21 CFR Part 11 Update

The risk-based revolution in IT

By: Kristin Brooks

Managing Editor, Contract Pharma


It’s been seven years since the FDA made its initial attempt to bring drug submissions into the information age. At one point, many in Pharma and Biopharma thought they were facing a computer crisis of nearly Y2K proportions, but subsequent clarifications and the August 2003 Guidance have assuaged many fears about the extent of compliance. Since the initial 21 CFR Part 11 ruling, the FDA has adopted a risk-based approach to compliance, which has definitely had an impact on how Part 11 has been interpreted. The Guidance is an effort by the FDA to narrow interpretations and return to the fundamentals (the predicate rules, that is) for generating electronic records and electronic signatures.

So how has the industry responded? The FDA’s risk-based approach seems to have become the pathway to Part 11 compliance. Although Part 11 continues to demand a big investment of time and resources, it now comes down to identification and remediation of vulnerable systems, not an overhaul of every process. Conceivably 21 CFR Part 11 compliance is not so daunting after all.

Risk-Based Approach
The industry has been largely concentrating on a risk-based approach to Part 11, which involves identifying risks of system-generated electronic records as they relate to consumer safety and the remediation of those risks, as well as documentation of the assessment. The risk-based approach is intended to help companies determine both how long to retain records and which records are most important. A system is considered to be high risk if it generates electronic records with greater impact on product quality and consumer safety. Thus the key element of this approach is that critical electronic records (but not all electronic records) must be identified. Naturally, this has made Part 11 compliance more feasible and has given companies a starting point for their validation strategies. Risk management within the scope of Part 11 is also significant; this repetitive process is designed to optimize the benefit-risk balance for regulated products. In particular, the risk-based approach allows companies to examine their processes and the electronic records generated, and as a result to implement controls to reduce or minimize risk.

In order to achieve the appropriate controls for risk assessment, firms need to define electronic records established by predicate rules and rank the criticality of the process, thus shifting the focus to high-impact processes and records. These high-impact records are ones associated with quality decisions, batch records, lab test results and clinical results, all of which affect product quality. Low-impact records include environmental monitoring systems, word processing for SOPs (standard operating procedures) and the following records: operator training, instrument qualification and instrument calibration. On the whole, the factors involved in a risk assessment are probability, impact and detection.

Validation and audit trail are areas requiring particular attention. Validation of computerized systems is required if the system can potentially affect product quality, safety and the integrity of Part 11 records. Validation includes all components of a system, software, hardware and documentation, and is a continuous process. Accordingly, this is an area of major concern addressed in the Guidance, where a broad interpretation of Part 11 led to “over-validation” or in some cases a retreat from electronic documents altogether, ultimately impeding FDA intentions. With risk assessment, it becomes a matter of determining whether or not a system needs to be validated, and if it does, to what extent it needs to be tested. Extensive testing may not be required.

Audit trails are designed to ensure data integrity, reliability of records such as date, time and sequence of events, and to support validation. Therefore procedural security measures are particularly important where regulated records are created, modified or deleted.

Essentially, the FDA is looking to see that a company has performed a risk assessment and has a documented plan in place to remediate risks. According to one industry expert, “You don’t see a ton of enforcement. As long as companies have some logical interpretation of the Guidance and are following basic constituents of Part 11, until we see some evidence otherwise, they’re going to be in good shape.” While the FDA will use enforcement discretion, the expert said, systems must still be validated under the predicate rules.

One provider said, “A good rule of thumb remains this: If you can imagine explaining your program with a straight face to an FDA inspector, you are probably okay. If the idea of explaining your program to a living, breathing FDA inspector makes you squirm, then you probably have some work to do!” Notably, if a company hasn’t done a risk assessment or documented anything about its data, then the FDA considers all records to be critical.

Response to the Guidance
For many, the recent Guidance proved a much-needed reprieve from the stringent Part 11 requirements. Initially, many companies within the regulated industry struggled, uncertain of how to implement the Part 11 rules. For some, the Guidance merely points out the obvious, while others feel there are still gray areas that need to be addressed.

