21 CFR Part 11: How and Why to Comply

Tuan T. Phan

September 1, 2002

The FDA regulation in 21 CFR Part 11, effective since August 20, 1997, specifies how companies in FDA-governed industries must handle electronic records and electronic signatures.[1] The regulation does not mandate the use of electronic records or signatures; rather, it simply outlines the requirements that must be met by medical device, drug, and biologic manufacturers that do choose to use them, within the context and enforcement parameters of the regulation.

The regulation applies to all aspects of the research, clinical study, maintenance, manufacturing, and distribution of medical products.

Collaborative efforts between FDA and the regulated industries begun in 1992 were the origin of 21 CFR Part 11. The regulation is grounded in the agency's belief that the new data technologies have become so pervasive that the use of electronic records and signatures will inevitably become universal. It is designed essentially to minimize the possibility of data misappropriation. Part 11 focuses on ensuring the authenticity of data, the integrity of data and systems, the confidentiality of data (particularly with respect to clinical trials and blood banks), and the nonrepudiation of electronic signatures.

The regulation defines key areas of coverage in which FDA sees the greatest likelihood of failures that could lead to data misappropriation. They are:

  • System Validation. Systems covered by Part 11 must be validated to demonstrate fitness of use, consistency, and reliability.

  • Records Management. The regulation addresses all aspects of managing batch and production records, process-monitoring data, equipment-related GMP data, standard operating procedures (SOPs), test methods, specifications, policies, inventory records, calibration and maintenance records, product complaint records, validation protocols and reports, and training records. It outlines specific requirements and controls pertaining to regulated electronic records through all phases of their life cycle: creation, modification, maintenance, archiving, retrieval, and transmission.

  • System Security Management. Part 11 establishes a minimum standard for limiting access to regulated systems and discusses security measures, including both physical and logical controls.

  • Audit Trail Management. The use of audit trails to authenticate and confirm the integrity of regulated records and signatures offers the greatest challenge to regulated companies.

  • System Documentation Management. System documentation must be controlled throughout the life cycle of development, revision, issuance, and obsolescence.

  • Electronic Signature Management. Part 11 discusses the requirements for any use of electronic signatures.

  • Certification. Individuals granted access to electronic systems must be certified and trained prior to using them. In this section, FDA certifies that electronic signatures are equivalent to personal signatures for its purposes.

Systems designed to manage regulated electronic records are also subject to the requirements of 21 CFR Part 11. These include electronic document management systems (EDMS); warehouse management systems (WMS); materials resource planning (MRP) and enterprise resource planning (ERP) systems; programmable logic control (PLC), data control system (DCS), and supervisory control and data acquisition (SCADA) reporting systems; laboratory information management systems (LIMS); clinical trial management systems (CTMS); and maintenance and calibration systems (see Table I).

Type of System / System Name and Manufacturer

EDMS

Quality and Manufacturing Information Management System (Pilgrim Software Inc.)
Documentum 4i and DocControl Manager (Documentum Corp.)

WMS

MARC System (TRW Inc.)
Visual Distribution—WMS (Lilly Software Associates Inc.)

MRP and ERP

MFG/Pro (QAD Corp.)
SAP R/3 and mySAP.com (SAP AG)
BPCS (SSA Global Technologies Inc.)
Navision XAL (Navision a/s; recently acquired by Microsoft Corp.)

SCADA

CIMScan (CIMTechniques Inc.)
Intellution iFix (Emerson Corp.)
InTouch, InBatch, and InSQL (Wonderware Corp.)

PLC and DCS

SIMATIC Series (Siemens AG)
Allen-Bradley PLC 5 and SLC Series (Rockwell Automation Inc.)
Fisher-Rosemount Delta V (Emerson Corp.)
Advant (ABB Corp.)

LIMS

Millennium (Waters Corp.)
Agilent ChemStation (Agilent Corp.)

CTMS

InForm, InFusion, Clintrial, and Clintrace (Phase Forward Inc.)
PMX—CTM (Propack Data Corp.)

Maintenance and calibration

Advanced Maintenance Management System (Microwest Software Systems)
Calibration Manager (Blue Mountain Quality Resources Inc.)
GAGEtrak Calibration Management Software (CyberMetrics Corp.)

Table I. Prominent systems for managing regulated electronic records that are themselves subject to the requirements of 21 CFR Part 11.

Implementation Controls

Part 11 of 21 CFR outlines three types of implementation controls that can be employed to achieve compliance with the regulation: controls for closed systems, controls for open systems, and controls for electronic signatures. Which controls apply depends on who owns and controls access to the data or records, and whether electronic signatures are used exclusively to sign the electronic records. The following controls are applicable to both closed and open systems.

  • Systems must be validated.[2]

  • Managed records must be accurately reproducible in both printed and electronic forms, and must be available for FDA to copy.

  • Data and system integrity must be preserved through authority, operational, device, and other checks and verifications.

  • System access is limited to authorized users, and the control of access must be documented.

  • Automated audit trails must be implemented to authenticate records and to maintain record integrity.

  • System documentation must be controlled, including its revision and updating.

  • SOPs governing process management as well as system management must be implemented extensively, including procedures for the use of electronic signatures, electronic data access, and data security.
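The audit-trail control in the list above (automated trails that authenticate records and preserve their integrity) is the one the article later calls the greatest challenge for regulated companies. As an added illustration, not code from the article or from any product in Table I, the following Go program shows one common design: an append-only trail in which each entry records who changed which record, when, from what value to what value, and carries a hash that also covers the previous entry, so that editing, reordering or deleting an earlier entry is detectable on verification. The record identifiers, user IDs, timestamps and values are constructed sample data, and the field names and action vocabulary are this example's own.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
)

// genesisHash is the fixed link value of the first entry (constructed constant).
const genesisHash = "0000000000000000000000000000000000000000000000000000000000000000"

// AuditEntry is one immutable audit-trail entry. The prior value is kept in
// OldValue rather than overwritten, and PrevHash chains it to the entry before.
type AuditEntry struct {
	Seq       int
	Timestamp string // UTC timestamp, assumed to come from a controlled clock
	UserID    string
	RecordID  string
	Action    string // "create" or "modify" (constructed vocabulary)
	OldValue  string
	NewValue  string
	PrevHash  string
	Hash      string
}

// AuditTrail is an append-only sequence of entries.
type AuditTrail struct {
	Entries []AuditEntry
}

// hashEntry covers every field except Hash itself. Fields are length-prefixed
// so that no combination of field contents can collide across a boundary.
func hashEntry(e AuditEntry) string {
	h := sha256.New()
	fields := []string{strconv.Itoa(e.Seq), e.Timestamp, e.UserID, e.RecordID,
		e.Action, e.OldValue, e.NewValue, e.PrevHash}
	for _, f := range fields {
		fmt.Fprintf(h, "%d:%s;", len(f), f)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Append adds an entry linked to the current head and returns the new head hash.
func (t *AuditTrail) Append(ts, user, record, action, oldVal, newVal string) string {
	prev := genesisHash
	if n := len(t.Entries); n > 0 {
		prev = t.Entries[n-1].Hash
	}
	e := AuditEntry{Seq: len(t.Entries) + 1, Timestamp: ts, UserID: user,
		RecordID: record, Action: action, OldValue: oldVal, NewValue: newVal, PrevHash: prev}
	e.Hash = hashEntry(e)
	t.Entries = append(t.Entries, e)
	return e.Hash
}

// Verify recomputes the whole chain. expectedHead is the most recent head hash
// retained in a separate controlled store (pass "" to skip that check); without
// it, removal of the newest entries cannot be detected. It returns ok and, when
// not ok, a description of the first inconsistency found.
func (t *AuditTrail) Verify(expectedHead string) (bool, string) {
	prev := genesisHash
	for i, e := range t.Entries {
		switch {
		case e.Seq != i+1:
			return false, fmt.Sprintf("entry %d: sequence gap (expected %d)", e.Seq, i+1)
		case e.PrevHash != prev:
			return false, fmt.Sprintf("entry %d: broken link to previous entry", e.Seq)
		case hashEntry(e) != e.Hash:
			return false, fmt.Sprintf("entry %d: content does not match stored hash", e.Seq)
		}
		prev = e.Hash
	}
	if expectedHead != "" && prev != expectedHead {
		return false, "trail head differs from retained head (entries removed or rewritten)"
	}
	return true, ""
}

// History returns the successive values recorded for one record, oldest first.
func (t *AuditTrail) History(recordID string) []string {
	var vals []string
	for _, e := range t.Entries {
		if e.RecordID == recordID {
			vals = append(vals, e.NewValue)
		}
	}
	return vals
}

func main() {
	trail := &AuditTrail{}
	// Constructed sample activity on one batch record.
	trail.Append("2002-09-01T08:00:00Z", "jdoe", "BATCH-0421", "create", "", "pH=7.2")
	head := trail.Append("2002-09-01T08:05:00Z", "asmith", "BATCH-0421", "modify", "pH=7.2", "pH=7.4")
	ok, why := trail.Verify(head)
	fmt.Println("intact trail:", ok, why, trail.History("BATCH-0421"))

	// A silent correction of an earlier entry is caught by the stored hash.
	trail.Entries[1].NewValue = "pH=7.0"
	ok, why = trail.Verify(head)
	fmt.Println("after edit:", ok, why)
}
```

The chain makes alteration and deletion of earlier entries evident, but it does not by itself protect against truncation of the newest entries or wholesale regeneration by someone with write access to the store; that is why Verify takes a head hash retained elsewhere, and why the procedural controls in the list (restricted access, documented access control) still matter alongside the technical one.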

In addition, for open systems the regulation mandates the use of encryption to protect the data and safeguard their integrity, and the use of digital signatures rather than plain electronic signatures. Specific controls for electronic signatures are as follows.

  • Control of user IDs and passwords, including issuance, periodic management, recall, and disablement, must meet a defined minimum standard.

  • Any biometric signatures that are used must be controlled as specified.

  • Employees must be trained to understand the legality and use of electronic signatures, and this training must be certified in writing for FDA.

  • Implementation of the electronic signature in signed records and in the execution of signed records must meet a defined minimum level.

  • Signed records must be linked to the signer automatically, and the act of signing must not be capable of being falsified, transferred to another record or person, or otherwise escaping control.
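The last two controls above, together with the open-system requirement for digital rather than plain electronic signatures, are easiest to see in code. The following Go program is an added example, not code from the article or from any product it names. It binds the record content, the signer's identity, the meaning of the signature and the signing time into one message, signs that message with an Ed25519 digital signature, and then shows that the stored signature no longer verifies when the content is altered, when it is copied onto another record, or when it is attributed to a different user. The key registry, user IDs, record contents and signature meanings are constructed sample data; a production system would keep private keys in controlled storage and take the timestamp from a controlled clock.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedRecord carries the elements a signature manifestation needs (signer,
// meaning, date/time) together with the record content they apply to.
type SignedRecord struct {
	RecordID  string
	Content   string
	SignerID  string
	Meaning   string // e.g. "approved", "reviewed" (constructed vocabulary)
	SignedAt  string // UTC, assumed to come from a controlled clock
	Signature []byte
}

// KeyRegistry maps each user ID to the public key registered for that user.
type KeyRegistry map[string]ed25519.PublicKey

// NewSignerKey creates a fresh Ed25519 key pair for one user.
func NewSignerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signedDigest is the exact message the signature covers: every field that
// gives the signature its meaning, length-prefixed and hashed together. Because
// RecordID and SignerID are inside it, the signature is tied to this record and
// this signer and cannot be lifted onto another.
func signedDigest(r SignedRecord) []byte {
	h := sha256.New()
	for _, f := range []string{r.RecordID, r.Content, r.SignerID, r.Meaning, r.SignedAt} {
		fmt.Fprintf(h, "%d:%s;", len(f), f)
	}
	return h.Sum(nil)
}

// Sign produces a SignedRecord for the given content under the signer's key.
func Sign(priv ed25519.PrivateKey, recordID, content, signerID, meaning, signedAt string) SignedRecord {
	r := SignedRecord{RecordID: recordID, Content: content, SignerID: signerID,
		Meaning: meaning, SignedAt: signedAt}
	r.Signature = ed25519.Sign(priv, signedDigest(r))
	return r
}

// Verify checks the signature with the key registered for the claimed signer.
// Any change to the content, claimed signer, meaning or time, and any reuse of
// the signature on another record, makes this return false.
func Verify(reg KeyRegistry, r SignedRecord) bool {
	pub, ok := reg[r.SignerID]
	if !ok {
		return false // unknown signer: nothing to verify against
	}
	return ed25519.Verify(pub, signedDigest(r), r.Signature)
}

func main() {
	pubA, privA := NewSignerKey()
	pubB, _ := NewSignerKey()
	reg := KeyRegistry{"asmith": pubA, "jdoe": pubB}

	rec := Sign(privA, "SOP-017", "Cleaning procedure rev 3", "asmith", "approved", "2002-09-01T09:15:00Z")
	fmt.Println("genuine:", Verify(reg, rec))

	altered := rec
	altered.Content = "Cleaning procedure rev 4"
	fmt.Println("content changed:", Verify(reg, altered))

	transferred := rec
	transferred.RecordID = "SOP-018"
	fmt.Println("signature copied to another record:", Verify(reg, transferred))

	reassigned := rec
	reassigned.SignerID = "jdoe"
	fmt.Println("attributed to another user:", Verify(reg, reassigned))
}
```

The verifier looks the key up by the signer named in the record, so the link between record and signer is enforced by the cryptography rather than by a database column that could be edited; the user-ID and password controls in the list are what keep the corresponding private key usable only by its owner.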

FDA Expectations

In public presentations and guidance documents, FDA has repeated its expectation that companies comply with 21 CFR Part 11.[3] The level of expectation may vary with the criticality of the data and the type of systems used to manage the data.

New electronic data management systems must comply with the requirements of 21 CFR Part 11. Since 1999, when the agency began to enforce the regulation, an FDA 21 CFR Part 11 task force has met with technology companies to discuss the extent to which their applications are compliant with the requirements of Part 11. These meetings have reinforced FDA's conviction that technologies are available to ensure that new systems comply with the regulation.

The regulation provides no exemption for legacy systems—no grandfathering. However, recognizing the technical challenge of bringing these systems into compliance, FDA will be more lenient in reviewing them. This lenience is predicated on the company having a documented plan of action and working actively to bring its legacy systems into compliance.

The agency's position on hybrid systems—those that combine paper-based and electronic components—is that they must be made compliant as legacy systems, or else replaced with compliant systems.

FDA is also looking carefully at manually signed paper records generated from electronic records. Saying that the signed records are the official records will not do: the electronic records must be controlled. The agency expects regulated companies to use an electronic storage system or a defined mechanism for version control of these records, and to ensure consistency in data integrity and representation between the manually signed printouts and their electronic equivalents.

To support ongoing compliance efforts, FDA has released Part 11 guidance documents on validation and time stamps, and a glossary of terms.[4–6] At least two more in this series are planned. These documents provide substantial insight into the agency's long-term expectations, especially with regard to audit trails and time stamps.

FDA Enforcement

The enforcement history of 21 CFR Part 11 also supplies insights. After issuance of the regulation in 1997, FDA held off on enforcement actions until 1999, at which time serious enforcement began.[7] Enforcement actions occurred in a consistent flow for two years, then spiked in 2001.

A company that is out of compliance with FDA regulations may be hit with an FDA Form 483, a warning letter, an injunction (which can include a market recall or ban on importation), or a consent decree. A review of warning letters relating to Part 11 deficiencies was conducted in early 2002 to analyze the causes of noncompliance.[8] Most faults have been found in the areas of system validation and the protection of records.

The direct and indirect penalties that result from FDA actions can take many forms, and can become very expensive. A warning letter has been known to cause a company's stock to lose a third to a half of its value when the letter was made public. Targets of enforcement actions can experience a falloff in revenues when customers flee to competitors or when government contracts are lost.

And past profits may have to be disgorged. FDA considers profits obtained while a company is out of compliance with its regulations to be illegal and subject to seizure. Recent consent decrees regarding compliance deficiencies have cost Schering-Plough $500 million and Abbott Laboratories $100 million. But the real cost of noncompliance is even greater. Those companies have had to spend millions more on new employees and outside consultants hired to develop policies to bring the companies' systems into compliance with the terms of their consent decrees.

The message from FDA is very clear: be fully compliant with 21 CFR Part 11 and applicable predicate regulations, or face severe penalties.

Strategies for Achieving 21 CFR Part 11 Compliance

Implementing a compliance program requires focus, consistency, and a methodical approach. Whatever the exact shape of its implementation methodology, a company must take an approach that accomplishes the following.

  • Supports corporate tracking.

  • Centralizes the company's document management.

  • Generates required reporting documents, such as progress reports.

  • Uses a consistent assessment standard for all systems.

  • Documents all remediation actions.

  • Provides a means of postremediation qualification.

Any program that possesses these characteristics will not only make it easy to achieve compliance quickly, but will also ultimately minimize costs and resource consumption.

Phase 1: Creating a Part 11 Compliance Culture. In order to ensure compliant practices at the lowest level, a company needs commitment to compliance at the highest level. In the first program phase the organization provides awareness training for its senior management. Also taking place at this stage is the selection of members of a task force that will be responsible for implementing the compliance effort through all the levels of the enterprise.

Phase 2: Defining Policies and Procedures. Policies and procedures required to achieve Part 11 compliance are established next. Outside consultants can be helpful here, as they will have experience with policies and procedures used by other companies in the same regulated industry.

Once the company has a procedural framework in place, it can then disseminate the information throughout the organization via meetings and training classes. Bias in training must be minimized by using both company staff and outside consultants as leaders.

Phase 3: Inventorying Systems. In the third phase, existing regulated systems within the organization are inventoried and their conformity with Part 11 requirements determined. The number of systems involved is critical, as it establishes a baseline of resource requirements. Once these are known, financial budgeting and resource allocation can proceed.

Phase 4: Prioritizing the Inventory. FDA expects regulated companies to take a prioritized approach to compliance. That means evaluating the criticality of each system with regard to business risks, product risks, and data risks. Business risks are risks of the enterprise being cited for failing to meet specific requirements of the regulation. Product risks involve the impact on product safety, identity, strength, purity, or overall quality caused by bad data or poorly qualified processes. Data risks are threats to the integrity, authenticity, or other aspect of data quality.

At the conclusion of this phase of compliance program implementation, the organization can determine its overall exposure with regard to the systems to be evaluated in order to undertake the appropriate gap-assessment effort.

Phase 5: Performing Gap Analysis. Next, technical and procedural assessments of the system are performed with respect to requirements itemized within the interpretations and guidelines of the company's policies and procedures. The use of an assessment tool is highly recommended. Such a tool enforces consistency, provides an automated reporting and tracking mechanism, and ultimately accelerates and optimizes the gap assessment. One such tool is 21 CFR Part 11 Analyst from Trusted Integration Inc. (Alexandria, VA).

If the right tool is selected, it can also help the company with prioritization, remediation tracking, reporting management, and project management.

Phase 6: Prioritizing Findings. The focus of this phase is to use the gap analysis findings to create a priority order for getting the systems into compliance. A system's priority must be based on the extent of its deviations from Part 11 requirements, the importance of its data quality, and its history of compliance with applicable predicate regulations, including validation and change control. The prioritization performed at this stage enables systems posing the highest levels of risk to the company to be addressed expeditiously.

Phase 7: Formulating the Remediation Plan. Each system is remediated next, the formulated plan being tracked by the assessment tool if possible. Any one or a combination of five possible approaches can be taken by the company during this phase:

  1. Discontinuing use of affected processes and the noncompliant system.

  2. Employing a paper-based work process to manage affected processes.

  3. Implementing additional administrative and procedural controls until long-term solutions are in place.

  4. Upgrading a noncompliant system with compliant supporting infrastructure and subsystems.

  5. Replacing a noncompliant system with commercial off-the-shelf solutions.

In most cases, a company will choose the third option as a short-term approach while working toward implementing the fourth or fifth approaches.

Phase 8: Implementing the Remediation Plan and System Requalification. In implementing the remediation plan, the organization may get the original system vendors or third-party technology solution providers involved in the process. Remediation does not happen overnight; it may require custom code, software patches, and system version upgrades that are completed over several months. FDA finds this acceptable as long as a documented plan outlines the approach and a reasonable remediation schedule is maintained.

Once a remediation plan of appropriate extent has been implemented, the system is requalified. Special attention is paid to functions that could be affected by the technical fixes or that relate to any key control areas of 21 CFR Part 11. Care must be taken to conduct sufficient regression testing in order to ensure that the elements required to be qualified are addressed.

Compliance Costs and Benefits

Well-established larger organizations with plenty of resources are addressing the issue of 21 CFR Part 11 compliance. However, in small and midsized companies, the regulation does not yet appear on the radar of most executives.

For medical device, biotechnology, and pharmaceutical companies, the cost of attaining Part 11 compliance can be tremendous—perhaps in excess of $100 million for a global company.[9] Compliance spending is likely to go toward establishing the implementation task force; developing policies and procedures; educating company personnel about compliant practices; analyzing existing electronic data systems; retrofitting, remediating, or replacing affected systems; purchasing compliant systems; and requalifying systems.

Part 11 compliance efforts will probably exceed those required for the Year 2000 retrofit. However, unlike Y2K, when remediation costs tended to increase as 2000 approached, expenditures for Part 11 compliance are expected to decrease as the regulation matures and more resources become available.

Achieving compliance with 21 CFR Part 11 has benefits as well as costs. Companies with compliant systems will enjoy better process control, improved information transfer between related enterprises, a higher level of data integrity, fewer data-related errors, and reduced time requirements for data analysis, capturing, and filtering.

Conclusion

It is important that everyone in the company, regardless of authority level, understands 21 CFR Part 11 and the key benefits that the regulation can bring to the organization. FDA expects compliant systems—or at least an inventory of known noncompliant systems, with a plan for bringing them into compliance—and its enforcement actions have made it very clear that delay, avoidance, and rushed compliance are bad choices for approaching the challenge. Far better that the organization initiate its own measures for compliance than that the heavy hand of FDA dictate compliance. The possibility of being punished by forced disgorgement of profits eliminates any benefit to be derived from deferring regulatory compliance spending.

Documented evidence of progress toward Part 11 compliance must be provided should a company be inspected by FDA. Adoption of a compliance initiative like the eight-phase approach outlined in this article will satisfy that expectation. It also offers a pragmatic, efficient way to achieve compliance within the organization's budget of time, resources, and money.

A rushed approach to compliance through crash Part 11 compliance programs will be much more expensive than a planned, phased approach, and will likely not consider fully all of the requirements. Such an approach often will result in more work than would have been required had the company systematically structured a program for prioritizing and then meeting its needs.

Do not recreate the wheel! Implementing a 21 CFR Part 11 compliance initiative does not have to be difficult. Companies can tap into a large fund of knowledgeable people and established methods for achieving Part 11 compliance. Available methodologies can achieve implementation efficiencies by streamlining the flow of tasks and responsibilities defined for each phase. Software technology tools and templates are also abundant.

Companies in FDA-regulated industries must view spending on 21 CFR Part 11 compliance as an investment in their long-term success. Like investing in employees through benefits and training, spending on compliance builds an infrastructure to manage the processes that lubricate the engine that powers the medtech enterprise of the information technology era.

References

1. "21 CFR Part 11—Electronic Records; Electronic Signatures," Final Rule; Federal Register, 62 FR:13430–13466, March 20, 1997.

2. General Principles of Software Validation: Guidance for Industry (Rockville, MD: FDA, 2002).

3. Summary of FDA Public Meeting on Industry Experience Implementing Technical Provisions of 21 CFR Part 11 (Rockville, MD: FDA, 2000).

4. 21 CFR Part 11; Electronic Records; Electronic Signatures—Validation: Guidance for Industry (Rockville, MD: FDA, 2001).

5. 21 CFR Part 11; Electronic Records; Electronic Signatures—Timestamps: Guidance for Industry (Rockville, MD: FDA, 2002).

6. 21 CFR Part 11; Electronic Records; Electronic Signatures—Glossary of Terms: Guidance for Industry (Rockville, MD: FDA, 2001).

7. Enforcement Policy: Electronic Records; Electronic Signatures—Compliance Policy Guide: Guidance for FDA Personnel (Rockville, MD: FDA, 1999).

8. "Practical Laboratory Remediation Strategies for FDA's 21 CFR Part 11 Regulation" [Webcast on-line] (Bridgewater, NJ: Taratec Development Corp., April 17, 2002); available from Internet: http://www.taratecuniversity.com.

9. Truth and Misconceptions: The Federal Electronic Records Statute, Report 0502-0077 (Stamford, CT: Gartner Inc., May 2002).

Tuan T. Phan is president of Validation Associates Inc. (Raleigh, NC), a regulatory compliance consulting firm that performs 21 CFR Part 11 gap assessments, software and computer system validation, process validation, and system and vendor audits for life sciences companies. The author acknowledges Karenann Brozowski of Teleflex Medical Group (Research Triangle Park, NC) and Stephen Sanders of Validation Associates Inc. (Feasterville, PA) for their contributions to this article.
