21 CFR Part 11: The New Draft Guidance

Since the introduction of the US Food and Drug Administration (FDA) 21 CFR Part 11 rule on electronic records and electronic signatures in 1997, its subsequent enforcement by FDA and (thanks to existing mutual recognition agreements) its international counterparts has led to a concerted effort within the pharmaceutical industry to

• interpret the rule

• perform Part 11 compliance assessments of current systems

• perform gap analyses

• develop and execute validation and implementation plans for new systems (along with migration/retirement plans for old systems)

• develop new systems to implement the procedural and technical controls mandated by Part 11

Many people were, therefore, somewhat surprised when FDA announced it was to re-examine Part 11 and withdraw its previous draft guidance documents and compliance policy guide (CPG) 7153.17. This was announced in the Federal Register on 4 February1 and was followed by the issuance of a new draft guidance, "Part 11, Electronic Records; Electronic Signatures -- Scope and Application" on 20 February.2

Finding the balance

As discussed in the authors' previous article,3 FDA is re-examining Part 11 in light of the current good manufacturing practice (cGMP) initiative that was announced in August 2002.4 Following the original rule becoming effective, the agency published CPG 7153.17 regarding the 21 CFR Part 11 enforcement policy and a number of draft guidance documents related to validation, glossary of terms, time stamps, and the maintenance of electronic records and electronic copies of electronic records.5–9 The guidance documents have been analysed by the industry, which has raised additional concerns regarding the cost of compliance. Two draft guidance documents, "Maintenance of Electronic Records"7 and "Electronic Copies of Electronic Records,"9 have been heavily criticized because both recommend the processability (instant reply) of records during the entire record retention period. This could be 10 years or more, and the industry's concern is that the required technology is very expensive and not always available.

Table I: Examples of records required by predicate rules.

Part 11 defines a framework, and many practical system and process issues have been identified since the industry began implementing compliance. For example, the Parenteral Drug Association (PDA) formed a Part 11 task force to develop guidelines for good electronic records management (GERM), and the Good Automated Manufacturing Practice (GAMP) Forum formed a special interest group (SIG) to develop a document on how to best implement Part 11.10,12 Some experts agree that it has been difficult to find the correct balance between doing enough and too much: "If there is any doubt regarding whether a specific validation should be performed, the final answer can be obtained only by asking if validation adds any scientific value."11

New requirements

21 CFR Part 11 will still remain; the new draft guidance does not define any additional Part 11 requirements - it simply redirects the focus to aspects critical to product quality and public health, which are mostly governed by the predicate rules. The final guidance (expected some time after the discussion period ended in April) is likely to result in less emphasis on the technically complex and validation-intensive areas of audit trails, time stamps, record retention and record copying, particularly for systems that have been in place before Part 11 became effective (so-called "legacy" systems). FDA is re-emphasizing the requirements for records mandated by the predicate rules and states that fewer records will be considered subject to Part 11. The authors also expect that the most stringent requirement of data processing during the entire retention period will be replaced by a time frame that is based on a company's documented risk assessment and business practices.

Until February 2003, Part 11 interpretations were generally wide and, in some cases, did not differentiate between systems posing a high risk to product quality and safety (such as chromatography data systems [CDS] used for quality assurance/quality control [QA/QC] analysis) and low-risk systems (such as word processors used to generate standard operating procedures [SOPs]). Companies were required to develop, document and implement credible action plans for becoming Part 11 compliant for ALL electronic records created in GxP environments - this one-size-fits-all approach to Part 11 caused most of the controversy and confusion.

A risk-based approach

In August 2002, FDA announced an initiative that would merge science-based risk management with an integrated quality systems approach: "To provide the most effective public health protection, FDA must match its level of effort against the magnitude of risk. Although the agency has been implementing risk-based programmes, a more systematic and rigorous risk-based approach will be developed."4

Table II: Records subject to 21 CFR Part 11.

Before 20 February, in the absence of precise guidance from regulatory agencies on how to conduct assessments, industry forums such as GAMP published numerous guidelines, including one regarding risk assessment (appendix M3 of GAMP4).12 This particular guideline establishes the missing link between process validation and risk management, and proposes a formalized and documented risk assessment process, which identifies and grades GxP risks through risk scenarios; assesses the likelihood and severity of potential failures or deviations; judges the probabilities for detecting the failure; and asks for the definition of appropriate risk mitigation strategies.