Prior to the issuance of the Guidance, some more conservative companies attempted to implement a general level of validation for all systems, a time-consuming and costly venture from which the benefit of consumer safety wasn’t apparent. In some cases, this broad interpretation of Part 11 forced companies to continue using paper-based systems. With the issuance of the Guidance in August of 2003, coupled with the risk-based approach proposed by the FDA, companies are now able to adjust the extent to which Part 11 applies. “With the Guidance, the FDA has given the industry more flexibility to determine which systems need to be validated and the extent of validation required. For example, a vision inspection system on a pharmaceutical manufacturing system would require a much more robust validation effort than a system that stores training records. A caveat here is that, for any system where regulated data exists in electronic form, organizations must document their justification for the level of validation, even in cases where a determination is made that validation is not necessary,” said Robert J. Finamore, senior validation manager, CSSC, Inc.

At one point, some companies in the industry were considering programming, such as program logic control (PLC), to be electronic records. One provider gave this example, “What happens if the operator has to put different control parameters into the PLC? Let’s say I’m making a tablet formulation and I have 200 lbs. or 200 kilos of the different things that go into it and now I have to tell the system I’m making a batch that’s 200 kilos big, of course I could also make a batch that’s 300 kilos, and based on those numbers the system works differently. Well, who entered those numbers? Companies construed this as meaning, we have to put in that kind of Part 11 security right at the operating station and the FDA said, ‘No, that’s not what we mean by Part 11’. That got eliminated.”

Hybrid systems have proven to be an intermediary solution to the Part 11 rules for some companies following the Guidance. A hybrid system is defined as an environment consisting of both electronic and paper-based records. An example would be a system-generated electronic record that is printed out and signed by hand. The original rules stated that electronic records would have to replace paper-based records entirely. This issue has since been clarified in the Guidance. In fact, in order to resolve some of the implementation issues associated with Part 11 compliance, some providers recommend the use of hybrid systems.

According to one industry source, “Things are pretty clear as they are right now. The Guidance hasn’t brought any additional clarity for me. The basic requirements of Part 11—authenticity, audit trails, protection of electronic records—these are all things that are, first of all, good business sense and are things we would want to do as a company anyway. They’re things that I would argue are supported in the regulations already.” The predicate regulations—21 CFR 210, 211—also require secure records, record integrity and record retention, and isn’t Part 11 really just an extension of that? The source contended, “As a laboratory, I don’t think that anything has really changed. I think Part 11 is a good thing and the criteria for it have been pretty clear all along.”

Indeed, the Guidance has helped the industry focus on the critical issues, but gray areas remain. “Clearly there’s a lot of interpretation that comes out of the Guidance; things are just not specific and companies are still spending a great deal of time trying to figure those things out,” said one provider. “In many ways the FDA has said, ‘We want you to have electronic record integrity, but how you get there is up to you. However, you’d better be able to explain your process and it better work,’” another source remarked. Previously, the FDA seemed more focused on the process of how to attain electronic record integrity. Furthermore, the FDA Guidance is not legally binding and, even though the FDA uses “enforcement discretion,” there’s nothing legally that prevents them from enforcing it. Needless to say, more clarification is expected, and that hasn’t come about thus far, which has led to frustration within the industry.

Software and training providers have adapted to the new landscape by putting things back into perspective, concentrating on and defining for clients the areas of great importance. Providers educate clients in terms of having a risk assessment and determine which processes have critical functionalities within different pieces of software. Also, providers work with vendors and the entire supply chain to strive for Part 11 compliance. One industry source said, “We make sure the software controls what’s going on, consistent with FDA inspections. These inspections are focused on quality systems and fundamental ways to control processes around problem management, deviation management, root cause analysis, corrective actions and preventive actions. Next, they want to see that these changes that were implemented did effectively eliminate the root cause of problems.”

What is the FDA’s approach to GxP? One provider answered, “Enlightened common sense! The FDA is trusting industry to do this properly. This represents a tremendous opportunity for industry to make this work for the business, but it is also a threat in that, if industry drops the ball, the FDA might intervene in a punitive way and set harsh rules again.”

