Established in August 1997, Part 11 of Title 21 of the Code of Federal Regulations—more commonly known as 21 CFR Part 11—applies to records in electronic form that are created, modified, maintained, archived, retrieved or transmitted under any system used to satisfy any U.S. Food and Drug Administration (FDA) regulation. The rule, which applies to all companies regulated by the FDA, requires that the system be able to generate accurate and complete electronic record copies in both electronic and human readable form. The rule also requires various system-level checks, including establishing user access levels and operational sequence checks, and validating the data entering the system, including electronic signatures.
In August 2002, the FDA announced a new initiative to enhance the regulation of pharmaceutical manufacturing and product quality by using a science and risk-based approach to current good manufacturing practices (cGMP). Using the new risk-based approach (which focuses on veterinary and human drugs, including human vaccines), companies would not apply the same level of compliance to all types of processes, records or computer-related systems. Instead, they would perform a risk assessment and identify and record appropriate controls based upon the predicate rule requirements, criticality of the process, and risk to product quality, safety, identity, purity and strength. Under this approach, companies must document user requirements and perform risk analysis to substantiate and define the scope of the evidence necessary to demonstrate that a system is validated for its intended use.
As an outgrowth of this initiative, in February 2003, the FDA announced that it is re-examining Part 11 as it applies to all FDA regulated products and that it may revise provisions of the regulation. In addition, the agency withdrew its previously defined enforcement policy for Part 11 along with published draft guidance documents. In its place, the FDA has developed a new draft guidance document titled, “Part 11, Electronic Signatures—Scope and Application.” The new draft guidance document will have a varying impact on life sciences companies, but overall may affect their total number of records and systems that are subject to 21 CFR Part 11 compliance.
But don’t throw away your compliance manuals just yet. While the FDA currently intends to exercise enforcement discretion regarding certain 21 CFR Part 11 requirements during this re-examination period, companies should note that 21 CFR Part 11 has not been withdrawn. The FDA will continue to enforce compliance to specific provisions of the regulation.
The FDA’s intention to narrow the scope of 21 CFR Part 11 should not be interpreted to mean that systems no longer need validation in general, but only that validation requirements resulting directly from Part 11 will not be enforced. Companies should validate systems to ensure the accuracy and reliability of the records contained in the system using written best practice guidance.
21 CFR Part 11 has been a major milestone for using computerized technology in life sciences industries. FDA’s new guidance document is bridging the gap between current good practices and current industrial capabilities. The new approach will certainly lead to more and better automated systems and improved quality of products for the patients.
To ensure compliance, companies are required to implement a formal 21 CFR Part 11 compliance program. This program needs to include a stepwise methodology for the assessment and remediation of all applicable computerized systems. It should describe the manufacturer’s roadmap to compliance and ensure that corporate policies address all compliance issues.
Combining an understanding of the regulations and an accurate interpretation of the new draft guidance documents with a solid plan of action, industry knowledge, expertise and the right technology will allow life sciences companies to make the leap to compliant systems in a cost-effective and painless manner.
Gerhard Werling, email@example.com, and
Kenneth S. Kovacs, firstname.lastname@example.org
email@example.com is director of regulatory compliance
services, Propack Data—A Rockwell Automation Business. firstname.lastname@example.org is regulatory compliance services manager, Rockwell Automation.