MD+DI Online is part of the Informa Markets Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

21 CFR Part 11: How and Why to Comply

The FDA regulation in 21 CFR Part 11, effective since August 20, 1997, specifies how companies in FDA-governed industries must handle electronic records and electronic signatures.1 The regulation does not mandate the use of electronic records or signatures; rather, it simply outlines the requirements that must be met by medical device, drug, and biologic manufacturers that do choose to use them, within the context and enforcement parameters of the regulation.

The regulation applies to all aspects of the research, clinical study, maintenance, manufacturing, and distribution of medical products.

Collaborative efforts between FDA and the regulated industries begun in 1992 were the origin of 21 CFR Part 11. The regulation is grounded in the agency's belief that the new data technologies have become so pervasive that the use of electronic records and signatures will inevitably become universal. It is designed essentially to minimize the possibility of data misappropriation. Part 11 focuses on ensuring the authenticity of data, the integrity of data and systems, the confidentiality of data (particularly with respect to clinical trials and blood banks), and the nonrepudiation of electronic signatures.

The regulation defines key areas of coverage in which FDA sees the greatest likelihood of failures that could lead to data misappropriation. They are:

  • System Validation. Systems covered by Part 11 must be validated to demonstrate fitness of use, consistency, and reliability.
  • Records Management. The regulation addresses all aspects of managing batch and production records, process-monitoring data, equipment-related GMP data, standard operating procedures (SOPs), test methods, specifications, policies, inventory records, calibration and maintenance records, product complaint records, validation protocols and reports, and training records. It outlines specific requirements and controls pertaining to regulated electronic records through all phases of their life cycle: creation, modification, maintenance, archiving, retrieval, and transmission.
  • System Security Management. Part 11 establishes a minimum standard for limiting access to regulated systems and discusses security measures, including both physical and logical controls.
  • Audit Trail Management. The use of audit trails to authenticate and confirm the integrity of regulated records and signatures offers the greatest challenge to regulated companies.
  • System Documentation Management. System documentation must be controlled throughout the life cycle of development, revision, issuance, and obsolescence.
  • Electronic Signature Management. Part 11 discusses the requirements for any use of electronic signatures.
  • Certification. Individuals granted access to electronic systems must be certified and trained prior to using them. In this section, FDA certifies that electronic signatures are equivalent to personal signatures for its purposes.

Systems designed to manage regulated electronic records are also subject to the requirements of 21 CFR Part 11. These include electronic document management systems (EDMS); warehouse management systems (WMS); materials resource planning (MRP) and enterprise resource planning (ERP) systems; programmable logic control (PLC), data control system (DCS), and supervisory control and data acquisition (SCADA) reporting systems; laboratory information management systems (LIMS); clinical trial management systems (CTMS); and maintenance and calibration systems (see Table I).

Type of System
System Name and Manufacturer
EDMS Quality and Manufacturing Information Management System (Pilgrim Software Inc.)
Documentum 4i and DocControl Manager (Documentum Corp.)
WMS MARC System (TRW Inc.)
Visual Distribution—WMS (Lilly Software Associates Inc.)
MRP and ERP MFG/Pro (QAD Corp.)
SAP R/3 and mySAP.com (SAP AG)
BPCS (SSA Global Technologies Inc.)
Navision XAL (Navision a/s; recently acquired by Microsoft Corp.)
SCADA CIMScan (CIMTechniques Inc.)
Intellution iFix (Emerson Corp.)
InTouch, InBatch, and InSQL (Wonderware Corp.)
PLC and DCS SIMATIC Series (Siemens AG)
Allen-Bradley PLC 5 and SLC Series (Rockwell Automation Inc.) Fisher-Rosemount Delta V (Emerson Corp.)
Advant (ABB Corp.)
LIMS Millennium (Waters Corp.)
Agilent ChemStation (Agilent Corp.)
CTMS InForm, InFusion, Clintrial, and Clintrace (Phase Forward Inc.)
PMX—CTM (Propack Data Corp.)
Maintenance and calibration Advanced Maintenance Management System (Microwest Software Systems)
Calibration Manager (Blue Mountain Quality Resources Inc.)
GAGEtrak Calibration Management Software (CyberMetrics Corp.)
Table I. Prominent systems for managing regulated electronic records that are themselves subject to the requirements of 21 CFR Part 11.

