‘I’m from the Government, and I’m Here to Help You!’

End-users expect significant benefits from achieving compliance with the U.S. Food and Drug Administration's (FDA, Rockville, Md.) 21 CFR Part 11 regulation on electronic records and electronic signatures, according to similar but independent polls conducted during late 2001 and early 2002 by AFAB Group (Avon, Ind.

By Dave Harrold April 1, 2002
  • Software and information integration

  • Standards and regulations

  • Data acquisition

  • Information systems

  • Open systems

Examples of Systems Possibly Subject to 21 CFR Part 11
FDA says to expect a widespread expansion of 21 CFR Part 11 requirements

End-users expect significant benefits from achieving compliance with the U.S. Food and Drug Administration’s (FDA, Rockville, Md.) 21 CFR Part 11 regulation on electronic records and electronic signatures, according to similar but independent polls conducted during late 2001 and early 2002 by AFAB Group (Avon, Ind.) and NuGenesis Technologies (Westborough, Mass.).

However, turning perceived benefits into real benefits requires planning, communication, commitment, and superior execution.

Because 21 CFR Part 11 targets product quality, it makes sense that a compliance strategy must become part of a company’s overall quality improvement process. And, even if a company isn’t affected by the Part 11 regulation, incorporating electronic records and electronic signatures as part of a company’s quality improvement process can help achieve better data security and faster, more accurate documentation access.

What it is

The FDA’s overall mission blends law and science to try to promote and protect consumer public health by:

  • Helping ensure safe and effective products reach the market in a timely manner;

  • Monitoring products already in use remain safe; and

  • Participating in the harmonization and reduction of regulatory compliance burdens.

FDA consults with affected industry experts and then develops and enforces the Code of Federal Regulations (CFR). Part 11 of Title 21 of these regulations was developed with affected industry expertise input. (See ’21 CFR Part 11 development timeline’ diagram.)

In March 1997, the FDA published Part 11, which defines regulatory requirements necessary to use electronic records and signatures in place of paper and wet-ink representations.

Part 11’s goal

21 CFR Part 11 outlines the procedures and technical control requirements necessary to implement computer systems using electronic records and/or electronic signatures. Significant among Part 11’s defined controls are:

  • Computer system validation;

  • User authentication;

  • System access/security;

  • Time stamps;

  • Audit trails;

  • Record retention; and

  • Predicate rule considerations in identifying what a required record actually is.

The goal of Part 11’s rule is to help protect public health by improving the quality of regulated products.

Part 11 achieves the goal by ensuring electronic records and electronic signatures associated with a product’s manufacturing and/or distribution are ‘trustworthy, reliable, and generally equivalent to paper records and handwritten signatures.’

Part 11 applies to data that directly affects a product’s quality and/or distribution, including the people, systems, and/or processes involved in producing or distributing those products. Thus electronic records created about regulated products, and/or their distribution, after the rule became effective (August 20, 1997) clearly must comply. However, Part 11 can also apply to electronic records created before August 20, 1997, if a computer system has been used to modify, maintain, archive, retrieve, or distribute those records.

Regardless of vintage, systems currently involved in the production and/or distribution of FDA regulated products must comply with the rule, thus extending the rule to nearly all control and automation systems, including laboratory systems, producing and/or distributing FDA regulated products. (See ‘Examples of systems subject to 21 CFR Part 11’ table.)

Despite poll respondent concerns about making legacy laboratory and control systems compliant, nearly half the responders to both polls believe achieving Part 11 compliance can deliver benefits in the areas of better data security and faster, more accurate documentation access.

To achieve compliance, reap the benefits, and manage related costs, complexities, and risks requires applying four key actions: leveraging the current quality process, managing cost and complexity, designing and implementing an enterprise-wide plan, and exercising pragmatism about requirements.

Leverage quality

Every good quality process has executive-level support. Making Part 11 compliance part of a company’s quality process leverages this support and helps ensure compliance activities are viewed in the broader context of emerging business landscapes.

Data about a product, whether in development or on the market, is a recognized business asset that should be kept secure and reliable; therefore the regulation provides the appropriate guidelines for securing a company’s valuable assets including ensuring data is protected against accidental or intentional ‘after-the-fact’ changes.

Addressing Part 11 compliance in this way helps elevate company-wide awareness of similar emerging electronic records and electronic signature standards, regulations, and requirements fashioned after 21 CFR Part 11. (See ‘FDA says…’ sidebar.)

Manage cost

About half of either polls’ respondents anticipate Part 11 compliance costs to be substantial with another five plus percent indicating costs will be ‘more than you can possibly believe.’

Though neither poll attempted to define ‘substantial,’ a third poll, conducted by Accenture (Philadelphia, Pa.), revealed one unnamed U.S. company, following FDA citation for Part 11 non-compliance, spent over $1 million for remediation and validation activities associated with a single system.

This example reinforces the importance of not waiting until senior management edicts ‘get us compliant, and do it now.’

Waiting until such an edict is handed down, allows precious little time to analyze ways to include tangible business improvements into compliance activities.

Paul J. Motise, FDA’s consumer safety officer and authority on 21 CFR Part 11, says ‘In FDA’s experience thus far, we have seen a direct correlation between the quality of records and the quality of the products produced.’

Considering Mr. Motise’s observation, poll responder costs expectations, and one company’s million dollar experience it’s clear that turning compliance costs into tangible benefits will help create a good return on investment. Tangible benefits include reducing business risk, improving product quality, and improving information quality, consistency, and efficiency.

A Part 11-compliance plan should prioritize remediation activities and it should harmonize procedural enhancements and individual remediation efforts with longer-term technology planning, architecture, and computer system validation (CSV) activities.

