25 Years of CFR Part 11

After being enacted on August 20, 1997, the regulation which determines the validation and compliance of electronic systems continues to grow in importance.

Since the FDA’s 21 CFR Part 11 (1) rules on the management and usage of electronic records and signatures for pharmaceuticals and medical devices companies were first published in 1997, computer systems and their features and capabilities have advanced exponentially. However, the purpose of 21 CFR Part 11 remains hugely relevant and has continued to grow in importance over the last 25 years as more life sciences companies employ new technological solutions to streamline their research, manufacturing, and validation work.

In this article, we examine 21 CFR Part 11 and discover:

• Why the regulation was introduced by the FDA

• History and industry concerns

• The regulation’s goals

• Its contribution to compliance

• Why it is more important than ever today

Why did the FDA introduce 21 CFR Part 11?

The origins of 21 CFR Part 11 stemmed from the FDA’s belief in the early 1990’s that the pervasiveness of new data technologies in regulated industries would inevitably lead to the universal use of electronic records and signatures and as such, would require comprehensive guidance, regulation, and oversight.

The FDA started its work on 21 CFR Part 11 in 1992 in collaboration with regulated industries and in response to a request for clarity and guidance on the use of electronic records and e-signatures by companies. These businesses wanted to leverage new and emerging technologies to boost efficiencies in their work and reduce or eradicate the requirement for paper records and wet signatures.

The history of CFR Part 11 

• 1991: the FDA establishes a task force to develop a consistent approach to accepting electronic records and signatures for all regulated activities
• 1992 (February): publication of Advance Notice of Proposed Rulemaking (ANPRM) recommended
• 1992 (July): publication of ANPRM
• 1994: FDA publishes proposed rule in the Federal Register
• 1997 (March): 21 CFR Part 11 Final Rule published by the FDA
• 1997 (August): Part 11 enacted
• 1999:Compliance Policy Guide (CPG) published & five guidance documents drafted by FDA
• 2002: “Pharmaceutical cGMPs for the 21st Century –A Risk-based Approach” initiative announced by FDA
• 2003 (February): FDA revokes CPG 7153.17, the enforcement policy, and Part 11 guidance documents
• 2003 (September): “Part 11, Electronic Records, Electronic Signatures –Scope and Application” industry guidance published by the FDA
• 2010: FDA declares intent to carry out inspections concentrating on 21 CFR Part 11 requirements relating to human drugs 
• You can view the most up-to-date version of Title 21 CFR Part 11 via the new electronic Code of Federal Regulations (eCFR).

Industry Concerns

The enactment of 21 CFR Part 11 in August 1997 was somewhat overshadowed by uncertainty and confusion among companies regarding its scope and enforcement. Industry concerns noted by the FDA at that time were that some of the interpretations of the Part 11 requirements would:

“(1) unnecessarily restrict the use of electronic technology in a manner that is inconsistent with FDA’s stated intent in issuing the rule, (2) significantly increase the costs of compliance to an extent that was not contemplated at the time the rule was drafted, and (3) discourage innovation and technological advances without providing a significant public health benefit.”(2)

These concerns were raised particularly in the areas of Part 11 requirements for validation, audit trails, record retention, record copying, and legacy systems. The FDA’s subsequent publication of “Part 11, Electronic Records, Electronic Signatures –Scope and Application” in September 2003 (3) was intended to address these concerns and clarify how the regulation should be implemented and how it would be enforced. However, there were objections from those within industry that the 2003 guidance contradicted some requirements in the 1997 Final Rule.

As a result of these concerns, the FDA stated in its introduction to the 2003 guidance that it will “execute enforcement discretion with respect to certain part 11 requirements.”(4) Because the FDA has not clarified this statement further some confusion persists today as to exactly what is required to attain compliance with the regulation.

The Regulation’s Goals

The regulation defines key areas of system validation and data management that the FDA views as having the highest likelihood of failure, leading to data misappropriation. Its primary goal is to foster safe, validated, computer systems for research, clinical study, maintenance, manufacturing, and distribution of medical products.

21 CFR Part 11 was premised on the FDA’s motivation to help life sciences companies with both their evolving data management needs and with the implementation of good business practices. The benefits include: 

• protection and retrieval of electronic records
• operational consistency
• improved productivity and efficiency through automation
• minimization or elimination of paper documentation management
• faster data-related searches
• trending
• electronic submissions to the FDA

Digitalizing Your CSV Lifecycle

21 CFR Part 11 also requires that all critical computer systems used for the manufacturing, storage, or testing of a drug product be validated and maintained in a validated state throughout the computer system’s lifecycle. It is mandated by FDA 21 CFR 11.10(a)5 for electronic data management systems: “Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.”

Watch our on-demand webinar to see for yourself how our SaaS validation platform, Kneat Gx, allows you to digitalize and manage computer system validation across the lifecycle of any system—starting with requirements and critical process parameters—through to Validation Final Reports in one easy-to-use application.

This webinar also examines the CSV landscape, including what we know so far about the FDA’s revolutionary guidance on CSV, called Computer Software Assurance (CSA) and how Kneat is your jumpstart to implementing it. You’ll also hear from Kathianne Ross, Manager of IT Compliance for Fujirebio Diagnostics Inc., on how her company transformed its CSV approach.

