21 CFR Part 11

Where Are We Now?

William Goebel

W
hen FDA issued 21 CFR Part 11 in March of 1997,
it was perceived as one of the most significant pieces
of regulation to affect the pharmaceutical indus-
try in many years. The stated purpose of the rule
was to enable the use of technology for recordkeeping activi-
ties while ensuring the reliability, authenticity, integrity, and us-
ability of electronic records. The agency has subsequently re-
iterated its support of the use of scientific and technological
advances in pharmaceutical manufacturing. Unfortunately, the
interpretation of some provisions of Part 11 and the guidance
documents issued since 1997 may have had the opposite effect.
Unlike previous regulations, which were issued with stepped
implementation policies, Part 11 required all systems in use to
become compliant, including so-called legacy systems that pre-
dated the rule. However, a stepped enforcement policy was an-
EYEWIRE

nounced that would give the industry some time to bring sys-
tems into compliance. Rather than provide rigid timetables for
compliance, the agency signaled that users were expected to as-
FDA’s revised guidance on 21 sess affected systems and develop comprehensive remediation
CFR Part 11 offers relief to the plans to achieve full compliance. Following closely on the Y2K
date–format issue, the industry’s approach was to inventory all
regulated industry by providing systems related to regulated activities, perform a detailed analy-
for enforcement discretion and sis of system functions, identify areas of noncompliance, and
suggesting a risk-based then develop and implement remediation plans.
approach to compliance. In February 2003, FDA announced the withdrawal of previ-
ous draft Guidance for Industry documents as well as its Com-
pliance Policy Guide 7153.17 and issued a single draft Guid-
ance for Industry for Part 11. At the same time, the agency
announced that a reexamination of Part 11 would occur and
that changes to Part 11 may result. On 4 September 2003, the
final Guidance for Industry was issued with few changes from
the draft issued in February. In revising its guidance, FDA has
indicated that it intends to exercise discretion in enforcing some
requirements of Part 11 while it reexamines the regulation and,
most notably, that it expects industry to take a risk-based ap-
proach to compliance. This represents a dramatic shift in regu-
latory policy and has a direct effect on current regulatory com-
pliance activities across the industry.
The September 2003 Guidance for Industry makes two sig-
nificant changes in enforcement policy. First, Part 11 will be in-
William Goebel is a director of quality at
terpreted more narrowly, clarifying that fewer records will be
CimQuest Inc., 35 E. Uwchlan Ave., Suite considered subject to Part 11. Second, discretion in enforce-
330, Exton, PA 19341, tel. 610.363.0422, ment will be exercised with regard to requirements for valida-
www.cimquest.com, goebel@cimquest.com. tion, audit trails, record retention and record copying, and the
application of all Part 11 provisions to legacy systems.
8 Pharmaceutical Technology IT INNOVATIONS 2003 www.phar mtech.com
 The underlying premise is that predicate rule requirements
still apply, and FDA clearly stated that it will enforce predicate
rule requirements for records that are subject to Part 11. Thus,
there will be no relief from compliance with predicate rules. In
fact, the new guidance contains 27 references to predicate rules.
Regulated companies still must demonstrate acceptance of and
compliance to predicate rules. Although Part 11 is not the dri-
ving force, computer systems used in regulated activities must
still be validated. Regulated companies should also be able to
demonstrate the reliability, authenticity, integrity, and usabil-
ity of records generated by these systems.
Narrowed scope of Part 11
The narrowed scope of Part 11 means that fewer records will be
considered subject to Part 11, which is good news for the regu-
lated industry. Regulated companies can now determine which
records are important and critical to their operations and im-
plement an appropriate level of control. There is a tradeoff, how-
ever, in that determining which records are critical entails a for-
mal and documented risk analysis and justification, along with
procedures that define how these records will be used. Further-
more, any records that are submitted to FDA in an electronic
format are subject to Part 11 even though the records are not
specifically covered by regulation. In other words, the fact that
an electronic record is submitted makes it subject to the rule.