Implementation Controls

Part 11 of 21 CFR outlines three types of implementation controls that can be employed to achieve compliance with the regulation: controls for closed systems, controls for open systems, and controls for electronic signatures. Which controls apply depends on who owns and controls access to the data or records, and whether electronic signatures are used exclusively to sign the electronic records. The following controls are applicable to both closed and open systems.

  • Systems must be validated.2
  • Managed records must be accurately reproducible in both printed and electronic forms, and must be available for FDA to copy.
  • Data and system integrity must be preserved through authority, operational, device, and other checks and verifications.
  • System access is limited to authorized users, and the control of access must be documented.
  • Automated audit trails must be implemented to authenticate records and to maintain record integrity.
  • System documentation must be controlled, and revised or updated.
  • SOPs governing process management as well as system management must be implemented extensively, including procedures for the use of electronic signatures, electronic data access, and data security.

In addition to those, the regulation mandates for open systems the use of encryption to protect data and safeguard their integrity, and the use of the digital signature rather than the electronic signature. Specific controls for electronic signatures are as follows.

  • Control of user IDs and passwords, including issuance, periodic management, recall, and disablement, must meet a defined minimum standard.
  • Any biometric signatures that are used must be controlled as specified.
  • Employees must be trained to understand the legality and use of electronic signatures, and this training must be certified in writing for FDA.
  • Implementation of the electronic signature in signed records and in the execution of signed records must meet a defined minimum level.
  • Signed records must be linked to the user automatically, and the act of signing must not be able to be falsified, transferred, or otherwise uncontrolled.

FDA Expectations

In public presentations and guidance documents, FDA has repeated its expectation that companies comply with 21 CFR Part 11.3 The level of expectation may vary with the criticality of the data and the type of systems used to manage the data.

New electronic data management systems must comply with the requirements of 21 CFR Part 11. Since 1999, when the agency began to enforce the regulation, an FDA 21 CFR Part 11 task force has met with technology companies to discuss the extent to which their applications are compliant with the requirements of Part 11. These meetings have reinforced FDA's conviction that technologies are available to ensure that new systems comply with the regulation.

The regulation provides no exemption for legacy systems—no grandfathering. However, recognizing the technical challenge of bringing these systems into compliance, FDA will be more lenient in reviewing them. This lenience is predicated on the company having a documented plan of action and working actively to bring its legacy systems into compliance.

The agency's position on hybrid systems—those that combine paper-based and electronic components—is that they must be made compliant as legacy systems, or else replaced with compliant systems.

FDA is also looking carefully at manually signed paper records generated from electronic records. Saying that the signed records are the official records will not do: the electronic records must be controlled. The agency expects regulated companies to use an electronic storage system or a defined mechanism for version control of these records, and to ensure consistency in data integrity and representation between the manually signed printouts and their electronic equivalents.

To support ongoing compliance efforts, FDA has released Part 11 guidance documents on validation and time stamps, and a glossary of terms.4–6 At least two more in this series are planned. These documents provide substantial insight into the agency's long-term expectations, especially with regard to audit trails and time stamps.

FDA Enforcement

The enforcement history of 21 CFR Part 11 also supplies insights. After issuance of the regulation in 1997, FDA held off on enforcement actions until 1999, at which time serious enforcement began.7 Enforcement actions occurred in a consistent flow for two years, then spiked in 2001.

A company that is out of compliance with FDA regulations may be hit with an FDA Form 483, a warning letter, an injunction (which can include a market recall or ban on importation), or a consent decree. A review of warning letters relating to Part 11 deficiencies was conducted in early 2002 to analyze the causes of noncompliance.8 Most faults have been found in the areas of system validation and the protection of records.

The direct and indirect penalties that result from FDA actions can take many forms, and can become very expensive. A warning letter has been known to cause a company's stock to lose a third to a half of its value when the letter was made public. Targets of enforcement actions can experience a falloff in revenues when customers flee to competitors or when government contracts are lost.

And past profits may have to be disgorged. FDA considers profits obtained while a company is out of compliance with its regulations to be illegal and subject to seizure. Recent consent decrees regarding compliance deficiencies have cost Schering-Plough $500 million and Abbott Laboratories $100 million. But the real cost of noncompliance is even greater. Those companies have had to spend millions more on new employees and outside consultants hired to develop policies to bring the companies' systems into compliance with the terms of their consent decrees.

The message from FDA is very clear: be fully compliant with 21 CFR Part 11 and applicable predicate regulations, or face severe penalties.

Strategies for Achieving 21 CFR Part 11 Compliance

Implementing a compliance program requires focus, consistency, and a methodical approach. Whatever the exact shape of its implementation methodology, a company must take an approach that accomplishes the following.

