Contrary to rumors, the FDA’s rules on electronic information and signatures, 21 Code of Federal Regulations Part 11, continues to be alive and enforced. Thankfully, however, the days of “validate everything” are gone.
QS-Based Part 11
With the FDA’s shift to a more cost-effective, risk-based compliance approach, Part 11 has transitioned from its earlier misplaced emphasis on technology to information integrity.
Defining the scope of what information falls under Part 11 begins with five broad categories of the quality system components:
- management controls
- device design control / drug or biologic development control
- production processes and controls
- laboratory controls
- corrective and preventative action (CAPA)
Typical records that might be included are standard operating procedures (SOPs), production documents, log books, laboratory notebooks, change control, quality control trend results, complaint records, and so on. For Part 11 compliance, consider only those records that are created, used, maintained and archived in electronic (i.e., digital) format.
Inventory Information
Under previous interpretations of a technology-focused Part 11, validation teams immediately began to inventory and evaluate a company’s technology equipment, from computer hardware to software.
With my lean Part 11 compliance consulting work, I recommend clients inventory their records first—this will immediately exclude any equipment not involved in the creation, use, maintenance and archival of electronic records associated with your quality system.
Once the electronic records that fall under the Quality System Regulations (QSRs), Good Manufacturing (GMP), Clinical (GCP) or Laboratory (GLP) Practices have been identified, then it is time to inventory your company’s computer equipment…but only that equipment that is utilized to create, use, maintain and store such information.
Information about Information
Known in information technology and e-discovery circles as “metadata,” information about information is crucial to providing context for electronic information.
A typical example I discuss with my clients is lab test results. In a non-computer environment, the scientist’s laboratory notebook would include the date the test was run, the time periods involved, who was involved, what the overall process was, the materials (such as chemicals) used, and the results, such as a print-out pasted into the notebook.
When a test is run and captured in digital format, there is no lab notebook in which to paste the results, and so forth. Therefore, all of the information about the results must also be captured (or somehow directly referenced) with the test results—who was involved, who ran the test, who reviewed the results, who reviewed the protocol, the protocol itself, and so on.
From the standpoint of Part 11, this means that not only is the electronic record itself important, but so is any contextual data (when it was last modified, by whom, etc.). For documents like SOPs or batch records, this is usually fairly straightforward. When a database is involved, complexity, risk and costs increase. In such situations, using risk assessment to prioritize next steps is a logical approach.
Evaluations and Next Steps
Once a firm has identified its regulated records, and then identified the relevant systems upon which those electronic records rely, someone needs to conduct a gap analysis.
In the past, such assessments focused on specific technological controls like security, a system’s status as open versus closed, and so forth. Given recent discussions with FDA officials, it is clear that emphasis is now on the integrity of electronic information. Technology is merely a means to an end.
As such, I take a contrarian approach to previous industry interpretations and counsel my clients to focus first on the risks to their information integrity. Just as one might evaluate hazards and risks involved in a firm’s production processes to determine controls, so can one identify risks to information and determine which risks to mitigate or eliminate. This is where independent expertise in important to minimize mistakes and surprises.
It is important to remember that risk controls do not necessarily need to be automated, but can be procedural (for instance, a common control to minimize virus protection is only granting internet access to a new employee after he or she has gone through some level of internet security and safety training).
Pitfalls
In helping my clients learn from previous attempts at Part 11 & Annex 11 compliance, I have seen four hurdles companies can face:
1. Misinterpretation
Sadly, the earlier, overzealous interpretations of Part 11 sometimes become entrenched in an organization, preventing it from moving forward cost-effectively. Meet with teams to clarify understandings, expectations and priorities. For firms where this entrenchment is evident, consider regular “check-ins” and “pulse checks” with any project teams, or hire a Part 11 expert to conduct a corporate workshop on current FDA expectations.
2. Miscommunication
Team meetings can also surface underlying assumptions before they turn into costly mistakes. As a single example, recognize that Part 11’s “validation” is very different from “validation” as understood by computer engineers and technicians.
3. Silver Bullets
Typically the result of an IT executive eager to “get rid of” what he or she sees as the distraction of compliance; one size fits all solutions simply do not exist. This is a significant section of my corporate workshop on IT in effective compliance because their is such a disconnect between what IT vendors try to sell versus what can actually be achieved.
4. Archival Missteps
The fourth common problem is the migration to final resting status of electronic records contained in a database, with a loss in either the metadata or the linkages providing context. If you fear you may already have this issue, or want to prevent this very costly mistake, work with an independent expert to put in place a program of controls, risk assessments, triggers and proactive tactics.
Final Thoughts
No executive has ever been in trouble with the FDA as a result of computer tool problems or sloppy network configurations, but plenty of executives have bowed their heads in resigned frustration as inspectors explained the lack of control the company has over its electronic information and integrity. If you expect to rely upon electronic information, focus on controlling it.
Are you ready?
Adapted from an article published in SmarterCompliance 1(8), August 2007