Three Things That You Should Know About Part 11

Three Tips on Part 11

What is FDA doing about Part 11? Is the regulation for electronic records and electronic signatures still in force? The answer is YES. What, if anything, should my company or clinical site be doing about it? Strict compliance can be very expensive, almost as expensive as no compliance at all! Here are three tips on Part 11 compliance from veteran consultants and regular GxP Perspectives contributors, Emma Barsky and Len Grunbaum. I first met Len at the last FDA training course I attended as an FDA field inspector. He is still training FDA and industry on computerized systems. Given that FDA is focusing more and more on automated processes and the integrity of the data collected using automated means, Part 11 is more important than ever.

Carl Anderson, GxP Perspectives

Three things you need to know about 21 CFR part 11
by Emma Barsky & Len Grunbaum

Fifteen years after becoming effective, 21 CFR part 11 seems to generate as much controversy as it did when it was first implemented. At this point in time, we cannot think of another regulation that sparks as many disagreements with respect to its interpretation and generates as many discussions. Why is that?

Since the inception of the regulation in August 1997, compliance has been, in our view, analogous to the story of Goldilocks and the Three Bears: compliance in some companies has been too hot (i.e., too restrictive and expensive); compliance in some companies has been too cold (i.e., minimal, if any at all); and compliance in some companies has been just right (i.e., cost-beneficial and based on an effective risk assessment). So, while we do not in any way want to equate compliance with the regulation to a bowl of porridge, we hereby offer three main things that you need to know about 21 CFR part 11 to help you make your compliance just right:

1. You need to know how to assess risks when it comes to 1) developing a validation approach for a given system and 2) implementing controls (e.g., audit trails, logical/physical security) to help ensure the trustworthiness and reliability of the records. As indicated in the Scope and Application guidance, the FDA’s “current thinking” on the subject, the agency will expect you to have a justified and documented risk assessment covering these items. However, in order for the respective strategies and controls to be cost-beneficial in the context of the system’s potential to affect product quality, patient safety and record integrity, a combination of knowledge of system functionality, regulatory understanding, financial prudence and a healthy dose of common sense is required. Take one of these elements out of the equation and the resulting risk assessment will be neither practical nor useful.

2. You need to know the minimum documentation that must be available to support compliance with 21 CFR part 11. Irrespective of the development model employed (e.g., waterfall, Agile/Scrum), the software delivery model employed (e.g., software-as-a-product, software-as-a-service) or data hosting model employed (e.g., internal data center, outsourced hosting), as applicable, a documentation suite that truly supports compliance should encompass the following:

• User/functional requirements, including 21 CFR part 11 requirements, to describe what the system is supposed to do;

• Technical specifications to define how the system is built and how it works; these are the critical component in supporting effective system maintenance (e.g., troubleshooting problems, assessing the impact of planned bug fixes and enhancements);

• Development/validation SOPs, and evidence of compliance (e.g., required documentation, required approvals, developer-level and user acceptance testing), to define the process for developing and deploying a system that operates as intended and meets regulatory requirements;

• Traceability between test evidence and all requirements;

• Change control SOP and supporting change request/change control records to ensure that the system continues to operate as expected;

• Training SOP and supporting training records to support staff qualifications regarding system development, maintenance and use;

• IT infrastructure SOPs (e.g., logical/physical security, backup and recovery) and supporting records to evidence ongoing protection and availability of records.

3. You need to know that, for a given system, the quality of testing and quality of reviews are of paramount importance because they may compensate for ineffective development and/or validation SOPs. In other words, the devil (or in this case the saving angel) is in the details. Therefore, it is important that

• Testing is complete and reflective of true system risks;

• Test evidence is supportive of test results/conclusions and/or does not raise “red flags”;

• Reviews are timely and reasonable (e.g., only a realistic number of detailed test scripts should be reviewed in one day);

• Incident reports are reviewed and approved by appropriate individuals promptly.

If testing practices, testing evidence and/or testing reviews are questionable, they will constitute a serious gap from a risk-based perspective because 1) one may not be able to rely on the given system’s operation, results, etc., and/or 2) data quality and integrity may be viewed as being compromised.

Is your Compliance Running Too Hot or Too Cold?

While there are other aspects of 21 CFR part 11 that one should know (e.g., how to determine whether 21 CFR part 11 even applies to you and, if not, how to document that conclusion), the three items discussed above represent the areas where, in our view, compliance tends to be too hot (i.e., a potential business risk in that the cost of doing business may be higher than it should be) or too cold (i.e., a potential regulatory risk in that regulatory requirements may not be met which, in turn, may result in business risks based on the operational impact of FDA enforcement actions).

Emma Barsky and Len Grunbaum
Partners of The Practical Solutions Group, LLC

6 Responses to Three Things That You Should Know About Part 11

  1. Steve Steinbrueck says:

    First, Len and Emma, thanks for sharing your thoughts… they seem “just right.”

    If you were asked by a family practice doc in a small town (busy practice, nets about 150K a year, recently adopted an off the shelf EMR) who conducts a few trials a year, “what should I be doing about Part 11?” What advice would you give?

    • Len Grunbaum says:

      Assuming that any of the EMR information will be submitted to the sponsor in electronic form for ultimate submission to the FDA, we suggest that the family practice doctor do the following:
      1. Request, from the EMR vendor, a certificate attesting to the fact that the system meets the 21 CFR part 11 requirements. If this certificate cannot be obtained, then the family practice doctor, who uses the EMR system, should perform and document an independent assessment (e.g., audit of the vendor and/or detailed testing) to determine whether the system meets 21 CFR part 11 requirements. The vendor’s audit certificate, independent audit and/or in-house testing should focus on the 21 CFR part 11 features (e.g., audit trail, access control, e-signatures).
      2. Identify where records are being maintained and document how the family practice doctor can confirm that the regulated records are protected (e.g., backup and recovery, physical security).

  2. Reblogged this on Clinical Research Management & Leadership and commented:
    We are currently running a trial where the primary endpoint is assessed with commercially available US software. Can one rely on the validation documentation that comes with the product, or is additional validation required according to 21CFR?

    • GxP Perspectives says:

      I am referring both questions to Len & Emma. You might want to check out Christian’s blog at:

      • Len Grunbaum says:

        At a minimum, one needs to confirm that the system operates as intended in the user’s operating environment, so additional user acceptance testing will be necessary. This testing would need to include additional tests and challenges commensurate with operational risks that may be present in the user’s environment (e.g., hardware platform, concurrent number of users).

      • Thank you for the reply – it is very helpful!