  • Supports corporate tracking.
  • Centralizes the company's document management.
  • Generates required reporting documents, such as progress reports.
  • Uses a consistent assessment standard for all systems.
  • Documents all remediation actions.
  • Provides a means of postremediation qualification.

Any program that possesses these characteristics will not only make it easy to achieve compliance quickly, but will also ultimately minimize costs and resource consumption.

Phase 1: Creating a Part 11 Compliance Culture. In order to ensure compliant practices at the lowest level, a company needs commitment to compliance at the highest level. In the first program phase the organization provides awareness training for its senior management. Also taking place at this stage is the selection of members of a task force that will be responsible for implementing the compliance effort through all the levels of the enterprise.

Phase 2: Defining Policies and Procedures. Policies and procedures required to achieve Part 11 compliance are established next. Outside consultants can be helpful here, as they will have experience with policies and procedures used by other companies in the same regulated industry.

Once the company has a procedural framework in place, it can then disseminate the information throughout the organization via meetings and training classes. Bias in training must be minimized by using both company staff and outside consultants as leaders.

Phase 3: Inventorying Systems. In the third phase, existing regulated systems within the organization are inventoried and their conformity with Part 11 requirements determined. The number of systems involved is critical, as it establishes a baseline of resource requirements. Once these are known, financial budgeting and resource allocation can proceed.

Phase 4: Prioritizing the Inventory. FDA expects regulated companies to take a prioritized approach to compliance. That means evaluating the criticality of each system with regard to business risks, product risks, and data risks. Business risks are risks of the enterprise being cited for failing to meet specific requirements of the regulation. Product risks involve the impact on product safety, identity, strength, purity, or overall quality caused by bad data or poorly qualified processes. Data risks are threats to the integrity, authenticity, or other aspect of data quality.

At the conclusion of this phase of compliance program implementation, the organization can determine its overall exposure with regard to the systems to be evaluated in order to undertake the appropriate gap-assessment effort.

Phase 5: Performing Gap Analysis. Next, technical and procedural assessments of the system are performed with respect to requirements itemized within the interpretations and guidelines of the company's policies and procedures. The use of an assessment tool is highly recommended. Such a tool enforces consistency, provides an automated reporting and tracking mechanism, and ultimately accelerates and optimizes the gap assessment. One such tool is 21 CFR Part 11 Analyst from Trusted Integration Inc. (Alexandria, VA).

If the right tool is selected, it can also help the company with prioritization, remediation tracking, reporting management, and project management.

Phase 6: Prioritizing Findings. The focus of this phase is to use the gap analysis findings to create a priority order for getting the systems into compliance. A system's priority must be based on the extent of its deviations from Part 11 requirements, the importance of its data quality, and its history of compliance with applicable predicate regulations, including validation and change control. The prioritization performed at this stage enables systems posing the highest levels of risk to the company to be addressed expeditiously.

Phase 7: Formulating the Remediation Plan. Each system is remediated next, the formulated plan being tracked by the assessment tool if possible. Any one or a combination of five possible approaches can be taken by the company during this phase:

  1. Discontinuing use of affected processes and the noncompliant system.
  2. Employing a paper-based work process to manage affected processes.
  3. Implementing additional administrative and procedural controls until long-term solutions are in place.
  4. Upgrading a noncompliant system with compliant supporting infrastructure and subsystems.
  5. Replacing a noncompliant system with commercial off-the-shelf solutions.

In most cases, a company will choose the third option as a short-term approach while working toward implementing the fourth or fifth approaches.

Phase 8: Implementing the Remediation Plan and System Requalification. In implementing the remediation plan, the organization may get the original system vendors or third-party technology solution providers involved in the process. Remediation does not happen overnight; it may require customized codes, software patches, and system version upgrades that are completed over several months. FDA finds this acceptable as long as a documented plan outlines the approach and a reasonable remediation schedule is maintained.

Once a remediation plan of appropriate extent has been implemented, the system is requalified. Special attention is paid to functions that could be affected by the technical fixes or that relate to any key control areas of 21 CFR Part 11. Care must be taken to conduct sufficient regression testing in order to ensure that the elements required to be qualified are addressed.

Compliance Costs and Benefits

Well-established larger organizations with plenty of resources are addressing the issue of 21 CFR Part 11 compliance. However, in small and midsized companies, the regulation does not yet appear on the radar of most executives.

