The Impact of FDA’s Part 11

Draft Guidance:
Scope and Applications

February 26, 2003

1
Overview

• History of part 11 and guidance documents

• Industry problems with part 11
• New scope of part 11
• Detailed comparison between old and new guidances
• Impact on validation, audit trail, archiving
• Impact on ‘legacy’ systems
• Recommendations

2
 21 CFR Part 11 - History
• 1992 - Advanced notice of Proposed Rule
Making (ANPR)
• 1994 - Proposed Rule
• 1994 - 1997 Industry responses
• 1997 - Final rule, Effective date: August 20
• 1999 - FDA insp.reports and warning letters
• 2001-2003 Five Draft guidance documents
• Feb 20, 2003 New Draft Guidance

3
FDA Part 11 Guidance Documents
Withdrawn
• Compliance policy guide 7153.17 (1999)
www.fda.gov/ora/compliance_ref/cpg/cpggenl/cpg160-850.htm
• Validation industry guidance (draft, 2001)
• Glossary industry guidance (draft, 2001)
• Time stamps (draft, 2002)
• E-records management (draft, 2002)
• E-copies
New on Feb 20, 2003
• Scope and applications

All guidances are still available from the Labcompliance website

http://www.labcompliance.com/conferences/s991.htm

4
What Happened?
• On February 4, 2003, the FDA did withdraw the draft
Guidance: E-copies of E-records.
• Reason: The guidance does no longer represent FDA’s
approach under the CGMP initiative
• On February 20, 2003, the FDA published a new
guidance on “Scope and Applications” and did withdraw
all other guidances
• The Guidance states that the FDA may re-examine part
11 as part of FDA’s new initiative to go for risk based
inspections

5
Part 11 and Industry Problems
• Scope not clear or too broad (all computer generated material
as required by predicate rule)
• Software for e-audit trail not available, especially for
manufacturing systems
• Biggest problem: long term archiving and reprocessing of
data not technologically feasible (up to 10+ years, high cost)
• High cost and long time to bring legacy systems into
compliance
• Some industry did overreact, e.g., hold back new technology

6
FDA Part 11 Draft Guidance for Industry

• Released on February 2003

• The only guidance available from the FDA
• For comments until April 30
• In line with CGMP Initiative
Scope and Applications • Narrows scope
• Some enforcement on hold
• Enforcement of GMP requirement
continues
• Implementation should be based on
documented risk assessment
- e.g, validation, audit trail, archiving
Download from
http://www.labcompliance.com/conferences/s991.htm

7
 What Did Change?
Before Feb 20, 2003
• Wide scope (all documents as required by predicate rule and generated
by computer)
• FDA expects active implementation plan based on documented risk
assessment (industry has developed guidance, e.g. GAMP)
• Enforcement of deviations based on impact on product quality
After Feb 20, 2003
• Narrow scope
• Implementation defined by company in documented risk analysis
• ‘Risk’ depends on product quality and data integrity

8
Enforcement
During part 11 Re-examination Period

On hold
• Part 11 specific requirements, e.g., e-audit trail,
validation, record maintenance, e-copies
• Legacy systems (installed before August 20, 1997)
Ongoing
• FDA will enforce predicate rule requirements for
records that are subject to Part 11. (Validation is one of
them)
• Security, data integrity, accountability

9
Enforcement - Examples
During part 11 Re-examination Period

• Limiting system access to authorized individuals

• Use of operational system checks
• Use of authority checks
• Use of device checks
• Determination that persons who develop, maintain, or use
electronic systems have the education, training, and experience
to perform their assigned tasks;
• Accountability for signatures
• Requirements related to electronic signatures

Most requirements not affected by new guidance !!!

10
Records Under the New Scope

1. Records that must be maintained by the underlying predicate

rules and are in electronic format in place of paper
2. Records that are required to be maintained by underlying
rules, are maintained in electronic format in addition to paper,
and are relied on to perform regulated activities
3. Records under the underlying rules submitted to the FDA in
electronic format, even if the records are not specifically
identified in agency regulations
4. E-signatures that are intended to be the equivalent of
handwritten signatures, initials and other signings required by
the core rules
Most critical
CDS=Chromatographic Data Systems
Typical situation for CDS
11
 Records Not Under the New Scope

1. Records – and any associated signatures – not required

by the core rules are not subject to Part 11 even if they
are in electronic format.
2. When persons use computers to generate paper
printouts of electronic records, those paper records
meet all the requirements of the applicable predicate
rules, and persons rely on the paper records to perform
their regulated activities, the merely incidental use of
computers in those instances would not trigger Part 11.
Example: Word processors for SOPs

12
 Part 11 and Paper Copies

• For example, if a record is required to be maintained by

a predicate rule and you use a computer to generate a
paper printout of the electronic records, but you
nonetheless rely on the electronic record to perform
regulated activities, the Agency may consider you to be
using the electronic record instead of the paper record.
• That is, the Agency may take your business practices
into account in determining whether Part 11applies.

Most critical: Typical situation for CDS

Should Retain E-records
13
Validation

• Even if there is no predicate rule requirement to validate a

system in a particular instance, it may nonetheless be
important to validate the system to ensure the accuracy and
reliability of the Part 11 records contained in the system.
• We suggest that your decision to validate such systems, and
the extent of validation, be based on predicate rule
requirements to ensure the accuracy and reliability of the
records contained in the system.

