Risk-Based Approach to 21 CFR Part 11 (Part 1)

The 21 CFR Part 11 regulation is a comprehensive piece of legislation that outlines the controls necessary for the regulated industry to utilize electronic records and electronic signatures.

Without careful interpretation, however, the requirements can lead to over-engineered solutions that adversely impact the productivity of the industry without providing added benefit to patient health. The goal of this paper is to provide the philosophy necessary to apply risk management, and to encourage manufacturing innovation and technological advances. This philosophy is based on the ideas in the new FDA cGMP initiative. We believe that this approach is equally applicable to all FDA regulated industries.

We are currently working on more detailed material based on the philosophy presented here, covering all sections of 21 CFR Part 11 but focusing on key areas. This material includes more detailed definitions, specific processes for defining risk and identifying appropriate controls, and implementation examples. We will present this material for your consideration in the near future.

The key areas of the regulation which require attention are:

  1. The definition of an electronic record
  2. Audit trails
  3. Electronic copies for inspection
  4. Retention and maintenance of records
  5. Hybrid and procedural solutions
  6. Application of electronic signatures

The use of a risk-based approach to Part 11 would allow the regulated industry to analyze their processes, identify GxP records, and implement appropriate controls to mitigate risks.

The suggested risk-based approach has the following steps, which cover both the scope and the selection of appropriate controls:

  1. User firms identify and define GxP electronic records and signatures, based on the predicate rules, criticality of the process, and risk to product safety, efficacy and quality.
  2. User firms implement controls commensurate with the criticality of the electronic record, and risks identified for that record. These controls should be documented and justified with reference to the identified risks.

This is a top-down approach (“is it a GxP record?”), rather than a bottom-up approach (“is it an electronic record?”). This approach focuses on the critical records as opposed to all electronic records created by a firm.

Definition of Electronic Record
Reference: 21 CFR Part 11.1 (b).
The current interpretation of what is in scope is too broad. This leads to a potential stifling of innovation, and draws focus away from the most critical areas. This is not in the spirit of a risk-based approach.
User firms should identify and define the high impact GxP electronic records and signatures, based on the predicate rules, criticality of the process, and risk to the quality, safety, identity, purity, or strength of the product.

The focus of effort should be on records that have a high impact, i.e. those records upon which quality decisions are based. Examples of high impact records are batch records and laboratory test results. Examples of records with low impact include environmental monitoring records not affecting product quality, training records, and internal computerized system information such as setup and configuration parameters.

Existing security measures and established validation measures are more than adequate to ensure the integrity of lower impact records – additional Part 11 controls are cumbersome and add very little value.

Internal system information not identified in the predicate rules is low impact. The integrity of this information can be assured by system validation, change control, configuration management, and routine security features. These may be controlled by a suitable established procedure – additional Part 11 controls are not required. Paper records of such events are acceptable.

Software should not be considered as being GxP electronic records with regard to Part 11. Industry and FDA have worked for many years on developing approaches for dealing with hardware and software in the GxP environment based on validation of systems, configuration management, change control, and adequate procedures and plans for maintaining the validated state. These approaches have been widely adopted and very successful in meeting GxP requirements. Considering software as GxP electronic records has little practical benefit and discourages firms from adopting innovative technological solutions. It should be noted that not considering software as a GxP electronic record is in conflict with CPG 7132a.11 “CGMP applicability to hardware and software”.