Another provider commented, “The FDA’s new approach to cGMP-regulated industry is also centered on risk assessment: identify systems involved in producing cGMP products or data to support these products, identify non-compliant systems, and rank criticality of each system. Then, perform remediation of each system in the proper order.” This is clearly stated in the FDA’s Pharmaceutical cGMPs for the 21st Century report, issued September 2004. The cGMP initiative also adopts a risk-based approach and, based on this initiative, the FDA is looking to establish a risk-based model to help determine where inspections would prove most beneficial to public health. “I would say the FDA is taking a more streamlined approach to compliance and trying to focus on the highest risk areas. This is seen in the Quality System Inspection Technique adopted a few years ago in which the FDA will focus on key quality systems of an organization during an audit rather than doing a broad assessment,” another source contended.

Challenges
Several industry sources feel that the challenges aren’t much different today. One provider said, “Part 11 is still a big investment of time and money and you hope the investment pays off. I’m sure that it does for us insofar as it means that our records are electronic, which allows information to be retrieved quicker, stored in a more compact fashion, and be searchable.” The main challenge is determining what systems Part 11 applies to. Previously the industry approached everything as being relevant to Part 11; with the new Guidance the scope has narrowed. Another source said, “I think it’s important that companies are determining where it applies, and where it applies really nothing has changed. So the challenges continue to be the same at that scope.”

But now that we know what to do, how do we do it? According to one provider, “I think the critical issue is to do a proper risk assessment in the first place. Once a system has been identified for remediation, the road to Part 11 compliance should follow a predefined set of procedures to bring the system into compliance.” Another source commented, “Using risk assessment to determine where certain parts of controls are required is a challenge. How do you approach risk assessment in regards to section requirements? There’s a learning curve involved in terms of how to do that.”

Server design and systems that maintain audit trails continue to be a challenge. Audit trails, and the logs that get created, tend to grow very quickly, and it becomes difficult to create systems that maintain such extensive amounts of information. Some feel the Guidance doesn’t lend itself towards maintaining systems of reasonable size. Moreover, it is unclear how to determine what records can be deleted over time and how to document the decisions around that. Additionally, there are concerns about how long records should be kept and how to go about assessing the relative risk levels associated with those records. “If you were to lose a record after X amount of time, how would that impact the safety and efficacy of the product? Broadly speaking, the more key to product safety and efficacy the electronic record, the longer you should keep it and the higher its threshold for absolute record integrity,” one source said.

Still, the overall challenge is the responsibility of regulated organizations to interpret the Guidance and justify their reasoning. This is a cause of much frustration within the industry. Although the Guidance has narrowed, it remains a “wait-and-see” period until the Part 11 rules are amended.

IT Issues
So how do organizations approach these challenges? There are a range of IT issues from the laboratory standpoint. “One challenge is to be able to choose vendors and put pressure on vendors to supply data acquisition systems that are Part 11 compliant. Key components to look for in software are audit trail, authentication and validation. If we can get that from our vendors, we can put the rest of the controls necessary to meet Part 11 compliance in our environment. We have developed laboratory information management systems (LIMS) in house, within which we conduct most of our laboratory business: acquire data, produce reports and produce electronic deliverable data. Furthermore, we provide audit trail capability with our information system so if data is edited we know who, what, when, where, and why the data was edited,” the provider mentioned.

Data security and data integrity remain critical IT issues. After all, these Part 11 electronic records are replacing paper records, and electronic data can be pretty vulnerable. Putting controls and safeguards around the electronic data can be complicated. It’s become an IT function in terms of generating backups, rotating them and developing redundant hardware. As a result, IT infrastructure has grown and adapted to become Part 11 compliant. In terms of qualification, applications are often validated and Part 11 is considered in terms of infrastructure and the network; qualifying the network and ensuring that the infrastructure is compliant can be difficult.