One of the key areas documented in appendix M3 is the "determination of whether the system function or subfunction represents a risk when assessed against a series of GxP criteria." This risk-based approach will help the pharmaceutical industry and regulatory agencies to focus resources on the critical issues for public health and consumer safety.

Continued enforcement

The key message of the new draft guidance is that FDA will now interpret the rule with a narrower scope and intends to "exercise enforcement discretion with respect to certain Part 11 requirements" such as "validation, audit trails, record retention and record copying."1 These are areas where an extraordinary amount of effort has been spent trying to manage technical complexity for little return. However, "enforcement discretion" does not mean that technical controls for audit trails or processes and procedures for record retention are no longer required - 21 CFR Part 11 still remains in effect. A company must base its decision whether to implement a certain control or not on a justified and documented risk assessment, along with the consideration of the record required by the corresponding predicate rules.

Table III: Enforcement versus "enforcement discretion" of record requirements according to the new draft guidance.

The new draft guidance emphasizes the importance of the record requirements outlined in the predicate rules, which will continue to be enforced for records subject to Part 11 regulations. Key technical controls for access security; operational system and device checks; open system controls; and electronic signatures are still required, along with appropriate staff training, documentation and change control. Some predicate rules (such as good clinical practice [GCP] and good laboratory practice [GLP]) explicitly require audit trails for traceability of changes, particularly where users are expected to create, modify or delete regulated records during normal operation.

Table I lists examples of records required by the predicate rules, underlining the authors' previous statement that the new guidance has little impact on CDS used in analytical laboratories, which are subject to GxP regulations. Table II highlights the different record categories and summarizes whether they are subject to Part 11 and their subsequent enforcement according to the original GxP regulations. The most important area is the role of established business processes to determine whether an electronic record, kept in addition to a paper record, will be subject to Part 11 requirements. It is, if such a record is relied on to perform regulated activities.

Networked systems, laboratory information management systems (LIMS), CDS and enterprise resource planning (ERP) systems manage critical decision support data and will continue to be in the limelight for GxP enforcement. The trustworthiness and reliability of the data managed by these systems is highly dependent on efficient technical controls that ensure access security, data integrity and traceability.

The new draft guidance stresses that FDA may take business practices into account when determining whether an electronic or paper record should be used. This means that companies need to assess in advance which records are required by the predicate rules and which types of records are used by actual company procedures to perform regulated activites. The business use will determine whether Part 11 will apply or not.

Enforcement discretion

The new draft guidance announces "enforcement discretion" for a number of technical controls mandated by Part 11, acknowledging that the industry is now facing a transition period during which its approach to GxP and Part 11 compliance may have to be revised. Table III summarizes the requirements affected by the new draft guidance, illustrating that the majority of original Part 11 technical controls will continue to be enforced for records that are subject to Part 11.

Table IV: Examples of required technical controls that should be available in compliant systems and resulting user requirements.

Table IV lists the key Part 11 requirements and correlates them to resulting user requirements. The following requirements, however, have not changed:

System access must be limited to authorized personnel and the system must perform authority checks when pertinent. Appropriate technical controls must ensure that security is not breached - in modern pharmaceutical QA/QC systems this is implemented based on the security of the underlying operating system to easily align access control to the CDS with general information technology (IT) practices.

Device checks ensure that critical records are trustworthy and reliable. Level 4 mechanisms (see later)2,13,14 implement this requirement effectively and efficiently.

Operational checks are still required to enforce the permitted sequencing of steps; for example, for reviewing and approving results.

Electronic signature requirements have also not changed. If an organization is using electronic records with electronic signatures according to Part 11, then the technical controls mandated by the rule for electronic signatures in closed or open systems apply, as before 20 February.

Discussions and guidelines for implementing these requirements can be found at www.pda.org and www.ispe.org.

Level 4 instrument control

Would a regulatory agency ask for documented evidence regarding the instrument parameters for acquiring analytical instrument raw data in, for example, a pharmaceutical quality control laboratory for testing finished drug products? The answer is yes because the laboratory relies on its data system to perform regulated activities such as QA/QC. It would be very difficult to prove that a given result was generated according to the defined procedure or monograph without proper documentation of the instrument control parameters used during the analysis.

