Friday, February 21, 2003

FDA drops the other shoe on Part 11

FDA has just announced that it is issuing a single new draft guidance document for 21 CFR Part 11, and it is withdrawing all prior agency draft guidance on Part 11. In its announcement, FDA stated clearly that a re-examination of Part 11 is already underway that may result in revision of Part 11 itself. FDA also indicated that for the time being it will "not normally take regulatory action to enforce Part 11 with regard to systems that were operational before August 20, 1997. . . while we are examining Part 11." In other words, for now, legacy systems are grand-fathered. Furthermore, FDA indicated specific concerns over some Part 11 requirements for validation, audit trails, record retention, and record copying.

I was at the Medical Device Manufacturing conference in Anaheim when word began to spread through the exhibit floor regarding this announcement. But after carefully reading the new guidance this morning, it is clear that FDA is not abandoning its concern about use of computer systems. I say this for three reasons:
  1. Even though FDA withdrew Part 11 guidance regarding validation, validation of computer systems is still a requirement under predicate rules (e.g. 21 CFR Part 210, 211, and 820). Validation was a requirement even before Part 11 was originally promulgated.

  2. FDA stated clearly that it will continue enforcement of certain controls for closed systems (11.10) and open systems (11.30), such as limiting access, operational checks, authority checks, device checks, and administrative/procedural controls.

  3. FDA stated it would continue to enforce all of the Part 11 requirements for electronic signatures. Nearly no legacy system meets these requirements without remediation or adoption of a hybrid system of handwritten signatures executed to electronic records.

As I wrote earlier this month, FDA is not abandoning its interest in regulating use of electronic records and electronic signatures. Regulated companies should continue to implement the administrative and procedural controls called for by Part 11, since for the most part they are not difficult to implement, and they represent best security practices that will increase the trustworthiness and reliability of any system. Vendors of packaged software (such as ERP, PDM, document management, and quality assurance systems) that are working on adding technical controls required by Part 11 should continue their efforts. Nevertheless, FDA’s announcement gives both users and software vendors some breathing space to implement proper controls over electronic records and signatures, with hope of a more well-defined risk-based approach to Part 11 to come in the future.