21 CFR Part 11: 20 Years and Counting

20 years ago, as a response to the pharmaceutical and life science industries wanting to increase the use of computer systems in the lab, the FDA released 21 CFR Part 11.  The ruling on using electronic records and signatures in place of their hard copy counterparts has since impacted not only how we collect, analyze, report, and transmit data, but also the technology we use to do it and the processes and procedures we follow day to day.

Part 11 – The Early Years

A day in the life of a typical regulated lab may have looked something like this in the early years of Part 11.

  • Labs used shared workstations and lab credentials to access software
  • Hardcopy SOP binders were used to make temporary copies
  • Paper study forms were used to collect data and then transcribed into systems
  • Antivirus protection often had to be turned off so data collection could run
  • Shared spreadsheets on desktops were used for calculations
  • Workstations were often left unlocked for other users to finish data collection

As the years passed, the industry struggled to understand how best to comply with the ruling and software vendors felt hesitant to introduce innovative solutions due to potential non-compliance.  In 2003 the FDA withdrew all previous guidance documents and released the Guidance for Industry Part 11, Electronic Records; Electronic Signatures – Scope and Application, which described the FDA’s current thinking on Part 11 at the time.

How to do a Risk Based Approach for Computer System Validation (CSV)

The guidance document encouraged the industry to use a more risk-based approach to software validation and Part 11 compliance.  The FDA started using enforcement discretion, which meant that auditors were able to enforce adherence to aspects of Part 11 at their discretion based on intended use and documented risk assessments.  And software vendors became more educated on how to incorporate technological compliance with Part 11 into the functionality of their systems.

Part 11 – Today

A day in the life of a typical regulated lab may look something like this today.

  • Systems on internal servers (behind your firewall) or externally hosted servers (i.e., outside your firewall, SaaS) can be accessed via web browsers or Citrix portals
  • SOPs are controlled electronically (e.g., EDMS) which allows for onscreen viewing
  • Most lab systems support workflows which can be used to assign specific tasks to individuals
  • ELN systems can be used instead of paper forms and notebooks
  • Systems can be interfaced with statistical packages for performing more complex calculations, and business intelligence and data visualization applications for reporting and trending
  • Mobile access allows for off-hour monitoring and data review

In 2016 the FDA released a draft guidance on data integrity, which is the next step in the evolution of Part 11 and electronic records and signatures.  The data integrity guidance emphasizes a renewed focus on the principle of ALCOA (Attributable, Legible, Contemporaneous, Original, and Accurate), as well as further thinking from the FDA on topics such as the frequency of audit trail reviews, access to computer systems and shared accounts, electronic copies as accurate reproductions of paper or electronic records, and when electronic data become cGMP records.

Although the backbone of the data integrity guidance is not new, as it is built upon the predicate rules and Part 11, the FDA has seen an increase in audit findings in the last few years related to the requirements for electronic records and signatures, and software validation, that were introduced in 1997 with Part 11.  In fact, from 2015-2016, 75% of all warning letters included lapses in data integrity.

  • Failed analytic results were hidden
  • Time/date settings were hidden
  • Routine retesting of analytic data and deleting original results
  • System audit trails were disabled
  • Batch records were completed days after operations ended

As we continue to move into the future, we will be faced with ensuring that the technology of today, like cloud-based and hosted systems, remains compliant with Part 11.  And what about quickly advancing technologies like voice-activated system controls or dictation, and augmented or virtual reality for interacting with dynamic study data?  These too will need to be fully Part 11 compliant.

Where was your lab two decades ago with respect to compliance with Part 11, and where is it now?  How have the last 20 years of complying with Part 11 impacted your laboratory computer systems, and how you use them today?