The guidance states that the incidental use of computer sys-
tems to generate paper records will not be considered within the
scope of Part 11 as long as the paper records meet all require-
ments of the predicate rule and are the documents that are re-
lied on to perform regulated activities. For example, computer
systems used to generate procedures for regulated activities need
not be compliant as long as the paper versions are reviewed, ap-
proved, issued, and used. The revised guidance also states that
records and any associated signatures that are not required to
be retained by predicate rules are not Part 11 records simply be-
cause they happen to be in electronic format. On the other hand,
the guidance is clear that records required by predicate rules that
are maintained in electronic format are subject to Part 11.
FDA’s Compliance Policy Guide 7153.17, which was also with-
drawn, provided an example of a regulatory citation for vio-
lating device quality system regulations wherein engineering
drawings for manufacturing equipment and devices were stored
in AutoCAD on a desktop computer. The storage device (i.e., a
desktop computer) was not protected from unauthorized ac-
cess and modification of the drawings. Under the current pol-
icy, this may not be considered a violation if the computer is
used only as a drawing tool and paper versions of the drawings
are used for all regulated activities. Users who adopt this prac-
tice should exercise caution, however, if using an uncontrolled
system to maintain base-line versions for updates. This means
that every time a drawing is revised, the entire drawing must
be reviewed against the previous paper version, not just the
highlighted changes.
Regulated companies are strongly recommended to docu-
ment, in advance, whether they plan to rely on the paper or elec-
tronic record to perform regulated activities and how they in-
tend to maintain the required records. These decisions should
10 Pharmaceutical Technology IT INNOVATIONS 2003
be based on good business practices, and the justification for
the decision or risk analysis also should be documented.
Enforcement discretion
For now, it appears that the validation, audit trail, record re-
tention, and record copying requirements of Part 11 will be en-
forced in a discretionary manner. Except for legacy systems, the
provisions concerning controls for closed and open systems and
the requirements related to electronic signatures will still be en-
forced. For systems that “otherwise met predicate rule require-
ments before 20 August 1997,” FDA will not enforce any Part
11 requirements. The qualifying factor is that all systems “must
comply with all applicable predicate rule requirements and
should be fit for their intended use.” The following sections ex-
amine the application of enforcement discretion to the Part 11
requirements of validation, audit trails, legacy systems, record
retention, and record copying.
Validation. The agency will exercise enforcement discretion
regarding the Part 11 requirement to validate systems; however,
users must still comply with all applicable predicate rule re-
quirements for validation. Since Part 11 became effective, many
companies in the industry believed that it would be used as an
enforcement tool by the agency to drive validation of computer
systems. Although the guidance clarifies that Part 11 is not in-
tended to impose additional requirements for validation, predi-
cate rules require that systems be fit for intended use (validated)
and that there be documented evidence to that effect. For ex-
ample, 21 CFR Part 211.68 (b) requires appropriate controls,
including input–output verification with the frequency of the
verification based on the complexity and reliability of the sys-
tem. Part 211.68 (b) also requires a written record of the pro-
gram along with appropriate validation data. Because many
legacy systems in use today are commercial-off-the-shelf (COTS)
products and a source code is not available, validation docu-
ments provide the required written record. What FDA seems
to be saying is that, although it will not use Part 11 to drive vali-
dation or the extent of validation, it will expect to see a docu-
mented risk assessment that justifies the decision to validate
and the extent of validation testing and documentation.
FDA suggests that the decision to validate systems and the
extent of validation should be based on predicate rule require-
ments to ensure the accuracy and reliability of the records con-
tained in or generated by the system. The agency recommends
that regulated companies base their approach on a justified and
documented risk assessment that determines the potential of
the system to affect product quality and safety and record in-
tegrity. Even if a specific predicate rule requirement does not
exist, validating a system may still be important. Successful com-
panies will accomplish this through a solid validation model
that provides a documented approach of the decision and the
validation process.