Also, record retention (with respect to server design) and systems that maintain audit trails continue to be a challenge. It has proven difficult to create systems that maintain extensive amounts of information. In many cases IT is unaware of the attendant issues such as the security and GxP system requirements. In the past IT dealt with enterprise systems. According to one provider, the industry is taking the following approach with the FDA: “They’re saying, ‘Let’s wait until the IT and computer industries reach a point where they’re mature enough to support us. We’ll work with the IT suppliers to ensure that we’re meeting the regulations, but you have to give us discretion while they put together systems, networks, and applications that will be useful to us.’”

Changes Within the Industry
Big Pharma, Small Pharma, contract manufacturers, how do their Part 11 IT needs differ? One industry source said, “I don’t think they do differ. The regulations apply to the products that you’re making, either for your own company or on behalf of another company. There are certainly processes or systems that fall within the scope of Part 11 that would apply to all of them.” According to industry sources, the compliance challenge for Big and Small Pharma balances out. Big Pharma has the resources but Small Pharma can make decisions more quickly and implement their interpretations with something that works for them.

“From that point of view, sometimes smaller companies are ahead of the game in terms of implementation,” said another provider. As for contract manufacturers, it can be tricky. CMOs that deal with pharmaceutical companies have their own interpretations of the Guidance. “For example, a CMO stores records in its own system which have been signed using digitized signature capture (i.e., handwritten signature executed to an electronic record). This data is passed on to a client using a secure interface that involves passing the records in one file and the signature images in another. Both files are encrypted during transfer and are logically linked (e.g., via a hash value). Although it is not possible to positively preclude that the signatures can be separated from their associated records, Customer A finds the risk small enough to be acceptable for compliance with 11.70. Client B, on the other hand, may find this interface unacceptable because of the ‘physical’ division of the files and the potential for separation of signature from the record. Therefore, the CMO must design a second interface (possibly an XML feed that contains both the records and signature images) to accommodate the needs of Client B,” one provider explained.

“Although it’s clearly in the best interest of CMOs to understand Part 11 and the risk-based approach, and to treat their IT and manufacturing systems and data storage in a like manner,” one provider said, “they just don’t have the requirements that would bring the FDA into their facility to review them.” In that respect, the source further argued, GxP and Part 11 don’t apply to CMOs unless they put these requirements upon themselves. CMOs that work in a GxP environment per their agreements with their customers do in fact have these same issues, but they are secondary, some feel.

A change some providers have seen recently is that larger pharmaceutical companies are becoming more confident in their ability to build Part 11 proficiency internally. They are seeking out CMOs based on Part 11 compliance and disqualifying those based on failure to comply. In turn, CMOs require their vendors to address Part 11 issues. This has led to a “trickle-down” effect within the industry. One source commented, “From a regulatory standpoint, it’s the pharmaceutical companies that possess the ultimate risk and therefore require the supply chain to be squared away.”

Another development seen in recent years is the growth and improvement of education on the topic of 21 CFR Part 11 and the Guidance, and the software to sustain it. Seminars are copious and available throughout the industry. Fear of Part 11 has subsided; the focus today is on core quality systems and the validation surrounding those systems, an area the FDA is looking at more closely. There has been a shift in focus from Part 11 to GxP requirements; implementing Part 11 has been the result. “What we’ve seen is that our customer base has come back to the core things they need to be spending time on. First, to have systems in place that are meeting GxP requirements and, ‘Oh yes, by the way, it needs to be Part 11 compliant.’ Whereas early on the first thing they thought about was Part 11 and the other issues came second. So things are back in perspective,” said one provider.

Software is available today that meets many, if not all, FDA requirements regarding electronic records and processes. For example, Sparta Systems’ TrackWise (see Fig. 1, page 101) is a compliance and quality management system designed to be a single repository for managing quality and regulatory issues, having a workflow process that needs to be followed. The software also has a reporting/search component and accesses a centralized database management system. “It enables companies to integrate all types of quality issues as well as any resulting corrective and preventive action or possible change control. At the same time companies can also define security to reflect their organizational structure,” said Steven R. Cagle, manager, operations, Sparta Systems, Inc.

Overall, the most significant change seen in the industry is a narrower interpretation of Part 11 regulations per the Guidance, allowing companies more flexibility in their approach to Part 11 compliance. Also, the industry and the FDA are working together successfully, according to one source, not only in the U.S. but in Europe and Japan as well. The FDA has taken an initiative to establish a commonality with foreign regulation for companies doing business on a multi-national level. One source said, “The FDA is focusing on a number of activities in Europe and Japan harmonizing our regulations with theirs and coming up with a commonality—let’s call it ‘GMPs,’ that are applicable to a U.S. company making a product for Europe, or a company in Europe that’s making a product for Japan and a company in Japan that’s making a product for the U.S., Japan and Europe. By putting us all on an equivalent basis as far as plant performance, for example, we can then manage the quality and validation and control those activities.”

The Benefits of 21 CFR Part 11
Part 11 allows electronic records to be created and stored electronically, which results in lower archival cost, faster retrieval of data, and dissemination of data across the enterprise. More significant than the financial benefit of electronic records is the control that results from the use of Part 11 systems and the documentation that is essential for implementing changes. One industry source commented, “We see many people taking a smart, pragmatic, business-case approach. There’s a sense among many life science firms that Part 11 compliance represents an opportunity to significantly improve operations. Part 11 compliance programs can make businesses more efficient and help in areas such as electronic data capture (EDC) to move clinical trials along faster. That in turn gets products to market faster, and that helps the bottom-line.” The provider continued, “We’ve also seen companies save money with operational efficiencies such as faster adverse event reporting and action, and better corrective and preventative action (CAPA) capabilities.”

Said another, “For the companies that are doing things very well, taking on Part 11 initiatives, the FDA is saying, ‘OK, we’ll work with you. We’re going to reduce the amount of enforcement.’ Now when you look at the FDA coming in for weeks’ worth of investigation, behind those weeks (probably at least a month or two) three to five people are working until midnight to get everything in shape that they think the FDA is going to want to look at, and that’s a big expense. So from the benefits side, that becomes cost avoidance. They’re going to be doing more value added things rather than getting ready for an inspection; it provides a considerable financial benefit.” One provider mentioned that, in a conversation with a senior quality manager, the quality manager said, “We have an audit going on every day somewhere with the FDA, if we can cut that by 10% or 15%, which is minimal, then in fact we are saving an enormous amount of money, which is the bottom-line.”

On the other hand, another source feels, “There have definitely been benefits gained from complying with the rule, such as increased security, improved efficiency, assurance of integrity of regulated data, faster exchange of data and standardization in technology practices (i.e., procedures). However, I don’t think that financial benefits have yet been realized. Over-interpretation of the regulation has led to a burden on organizations trying to comply with the rule, well beyond what the FDA originally estimated. This includes direction of resources to low-risk systems or legacy systems that were impossible to bring into compliance. The new guidance helps amend this situation and allows organizations to focus compliance activities on more critical areas.”

The Future of Part 11
It appears the industry is headed towards further development using the risk-based approach, with improved operations and public health benefit. Companies are becoming more incisive and the supply chain is progressing in terms of Part 11 compliance. While more clarification is expected, it remains a wait-and-see period as to where things are going. One provider remarked, “It’s going to be dependent upon the amended rule. I think it’s just going to be better efficiency in terms of where you spend your time and, as time goes by, technology advances. Part 11 is becoming a part of the culture rather than the hot topic it was in the beginning. It becomes standard business in the pharmaceutical industry: Better efficiency, technological improvements, and vendor awareness.”

The FDA is currently re-examining Part 11 with regard to FDA-regulated products and a new declaration is expected this year. However, 21 CFR Part 11 remains intact. It may be subject to revisions in the future, namely areas involving validation and audit trail, but e-submissions are here to stay. Fortunately, this idea is recognized within the industry and companies have responded, taking Part 11 very seriously. “Bottom-line, the FDA has said it will not enforce Part 11 in a narrow or aggressive fashion for the time being,” said one industry expert. “There have been no indications they plan any imminent change to that policy, but it is worth remembering that FDA inspectors have fairly wide enforcement latitude. All it will take to put Part 11 on the front burner will be one 483 from an inspector who doesn’t like what he sees when he inspects a company’s electronic record retention integrity.”