Three Things That You Should Know About Part 11

June 4, 2012

Part 11

Three Tips on Part 11

What is FDA doing about Part 11? Is the regulation for electronic records and electronic signatures still in force? – The answer is YES – What, if anything, should my company or clinical site be doing about it. Strict compliance can be very expensive- almost as expensive as no compliance at all! Here are three tips on Part 11 compliance from veteran consultants and regular GxP Perspectives contributors, Emma Barsky and Len Grunbaum. I first met Len at the last FDA training course I attended as an FDA field inspector. He is still training FDA and Industry on computerized systems. Given that FDA is focusing more and more on the automated processes and integrity of the data collected using automated means, Part 11 is more important than ever.

Carl Anderson, GxP Perspectives

Three things you need to know about 21 CFR part 11
by Emma Barsky & Len Grunbaum

Fifteen years after becoming effective, 21 CFR part 11 seems to generate as much controversy as it did when it was first implemented. At this point in time, we cannot think of another regulation that sparks as many disagreements with respect to its interpretation and generates as many discussions. Why is that?

Since the inception of the regulation as of August 1997, compliance has been, in our view, analogous to the story of Goldilocks and the Three Bears: compliance in some companies has been too hot (i.e., too restrictive and expensive); compliance in some companies has been too cold (i.e., minimal if any at all); and, compliance in some companies has been just right (i.e., cost-beneficial and based on an effective risk assessment). So, while we do not in any way want to equate compliance with the regulation to a bowl of porridge, we hereby offer three main things that you need to know about 21 CFR part 11 to help you make your compliance just right:



1. You need to know how to assess risks when it comes to 1) developing a validation approach regarding a given system and 2) implementing controls (e.g., audit trails, logical/physical security) to help ensure the trustworthiness and reliability of the records. As indicated in the Scope and Application guidance, the FDA’s “current thinking” on the subject, the agency will expect you to have a justified and documented risk assessment regarding these items. However, in order for the respective strategies and controls to be cost-beneficial in context of the potential of the system to affect product quality and safety, and record integrity, a combination of knowledge of system functionality, regulatory understanding, financial prudence and a healthy dose of common sense are required. Take one of these elements out of the equation and the resulting risk assessment will be neither practical nor useful.

2. You need to know the minimum documentation that must be available to support compliance with 21 CFR part 11. Irrespective of the development model employed (e.g., waterfall, Agile/Scrum), the software delivery model employed (e.g., software-as-a-product, software-as-a-service) or data hosting model employed (e.g., internal data center, outsourced hosting), as applicable, a documentation suite that truly supports compliance should encompass the following:

• User/functional requirements, including 21 CFR part 11 requirements, to describe what the system is supposed to do;

• Technical specifications to define how the system is built and how it works, and which is the critical component in supporting effective system maintenance (e.g., troubleshooting problems, assessing the impact of planned bug fixes and enhancements);

• Development/validation SOPs, and evidence of compliance (e.g., required documentation, required approvals, developer-level and user acceptance testing), to define the process for developing and deploying a system that operates as intended and meets regulatory requirements;

• Traceability between test evidence and all requirements;

• Change control SOP and supporting change request/change control records to ensure that the system continues to operate as expected;

• Training SOP and supporting training records to support staff qualifications regarding system development, maintenance and use;

• IT infrastructure SOPs (e.g., logical/physical security, back-up and recovery, etc.) and supporting records to evidence on-going protection and availability of records.

3. You need to know that, for a given system, the quality of testing and quality of reviews are of paramount importance because they may compensate for ineffective development and/or validation SOPs. In other words, the devil (or in this case the saving angel) is in the details. Therefore, it is important that

• Testing is complete and reflective of true system risks;

• Test evidence is supportive of test results/conclusions and/or does not raise “red flags”;

• Reviews are timely and reasonable (e.g., only a realistic number of detailed test scripts should be reviewed in one day);

• Incident reports are reviewed and approved by appropriate individuals promptly.

If testing practices, testing evidence and/or testing reviews are questionable, they will constitute a serious gap from a risk-based perspective because 1) one may not be able to rely on the given system’s operation, results, etc., and/or 2) data quality and integrity may be viewed as being compromised.