Audit trail. Although enforcement discretion will be applied
to the requirements for computer-generated, time-stamped
audit trails, it does not mean that audit trails are no longer re-
quired. Predicate rule requirements related to the documenta-
tion of date, time, and sequence of events still apply. If an elec-
tronic record is used to document a critical sequence of events
www.phar mtech.com
and that record is subject to change, a computer-generated,
time-stamped audit trail may be required. Along with predi-
cate rule requirements, FDA indicated that audit trails may be
important to ensure the trustworthiness and reliability of
records. Again, deciding whether to apply audit trails should be
based on a documented risk assessment.
Legacy systems. The current guidance appears to grandfather
in legacy systems; however, it does not exempt them from predi-
cate rule requirements. The agency has stated that it will not
typically take regulatory action on systems that were opera-
tional before 20 August 1997 unless the system or related down-
stream processes pose a risk to public safety or health. If a de-
cision is made to eliminate a legacy system from current Part
11 assessment and remediation efforts, predicate rule require-
ments should be researched thoroughly. Documentation that
demonstrates if the system is fit for its intended use should still
be available, which usually means that the system has been vali-
dated. The final guidance further states that “if a system has
been changed since 20 August 1997, and if the changes would
prevent the system from meeting predicate rule requirements,
Part 11 controls should be applied to Part 11 records and sig-
natures pursuant to the enforcement policy.” It appears that
FDA is indicating that changes to legacy systems may negate
the grandfather provision. At any rate, companies should exer-
cise caution because any change that prevents a system from
meeting predicate rule requirements will place the operator out
of compliance, which should be avoided or promptly corrected.
In addition, a documented risk assessment should be performed
to determine the potential effect on safety and health.
Copies. Enforcement discretion will provide some relief to
companies in the way that copies may not have to be in both
human-readable and electronic format, provided that an FDA
investigator has reasonable and useful access to records during
an inspection. The agency recommends that companies pro-
vide copies of electronic records in a portable format (PDF,
XML, or SGML). If the records are not already maintained in
this format, they should be converted to a portable format using
established methods.
The revised guidance only requires systems to have the ca-
pability to produce copies of records in human-readable for-
mat. When systems have search, sort, or trend capabilities, copies
of records given to FDA should provide the same capabilities,
if reasonable and technically feasible. The question here is how
the agency will define reasonable and technically feasible. For
example, documents provided in a PDF format could incor-
porate bookmark capabilities that allow the user to search the
document; however, documents extracted from database ap-
plications may not include all the original functionality once
extracted. FDA recommends that “the records themselves and
any copies of the required records preserve their content and
meaning.” Typically, the use of the word recommend indicates
that an alternative is acceptable, provided that the alternative is
equivalent and justified. The key is that the copying process
must preserve the critical content and meaning of the record.
For example, if an electronic record contains metadata that is
essential to the content and meaning of the record, then an al-
ternative record format such as PDF may not be acceptable. The
agency clearly expects to have site access to all records by using
established procedures and techniques. Regulated companies
should have procedures in place for providing access to elec-
tronic records and making copies.
Record retention. It appears that FDA intends to allow in-
creased flexibility in how records are maintained on the basis
of predicate rule requirements, which will permit users to more
easily retire systems when they are no longer useful. Previous
guidance had promoted a rigid process wherein an electronic
record must always be retained in an electronic format with all
the capabilities of the original system. This implied that obso-
lete systems would have to be retained if the electronic records
could not be migrated to new systems without the loss of some
functionality or change in format. The agency appears to have
recognized that advances in technology will make this imprac-
tical over time (does anyone remember the Wang word pro-
cessing system?). The relaxed guidance specifically permits
archiving electronic records to nonelectronic formats such as
microfilm, microfiche, or paper or to standard electronic-file
formats such as PDF, XML, or SGML. The rendering process
must still be controlled to ensure that the content and mean-
ing of records are maintained. A prudent approach would be
to validate the rendering process. For new or updated systems,
users should plan for the eventual retirement or decommis-
sioning of the system to ensure an orderly and efficient transi-
tion of records to an archival format while maintaining data
integrity.