Computer systems with impact on product quality should

be validated
14
 Validation
• We recommend that you base your approach on a justified and
documented risk assessment and a determination of the
potential of the system to affect product quality and safety and
record integrity.
• For instance, a word processor used only to generate SOPs
would most likely not need to be validated.

“When you determine the appropriate extent of system

validation, the factors you should consider include:
• The risk that the system poses to product safety, and quality
efficacy
• The risk that the system poses to data integrity, authenticity,
and confidentiality
Ref: Old validation guidance: Par 5.6

15
Audit Trail

• We recommend that your decision on whether to apply audit trails,

or other appropriate measures, be based on the need to comply with
predicate rule requirements, a justified and documented risk
assessment, and a determination of the potential impact on product
quality and safety and record integrity.
• Audit trails are particularly important where the users are expected
to create, modify, or delete regulated records during normal
operation.

Audit trail is required by some predicate rules

16
 Impact on Product Quality is Key

• Decision on whether to apply audit trails depends on

your determination of the potential impact on product
quality and safety and record integrity.

For comparison: Compliance policy guide from 1999

When persons are not fully compliant with Part 11, decisions on whether or not to
pursue regulatory actions will be based on a case by case evaluation, which may
include the following:

• Effect on product quality and data integrity

17
Electronic Copies

• In each case, we recommend that you ensure that the copying

process used produces copies that preserve the content and
meaning of the record.
• If you have the ability to search, sort, or trend Part 11 records,
copies provided to the Agency should provide the same
capability if it is technically feasible.
• You should allow inspection, review, and copying of records in a
human readable form, on your site, using your hardware and
software, following your established procedures and techniques
for accessing those records.

This means in this case we can not delete e-records

18
Record Retention
• We suggest that your decision on how to maintain records be based on
predicate rule requirements and that you base your decision on a justified
and documented risk assessment and a determination of the value of
the records over time.
• FDA normally does not intend to object if you decide to archive required
records in electronic format to non-electronic media such as microfilm,
microfiche, and paper, or to a standard electronic file format, such as PDF.
• Persons must still comply with all predicate rule requirements, and the
records themselves and any copies of the required records should preserve
their content and meaning.

Record retention with re-processing capability

For 2-5 years provide value, not for 5+ years
19
Recommendations for Records
Archiving
• Develop, implement and document an archiving strategy
• Look at your business practices. If you archive records in e-
form for business reasons, you also should make them available
during inspections
• If the computer is used for evaluation of data, especially with
human interaction, ensure prosessability until final guidance is
released. In this case e-records and software for reprocessing
should be maintained in e-form
• If the computer is used to produce final word documents
without a need for later updates, you can either convert into pdf
file or make a print-out and delete the original e-record.

20
Legacy Systems

• The Agency will not normally take regulatory

action to enforce compliance with any part 11
requirements.
• However, all systems must comply with all
applicable predicate rule requirements and should
be fit for their intended use.

21
High Risk Records

Criteria
1. Primary records with direct impact on product quality
2. When operators can influence accuracy of results

Example
• Computer systems for analysis of products, if results are used for batch
releases
• Electronic batch record systems

22
 Low Risk Systems/Records in
Laboratories
Secondary records without direct impact on product quality

Examples
• Environmental monitoring systems
• Instrument qualification/calibration records
• Word processing for operator training records/SOPs/
validation documentation

23
 ISPE=International Society for
ISPE White Paper Pharmaceutical Engineering

Risk-Based Approach to 21 CFR Part 11

• Developed based on request by FDA
• The proposal focuses on six areas:
1. The basic definition of an e-record (*)
2. Copies of e-records (*)
3. Archiving and processability (*)
4. Audit Trails. (*)
5. Hybrid and procedural solutions (*)
6. Application of signatures

(*) Similar areas as covered in the FDA guidance

http://www.ispe.org/02pdf/Pt11WhitePaper.pdf
24
From the ISPE White Paper - Scope
• The focus of effort should be on records that have a high
impact, i.e. those records upon which quality decisions are
based.
• Examples of high impact records are batch records and
laboratory test results.
• Examples of records with low impact include environmental
monitoring records not affecting product quality, training
records, and internal computerized system information such as
setup and configuration parameters.

Reference: White Paper developed by ISPE on request by FDA

http://www.ispe.org/02pdf/Pt11WhitePaper.pdf
25
 Conclusion
• New guidance has very high influence on computer systems
with low impact on product quality
e.g., word processing systems
• Low or no impact on Chromatographic Data Systems with high
impact on product safety/quality
• Requirement for long term reprocessing (>5 years) may go
away
• Users are required to develop risk assessments for about
everything: opportunities for consulting

26
 Recommendations
- if you have your part 11 remediation plan in
place -
• Don’t panic, continue as before
• You may remove some of the ‘low risk’ systems
from the plan
• You may look at your archiving strategy. Look at
your business practices and archive records you may
need later on for re-processing in e-form. Document
your archiving strategy.

27
 Recommendations
- if you no part 11 plan in place -
• Develop a part 11 master plan
• Make a computer system inventory and identify GxP type systems
• Implement requirements not affected by the new guidance (see slide #10 of this
presentation)
• Develop an SOP for risk assessment
• Validate all systems classified as medium or high risk
• Develop and document a strategy to implement and defend an archiving
strategy. Look at your business practices and archive records you may need later
on for re-processing in e-form. Document your archiving strategy.

28