How Will FDA
Enforce Part 11?
FDA’s announcement that it would begin inspections to enforce 21 CFR Part 11 has set of speculation on how FDA will enforce Part 11 and what they will be looking for. I’ve asked two experts, Len Grunbaum and Emma Barsky for their thoughts. They have written a Guest Commentary for the blog, one I am sure will be used as a resource by many of you concerned with Part 11 compliance. I first met Len at the last FDA training course I took, Advanced GLPs, where he was an instructor on validation. I learned a lot from him and think that he and Emma have a lot to share. Of course I welcome your comments and certainly would want to have additional Guest Commentaries on the subject.
The FDA announced on July 8, 2010 that it will be “… conducting a series of inspections in an effort to evaluate industry’s compliance and understanding of Part 11 in light of the enforcement discretion described in the August 2003 ‘Part 11, Electronic Records; Electronic Signatures — Scope and Application’ guidance….”
So … 13 years after promulgating the regulation and seven years after moderating their enforcement model – by exercising enforcement discretion regarding selected aspects of the regulation – the agency is still not comfortable about something. What can it be? While we cannot speak on the agency’s behalf, the words “in light of the enforcement discretion” imply to us that the agency is looking to 1) understand the disparate risk-based approaches taken by companies with respect to validation, audit trails, legacy systems, copies of records and record retention, and 2) determine how effective these approaches have been in establishing and maintaining data integrity (i.e., data completeness, accuracy and validity). Perhaps FDA will revise the regulation and/or issue new guidance that will reflect its ideas of what it perceives as the “best of breed” in terms of activities that most effectively and efficiently result in compliance with 21 CFR part 11. Who knows?
We choose to focus
FDA Concern Regarding Data Integrity
our thoughts regarding this FDA’s initiative on data integrity because it is one of the main points that the FDA focuses on during its inspections. And it is because anything that calls data integrity into question will result in regulatory observations which, to date, have mainly been based on the predicate regulations that were put in place to promote data integrity. Therefore, enforcement discretion notwithstanding, we feel that companies will have to demonstrate the following basic quality measures to the agency:
1) All computerized systems that support regulated activities can be relied upon to operate as intended and identify all instances of incomplete, inaccurate and/or invalid data;
2) All regulated activities (e.g., changes to clinical data) can be reconstructed; and, 3) all regulated records (e.g., study data, manufacturing data) are available from the start of the respective process to the date of inspection and can be retrieved in a timely fashion. The way to do it would be to have complete, easy to follow and easy to explain documentation in support of the above-listed items; anything less may give the agency the perception that data integrity issues exist even if such may not be the case.
Listed below are some, but certainly not all, documentation pitfalls to avoid in this context:
• Lack of validation documentation that focuses on systems risks (e.g., nature and complexity of interfaces, number of bug fixes) in establishing the testing strategy (e.g., nature and scope of regression testing)
• Lack of challenges to the computerized system in the area of identifying incomplete, inaccurate and/or invalid data
• In a complex database system, lack of details regarding what tables, records, etc., constitute the audit trail
• Lack of policies, and/or documented confirmation of compliance to processes regarding ensuring the retention, continued availability and easy retrieval of regulated records/data
• Lack of a complete and/or accurate record of what changes were implemented to computerized systems that support regulated activities and how they were tested and documented
• Lack of documentation regarding training of personnel who were involved with system development, validation, deployment and maintenance
• Lack of documentation regarding how compliance to 21 CFR part 11 is actually achieved (e.g., confirming required functionality through testing, confirming compliance to procedures, such as logical security, backup and recovery, through the internal audit program).
The bottom line is that documentation must stand on its own. Given that FDA may look at processes and records from several years ago and that staff who implemented computerized applications may no longer be around, it becomes imperative that you do what you must to ensure that all of your documentation for computerized applications is such that it does not raise data integrity-related questions that cannot be addressed in a timely fashion.
The Practical Solutions Group, LLC
Practical Solutions Website
How FDA will enforce Part 11 will unfold over the next year or two. How regulated industry should prepare for upcoming inspections, according to Len & Emma, is to document your validation efforts. I think it is good advice.
Here is the original FDA announcement stating it would enforce Part 11: FDA Part 11 Announcement
Save The Date: On 4-5 November 2010 the Pacific Regional Chapter of the Society for Quality Assurance (PRCSQA) and the Organization of Regulatory and Clinical Associates (ORCA), a Pacific Northwest based organization, will co-sponsor a Fall Training on regulatory compliance topics in Seattle, WA.
The PRCSQA LinkedIn Group will update the agenda for the training. PRCSQA Fall Training workshops have traditionally been “at cost” and are an affordable training opportunity. The sessions will cover both GCPs and GLPs with speakers lined up on vendor management, quality systems, and GLP updates.
UPDATE: My favorite industry magazine, Applied Clinical Trials, now has a LinkedIn Group:
Applied Clinical Trials LinkedIn
New on the Blogroll: I’m not the only GxP type with a blog. Here is a well-written blog by Jackie Mardell-
Two Decades and Counting
ALSO: Please join me at:
GxP Perspectives LinkedIn Group
A new service: Please check out the Services page at the top of the Blog to learn more about GxP Services.