I was at the Medical Device Manufacturing conference in Anaheim when word began to spread through the exhibit floor regarding this announcement. But after carefully reading the new guidance this morning, it is clear that FDA is not abandoning its concern about use of computer systems. I say this for three reasons:
- Even though FDA withdrew Part 11 guidance regarding validation, validation of computer systems is still a requirement under predicate rules (e.g. 21 CFR Part 210, 211, and 820). Validation was a requirement even before Part 11 was originally promulgated.
- FDA stated clearly that it will continue enforcement of certain controls for closed systems (11.10) and open systems (11.30), such as limiting access, operational checks, authority checks, device checks, and administrative/procedural controls.
- FDA stated it would continue to enforce all of the Part 11 requirements for electronic signatures. Nearly no legacy system meets these requirements without remediation or adoption of a hybrid system of handwritten signatures executed to electronic records.
As I wrote earlier this month, FDA is not abandoning its interest in regulating use of electronic records and electronic signatures. Regulated companies should continue to implement the administrative and procedural controls called for by Part 11, since for the most part they are not difficult to implement, and they represent best security practices that will increase the trustworthiness and reliability of any system. Vendors of packaged software (such as ERP, PDM, document management, and quality assurance systems) that are working on adding technical controls required by Part 11 should continue their efforts. Nevertheless, FDA’s announcement gives both users and software vendors some breathing space to implement proper controls over electronic records and signatures, with hope of a more well-defined risk-based approach to Part 11 to come in the future.