Navigating the New 21 CFR 11 Guidelines

When FDA commenced discussions on the use of electronic records in lieu of paper records in 1991, it embarked upon a six-year consultation exercise culminating in the issuance of the final rule "21 CFR 11,"¹ which came into force on 20 August 1997. The final rule itself is succinct (approximately 2000 words), but has given rise to massive amounts of commentary and interpretative text. The latest guidance aims to address issues with these secondary texts rather than the rule itself.

Electronic/paper equivalence

Throughout its discussion of the consultation process,

²

FDA made clear that the rule addressed "criteria under which FDA will consider electronic records to be equivalent to paper records and electronic signatures equivalent to traditional handwritten signatures," where "electronic records may be used in lieu of paper records."

Over the period between August 1997 and February 2003, a body of guidance documents, expressions of opinions, and findings from regulatory inspections led to a perception in industry that the scope of 21 CFR 11 was far wider than stated above. The root causes of this widening seem to be:

• confusion between "records," maintained to meet the requirements of the predicate rules (other rules enforced by FDA, e.g., CFR GCP) and other documents, which might be subject to inspection by an FDA inspector (e.g., operating procedures).

• the computing industry's imprecise terminology--the term "record" can mean just about anything stored on a computer.

• a desire by the entire pharmaceutical industry to have explicit and definitive direction about the requirements for regulatory compliance, making anything specific seem welcome.

The consequences of the expansion in scope has been twofold: it has served to make some units less likely to use/update computer-based technologies (contrary to FDA's declared intent), and it has diverted quality & compliance efforts onto unnecessary programs that add to neither patient safety nor regulatory compliance.

General FDA guidance

New FDA guidance finalized in August 2003,

³

under FDA's initiative to review pharmaceutical cGMP, effectively returned the rule to its original intent as previously described. This replaced five previous draft guidance documents and an associated compliance policy guide, which have been withdrawn.

^4-9

The draft guidance identifies the scope to be applied in considering if a record is subject to 21 CFR 11:

• "Records that are required to be maintained...in electronic format in place of paper format"

• "Records...maintained in electronic format in addition to paper format, and are relied on to perform regulated activities"

• "...Records submitted to FDA, under the predicate rules...in electronic format..."

• "Electronic signatures that are intended to be the equivalent of handwritten signatures...."

The following exclusions are also listed:

• "Records...that are not required to be retained by predicate rules...are not Part 11 records"

• "A record that is not itself submitted, but is used in generating a submission, is not a Part 11 record unless it is otherwise required to be maintained by a predicate rule and it is maintained in electronic format."

This statement of the scope is now referred to as the "narrow interpretation." One indirect effect of the narrow interpretation is to make any citation with respect to Part 11 more significant, in that it will directly impact on the core regulatory arena.

Guidance for clinical trials

The only previously issued 21 CFR 11-related guidance document not withdrawn is: "Guidance for Industry-Computerized Systems Used in Clinical Trials."

¹⁰

While possibly an oversight, it is more likely that FDA has reviewed the guidance and considers it appropriate. This guidance, which informs day-to-day regulatory decisions, addresses the circumstances in which computer system records are considered to be "source data/source documents" and the nature and extent of computer system validation that needs to be conducted. It is the authors' opinion that the document is unlikely to be withdrawn. The clinical trials community is therefore in the position of having the most complete guidance of any sector with regards to 21 CFR 11.

Interim interpretation issues

In the new guidance

³

FDA has stated that: "For those records that we are now clarifying are subject to Part 11, we intend to exercise enforcement discretion with regard to Part 11 requirements for validation, audit trails, record retention, and record copying...and in applying Part 11 to systems that were operational before the effective date of Part 11."

Validation

21 CFR 11 states the requirement to achieve "Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records."

^1,10-11

FDA has stated that during the period when 21 CFR 11 is under review, they will apply their discretion with regards to computer system validation. However FDA emphasizes that: "Persons must still comply with all applicable predicate rule requirements for validation."

¹¹

While it is tempting to focus on the discretion aspect, it is important to remember that the concept of validation was not introduced by 21 CFR 11. The vast majority of cases where there is a genuine need to validate a computer system is based on other regulations. In practice, where the need for validation was identified based solely on 21 CFR 11, it is likely that the assessment was mistaken/faulty. Where the requirement is based on other rules, the requirement stands. It is the authors' opinion that this does not constitute a material relaxation in FDA's originally intended enforcement policy but serves to draw industry's attention to the real drivers for validation.

