FDA’s New Initiative

Although the U.S. Food and Drug Administration's (FDA, Rockville, MD) 21 CFR Part 11 regulation on electronic records and signatures became law in March 1997, end-users have been slow to comply with it. Users often cite the FDA's need to provide a better interpretation of what it meant to be compliant as the reason for their slowness.

By Dave Harrold May 1, 2003
  • Software and information integration

  • Standards and regulations

  • Data acquisition

  • Information systems

  • Open systems

Highlights of ISPE’s risk-based approach to 21 CFR Part 11

Breaking Down Systems and Sub-systems for HACCP Studies

Recent Control Engineering articles promoting the use of risk-based assessments


In our April 2002 issue, Control Engineering published an article titled, “I’m from the Government and I’m Here to Help You,” outlining how to achieve compliance with the 21 CFR Part 11 regulation on electronic records and electronic signatures and improve business benefits in the process.

In November 2002, the FDA’s response to the call for more detail came in the form of a draft guidance document titled, “Guidance for Industry, 21 CFR Part 11: Electronic Records; Electronic Signatures; Electronic Copies of Electronic Records.”

Then, on February 3, 2003, the FDA sent a shock wave through the industry when it announced the withdrawal of its Part 11 guidance document, leaving some industry analysts and watchdogs to speculate about the demise of the Part 11 regulation.

Alive and well

The reality is, the FDA did nothing to change or affect the 21 CFR Part 11 regulation; it is simply undertaking a new initiative to enhance its entire current Good Manufacturing Practice (cGMP) program, which includes Part 11. This only sounds simple. The truth is many of the FDA’s GMPs haven’t been revised in more than 25 years and thus frequently represent hurdles to users desiring to apply new technologies and innovation.

Under its new initiative, the FDA intends to:

  • Focus resources and regulatory attention on those parts of manufacturing posing the greatest risk to public health;

  • Ensure that the FDA’s work does not impede innovation; and

  • Enhance the consistency of the FDA’s regulatory approach among its various components.

As part of all the changes, primary responsibility for oversight of Part 11 has been shifted to the FDA’s Center for Drug Evaluation and Research (CDER), also in Rockville.

On February 20, 2003, the FDA issued a new draft guidance document for 21 CFR Part 11, making it available for 60 days of public comment.

The new guidance indicates that the FDA intends to re-examine Part 11 and may, as part of its “Pharmaceutical cGMPs for the 21st Century: A Risk-Based Approach” initiative, propose revisions to Part 11. While the FDA re-examines Part 11, it intends to interpret the scope of Part 11 narrowly, and exercise enforcement discretion with respect to specific Part 11 provisions.

Responding to requests from regulated industries to use electronic records, the FDA developed Part 11 to Title 21 of the Code of Federal Regulations to define where and when electronic records and signatures apply.

This means the FDA will not, as part of normal operations, take regulatory action to enforce compliance with the validation, audit trail, record retention, and record copying requirements of Part 11. The FDA has also indicated it intends to exercise enforcement discretion with regard to systems that were operational before the March 1997 effective date of Part 11—something of a legacy system grandfathering philosophy.

Predicate rules

This new guidance draft emphasizes the importance of predicate rule requirements, and the need to document and justify risk assessments. The draft document includes several references to existing FDA guidance documents on software and computerized systems, as well as to the International Society of Pharmaceutical Engineers’ (ISPE, Tampa, FL) “Guide for Validation of Automated Systems” (GAMP).

Under its narrower interpretation, the FDA will enforce predicate rule requirements for records that remain subject to Part 11; thus, regulated industries remain responsible for maintaining and submitting secure and reliable records in accordance with underlying predicate rules and for meeting all other predicate rule requirements.

At about the same time the FDA issued its new guidance document, ISPE released a paper titled, “Risk-based Approach to 21 CFR Part 11.”

Risk-based assessments

Using Part 11 as the springboard, ISPE, in cooperation with the FDA, convened a group of industry experts to investigate approaching compliance for all GMP records using a risk-based method. The group’s challenge was to develop a method that answers the question, “Is it a GMP record?” rather than “Is it an electronic record?”

The method the group submitted to the FDA for comment (and which was approved by the FDA for further development) provides:

  • Scope— User firms should identify and define high-impact electronic records and signatures, based on the predicate rules, criticality of the process, and risk to product safety, effectiveness, identity, purity, and/or quality; and

  • Selection— User firms must implement controls commensurate with the criticality of the electronic record and risks identified for that record. These controls should be documented and justified with reference to identified risks.

In an exclusive Control Engineering interview, Sion Wyn, director with Conformity (Llanrwst, U.K.) and an ISPE technical adviser, says, “We [the committee] are not advocating any particular methodology over any other, nor devising radically new methods where established practices can be successfully applied. We are using established concepts and are applying them as appropriate.”

One area where proposals to use risk-based assessments in quantifying risks might cause confusion has to do with the proximity of the control systems to the delivery of the final product to the public. On the surface, it might seem that the further upstream the control system is from the final product, the smaller the risk, and thus the less stringent the validation requirements. However, as pointed out by Victoria Landers, market development manager with NuGenesis Technologies (Westborough, MA), risk depends on what data systems create, how data are used, and where data end up.

“For example,” Ms. Landers says, “there are upstream processes, such as pre-clinical toxicology tests, that take place during drug discovery and development. If these tests are poorly performed, or data are misinterpreted, the results can adversely affect public health in the final product.”

Impact to Part 11

In its initial submission to the FDA, the ISPE committee indicated the current definition of an electronic record is too broad, potentially stifling innovation and drawing attention and resources away from ensuring the integrity of product records representing the greatest risk to public health.

