules of study results and data can be drawn on by the firm to speed development of promising new products, or to shut down avenues of research that have a high likelihood of failure based on the historical information that has been bookshelved by the company.

Use of bookshelved information makes it imperative that the data has integrity, which includes Part 11 compliance. Minus that, such information becomes nothing more than private collections of public literature survey results. Further, as Dr. Barry Cherney (Deputy Director, Division of Therapeutic Proteins, FDA’s Center for Drug Evaluation and Research) pointed out at an FDA conference in May, under QbD, while a firm can use literature surveys to help support its preclinical results and expected product characteristics, the company cannot rely solely on such non-compliant information to allow a transition into clinical. Validated preclinical processes and information collected, maintained and archived under Part 11-compliant conditions are required under the proactive philosophy of QbD.


One of the pitfalls of integrating QbD with Part 11 compliance is to make a leap of logic from the assumption that if some bookshelving and validation of critical product aspects means faster time to market and higher success rates, then even better results will occur if all laboratories are validated and all preclinical information is given high degrees of integ-rity. However, because data has a long lifespan, 80% of its cost lies not in its acquisition or creation, but in its maintenance. By assuming that it must be better if all information has high integrity (and thus, all processes and controls must be validated), the result is an ever-increasing escalation of costs.

Imagine a laboratory where every test was run, every result was kept under validated conditions, where the data and metadata (the context of the test results like the protocol, etc.) was stored, migrated and archived under Part 11 conditions. At first, the costs would be low, but within five years, costs would be rapidly on the upswing. That said, it should be no surprise, given the past Part 11 interpretation (“validate everything”) plus the constant pressure on company executives to speed product development, that most executives have been guilty of falling into this trap.

The second pitfall that is typical in this arena arises from the cross-functional communication difficulties that plague companies large enough to have separate functional areas such as information technology (IT), legal, quality assurance (QA) and compliance. The individuals in these groups often use the same terminology, but with different meanings and implications. For instance, “validation” is understood by technologists to refer to an engineering-based “does it work?” viewpoint, while quality and compliance professionals see “validation” as also encompassing data integrity, personnel qualifications, training, risk assessments and so forth.

Thus, when IT executives hear phrases like “information integrity,” there is a predilection to look for silver-bullet solutions, particularly with a technology marketplace full of vendors claiming “21 CFR Part 11-certified.” The danger of this fondness is too much focus on technology versus the information itself. A natural extension of this occurs when a company implements an automated system to speed batch processing with no commensurate increase in data quality.

There are other pitfalls in applying QbD to preclinical product development that stem, in part, from a combination of the previously discussed problems. Examples include: the IT executive, validation engineer and QA director who insist on an overly broad, strict application of Part 11 to the product development area; the researchers who balk at having any controls placed on their work that might limit their initiative and creativity; and the financial and operations managers who consistently refuse to adopt techniques that may have high implementation costs but low long-term maintenance and validation costs in favor of techniques with low upfront costs but high long-term maintenance.

As I have seen over the years working with clients, each company has its own specific tipping point. Being able to see that point before stumbling over it requires a collaborative, company-wide effort — from validation to compliance, QA to IT, legal to finance — to encourage questions and suggest revisions at both strategic and tactical levels.

QbD and Part 11 make for strange bedfellows. A company’s IT group, compliance and quality teams, and scientists and engineers must work together; a tall task in any organization, even without the added pressure of shareholders and outside investors scrutinizing a pipeline of future products for a regulated marketplace. By combining a fresh view of Part 11’s strengths with QbD’s clear ability to improve finished product quality and compliance, a company can achieve at least a 12% increase in time-to-market speed. In a world where timeto- market takes 10-15 years at a cost of $1.2 billion, that’s a savings of at least one to two years and $144 million. For newly patented products, that also means one to two more years of competitor-free marketplace revenue.

More information on QbD, associated industry statistics plus costs and success rates of pharmaceutical product development are compiled in a 36-page report, “Is Quality by Design Right for My Organization…?” available free to subscribers of Pharmaceutical Manufacturing. To obtain a complimentary PDF copy, visit On the request form (, under the question “Is there any other information you’d like to receive?” simply type in “Pharmaceutical Manufacturing subscriber.” Alternatively, you can send an e-mail with your contact information and request to [email protected]. The report includes a workbook section you can use to make a company-specific cost-benefit analysis to determine if QbD is appropriate for your organization. Are you ready?


  1. “Trade Secrets,” European Biopharmaceutical Review, January 2007
  2. “Joint Development Agreements,” SmarterCompliance, Month? 2007
  3. “Intellectual Property from the Inside Out”, a chapter in the yet-to-bepublished
    book Advanced Topics in Biotechnology Business Development,
    edited by Yali Friedman

About the Author

An author, speaker and business compliance advisor, John Avellanet is the
co-founder and managing director of Cerulean Associates LLC . He can
be reached at:
[email protected].

About the Author

John Avellanet | Cerulean Associates LLC