About 21 CFR Part 11 Electronic Records; Electronic Signatures

The pharmaceutical, biotech, and medical device industries have become dependent on computerized systems for every aspect of a drug's lifecycle.  Clinical trials are managed using software; New Drug Applications are submitted to the FDA electronically; laboratory assays on a drug's efficacy are performed using computerized instrumentation; and critical parameters in the drug's manufacturing process such as temperature and pH are controlled using automated systems.  Labeling, adverse reaction reporting, consumer complaints, and pharmacy controls also depend on various computer systems working perfectly.  All these systems now fall under the jurisdiction of 21 CFR Part 11.

History of 21 CFR Part 11

The FDA has required pharmaceutical, biotech, and medical device companies to validate their computerized systems since the mid-1980's under various current good manufacturing practice ("cGMP") regulations.  The validation of computerized systems in FDA regulated industries has been evolving ever since.  However, technology was outgrowing the existing regulations. These regulations could not accommodate paperless record systems.  The old regulations kept industry from realizing the advances in efficiency, accuracy, and productivity that new technologies were allowing.  In 1991, members of the pharmaceutical industry met with the agency to determine how they could accommodate paperless record systems.  The ultimate result of this action was 21 CFR Part 11 ("Part 11"), which became effective on August 20, 1997.   

To date 21 CFR Part 11 has been in effect for nearly four years.  There was an official grace period of five months, and there are no grandfather provisions in the regulation.   The current regulatory environment is one of ever broadening interpretation of federal law and harsher penalties by the FDA.  On November 2, 1999, Abbott Laboratories announced it had reached an agreement with the FDA to enter into a consent decree.  Under the terms of the consent decree, Abbott Laboratories agreed to a $100 million payment to the U.S. Government.  This record FDA penalty seems to have signaled the start of increased regulatory pressure being applied by the FDA to the pharmaceutical industry.  Since the record Abbott fine, Schering-Plough, Eli Lilly, and Pharmacia & Upjohn have all recently been issued harsh warnings by the FDA. 

21 CFR Part 11 Policy

During her talk at the Good Automated Manufacturing Practice ("GAMP") Americas Forum on March 22, 2001 in Philadelphia, Regina Brown, an inspector from the New Jersey District Office, indicated that the FDA expected that industry take notice of these high profile warnings.  This means that deficiencies listed in a warning issued to Pharmacia should be noted and remedied at Abbott as well.  Ms. Brown stated that the FDA is taking a very dim view of companies that are waiting for a FDA warning to implement a Part 11 strategy.  It is quite clear that any company in the pharmaceutical, biotech, or medical device industry must have a Part 11 strategy in place and remediation underway.  It is also apparent that in the not too distant future merely having a strategy will not be sufficient and that 100% compliance with Part 11 will be required. 

Compliance with Part 11 requires that an organization have a fully functioning quality assurance infrastructure in place.  It is not possible for computer hardware and software to be compliant out-of-the-box.  This is because automated systems must fit into an organization as part of a larger quality system, which entails much more than just the code itself.  The most important element of Part 11 compliance is a firm's written policy on Part 11.  A firm's written policy on Part 11 is the cornerstone of, and will set the tone for, Part 11 compliance.  The policy will dictate which systems will need to be Part 11 compliant and how the validation of these systems will take place.  No two FDA regulated companies do exactly the same thing in the way.  There is no indication this will be any different for implementation of Part 11.  Each company will need to integrate solutions into its existing quality assurance infrastructure.  The only common themes from company to company should be sound, logical policy based upon the best available science and implemented using the best available technology.

Current Interpretation and Enforcement

The following are excerpts from FDA warning letters highlighted by an FDA official at a recent industry event.  A FDA 483 is a form filled out at the end of an inspection to document any observations and is the basis for any further actions deemed necessary by the FDA. 

Warning Letter 

Inadequate oversight by the Quality Control Unit …  QC Unit failed to ensure that adequate procedures were in place to define and control computerized production operations, failure investigations, equipment qualifications, and laboratory operations. 

Computer System FDA 483 

There are no records to document that the Information Technology (IT) service provider staff personnel have received training that includes cGMP regulations and procedures. 

Laboratory Computer System FDA 483 

The effect of HW & SW system upgrades and configuration changes on performance was never assessed and the changes were not a part of the change control system at this firm. 

Laboratory Computer System FDA 483 

Analysts and the Sys. Admin. had access to change SW functions with no audit trail; changes to a file as read-only or read & write, data file deletion, data modification, data overwrite and file name changes.  The PC menu screen allowed access to all files on the server and the capacity to rename and replace data record files.

These warning letters and 483's are examples of how the FDA enforces the law.  All of these warnings directly refer to portions of Part 11 requirements discussed in this paper.  These warnings illustrate that firms need to have a Part 11 plan in place and remediation underway.  Organizations need to have a substantial answer to an FDA request to "…please outline your firm's global corrective action plan".  Failure to have an action plan places an organization in a very awkward starting position with the FDA.  The warnings highlight the fact that firms must have policies and procedures in place to govern all aspects of computerized systems that manipulate cGMP data.  Part 11 is even more stringent on training documentation than the original cGMPs.  Do not try to circumvent this requirement by outsourcing; anyone working on the firm's systems will have to be trained.  Warning letters from the FDA typically end with statements such as, "You should take prompt action to correct these deviations.  Failure to promptly correct these deviations may result in regulatory action without further notice.  These include seizure and/or injunction." 

Conclusions

Ensuring that critical data is always accurate and available takes dedicated effort, along with good planning and follow-up.  The FDA in issuing 21 CFR Part 11, codifies the steps required to reasonably assure quality electronic data when reporting to the agency.  The recent spate of high profile software failures such as the Mars Polar Lander or the recall of Intel's 1.13 GHz Pentium III Chip, underscores how society takes computer reliability for granted.  It also highlights the need to be ever vigilant, as the complexity of computer systems grows exponentially larger.  It will take the diligent efforts of government, industry and software manufacturers to produce systems that will successfully comply with Part 11, thereby furthering the FDA's mandate to promote and protect the public health and ensure the highest possible standard of healthcare. 

*******

This article is provided by Automated Systems, Inc. (ASI) and re-published with their permission.  ASI is a system integrator serving the pharmaceutical, biotech, and medical device industries by providing systems engineering for facilities, equipment, and processes.  For more information about Automated Systems, Inc., 21 CFR Part 11 solutions, or any of their services, please visit their website at http://www.automatedsys.com.