The committee’s recommendation is to rely on existing system validation, change control management, and configuration management procedures for ensuring low-impact systems perform adequately, thus freeing resources to focus on high-impact areas.

Examples of high-impact records include batch records and laboratory test results. Low-impact record examples include environmental monitoring not affecting product quality, employee training, software, and internal computerized system information, such as setup and configuration parameters.

Ever since Part 11 became law, the copying, retention, and maintenance of electronic records have been the source of many heated discussions. Under proposed new Part 11 guidance, users should be able to meet regulation requirements by (in order of preference):

  • Using industry-standard portable formats as long as their benefits are greater than their disadvantages;

  • Employing established automated conversion or export methods to produce copies in commonly accepted formats including PDF, microfiche, microfilm, or paper copies; and/or

  • Permitting inspection and review of records following the firm’s established procedures and using the firm’s hardware and onsite software.

The committee does add one caveat related to high-impact records by stating, “For high-impact records, it may be essential that electronic copies of the record are also retained—although not necessarily in reprocessable form.”

When you consider the life-cycle of a health care product can be 20, 30, or more years, these proposals for managing electronic records represent a huge reduction in the burden of maintaining several generations of legacy electronic systems to reprocess electronic records to satisfy an FDA inspection that may never occur.

Assessing risks

Analyzing risks is part of everyday life.

Informal risk assessments include deciding whether to press on the gas or the brake when approaching a traffic light that’s just turned yellow.

Formal, structured risk-assessment methods are applied every day to business processes, such as financials, marketing, insurance underwriting, weather, and employee and community safety. Thus, it should surprise no one that the FDA is looking within its own resources for a suitable risk assessment methodology to help achieve its stated initiative of “Pharmaceutical cGMPs for the 21st Century: A Risk-Based Approach.”

FDA spokespersons insist that any risk-based method applied by regulated industry users must be designed to prevent unsafe conditions from occurring. The FDA is adamant that any solution that relies on spot-checks of manufacturing conditions and/or random sampling of final products to detect unsafe conditions is considered unsuitable.

A likely risk-assessment candidate is the FDA’s “Hazard Analysis and Critical Control Point (HACCP)” guidance document developed and used by the FDA’s Center for Food Safety & Applied Nutrition (CFSAN, College Park, MD) to ensure food safety.

CFSAN’s HACCP guidance document employs seven basic principles to meet its goal of assuring food safety:

  • Analyze potential hazards and measures to control those hazards;

  • Identify critical control points;

  • Establish preventive measures with critical limits for each control point;

  • Establish procedures to monitor the critical control points;

  • Establish corrective actions to be taken when monitoring shows that a critical limit has not been reached;

  • Establish procedures to verify that the system is working properly; and

  • Establish effective record keeping to document the HACCP program.

Just from the brief descriptions provided above, the flow and intent of the HACCP guidance document are obvious. However, the trick will be to figure out how to apply HACCP guidance information to systems used to produce electronic records and signatures.

One approach would be to identify high- and low-risk systems, then focus resources to identify high-risk sub-systems.

Armed with a prioritized list of systems and sub-systems, knowledgeable teams, with possible representation from the sub-systems’ hardware and software, apply HACCP principles.

There is no doubt that the FDA threw the 21 CFR Part 11 regulation a curveball this past February. However, a close examination reveals the proposed changes actually will provide the public with safer products and make it easier and less costly for users to comply, making for a truly winning combination.

And, just in case you were wondering, with few exceptions, the concepts Control Engineering proposed in its April 2002 article are still valid.

Comments? E-mail dharrold@reedbusiness.com

Additional information sources:

Highlights of ISPE’s risk-based approach to 21 CFR Part 11

In cooperation with the FDA, ISPE convened a team of experts and prepared a document suggesting an alternative method for addressing 21 CFR Part 11 compliance. Highlights of that document are:

  • Focus efforts on high-impact records, such as batch records and laboratory test results;

  • Rely on system validation, change control, configuration management, and routine security features to manage low-impact records, such as environmental monitoring records not affecting product quality, training records, and internal computerized system information such as setup and configuration parameters;

  • Considering software as part of cGMP electronic records has little practical benefit and discourages firms from adopting innovative technology solutions. Continued use of system validation, change control, etc. provides adequate risk-management for such systems; and

  • Copies of required electronic records must ensure content and meaning are preserved in human readable form.


Breaking Down Systems and Sub-systems for HACCP Studies


Stability systems

Toxicology systems

Laboratory robotic systems

Environmental monitoring systems

Laboratory instruments with data acquisition capability

Laboratory information systems

Other data acquisition systems


Case report form systems

Clinical data management systems

Remote data entry systems

Remote data capture systems

Adverse event reporting systems

Other data acquisition systems


Manufacturing execution systems

Maintenance management systems

Calibration management systems

Building management systems

Enterprise resource planning systems

Control and automation systems

Other data acquisition systems


Document management systems

Good practices and other product tracking systems

Standard operating procedure systems

Other data acquisition systems

Source: Control Engineering

Recent Control Engineering articles promoting the use of risk-based assessments

Risk-based assessment methods have long been an accepted and consistent means of evaluating and quantifying a multitude of business decisions. Visit

Get Safe: Prepare for Security Intrusion, March 2003

Figure Out When Enough is Enough!, June 2002

Applying Hazardous Risk to Safety Integrity Levels, April 2000

Understanding Safety Integrity Levels, February 2000

What Regulations and Standards Apply to Safety Instrumented Systems?, March 2000

Safety Requirements Specification in a Capital Project Environment, April 2000

Developing and Using a Risk Assessment Model, December 2000

Managing Risk Improves Production, December 1999

Improving Safety in Process Control, September 1998