Part 11

Is your Compliance Running Too Hot or Too Cold?

While there are other aspects to 21 CFR part 11 that one should know (e.g., how to determine if 21 CFR part 11 even applies to you and, if not, how to document such a conclusion), the three items discussed above represent those areas where, in our view, compliance tends to be too hot (i.e., potential business risk in that the cost of doing business may be higher than it should be) or too cold (i.e., a potential regulatory risk in that regularity requirements may not be met which, in turn, may result in business risks based on the operational impact of FDA enforcement actions).

Emma Barsky and Len Grunbaum
Partners of The Practical Solutions Group, LLC
Practical Solutions


Join the GxP Perspectives Linkedin Group Here
Or get an email subscription (on the right sidebar)


Part 11: How Will FDA Enforce?

July 25, 2010

Part 11 FDA enforce

How Will FDA
Enforce Part 11?

FDA’s announcement that it would begin inspections to enforce 21 CFR Part 11 has set of speculation on how FDA will enforce Part 11 and what they will be looking for. I’ve asked two experts, Len Grunbaum and Emma Barsky for their thoughts. They have written a Guest Commentary for the blog, one I am sure will be used as a resource by many of you concerned with Part 11 compliance. I first met Len at the last FDA training course I took, Advanced GLPs, where he was an instructor on validation. I learned a lot from him and think that he and Emma have a lot to share. Of course I welcome your comments and certainly would want to have additional Guest Commentaries on the subject.

Guest Commentary-

The FDA announced on July 8, 2010 that it will be “… conducting a series of inspections in an effort to evaluate industry’s compliance and understanding of Part 11 in light of the enforcement discretion described in the August 2003 ‘Part 11, Electronic Records; Electronic Signatures — Scope and Application’ guidance….”

So … 13 years after promulgating the regulation and seven years after moderating their enforcement model – by exercising enforcement discretion regarding selected aspects of the regulation – the agency is still not comfortable about something. What can it be? While we cannot speak on the agency’s behalf, the words “in light of the enforcement discretion” imply to us that the agency is looking to 1) understand the disparate risk-based approaches taken by companies with respect to validation, audit trails, legacy systems, copies of records and record retention, and 2) determine how effective these approaches have been in establishing and maintaining data integrity (i.e., data completeness, accuracy and validity). Perhaps FDA will revise the regulation and/or issue new guidance that will reflect its ideas of what it perceives as the “best of breed” in terms of activities that most effectively and efficiently result in compliance with 21 CFR part 11. Who knows?

part 11 enforce FDA

FDA Concern Regarding Data Integrity

We choose to focus our thoughts regarding this FDA’s initiative on data integrity because it is one of the main points that the FDA focuses on during its inspections. And it is because anything that calls data integrity into question will result in regulatory observations which, to date, have mainly been based on the predicate regulations that were put in place to promote data integrity. Therefore, enforcement discretion notwithstanding, we feel that companies will have to demonstrate the following basic quality measures to the agency:

1) All computerized systems that support regulated activities can be relied upon to operate as intended and identify all instances of incomplete, inaccurate and/or invalid data;

2) All regulated activities (e.g., changes to clinical data) can be reconstructed; and, 3) all regulated records (e.g., study data, manufacturing data) are available from the start of the respective process to the date of inspection and can be retrieved in a timely fashion. The way to do it would be to have complete, easy to follow and easy to explain documentation in support of the above-listed items; anything less may give the agency the perception that data integrity issues exist even if such may not be the case.

Listed below are some, but certainly not all, documentation pitfalls to avoid in this context:

Lack of validation documentation that focuses on systems risks (e.g., nature and complexity of interfaces, number of bug fixes) in establishing the testing strategy (e.g., nature and scope of regression testing)

• Lack of challenges to the computerized system in the area of identifying incomplete, inaccurate and/or invalid data

• In a complex database system, lack of details regarding what tables, records, etc., constitute the audit trail

• Lack of policies, and/or documented confirmation of compliance to processes regarding ensuring the retention, continued availability and easy retrieval of regulated records/data

• Lack of a complete and/or accurate record of what changes were implemented to computerized systems that support regulated activities and how they were tested and documented

• Lack of documentation regarding training of personnel who were involved with system development, validation, deployment and maintenance

• Lack of documentation regarding how compliance to 21 CFR part 11 is actually achieved (e.g., confirming required functionality through testing, confirming compliance to procedures, such as logical security, backup and recovery, through the internal audit program).

