White Paper

21 CFR Part 11 —
Are You Ready for
an FDA Inspection?
 White Paper

When the U.S. Food and Drug Administration (FDA) issued 21 CFR Part 11 in
1997,1 the internet existed but it was not as ubiquitous as it is today. Google
wasn’t around yet. Life science companies submitted documents to the FDA by
the truckload because paper records were the norm.

In many ways, Part 11 was an acknowledgement of the inevitable movement

toward the use of electronic systems in compliance. The regulation established
the criteria for the use of electronic records and electronic signatures by
organizations that comply with the Food, Drug, and Cosmetic Act and the Public
Health Service Act. It applies to all FDA-regulated companies.

Part 11 has been scrutinized and criticized over the years, but it remains in
effect today. Given the pervasive automation of processes and digitization of
data today, the regulation is more relevant than ever.

What Part 11 Means

The FDA released a guidance in 2001 to explain Part 11’s application, but it
was eventually withdrawn. The agency issued another document in 2003 titled
“Guidance for Industry: Part 11, Electronic Records; Electronic Signatures—
Scope and Application.” To this day it remains the key to the FDA’s thinking
about the use of electronic systems in compliance.2

Part 11 does not mandate the use of electronic systems. Rather, it specifies the
requirements for companies that choose to use computerized systems in their
compliance efforts. “When persons choose to use electronic records in place of
paper format, Part 11 would apply,” according to the 2003 guidance.3

The importance of Part 11 is directly tied to compliance with predicate rules

such as the Current Good Manufacturing Practice (CGMP), Good Laboratory
Practice (GLP), and Good Clinical Practice (GCP) regulations.

The FDA guidance provides: “Persons must comply with applicable predicate
rules, and records that are required to be maintained or submitted must remain
secure and reliable in accordance with predicate rules.”4

Part 11 is meant to allow the use of electronic records as much as possible and
at the same time safeguard the integrity of data and systems and the validity
(or nonrepudiation) of electronic signatures. For the FDA, data integrity is a vital
part of ensuring the safety of medical products.

How to Comply with Part 11

Electronic records generated to comply with predicate rules are subject to Part
11. For those records, the FDA will exercise “enforcement discretion” in these
areas: validation, audit trails, record retention, and record copying.

The agency does not grandfather legacy systems (meaning systems that were
operational before Part 11 took effect on Aug. 20, 1997). Companies that still
use legacy systems are responsible for taking the necessary steps to make
those old systems fully compliant.5

21 CFR Part 11 — Are You Ready for an FDA Inspection? 1

 White Paper

4 Areas of Compliance
To avoid overdoing Part 11 application, the agency recommends using risk
assessment in the following areas highlighted in the 2003 guidance. Risk
assessment refers to “a determination of the potential effect of a system on
product quality and safety.”

#1 Validation: The most common question people ask is, which computer
systems need to be validated under Part 11? The regulation applies to “records
in electronic form that are created, modified, maintained, archived, retrieved, or
transmitted, under any records requirements set forth in agency regulations.”6

For example, a computer system used by a pharmaceutical company’s

accounting department to generate the payroll doesn’t need to be validated
because it has no impact on the quality of the allergy pill the company
manufactures.

However, a software system used by the company for maintaining clinical trial
documents that constitute the Trial Master File (TMF) needs to be validated.
The TMF has direct bearing on the quality of the company’s product because
it will show any serious adverse events during the clinical trial, whether GCP
requirements were fulfilled, and patient rights protected, among other things.

For every electronic system that requires validation, a company must be able
to demonstrate that the system consistently performs as it is intended to do. It
must meet company requirements for each purpose for which it’s used.

An FDA investigator is likely to ask for a list of users and functional and design
requirements and how the system meets those requirements. “If it isn’t
documented, it didn’t happen” is the common thinking within the FDA.

Installation qualification (IQ), operational qualification (OQ), and performance

qualification (PQ) are the most common methodologies, whether it is the initial
validation or after an upgrade of the software system. IQ and PQ must be
validated at the location the software is being used. It is necessary to conduct
PQ for critical business processes and other processes that impact product
quality and safety.

#2 Audit Trail: The use of electronic records has grown exponentially since
Part 11 was issued, making the audit trail more crucial today. The FDA
guidance says, “Even if there are no predicate rule requirements to document,
for example, date, time, or sequence of events in a particular instance, it may
nonetheless be important to have audit trails, or other physical, logical, or
procedural security measures in place to ensure trustworthiness and reliability
of the records.”7

The audit trail can help reveal data tampering or fabrication of results. It is
particularly appropriate for users who create, modify, or delete regulated
records.

21 CFR Part 11 — Are You Ready for an FDA Inspection? 2

 White Paper

#3 Copies of Records: Part 11 requires that electronic systems should be able

“to generate accurate and complete copies of records in both human readable
and electronic form for inspection, review, and copying by the agency.”8

The FDA guidance specifies that during inspection, a company should provide
the FDA investigator with reasonable access to records. It should allow
inspection, review, and copying of records using company hardware at the site
and following established procedures for accessing records.