WATCH NOW

What Has Been 21 CFR Part 11’s Contribution to Compliance?

Compliance with FDA regulations is a market requirement for the life sciences industry. It is the responsibility of the organization itself to ensure that it follows the regulation. Failure to comply can be very expensive—and can lead to product recalls, and even criminal penalties.

As Life sciences manufacturers continue to seek efficiencies in processes through computer systems, demand to install and maintain an array of increasingly complex computer systems and software grows, as does their risk profile. Part 11 helps companies to avoid non-compliance by setting out broad definitions and rules, supported by extensive guidance.

For example, 21 CFR Part 11, s.11.3 defines “electronic record” to mean; “any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.”(6)

It is important to note that this broad definition means that even companies using paper-based validation processes must nevertheless comply with 21 CFR Part 11, if their current system involves scanning and uploading any document to a server.

21 CFR Part 11’s contribution to compliance benefits all life sciences stakeholders—regulators, companies, patients, and consumers—in many ways:

• Regulators are empowered to provide oversight and audit with confidence. Part 11 ensures the inspect-ability of electronic records and that they are available for the prescribed detention period.
• Companies are enabled to leverage technology safely allowing them to keep competitive and enable profitable growth. Required systems and processes result in better process control, transfer of information, data integrity, and less data-related errors. Companies that make the move to paperless systems benefit from standardization and increased efficiencies and productivity.
• Patients benefit from faster innovations enabled by digitalization and faster data analysis.
• Consumer confidence is instilled and promoted through the preservation of data integrity.

Why 21 CFR 11 Is More Important Than Ever Today

CFR Part 11 continues to grow in importance and relevance for the life science sector today. Three key influencers are: the Pharma 4.0™ initiative; workplace restrictions brought on by the global pandemic; and the ongoing digital revolution in manufacturing.

Pharma 4.0

Technological advances in the industry have accelerated rapidly in recent years, driven in part by thought leaders like the International Society for Pharmaceutical Engineering’s (ISPE®) whose Pharma 4.0 (7) initiative, aims “To enable organizations involved in the product life cycle to leverage the full potential of digitalization to provide faster innovations for the benefit of patients.” 

Workplace Restrictions

Ongoing workplace restrictions imposed by COVID-19 over the last three years have also amplified the need for new technology-enabled solutions to enable online collaboration and drive efficiency among multidisciplinary remote teams.

Manufacturing

Traditionally the life sciences industry has been cautious in its approach to employ digital solutions to improve manufacturing. However, manufacturers are now digitalizing at a rapid rate, in response to growing challenges—including globalization, supply chain complexity, price and cost pressure, and personalized medicine (8). 21 CFR 11 helps manufacturers to plan and digitalize with confidence and provides a clear and compliant pathway to future-proofing their businesses.

Final thoughts

The birth of the FDA’s 21 CFR Part 11 in 1997 changed the dynamic of data and records management in the life sciences industry forever, by initiating a transformation toward modernized technology that continues to gather pace today.

And the FDA continues to innovate in this domain with its novel approach to CSV—Computer Software Assurance(CSA)—which represents a step-change in computer system validation, placing a risk-based approach and critical thinking at the center of the CSV process, as opposed to a traditional almost “one size fits all” approach.

The FDA’s 2022 guidance on CSA aims to reduce the burden of CSV, improve quality, remove non-value-added activities, and focus testing on high-risk areas only. It is eagerly awaited by validation professionals and will result in a re-boot of quality best-practice. 

Manage your validation needs with compliance confidence

Here are five key areas for consideration that you should look for in a software vendor to ensure that it is 21 CFR Part 11 compliant: 

• Security controls for user identification—Part 11 compliant systems must have password and security features that limit user access and their privileges. 
• Ability to generate accurate and complete copies of records.
• Detailed audit trail—When regulators arrive for inspections, you will need to provide a time-stamped chronological record of all operations, an audit trail. The software you use must be capable of keeping a daily record of all initiated functions.
• Electronic signatures—A Part 11 compliant system must be able to assign unique electronic signatures to each user, legally equivalent to a binding signature.
• Training resulting in minimum qualifications for staff who develop, maintain, or use electronic record and electronic signature systems.

Our SaaS validation platform, Kneat Gx, ticks all the above boxes and is complemented by Kneat Academy, which delivers certified training for all validation and quality professionals using our Kneat Gx platform.

Kneat Gx is 21 CFR Part 11 compliant and is trusted by Engineers to help them perform their work effectively, releasing them from paper, by Managers to create, maintain and manage best practice processes, by Validation and Quality Directors to oversee quality and satisfy compliance, and by CIOs to help deliver digital transformation.

Learn more in our
21 CFR 11 Fact Sheet

Download our “21 CFR 11 Fact Sheet” to better understand
this key regulation and how Kneat ensures compliance. 

Read Now

References

1. [https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=11]
2. [https://www.fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application#ii]
3. [https://www.fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application#ii]
4. [https://www.fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application]
5. [https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11]
6. [https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?fr=11.3]
7. [https://ispe.org/initiatives/pharma-4.0]
8. [https://www.strategyand.pwc.com/gx/en/insights/2016/digitization-in-pharma.html]