The bottom line is that documentation must stand on its own. Given that FDA may look at processes and records from several years ago and that staff who implemented computerized applications may no longer be around, it becomes imperative that you do what you must to ensure that all of your documentation for computerized applications is such that it does not raise data integrity-related questions that cannot be addressed in a timely fashion.

Emma Barsky
Len Grunbaum
The Practical Solutions Group, LLC
Practical Solutions Website

How FDA will enforce Part 11 will unfold over the next year or two. How regulated industry should prepare for upcoming inspections, according to Len & Emma, is to document your validation efforts. I think it is good advice.

Here is the original FDA announcement stating it would enforce Part 11: FDA Part 11 Announcement

Save The Date: On 4-5 November 2010 the Pacific Regional Chapter of the Society for Quality Assurance (PRCSQA) and the Organization of Regulatory and Clinical Associates (ORCA), a Pacific Northwest based organization, will co-sponsor a Fall Training on regulatory compliance topics in Seattle, WA.

The PRCSQA LinkedIn Group will update the agenda for the training. PRCSQA Fall Training workshops have traditionally been “at cost” and are an affordable training opportunity. The sessions will cover both GCPs and GLPs with speakers lined up on vendor management, quality systems, and GLP updates.

UPDATE: My favorite industry magazine, Applied Clinical Trials, now has a LinkedIn Group:
Applied Clinical Trials LinkedIn

New on the Blogroll: I’m not the only GxP type with a blog. Here is a well-written blog by Jackie Mardell-
Two Decades and Counting

ALSO: Please join me at:

GxP Perspectives LinkedIn Group

A new service: Please check out the Services page at the top of the Blog to learn more about GxP Services.

Part 11: It’s Back

July 14, 2010

Part 11 FDA

FDA To Resume Enforcement of Part 11

FDA has announced that “The Agency (FDA) will be conducting a series of inspections in an effort to evaluate industry’s compliance and understanding of Part 11 in light of the enforcement discretion described in the August 2003 ‘Part 11, Electronic Records; Electronic Signatures — Scope and Application’ guidance (Guidance).” This is a big deal. It has been seven years that FDA has debated Part 11 and began using “Enforcement Discretion.” The Agency announced that: “The Agency expects to begin conducting the Part 11 focused inspections soon.” Part 11, Electronic Records; Electronic Signatures has been one of the most confusing and controversial regulations FDA has ever written. I am now trying to find a Part 11 specialist to let us know the meaning of it all. Read what FDA has to say:

FDA Part 11 Announcement

UPDATE: Read the 25 July Guest Commentary on Part 11 by Len Grunbaum & Emma Barsky

The early report: The best report so far: Angie Drakulich goes into further detail on the changes including an interview with FDA in her report in the blog, PharmTech Talk

ALSO: Please join me at:

GxP Perspectives LinkedIn Group


The Blog has just been put on the expanded Top 50 Health Blogs list, which I truly appreciate. However, they constantly change their links to keep it current. Currently I am not there although there are other interesting posts. I now have two “Top Fift” links on the Blogroll.

50 Top Health Blogs

FDA Guidance- Converting Paper Files to Electronic

April 17, 2010

converting paper to electronic FDA guidance

Need to Convert Paper Files?

Converting paper files to electronic records is a practice allowed by FDA and other regulatory agencies. This question is frequently asked by those responsible for maintaining records and the Trial Master File (TMF). Workers who are trying to cut down on the massive amount of storage space needed to comply with FDA record retention policies, an important issue for GCP compliance. However, not only is it allowable, FDA actually tells you how to do it in relatively understandable English. The key guidance document you will need as a reference is:

Guidance for Industry: Part 11; Electronic Records; Electronic Signatures- Scope and Application (August 2003).”