Audit trails

The requirement for audit trails is an area where 21 CFR 11 can be viewed as being very prescriptive. It is possible that FDA will change the detail of audit requirements in 21 CFR 11 after review. The underlying requirements for audit trails are described in FDA's discussion of the consultation process

²

to ensure that:

• "representations of database information have been generated in a manner that does not distort data or hide noncompliant or otherwise bad information, and that database elements themselves have not been altered so as to distort truth or falsify a record."

• "the audit trail provide a record of essentially who did what, wrote what, and when."

• "record changes must not obscure previously recorded information."

While the rule may be amended in this area to become less prescriptive, it is unlikely that FDA would relax the underlying requirements as outlined above.

Once a record keeper has identified that a given system does indeed create or maintain records which fit within the scope of 21 CFR 11, we believe that the abilities of the system should be assessed against the three basic requirements as identified above. If the system does indeed allow for all three to be met with a high degree of confidence, then it would be reasonable not to change or update the system simply to provide an audit trail that is compliant with 21 CFR 11. If the system does not meet the above requirements, then it is highly likely that it does not meet other regulatory requirements. Remediation should be considered as a matter of priority.

Record retention and copying

The new guidance reiterates the need for FDA to be provided with "reasonable and useful access to records during an inspection." The requirement for providing electronic records is essentially the equivalent of "certified copies" for paper records: "...a copy of original information that has been verified, as indicated by dated signature, as an exact copy having all of the same attributes and information as the original."

¹⁰

In the context of an electronic record, "attributes" here should be interpreted as including (where practical) the ability to sort, search, selectively print, etc. In the short term, the authors recommend that organizations should maintain copies of all electronic records in unchanged form on durable media (e.g., WORM Copy), or copied to "PDF" format and secured if this is not practical.

It is unlikely that any eventual change in 21 CFR 11 will alter record retention periods (set by predicate rules), or introduce different retention periods to be applied to electronic versus paper records. It is, however, quite possible that firms will now be allowed to build online, system-independent, electronic record repositories. During the period while FDA establishes its long-term policy for record retention, it is advisable that organizations retain any systems they choose to retire, or at least such portions of them as allow the firm to fully recover, access, and copy the records held.

In the long term, we believe that it is likely that FDA will agree to such records systems being either mothballed indefinitely, or the records transferred to an offline system-independent archive. We would suggest that transfer of records to nonelectronic forms, allowed in the new guidance, should be avoided if possible, as this may render it difficult to transfer them into any future long-term electronic archive.

Legacy systems

In the new Guidance,

³

FDA has stated (with certain provisos) that: "The Agency intends to exercise enforcement discretion with respect to all part 11 requirements for systems that otherwise were operational prior to August 20, 1997, the effective date of Part 11."

This seems to be a significant change in FDA's policy. At a practical level, it is difficult to see that a large number of systems that correctly fall within the scope of 21 CFR 11 would be affected. Most such systems are likely to have undergone significant change if not replacement in the interim, particularly given "Y2K," and are therefore unlikely to be exempted.

FDA, by applying a risk-based approach, has essentially indicated that if a system has remained fully compliant with all other rules for more than the last six years without material change, then the risks involved in making it 21 CFR 11 compliant are likely to exceed the benefits that may accrue.

Form of records

FDA has stated more clearly than previously how it expects to interpret the applicability of Part 11 to hybrid systems.

For the most part, these scenarios see paper records produced from computer systems, possibly updated, and then signed-with the paper copy the definitive copy.

If the paper version of the record is the one that is relied upon for business purposes, then the use of the computer is considered to be incidental and the record is not subject to Part 11. However, if it is the electronic version that is relied upon and carried forward in the workflow, then the record is considered to be subject to Part 11.

The new guidance3 explicitly states that "...the Agency may take your business practices into account in determining whether Part 11 applies." Great care should be taken with interpretation of this, as it is an area where the scope of 21 CFR 11 may be argued to have actually widened as a result of the new guidance. This can be seen if we apply the guidance to documents such as consent forms. These may be communicated between centers and investigators in electronic form. If the electronic representation is the one relied upon by the recipient, it becomes a record covered by Part 11 alongside and in addition to the record that records the subject's actual signature. Many people had previously argued that, as the "definitive" record was in paper form, the electronic record was entirely outside the scope of Part 11.

