Comments Concerning the Implementation of 21 CFR Part 11

Introduction There currently is considerable controversy surrounding 21 CFR Part 11 with respect to the informal interpretations that have been presented by FDA personnel at industry conferences. The lack of a clear and consistent position by the FDA with respect to the regulation has placed many manufacturers in a difficult position with respect to compliance. Of particular concern on the part of these manufacturers is that compliance with the strict interpretation presented by individuals within the Agency may incur a considerable cost without commensurate benefit in terms of increased safety or enhanced product quality. These prescriptive interpretations are in conflict with the Part 11 Compliance Policy Guide (section 160.850) that defines a results based policy that stresses the “nature and extent” of the deviation and “effect on product quality and data integrity”. We have addressed some of these controversial questions in this correspondence. Electronic Records and Part 11 Applicability The definition of an electronic record includes any electronic data, however, when that data is subject to compliance with electronic record requirements can be interpreted in several ways. This interpretation is significant with respect to defining when audit trails and additional Part 11 controls are required. To be consistent with predicate regulations, the definition of an electronic record must be based on the intended use of the application and not based on definitions such as the method, media, or duration of storage or transmission techniques. Interpretations that attempt to individually prescribe solutions for differing scenarios of use will make the regulation impractical to implement. Failure to interpret Part 11 based on intended use by introducing new definitions such as “storage to durable medium”, “hybrid records”, “typewriter excuse”, “transient views”, etc., serves only to complicate the requirements of the regulation and subject them to rapid obsolescence. The following references from Part 11 provide the manufacturer with the responsibility to define the applicability of Part 11 to their quality system. a. Part 11 section 11.1 states: 11.1 (a) The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper. The regulation states how the manufacturer may elect to use electronic records and does not mandate compliance with all elements of Part 11 in every instance where computerized systems are used. Part 11 does not provide authority to the agency to redefine document control requirements of the predicate regulations (21 CFR 820, 21

Page 1 of 5

Comments Concerning the Implementation of 21 CFR Part 11 CFR 211, etc.) that have required document review and approval and change control but not audit trails of all changes made during document revisions. b. In addition, in the preamble of the Federal Register Volume 62, Number 54, of Thursday March 20, 1997, section III Comments on the Proposed rule, subelement I Effective Date/Grandfathering, fourth paragraph states the following: The agency emphasizes that these regulations do not require, but rather permit, the use of electronic records and electronic signatures. Firms not confident that their electronic systems meet the minimal requirements of these regulations are free to continue to use traditional signatures and paper documents to meet record keeping requirements. In accordance with this statement, the firm has the ability to control document drafts without audit trails for all changes and then to allow access to the same documents once approved in a controlled electronic environment that ensures the integrity of the document in an adequately validated system. c) The Compliance Policy Guide section 160.850 (Enforcement Policy: 21 CFR Part 11) states: Part 11 applies to all FDA program areas, but does not mandate electronic record keeping. Part 11 describes the technical and procedural requirements that must be met if a person chooses to maintain records electronically and use electronic signatures. Once again the emphasis is on the use of electronic records in place of paper records and not on the redefinition of record keeping requirements based on Part 11 interpretation. The ability to support changes to documents without maintaining the audit trail of all changes is certainly allowed under the predicate regulations as long as the change history is established. Electronic Record Definition The following are suggested clarifications to the definition of electronic records and the scope of when automated audit trails are required. 1. Manufacturers can define how electronic equipment is used to support the predicate regulations and therefore whether the data must be retained as an electronic record in support of the quality system or paper based record. All electronic equipment used in manufacturing need not be controlled in accordance with Part 11. 2. “Raw data” from an instrument that cannot be modified based on security and procedural controls need not have “secure, computer-generated time-stamped audit trail” (11.10(e)) functions implemented. Audit trails for these instruments can be established based on demonstrating the effectiveness of the security and procedural controls that prevent access to modification of run data. Audit trails for these systems can be established by demonstrating that each run generates a unique record that is archived as read-only data. Page 2 of 5

