Wednesday, February 05, 2003

FDA signals change in approach to Part 11

Last week, FDA announced that it is withdrawing its draft guidance regarding the electronic copies requirements of 21 CFR Part 11. This is good news for all companies regulated by FDA. When FDA first issued this draft guidance less than three months ago, it was clear to me that if something wasn’t changed it was going to be nearly impossible to implement. For example, the guidance called for companies to provide FDA with capabilities to "perform the same kinds of data processing" on the electronic copies that the company’s own system allows on the original records. Other consultants I’ve spoken to had basically the same reaction. So, withdrawal of this guidance is welcome.

There are hints that FDA soon may be making more changes to its approach to Part 11. FDA made this announcement in the context of the initiative it began last August to update its current good manufacturing practice (cGMP) program to a more risk-based approach. In this context, FDA indicates that the withdrawn guidance on Part 11 "may no longer represent FDA’s approach under the CGMP initiative." Furthermore, FDA announced that main responsibility for implementing Part 11 is shifting from the Office of Regulatory Affairs to the Center for Drug Evaluation and Research (CDER), the FDA center that regulates drugs.

The implications of FDA’s announcement are a) that a more risk-based approach to Part 11 may be forthcoming, something that practitioners have been calling for since Part 11 was first promulgated, and b) that Part 11 should be applied on an industry-specific basis, by those who best understand industry issues and risks. Although CDER will take the lead in implementing Part 11, it would seem likely that inspection to Part 11 would take place by investigators from each FDA Center.

Companies struggling with Part 11 compliance should view FDA’s announcement and its implications as providing some breathing space--not as an abandonment of FDA’s interest in regulating use of electronic records and electronic signatures. Regulated companies should continue to implement the administrative and procedural controls called for by Part 11, since for the most part they are not difficult to implement, and they represent best security practices that will increase the trustworthiness and reliability of any system. Vendors of packaged software (such as ERP, PDM, document management, and quality assurance systems) that are working on adding technical controls required by Part 11 should continue their efforts. Nevertheless, FDA’s announcement may indicate that both users and vendors may be able to deal with Part 11 with less uncertainty than in the past.

For more discussion on Part 11 and its implications for users and vendors, see the posts I wrote in October, November, and December of last year.