Recommended compliance approach

Over recent years there has been a tendency to consider compliance with 21 CFR 11 and validation of computer systems to be synonymous. However, given the new draft guidance, it is important that the distinction between these two areas of compliance is recognized. Systems that create, maintain or process records within the scope of 21 CFR 11 must clearly comply with this part. However, all systems require validation as set out by predicate rules if, should they fail to operate correctly, could result in regulatory noncompliance, product quality issues or other risk to patient health.

Overall risk analysis

Prior to any consideration of detailed risks posed by an organization's systems, it is valuable to first consider the risks associated with the organization holistically. This analysis can be used to direct the evaluation of severity of particular risks posed by particular systems.

A corporate risk analysis should consider all of the processes and functions of the organization. This is because the most common role for computer systems, with respect to significant risks, is as a mitigating agent. It is most likely that significant computer system failures will be failures to perform mitigating functions (for noncomputer-related risks) rather than failures directly causing risk. Although this paper concerns itself primarily with computer systems, this process will also identify risks associated with or mitigated by other business systems. It is important that these are also considered from a risk mitigation/compliance perspective.

Systems inventory

A full inventory of all computerized systems within the business is a vital prerequisite of any comprehensive 21 CFR 11/validation review. All computers and applications should be included in such a list. This includes specific uses of such tools as the Microsoft Office suite to help manipulate or scrutinize data, or to control any part of a trial. It is far better to make the list too long by adding extra systems subsequently struck off as irrelevant (and documented as such) than to miss a system.

The creation of a systems inventory should not be a one-off event. Each department or function should maintain such an inventory as a matter of course. Leaving aside all matters to do with 21 CFR 11 and even directly concerning validation, computer systems are introduced into units for a reason: they perform tasks which otherwise would have to be achieved in other ways. Unknown or unrecognized computer systems within a unit are indicative of a unit that that is not operating in a controlled way following documented procedures.

System risk analysis

A systems risk analysis forms the basis for determining where validation efforts should be focused irrespective of the need to comply with 21 CFR 11. Each system listed in the systems inventory should be considered for its potential to contribute or mitigate any of the risks identified in the corporate risk analysis. Each system should also be assessed as to whether it fulfils any role mandated by regulation, and more significantly whether its failure would constitute a failure to properly discharge a regulatory function (regulatory risk). This is likely to be an iterative process with the first iteration being to determine which systems require detailed consideration. Typically systems are initially categorized as:

• Definitely in: electronic data capture systems, laboratory systems, electronic data management systems

• Definitely out: staff expenses systems, marketing analysis systems, accounting systems

• Systems which require consideration: planning systems- they may also act as control systems, spreadsheet macros, local databases.

It is likely that in the first instance, attention will be concentrated on the systems requiring consideration in order to determine whether they do in fact contribute to or mitigate corporate risks. A review of each system should be conducted once those systems requiring detailed consideration have been listed. Identified risks should be categorized using pre-agreed criteria that relate to likelihood of occurrence and impact of particular failures in the system. In general, any system that contributes to material risks or their mitigation requires validation.

Electronic record analysis

Electronic record analysis forms the basis for determining which systems are subject to 21 CFR 11.

To be subject to 21 CFR 11, a record must be both held electronically (initially identified based on systems inventory) and required to either be maintained by predicate rule (e.g., GCP 11) or submitted to FDA.

The resulting review of records will determine which records are indeed held in electronic form and therefore potentially subject to 21 CFR 11, and which are held in paper form and excluded from the scope of the rule. It also identifies the majority of areas where electronic copies of paper records are potentially used in lieu of their paper equivalents.

Compliance plan

Once all systems have been identified and their validation/21 CFR 11 compliance requirements determined, the next stage is to build and implement a compliance plan. Three criteria should be applied to determining the priorities for achieving compliance: outcome of risk analysis (higher risk-higher priority), systems currently undergoing change (higher priority than otherwise assigned), and previous history of compliance issues (systems in these areas have higher priority). Priorities should be set independently of consideration of work involved in bringing the systems into compliance.