Comments Concerning the Implementation of 21 CFR Part 11

3. Even when a manufacturer is using electronic records, the applicability of audit trails requires clarification. Audit trails should be defined in two different categories: a) The first category is “raw data” that is captured by equipment or manually entered based on observed information and can be changed on-line requires all changes to the data to be tracked as “secure, computer-generated time-stamped audit trails” (11.10(e)). b) The second category is documents that are developed in word processing systems are subject to review and approval in accordance with document controls established in quality system regulations (21 CFR part 820, 21 CFR part 210/211, etc.). A revision history is required for these documents but not an audit trail for all changes made by any personnel throughout the life of the document such as for drafts and preliminary document versions. These documents have been formally reviewed prior to release. As such, these documents, when used as an electronic record, should include read only access to the documents on-line and manual controls to ensure that the versions provided on-line are accurate. 4. Data collected for assessment of machine performance and other quality system data not explicitly required by regulation, need not be controlled as electronic records if the data is only used to define potential corrective and/or preventive actions that are later subject to validation. 5. Monitoring systems that are used as the basis for real-time process adjustments must be validated. 6. Where automated systems have been validated and the results are controlled, incoming machine data and results of intermediate processing from the automated system need not be controlled as an electronic record. 7. Paper based output of a computer system is acceptable given validation has been conducted. If the process definition requires only summary data from the process, then only this data need be transferred (electronically or hard copy) to the target quality record. Issues Regarding Specific Articles of the Part 11 Regulation 11.10(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. ASCII files that can be exported must be acceptable for copying electronically or else potential copyright problems may arise. Unless the FDA standardizes on select applications that they use and therefore the format of data they need, it will be impossible to provide copies of all applications to the FDA. 11.10(c) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Page 3 of 5

Comments Concerning the Implementation of 21 CFR Part 11

This portion of the regulation is the one that has generated the most controversy. Where “raw data” is required by predicate regulations (21 CFR Part 58 Good Laboratory Practices) an audit trail is clearly necessary. Where documents are reviewed and approved separately (such as for on-line procedures), the electronic version need not include an audit trail for all changes made. The current regulatory requirement to provide a description of changes made to documents has been recognized as an acceptable practice and is compliant with the predicate regulation. (See previous discussion items regarding audit trails.) 11.30 Controls for open systems - Procedures and controls to ensure authenticity, integrity, and as appropriate, confidentiality. Include additional measures beyond 11.10 requirements such as document encryption and use of digital signature standards The prescribed controls for open systems are certainly reasonable. What is unreasonable is the interpretation that any system that provides access via the Internet is considered to be an open system. This interpretation is not consistent with the definition as provided in section 11.3 of the regulation. Access to an electronic record system via e-mail does not constitute an “open” system and is acceptable provided security controls are in place to restrict external access by unauthorized personnel. 11.50 Signature manifestations - Signed electronic records contain the following information associated with the signing: (1) Name (2) Date and time (3) Meaning (author, review, approval) This is certainly reasonable requirement; however, more prescriptive requirements such as that the time is local and that the time is to the nearest second are not appropriate or beneficial. 11.100 General requirements - Electronic signatures shall be unique and not reused or reassigned Not reused or reassigned should include a time period such as defined for record retention. Two years would seem to be adequate time to ensure that all operations associated with an ID can be conclusively identified to a unique owner. 11.300 Controls for identification codes/ passwords - Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management. Amplifying guidance is needed to clarify these requirements. Is a function that log-offs a user after three unsuccessful log-on attempts acceptable? When are reports to be sent to

Page 4 of 5

Comments Concerning the Implementation of 21 CFR Part 11 organizational management? Are there any other safeguards that would be expected from the agency? Summary The FDA’s publishing of new regulations in the recent past has been accompanied by significant amplifying guidance documents. These guidance documents have very effectively served to specify the implementation requirements. Part 11 requirements have been promulgated without accompanying guidance documents and industry is left to interpret according to inconsistent statements of a few FDA individuals. Guidance on Part 11 is essential to facilitate industry compliance. ASQ Biomedical Division as a professional society would like to assist in providing better information to industry and establishing consistent and reasonable guidance for implementation of this regulation. Please let us know how this service may be accomplished in conjunction with agency programs. We look forward to your feedback.

Page 5 of 5