Part 11 FAQs

When was 21 CFR Part 11 instituted?

The rule became effective in August 1997, and the FDA started aggressive enforcement in January 2000.

Is packaged software compliant?

Packaged software itself cannot be “compliant”; it is the application that one creates with the packaged software that can become Part 11 compliant. Packaged software should be designed with Part 11 in mind, and have built-in tools for capturing electronic signatures and creating secure electronic records.

Is the FDA currently inspecting for 21 CFR Part 11 violations?

Yes; if you choose to use electronic records that are electronically signed in lieu of paper records, then the FDA can audit your process for Part 11 compliance and may cite you for failure to comply.

Is the FDA forcing me to be 21 CFR Part 11 compliant?

The FDA is not forcing companies to implement electronic signatures and electronic records. Many companies continue to use paper-based signatures and records. The FDA is enforcing requirements for companies choosing to use electronic signatures and electronic records.

Is this going to be another ‘Y2K’ for FDA-regulated industries?

Y2K had a date set in stone: midnight, December 31, 1999. For Part 11, the due date has passed and the clock is ticking. Industry analyst reports indicate that companies are applying more resources and budget to become Part 11 compliant than they did to prepare for Y2K.

Does simply capturing the logged-in system user’s name meet the requirement of “capturing an electronic signature”?

No. The currently logged-in user isn’t necessarily the person performing or verifying an operation. Applications should be designed to ensure point verification for each operation.

What are the benefits of “Continuous Use”?

Continuous Use allows for the entry of electronic signatures using only a single token for a short period of time after a signature has been executed with two signatures. Continuous Use requires several controls around its use, and does not remove the need for an operator to execute a signature or to capture the user’s “Printed Name” and the meaning of that signature. Using the currently logged-in User ID does not constitute an electronic signature under Continuous Use.

Where in my manufacturing process does 21 CFR Part 11 compliance apply?

Part 11 compliance applies wherever electronic records are used in lieu of paper records.

Can I get by with having my integrator put in a software patch?

No; Part 11 is not merely an integration issue. The regulations require security management beyond the “industry standard”, as well as secured audit trails of alarms and event logs, and point-based verification of the user.

What is a “483” warning letter and how can I prevent my company from receiving one?

A “483” is what the FDA issues when a pharmaceutical company or any other FDA-regulated company is found to be negligent in some facet of its operations. Severe fines or a plant shutdown could accompany this. 483s could be for violations of cGMP, for non-validated processes, and, increasingly, for violations of 21 CFR Part 11. Companies choosing to use electronic records and electronic signatures should ensure that they meet Part 11 rules to avoid a 483 warning letter.

Nice…a couple of clarifications. A 483 is not a Warning Letter. A 483 is the form used by the FDA to convey observations (“Form 483”, hence the name). I don’t think companies are required to respond to 483s, although it is in their best interest. Numerous 483s or observations of gross infractions may necessitate the FDA to send a Warning Letter. Warning Letters require a response. Multiple Warning Letters may then cause a Consent Decree.

Software in itself cannot be Part 11 compliant. Procedural controls must be in place in addition to the technical controls that the software affords.

It is my understanding that the FDA is not currently inspecting against Part 11 except under the few items described in their Guidance Document from 2003. They (the FDA) can more easily make observations against predicate rules.

Predicate Rules - regulations other than Part 11 that GMP regulated companies must adhere to.

I think you need to clarify the difference between electronic signature and action. It is completely acceptable to use the audit trail to document user actions that do not require an electronic signature. A system would be completely unusable if a signature or login were required to perform an action. It is not acceptable, as you stated, to use the audit trail as an e-signature.

Continuous use - define…this is a very difficult concept. I could define it as 5 minutes, yet I could walk away and a person could use my signature. A lot of companies sidestep this by not even answering the question and requiring two-part identification for signatures.