#4 Record Retention: How long should a company keep regulated records?

The FDA guidance recommends maintaining records based on predicate rule
requirements and on a justified risk assessment of the value of the records over
time. Any record retention and copying process should be able to preserve the
content and meaning of the records.

When it comes to signatures, electronic and handwritten signatures can co-

exist in “hybrid” situations as long as predicate rule requirements are met. An
example of hybrid situation is when a company uses handwritten signatures to
execute electronic records.

In the Forefront of Part 11

MasterControl closely followed the development of 21 CFR Part 11, its
subsequent release in 1997, and its enforcement over the years. In 1998,
MasterControl was among the first to release a software solution specially
designed to comply with Part 11.

Since then, it has helped hundreds of FDA-regulated companies comply with

Part 11 requirements through solutions that provide document control, change
control, a time-stamped audit trail, and reporting and electronic-signature
capabilities. MasterControl supports customers in their validation efforts
through an array of validation products and services.

MasterControl’s Principles of Validation

MasterControl recognizes that validation is a crucial component of Part
11 compliance. Drawing on FDA regulations and the Good Automated
Manufacturing Process (GAMP) framework, MasterControl has developed a
validation approach based on the following principles.9

1. Implement a robust change control process.

2. Incorporate validation as part of change control, rather than its own
activity or process.

3. Practice risk-based testing through effective risk assessments.

4. Leverage the vendor’s test efforts and documentation.

5. Perform the remaining testing based on impact to critical business
processes (CBP).

MasterControl’s approach has helped many customers reduce the time and
effort in their own validation efforts. With the fourth principle in particular,
organizations can avoid duplication of efforts by taking advantage of

21 CFR Part 11 — Are You Ready for an FDA Inspection? 3

 White Paper

MasterControl’s validation documentation. MasterControl conducts extensive

testing as part of its software development lifecycle, including unit testing,
manual functional testing, regression testing, defect and enhancement
verification, and scalability testing. It generates validation and support
documentation of IQ and OQ in the form of an automated transfer OQ (ATOQ).

MasterControl products and services simplify and speed up the validation

process for companies that use its software.10 Its Validation Toolkit provides
procedure templates that customers can adopt. MasterControl offers IQ
protocols that are automatically completed for a customer’s approval upon
software installation or upgrade. Its state-of-the-art ATOQ product has made
the traditional use of manual OQ validation unnecessary. The ATOQ provides
additional benefits over a manual execution, including cleaner documentation,
fewer user errors, inline screenshots and execution notes, and a full video
recording of each execution.

MasterControl Spark, hosted quality management system for organizations

with fewer than 50 employees, includes transfer PQ (TPQ) documentation so
Spark customers need not execute PQ at all.

The company’s experienced Validation Services and Solutions team works

closely with customers through a spectrum of services: validation training
course, validation planning, TOQ implementation review, custom protocol
development, and GxP documentation services.

Inspection Readiness
To maintain constant inspection readiness, a company should begin by
evaluating all areas impacted by Part 11. Assemble a team consisting of
members from quality assurance, operations, information technology,
regulatory affairs, and compliance to conduct the evaluation. Once all core
processes and systems are identified, they should be examined and prioritized.

In preparing for inspection, a company should not lose sight of the spirit of 21
CFR Part 11. The FDA’s concern remains the same since the advent of Part
11—all electronic records in support of regulated activities should be accurate
and valid. Anything that calls data integrity into question can potentially lead to
regulatory action.

Companies should view the FDA recommendations in its guidance not

as a regulatory hurdle but as an opportunity to improve the security and
accountability in document-based and record-generating processes. They
should aim to maintain documentation that can stand up to scrutiny not only
during inspection, but throughout the retention period.

References
(1,8) 21 CFR Part 11, Electronic Records and Electronic Signatures
(2-4,6-7) Guidance for Industry: Part 11, Electronic Records; Electronic
Signatures Scope and Application
(5) Inspections, Enforcement, Compliance, & Criminal Investigations

21 CFR Part 11 — Are You Ready for an FDA Inspection? 4

 White Paper

(9) Learn more about MasterControl Validation Strategy and Advantages.

(10) Learn more about MasterControl’s validation products and services.

About MasterControl
MasterControl Inc. creates software solutions that enable life science and
other regulated companies to deliver life-improving products to more people
sooner. MasterControl’s integrated solutions accelerate ROI and increase
efficiencies by automating and securely managing critical business processes
throughout the entire product lifecycle. More than 1,000 companies worldwide,
ranging in size from five employees to tens of thousands, rely on MasterControl
cloud solutions to automate processes for new product development, clinical,
regulatory, quality management, supplier management, manufacturing and
postmarket surveillance. MasterControl solutions are well-known for being
scalable, easy to implement, easy to validate and easy to use. For more
information, visit www.mastercontrol.com.

© 2019 MasterControl Inc. All rights reserved.

WPXXXXUSENA4-01/19

21 CFR Part 11 — Are You Ready for an FDA Inspection? 5