For medical device, biotechnology, and pharmaceutical companies, the cost of attaining Part 11 compliance can be tremendous—perhaps in excess of $100 million for a global company.9 Compliance spending is likely to go toward establishing the implementation task force; developing policies and procedures; educating company personnel about compliant practices; analyzing existing electronic data systems; retrofitting, remediating, or replacing affected systems; purchasing compliant systems; and requalifying systems.

Part 11 compliance efforts will probably exceed those required for the Year 2000 retrofit. However, unlike Y2K, when remediation costs tended to increase as 2000 approached, expenditures for Part 11 compliance are expected to decrease as the regulation matures and more resources become available.

Achieving compliance with 21 CFR Part 11 has benefits as well as costs. Companies with compliant systems will enjoy better process control, improved information transfer between related enterprises, a higher level of data integrity, fewer data-related errors, and reduced time requirements for data analysis, capturing, and filtering.

Conclusion

It is important that everyone in the company, regardless of authority level, understands 21 CFR Part 11 and the key benefits that the regulation can bring to the organization. FDA expects compliant systems—or at least an inventory of known noncompliant systems, with a plan for bringing them into compliance—and its enforcement actions have made it very clear that delay, avoidance, and rushed compliance are bad choices for approaching the challenge. Far better that the organization initiate its own measures for compliance than that the heavy hand of FDA dictate compliance. The possibility of being punished by forced disgorgement of profits eliminates any benefit to be derived from deferring regulatory compliance spending.

Documented evidence of progress toward Part 11 compliance must be provided should a company be inspected by FDA. Adoption of a compliance initiative like the eight-phase approach outlined in this article will satisfy that expectation. It also offers a pragmatic, efficient way to achieve compliance within the organization's budget of time, resources, and money.

A rushed approach to compliance through crash Part 11 compliance programs will be much more expensive than a planned, phased approach, and will likely not consider fully all of the requirements. Such an approach often will result in more work than would have been required had the company systematically structured a program for prioritizing and then meeting its needs.

Do not recreate the wheel! Implementing a 21 CFR Part 11 compliance initiative does not have to be difficult. Companies can tap into a large fund of knowledgeable people and established methods for achieving Part 11 compliance. Available methodologies can achieve implementation efficiencies by streamlining the flow of tasks and responsibilities defined for each phase. Software technology tools and templates are also abundant.

Companies in FDA-regulated industries must view spending on 21 CFR Part 11 compliance as an investment in their long-term success. Like investing in employees through benefits and training, spending on compliance builds an infrastructure to manage the processes that lubricate the engine that powers the medtech enterprise of the information technology era.


References

1. "21 CFR Part 11—Electronic Records; Electronic Signatures," Final Rule; Federal Register, 62 FR:13430–13466, March 20, 1997.

2. General Principles of Software Validation: Guidance for Industry (Rockville, MD: FDA, 2002).

3. Summary of FDA Public Meeting on Industry Experience Implementing Technical Provisions of 21 CFR Part 11 (Rockville, MD: FDA, 2000).

4. 21 CFR Part 11; Electronic Records; Electronic Signatures—Validation: Guidance for Industry (Rockville, MD: FDA, 2001).

5. 21 CFR Part 11; Electronic Records; Electronic Signatures—Timestamps: Guidance for Industry (Rockville, MD: FDA, 2002).

6. 21 CFR Part 11; Electronic Records; Electronic Signatures—Glossary of Terms: Guidance for Industry (Rockville, MD: FDA, 2001).

7. Enforcement Policy: Electronic Records; Electronic Signatures—Compliance Policy Guide: Guidance for FDA Personnel (Rockville, MD: FDA, 1999).

8. "Practical Laboratory Remediation Strategies for FDA's 21 CFR Part 11 Regulation" [Webcast on-line] (Bridgewater, NJ: Taratec Development Corp., April 17, 2002); available from Internet: http://www.taratecuniversity.com.

9. Truth and Misconceptions: The Federal Electronic Records Statute, Report 0502-0077 (Stamford, CT: Gartner Inc., May 2002).

Tuan T. Phan is president of Validation Associates Inc. (Raleigh, NC), a regulatory compliance consulting firm that performs 21 CFR Part 11 gap assessments, software and computer system validation, process validation, and system and vendor audits for life sciences companies. The author acknowledges Karenann Brozowski of Teleflex Medical Group (Research Triangle Park, NC) and Stephen Sanders of Validation Associates Inc. (Feasterville, PA) for their contributions to this article.

Hide comments
account-default-image

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish