Professional Documents
Culture Documents
21 CFR Part 11 —
Are You Ready for
an FDA Inspection?
White Paper
When the U.S. Food and Drug Administration (FDA) issued 21 CFR Part 11 in
1997,1 the internet existed but it was not as ubiquitous as it is today. Google
wasn’t around yet. Life science companies submitted documents to the FDA by
the truckload because paper records were the norm.
Part 11 has been scrutinized and criticized over the years, but it remains in
effect today. Given the pervasive automation of processes and digitization of
data today, the regulation is more relevant than ever.
Part 11 does not mandate the use of electronic systems. Rather, it specifies the
requirements for companies that choose to use computerized systems in their
compliance efforts. “When persons choose to use electronic records in place of
paper format, Part 11 would apply,” according to the 2003 guidance.3
The FDA guidance provides: “Persons must comply with applicable predicate
rules, and records that are required to be maintained or submitted must remain
secure and reliable in accordance with predicate rules.”4
Part 11 is meant to allow the use of electronic records as much as possible and
at the same time safeguard the integrity of data and systems and the validity
(or nonrepudiation) of electronic signatures. For the FDA, data integrity is a vital
part of ensuring the safety of medical products.
The agency does not grandfather legacy systems (meaning systems that were
operational before Part 11 took effect on Aug. 20, 1997). Companies that still
use legacy systems are responsible for taking the necessary steps to make
those old systems fully compliant.5
4 Areas of Compliance
To avoid overdoing Part 11 application, the agency recommends using risk
assessment in the following areas highlighted in the 2003 guidance. Risk
assessment refers to “a determination of the potential effect of a system on
product quality and safety.”
#1 Validation: The most common question people ask is, which computer
systems need to be validated under Part 11? The regulation applies to “records
in electronic form that are created, modified, maintained, archived, retrieved, or
transmitted, under any records requirements set forth in agency regulations.”6
However, a software system used by the company for maintaining clinical trial
documents that constitute the Trial Master File (TMF) needs to be validated.
The TMF has direct bearing on the quality of the company’s product because
it will show any serious adverse events during the clinical trial, whether GCP
requirements were fulfilled, and patient rights protected, among other things.
For every electronic system that requires validation, a company must be able
to demonstrate that the system consistently performs as it is intended to do. It
must meet company requirements for each purpose for which it’s used.
An FDA investigator is likely to ask for a list of users and functional and design
requirements and how the system meets those requirements. “If it isn’t
documented, it didn’t happen” is the common thinking within the FDA.
#2 Audit Trail: The use of electronic records has grown exponentially since
Part 11 was issued, making the audit trail more crucial today. The FDA
guidance says, “Even if there are no predicate rule requirements to document,
for example, date, time, or sequence of events in a particular instance, it may
nonetheless be important to have audit trails, or other physical, logical, or
procedural security measures in place to ensure trustworthiness and reliability
of the records.”7
The audit trail can help reveal data tampering or fabrication of results. It is
particularly appropriate for users who create, modify, or delete regulated
records.
The FDA guidance specifies that during inspection, a company should provide
the FDA investigator with reasonable access to records. It should allow
inspection, review, and copying of records using company hardware at the site
and following established procedures for accessing records.
MasterControl’s approach has helped many customers reduce the time and
effort in their own validation efforts. With the fourth principle in particular,
organizations can avoid duplication of efforts by taking advantage of
Inspection Readiness
To maintain constant inspection readiness, a company should begin by
evaluating all areas impacted by Part 11. Assemble a team consisting of
members from quality assurance, operations, information technology,
regulatory affairs, and compliance to conduct the evaluation. Once all core
processes and systems are identified, they should be examined and prioritized.
In preparing for inspection, a company should not lose sight of the spirit of 21
CFR Part 11. The FDA’s concern remains the same since the advent of Part
11—all electronic records in support of regulated activities should be accurate
and valid. Anything that calls data integrity into question can potentially lead to
regulatory action.
References
(1,8) 21 CFR Part 11, Electronic Records and Electronic Signatures
(2-4,6-7) Guidance for Industry: Part 11, Electronic Records; Electronic
Signatures Scope and Application
(5) Inspections, Enforcement, Compliance, & Criminal Investigations
About MasterControl
MasterControl Inc. creates software solutions that enable life science and
other regulated companies to deliver life-improving products to more people
sooner. MasterControl’s integrated solutions accelerate ROI and increase
efficiencies by automating and securely managing critical business processes
throughout the entire product lifecycle. More than 1,000 companies worldwide,
ranging in size from five employees to tens of thousands, rely on MasterControl
cloud solutions to automate processes for new product development, clinical,
regulatory, quality management, supplier management, manufacturing and
postmarket surveillance. MasterControl solutions are well-known for being
scalable, easy to implement, easy to validate and easy to use. For more
information, visit www.mastercontrol.com.