A white paper prepared by Accenture sums it up by saying, ‘As companies expand their participation in the digital economy, the compliance mandate, originating with the definition of information roles and authorities, can yield a company greater integrity, security, consistency, and standardization. In turn, this improves speed and efficiencies across the organization and reduces risks associated with business partner information exchanges.’

Architect enterprise-wide

Both polls’ results indicate nearly half of the companies are approaching Part 11 compliance with a committee/project team, and if companies are to reap the benefits described above, that’s exactly what needs to be done.

However, the polls also indicate a sizable number of companies have assigned only one person full- or part-time, and many have no dedicated resources assigned to address these compliance issues. Likely, these companies are focusing on ‘pure’ information system solutions and have failed to include the people, processes, and technology infrastructures necessary to reap lasting business benefits.

Many companies’ compliance processes have evolved over time and may not be as efficient or effective as is possible or necessary. Because Part 11 compliance is so far reaching, now is the best time to review, and perhaps overhaul, the entire compliance process into a strategic, enterprise-wide information technology approach that ensures that human, procedural, and technical aspects of the rule are continually met.

Be pragmatic

When addressing compliance requirements, it’s best to be pragmatic.

The FDA has already issued a significant number of non-compliance citations, mostly in the areas of security, data integrity, audit trail, and record retention.

Companies who are still working to achieve Part 11 compliance may be able to avoid FDA citation harshness by presenting evidence they have:

  • Developed a detailed inventory of systems falling within the rule’s scope;

  • Identified gaps in current compliance practices;

  • Developed justifications for continued use of non-compliant systems;

  • Created a map of how and when Part 11 compliance will be attained;

  • Validated all affected installed systems; and

  • Tracked implementation progress.

21 CFR Part 11 did not change the FDA’s ‘cradle-to-grave’ record retention requirements, so depending on a product’s patent-life, that could mean 20, 30, or more years of retaining documents.

Considering the rapid changes in electronic technology, ‘life expectancy’ of electronic records far exceeds the life of any given system, and few systems are designed to inherit all the records from legacy systems. Therefore, archiving of records becomes a major, but manageable issue.

To minimize archiving issues over time:

  • Select application software suppliers with demonstrable upgrade experience that protects end-user data;

  • Minimize the number of applications that retain compliance-related information;

  • Minimize physical distribution of electronic records (i.e., store centrally and provide secure, distributed access); and

  • Consider separating data from the creating application and store data in a data warehouse or document repository using standard formats for retrieval and viewing.

Just about every product produced today involves various uses of electronic systems. For those industries regulated by FDA, 21 CFR Part 11 can not be ignored or circumvented. Because a company must take action to comply with the rule, it simply makes sense to go the extra mile and reap the available business benefits.

Examples of Systems Possibly Subject to 21 CFR Part 11


Stability systems

Toxicology systems

Laboratory robotic systems

Environmental monitoring systems

Laboratory instruments with data acquisition capability

Laboratory information systems

Other data acquisition systems


Case report form systems

Clinical data management systems

Remote data entry systems

Remote data capture systems

Adverse event reporting systems

Other data acquisition systems


Manufacturing execution systems

Maintenance management systems

Calibration management systems

Building management systems

Enterprise resource planning systems

Control and automation systems

Other data acquisition systems


Document management systems

Good practices and other product tracking systems

Standard operating procedure systems

Other data acquisition systems

Source: Control Engineering with data from Accenture

FDA says to expect a widespread expansion of 21 CFR Part 11 requirements

Control Engineering asked Paul J. Motise, FDA’s consumer safety officer and authority on 21 CFR Part 11, to share his opinions about issues facing end-user companies’ struggles to achieve control and automation system compliance.

He made it clear that such regulations are expanding beyond FDA-regulated companies, and beyond the U.S.

CE: What is the biggest hurdle facing end-user companies in getting their current control and automation system implementations 21 CFR Part 11 compliant?

PJM: Keeping up with emerging standards and technologies. In recent years [our] global society has begun to accept the legitimacy of electronic records and signatures, but only on condition there be adequate controls in place to ensure record and signature integrity, authenticity, availability, confidentiality, and non-repudiation. I believe there is a wide spread realization that technologies that enable electronic records and electronic signatures are rife with weaknesses and problems that need careful remediation and control. The principles and particulars of these standards are remarkably alike.

In the U.S., such standards are embodied not only in Part 11, but also in the Health Insurance Portability and Accountability Act, the Government Paperwork Elimination Act, and the Electronic Signatures in Global and National Commerce Act.

Also a slate of similar legislation is developing in Europe, Asia, and the Americas. Additionally, a host of private and professional standard-setting associations, such as the American Bar Association (Washington, D.C.), the Parental Drug Association (Bethesda, Md.), the American Institute of Certified Public Accounts (New York, N.Y.), and the Canadian Institute of Chartered Accountants (Toronto, Ontario, Canada) are developing compendia of good practices in this [electronic records and signatures] area.

CE: What can control and automation system manufacturers do to make their systems easier for end-users to achieve 21 CFR Part 11 compliance?

PJM: Control and automation manufacturers can make things easier for their customers by becoming familiar with Part 11 as well as the FDA predicate regulations that require companies to create records. They [manufacturers] should also be open to customer audits of their software development activities.

CE: What is the single biggest misunderstanding about 21 CFR Part 11 among end-users and/or manufacturers as the regulation applies to control and automation systems?

PJM: There seems to be a mistaken belief that electronic records do not have an impact on product quality and safety, and that there should be no sense of urgency in making systems Part 11 compliant. In FDA’s experience thus far, we have seen a direct correlation between the quality of records and the quality of the products produced.

In several cases, adulterated and misbranded products have been released for distribution, and public health jeopardized as a consequence, because firms did not have sufficient controls over their electronic records.