In this example, managing the metadata electronically (including the instrument control parameters) is important in maintaining trustworthy and reliable results, and reduces the risk of adversely affecting product quality. Level 4 instrument control uses advanced mechanisms that automatically track instrument identification or configuration information, and it is a prerequisite for implementing additional failure warning mechanisms, such as early maintenance feedback (EMF).2,13 The authors believe that Level 4 instrument control is a relevant and important measure for maintaining trustworthy and reliable electronic raw data, metadata and results, according to FDA's cGMP initiative that has now resulted in the new draft guidance.

Conclusion

Even with FDA's recently announced re-examination of 21 CFR Part 11, the focus of enforcement will continue to be on predicate rule requirements for records that are subject to Part 11. Records that fall into this category must be trustworthy and reliable and, therefore, technical controls (for access security, operational system and device checks, open system controls and electronic signatures) are still required along with appropriate staff training, documentation and change control.

Records managed in a network (network data systems [NDS] and CDS), LIMS or ERP will continue to be subject to Part 11 and predicate rules, particularly if they have a high risk potential to product quality. Although its scope has narrowed, 21 CFR Part 11 will remain,14 and the decision whether or not the rule applies will be based on the risk that the records have on product quality and on companies' documented business practices.

References

1. FDA Docket No. 00D-1540, "Withdrawal of Draft Guidance for Industry on Electronic Records; Electronic Signatures, Electronic Copies of Electronic Records,"

www.fda.gov/cber/gdlns/esigcopieswdrl.pdf

2. FDA draft guidance, "Part 11, Electronic Records; Electronic Signatures - Scope and Application," www.fda.gov/cber/gdlns/prt11elect.pdf

3. W. Winter and L. Huber, "Instrument Control in Pharmaceutical Laboratories - Compliance with 21 CFR Part 11 and the New Draft Guidance," in 21 CFR Part 11: Compliance and Beyond (2003) pp 40-45, a supplement to Pharm. Technol. Eur. 15(3), 2003.

4. "Pharmaceutical cGMPs for the 21st Century: A Risk-Based Approach," www.fda.gov/oc/guidance/gmp.html

5. "Guidance for Industry, 21 CFR Part 11; Electronic Records; Electronic Signatures; Glossary of Terms," www.fda.gov/cber/gdlns/esigglos.htm

6. "Guidance for Industry, 21 CFR Part 11; Electronic Records; Electronic Signatures; Validation," www.fda.gov/cber/gdlns/esigvalid.htm

7. "Guidance for Industry, 21 CFR Part 11; Electronic Records; Electronic Signatures Electronic Copies of Electronic Records," www.fda.gov/cber/gdlns/esigcopies.htm

8. "Guidance for Industry, 21 CFR Part 11; Electronic Records; Electronic Signatures Time Stamps," www.fda.gov/cber/gdlns/esigtime.htm

9. "Guidance for Industry, 21 CFR Part 11; Electronic Records; Electronic Signatures Maintenance of Electronic Records," www.fda.gov/cber/gdlns/esigmaint.htm

10. "Good Practice and Compliance for Electronic Records and Signatures, Part 1: Good Electronic Records Management (GERM)," www.ispe.org and www.pda.org

11. L. Huber, Validation of Computerized Analytical and Networked Systems (Interpharm Press, Inc., Englewood, Colorado, USA, 2002).

12. "GAMP 4 Guide for Validation of Automated Systems," December 2001, www.ispe.org

13. "Good Practice and Compliance for Electronic Records and Signatures, Part 2: Complying with 21 CFR Part 11, Electronic Records and Signatures," www.ispe.org and www.pda.org

14. L. Huber and W. Winter, "Implementing 21 CFR Part 11 in Analytical Laboratories, Part 5: The Importance of Instrument Control and Data Acquisition," BioPharm 13(9), 52-56 (2000).

15. W. Winter, "Electronic Records - They're Here to Stay," in Biopharm Europe (2002) pp 29-31, a supplement to Pharm. Technol. Eur. 14(9), 2002.