Here is what the agency has to say:

4. Copies of Records

The Agency intends to exercise enforcement discretion with regard to specific part 11 requirements for generating copies of records (§ 11.10 (b) and any corresponding requirement in §11.30). You should provide an investigator with reasonable and useful access to records during an inspection. All records held by you are subject to inspection in accordance with predicate rules (e.g., §§ 211.180(c), (d), and 108.35(c)(3)(ii)). We recommend that you supply copies of electronic records by:

• Producing copies of records held in common portable formats when records are maintained in these formats

• Using established automated conversion or export methods, where available, to make copies in a more common format (examples of such formats include, but are not limited to, PDF, XML, or SGML)

In each case, we recommend that the copying process used produces copies that preserve the content and meaning of the record. If you have the ability to search, sort, or trend part 11 records, copies given to the Agency should provide the same capability if it is reasonable and technically feasible. You should allow inspection, review, and copying of records in a human readable form at your site using your hardware and following your established procedures and techniques for accessing records.”

I was able to get this information from FDA’s excellent resource, “GCP Questions.” There is a link under FDA Stuff, scroll down beneath the Blogroll on the right, as: FDA Answers to GCP Inquiries. That’s also where you will find the Scope and Application for Part 11 link to the FDA Guidance Document.

I would make a very strong recommendation that before you start converting paper files to electronic ones that you develop a standard operating procedure (SOP) for how you are going to do it. Your files are your story of how a clinical trial was conducted. You want to convert files the right way each and every time.

UPDATE 6 January 2011: Two Important New GCP Documents:

There is a Draft Guidance on Electronic Source Documentation in Clinical Investigations. The comment period is for 90 day (April 4, 2011 ?)

There is a new Final Rule on required elements of Informed Consent. You can read the Federal Register Announcement here that includes FDA comments in the preamble. The exact change in 21 CFR Part 50 is:

“Sec. 50.25 Elements of informed consent.

* * * * *
(c) When seeking informed consent for applicable clinical trials,
as defined in 42 U.S.C. 282(j)(1)(A), the following statement shall be
provided to each clinical trial subject in informed consent documents
and processes. This will notify the clinical trial subject that
clinical trial information has been or will be submitted for inclusion
in the clinical trial registry databank under paragraph (j) of section
402 of the Public Health Service Act. The statement is: “A description
of this clinical trial will be available on
http:[sol][sol], as required by U.S. Law. This
Web site will not include information that can identify you. At most,
the Web site will include a summary of the results. You can search this
Web site at any time.”

FDA Guidance on converting paper files to electronic

Do You Have a Topic for the Blog?

I was asked this question by one of the fine people who has become a Fan of the Blog. You can do so as well. Now Facebook gives you the option to “LIKE” the Blog instead of becoming a “Fan.” I think it makes sense. Anyway, visit the site on Facebook, it is a great way to ask a question or keep up with my experiences with volcanoes. By the way, I just had a trip to Europe cancelled because of some volcano. Oh well.

So I welcome your comments and suggestions. In fact, you don’t have to be a Fan to comment. You can do it by clicking on “Leave a Comment” just below!


GxP Perspectives LinkedIn Group

The Blog enters the world of movie reviews

May 11, 2009

When you are the author of an internationally famous Blog on FDA Stuff and you’ve had over 200 hits the past week, you know its time to take on Hollywood. I just saw Duplicity with Clive Owens and Julia Roberts at the Blue Mouse, the last single screen theater in the Northwest. Movies only play at the Blue Mouse after they’ve played everywhere else they possibly could. So if you want to see Duplicity you will probably have to wait to rent it.

When I first began working at FDA (a former employer), I answered the phone at the San Francisco District’s Consumer Affairs Office. One of my first calls was about a drug, now widely available, that would grow peach fuzz where men had grown bald. “When is it going to be approved?” the caller asked desperately. I soon learned that cures for baldness, along with weight loss gimmicks and impotence potions were very big business.

Which leads us to Duplicity. At first I thought it had been written by a computer geek obsessed with Part 11 of the FDA regulations on computerized records. There is a lot of security system hocus pocus that is pretty cool. Then, about three quarters through the movie, the plot thickens, so to speak. Anyway, when you want a fun, lightweight movie to rent, please consider Duplicity. It’s about industrial espionage and products that go bang in the night. Without FDA approval, I might add. I’ve added a link to the Duplicity website under the Blogroll. Have fun.

%d bloggers like this: