A molehill out of a mountain? 21 CFR Part 11
21 CFR Part 11 is a set of regulations put forth by FDA to restrict and guide use of computerized systems in the food, drug, and device industries. It governs electronic records, electronic signatures, access control, how to provide assurances of data accuracy, and records retention, among other things, the goal of which is to enable companies to use computerized systems for their daily work while also preserving the high quality of food, drugs, and devices developed by these companies. For someone such as myself who has always worked on newly built and/or newly implemented computerized systems, this has seemed to be somewhat of a non-event and really quite common-sensical; after all, it's not particularly intelligent to build a system that handles critical data but doesn't limit who can touch that data, for instance. On top of that, GxP, generally referred to as the predicate rules for 21 CFR Part 11, covers a great deal of ground as far as clinical, laboratory, and manufacturing controls go, so it's not as if the arena was completely uncontrolled prior to the advent of 21 CFR Part 11.
However, for companies using legacy systems or computerized manufacturing equipment, 21 CFR Part 11 was more of a big deal. There simply is no way to perform an electronic signature or have the computer automatically generate an audit trail with reliable timestamps when dealing with some manufacturing equipment; likewise with legacy computer systems that were built years before such a thing had been considered. 21 CFR Part 11 did not go into effect until 1997, well into the Information Age. A lot of companies had a lot to fix and not a lot of time to do it.
... Until FDA's guidance came out last year, at which point those companies could breathe a sigh of relief. FDA made public that they were going to exercise "enforcement discretion" with respect to legacy systems so long as they fulfilled predicate rule requirements, and, in fact, the guidance stated that it should not be read to impose any additional validation requirements beyond those needed to demonstrate compliance with predicate rules. Further, FDA stated that a risk-based approach should be taken with 21 CFR Part 11 compliance validation; meaning that the impact on patient health and product safety of a given system should be assessed, and that validation should be conducted per the results of the assessment.
This is huge news to the pharmaceutical industry, evidenced by the fact that 21 CFR Part 11 is still a key topic in journals and at conferences over a year after the final guidance narrowing its scope dramatically was issued.
The regulations found their way into the news again recently, when the scope was actually extended to include requirements set forth by the Public Health Security Act and Bioterrorism Preparedness and Response Act of 2002. I'm not sure of what the impact on the food industry has been, as I'm not part of that industry, but I think it does show that the August 2003 guidance isn't the last we've heard of 21 CFR Part 11.
However, for companies using legacy systems or computerized manufacturing equipment, 21 CFR Part 11 was more of a big deal. There simply is no way to perform an electronic signature or have the computer automatically generate an audit trail with reliable timestamps when dealing with some manufacturing equipment; likewise with legacy computer systems that were built years before such a thing had been considered. 21 CFR Part 11 did not go into effect until 1997, well into the Information Age. A lot of companies had a lot to fix and not a lot of time to do it.
... Until FDA's guidance came out last year, at which point those companies could breathe a sigh of relief. FDA made public that they were going to exercise "enforcement discretion" with respect to legacy systems so long as they fulfilled predicate rule requirements, and, in fact, the guidance stated that it should not be read to impose any additional validation requirements beyond those needed to demonstrate compliance with predicate rules. Further, FDA stated that a risk-based approach should be taken with 21 CFR Part 11 compliance validation; meaning that the impact on patient health and product safety of a given system should be assessed, and that validation should be conducted per the results of the assessment.
This is huge news to the pharmaceutical industry, evidenced by the fact that 21 CFR Part 11 is still a key topic in journals and at conferences over a year after the final guidance narrowing its scope dramatically was issued.
The regulations found their way into the news again recently, when the scope was actually extended to include requirements set forth by the Public Health Security Act and Bioterrorism Preparedness and Response Act of 2002. I'm not sure of what the impact on the food industry has been, as I'm not part of that industry, but I think it does show that the August 2003 guidance isn't the last we've heard of 21 CFR Part 11.
posted by m at 11:06 AM
<< Home