In addition to meeting predicate rule requirements, FDA
suggests that deciding how to maintain records should be based
on a justified and documented risk assessment and a determi-
nation of the value of the records over time. This evaluation
should take into account business processes when determin-
ing how the record is being used. The agency provides some
helpful advice by suggesting that, for required records, users
determine in advance whether to rely on the paper or the elec-
tronic version of the document and that users document such
decisions.
Risk assessment
A common thread throughout the revised guidance is risk as-
sessment. This is underscored by reference to FDA’s “Pharma-
ceutical CGMPs for the 21st Century: A Risk-Based Approach,”
in which FDA announced its intent to focus more attention on
areas where risk to public health and safety are greatest. Risk
assessment is a required element of compliance for medical de-
vice manufacturers; however, it may be a relatively new approach
to compliance for pharmaceutical manufacturers. In the areas
of information technology and electronic records, companies
should identify the records that are most important to product
quality and safety and apply commensurate levels of control.
Throughout the revised guidance, FDA indicates that users
are expected to perform and document risk assessments to jus-
tify decisions. The National Institute of Standards and Tech-
nology’s Special Publication SP800-30: Risk Management Guide
for Information Technology Systems was included in the Febru-
ary draft but removed from the final guidance. The final guid-
ance references ISO/IEC 17799:2000, Code of Practice for In-
Pharmaceutical Technology IT INNOVATIONS 2003 11
formation Security Management; ISO 14971:2002, Application
of Risk Management to Medical Devices; and The Good Auto-
mated Manufacturing Practice (GAMP) Guide for Validation of
Automated Systems. Although none of these documents pro-
vides a detailed process for risk assessment specific to electronic
records and signatures, they should be consulted when devel-
oping a risk management process. FDA is demonstrating an
expectation that information technology will be controlled
through formal practices in a manner that is consistent with its
importance to product quality and consumer safety.
Recommendations
The revised guidance appears to provide significant latitude by
exercising enforcement discretion on the basis of risk. Rather
than eliminating requirements, the agency expects users to en-
sure that electronic records are secure and reliable. These goals
are not in opposition to good business practice; they are com-
plementary. Part 11 compliance activities should focus on records
and the relative importance of those records to product qual-
ity and safety rather than on the systems that produce those
records. Risk assessment capabilities, processes, and practices
must be developed and implemented in a consistent manner
across the enterprise so that practices for creating and handling
electronic records are consistent with the relative risks.
Regulated companies are encouraged to continue their ef-
forts to be compliant by incorporating the new guidance into
12 Pharmaceutical Technology IT INNOVATIONS 2003
their remediation planning and execution. Considering the cur-
rent guidance, the following steps are suggested:
● Use formal risk assessment processes to identify systems that
should comply fully with Part 11 provisions and those of low
risk to public safety and health to which enforcement discre-
tion would apply. When a gap analysis or assessment has al-
ready been performed, apply risk assessment to identify low-
risk systems that could be removed from the remediation list.
● Identify records that are used for regulated activities and en-
sure that the records that are critical to product quality meet
the applicable requirements. Decide in advance to maintain
records in electronic or paper format and document the de-
cisions in SOPs or specifications.
● Use formal risk assessment processes to determine the level
of validation testing and documentation required for systems
and document the justification for not validating systems or
for reducing the scope of validation.
● Continue gap analysis and compliance assessments of legacy
systems to ensure that they are validated and that change con-
trol processes are in place and being followed.
The changes in the interpretation and enforcement of Part
11 may appear to lessen regulatory exposure; however, regu-
lated companies should not be lulled into a false sense of secu-
rity. The reality is that Part 11 is still a regulation that will be
enforced, and regulated companies should continue imple-
menting their Part 11 initiatives. PT
www.phar mtech.com