The underlying purpose of regulation is to reduce risks posed to patient safety (either during the trial or subsequently). Addressing these risks must, accordingly, be the central focus for any compliance plan. A plan that is not based on risk suggests a failure to consider them.

Review of existing compliance documentation

Many of the systems, especially the high-risk systems, will already have been subject to a degree of validation, and to some extent have been brought into compliance with 21 CFR 11. This documentation should be reviewed in order to avoid unnecessary repetition, and to ensure that the documentation is still valid given changes since the date of such documentation. The result of such a review is that the work associated with all items on the priority list can be reasonably established.

Developing a schedule

An overall compliance schedule should be guided by the established priority list. It is not necessary to slavishly follow the priority list. In particular, it is often advisable to widen the scope from one particular system within a unit to encompass other systems of slightly lower priority, or systems that feed data to the system under consideration. How wide to draw the scope for each project is a matter of judgment. However, it would be inappropriate if many high-priority systems went unaddressed for any significant time because the first unit addressed had one system of high priority system and many of low priority.

This schedule and the procedures to be followed in delivering it form the backbone of the Validation Master Plan. It is also important to consider the time scale over which a schedule can be drawn up. The maximum limit to such a schedule can readily be identified relative to average life cycle for systems. This, in effect, reflects the rate at which "new" systems will be added to the list. For instance, if systems have a life cycle of five years and half of all systems currently require attention, it can be estimated that a "catch-up" schedule of 20 months followed by 40 months for "new" systems as they arrive will bring the business into full compliance over one replacement life cycle. A shorter time scale can be achieved if desired, but a longer time scale is not sustainable.

Validation activities

In the New Guidance,

²

FDA commends two guidance documents: General Principles of Software Validation and the GAMP 4 Guide.

^12-13

The inclusion of the reference to GAMP 4 is of particular significance because some commentators had previously held GAMP 4 to be inconsistent with FDA's Guidances. Although neither of these documents specifically addresses the clinical trials environment, the authors commend the principles described in both to clinical trials organizations as providing templates for validation activities.

References

1. Food and Drug Administration, Title 21 Code of Federal Regulations (21 CFR Part 11), "Electronic Records; Electronic Signatures."

2. Food and Drug Administration, Rules and Regulations, Federal Register 62 (54), 13430-13461, Thursday, March 20, 1997.

3. Food and Drug Administration, Guidance for Industry, 21 CFR Part 11, "Electronic Records; Electronic Signatures-Scope and Application."

4. Food and Drug Administration, Guidance for Industry, 21 CFR Part 11, "Electronic Records; Electronic Signatures Validation" (Withdrawn).

5. Food and Drug Administration, Guidance for Industry, 21 CFR Part 11, "Electronic Records; Electronic Signatures, Glossary of Terms" (Withdrawn).

6. Food and Drug Administration, Guidance for Industry, 21 CFR Part 11, "Electronic Records; Electronic Signatures, Time Stamps" (Withdrawn).

7. Food and Drug Administration, Guidance for Industry, 21 CFR Part 11, "Electronic Records; Electronic Signatures, Maintenance of Electronic Records" (Withdrawn).

8. Food and Drug Administration, Guidance for Industry, 21 CFR Part 11, "Electronic Records; Electronic Signatures, Electronic Copies of Electronic Records" (Withdrawn).

9. Food and Drug Administration, CPG 7153.17: Enforcement Policy: 21 CFR Part 11, "Electronic Records; Electronic Signatures" (Withdrawn).

10. Food and Drug Administration, Guidance for Industry, "Computerized Systems Used in Clinical Trials."

11. "Rules and Regulations," ICH GCP-Federal Register 62 (90), 25691-25709, Friday, May 9, 1997; also ICH Harmonised tripartite guideline, "Guideline for Good Clinical Practice," ICH, May 1996.

12. Food and Drug Administration, General Principles of Software Validation; Final Guidance for Industry and FDA Staff.

13. ISPE/GAMP Forum, The Good Automated Manufacturing Practice (GAMP) Guide for Validation of Automated Systems.

John Farrell* is director of quality and validation with The Synapse Partnership Ltd, 207A Ashley Road, Hale, Cheshire WA15 9SQ, United Kingdom, +44(0) 161 9295777, fax +44(0) 161 9290805, email: john.farrell@synapse-partnership.com. Michael Cooper is on sabbatical from the same company.

*To whom correspondence should be addressed.