COMPLIANCE POLICY GUIDE Section 160.850

Office of Regulatory Affairs
COMPLIANCE POLICY GUIDE    Section 160.850

COMPLIANCE POLICY GUIDE
Section 160.850

Title: Enforcement Policy: 21 CFR Part 11; Electronic Records; Electronic Signatures (CPG 7153.17)

Background:
This compliance guidance document is an update to the Compliance Policy Guides Manual (August 1996 edition). This is a new Compliance Policy Guide (CPG) and will be included in the next printing of the Compliance Policy Guides Manual. The CPG is intended for Food and Drug Administration (FDA) personnel and is available electronically to the public. This guidance document represents the agency's current thinking on what is required to be fully compliant with 21 CFR Part 11, "Electronic Records; Electronic Signatures" and provides that agency decisions on whether or not to pursue regulatory actions will be based on a case by case evaluation. The CPG does not create or confer any rights for or on any person and does not operate to bind FDA or the public. An alternative approach may be used if such approach satisfies the requirements of the applicable statute, regulation, or both.

In the Federal Register of March 20, 1997, at 62 FR 13429, FDA issued a notice of final rulemaking for 21 CFR, Part 11, Electronic Records; Electronic Signatures. The rule went into effect on August 20, 1997. Part 11 is intended to create criteria for electronic recordkeeping technologies while preserving the agency's ability to protect and promote the public health (e.g., by facilitating timely review and approval of safe and effective new medical products, conducting efficient audits of required records, and when necessary pursuing regulatory actions). Part 11 applies to all FDA program areas, but does not mandate electronic recordkeeping. Part 11 describes the technical and procedural requirements that must be met if a person chooses to maintain records electronically and use electronic signatures. Part 11 applies to those records required by an FDA predicate rule and to signatures required by an FDA predicate rule, as well as signatures that are not required, but appear in required records.

Part 11 was developed in concert with industry over a period of six years. Virtually all of the rule's requirements had been suggested by industry comments to a July 21, 1992 Advance Notice of Proposed Rulemaking (at 57 FR 32185). In response to comments to an August 31, 1994 Proposed Rule (at 59 FR 45160) the agency refined and reduced many of the proposed requirements in order to minimize the burden of compliance. The final rule's provisions are consistent with an emerging body of federal and state law as well as commercial standards and practices.

Certain older electronic systems may not have been in full compliance with Part 11 by August 20, 1997, and modification to these so called "legacy systems" may take more time. As explained in the preamble to the final rule, Part 11 does not grandfather legacy systems and FDA expects that firms using legacy systems will begin taking steps to achieve full compliance.

Policy:
When persons are not fully compliant with Part 11, decisions on whether or not to pursue regulatory actions will be based on a case by case evaluation, which may include the following:

Nature and extent of Part 11 deviation(s).

FDA will consider Part 11 deviations to be more significant if those deviations are numerous, if the deviations make it difficult for the agency to audit or interpret data, or if the deviations undermine the integrity of the data or the electronic system. For example, FDA expects that firms will use file formats that permit the agency to make accurate and complete copies in both human readable and electronic form of audited electronic records. Similarly, FDA would have little confidence in data from firms that do not hold their employees accountable and responsible for actions taken under their electronic signatures.

Effect on product quality and data integrity.

For example, FDA would consider the absence of an audit trail to be highly significant when there are data discrepancies and when individuals deny responsibility for record entries. Similarly, lack of operational system checks to enforce event sequencing would be significant if an operator's ability to deviate from the prescribed order of manufacturing steps results in an adulterated or misbranded product.

Adequacy and timeliness of planned corrective measures.

Firms should have a reasonable timetable for promptly modifying any systems not in compliance (including legacy systems) to make them Part 11 compliant, and should be able to demonstrate progress in implementing their timetable. FDA expects that Part 11 requirements for procedural controls will already be in place. FDA recognizes that technology based controls may take longer to install in older systems.

Compliance history of the establishment, especially with respect to data integrity.

FDA will consider Part 11 deviations to be more significant if a firm has a history of Part 11 violations or of inadequate or unreliable recordkeeping. Until firms attain full compliance with Part 11, FDA investigators will exercise greater vigilance to detect inconsistencies, unauthorized modifications, poor attributability, and any other problems associated with failure to comply with Part 11.

Regulatory Action Guidance:

Program monitors and center compliance offices should be consulted prior to recommending regulatory action. FDA will consider regulatory action with respect to Part 11 when the electronic records or electronic signatures are unacceptable substitutes for paper records or handwritten signatures, and that therefore, requirements of the applicable regulations (e.g., CGMP and GLP regulations) are not met. Regulatory citations should reference such predicate regulations in addition to Part 11. The following is an example of a regulatory citation for a violation of the device quality system regulations.

Failure to establish and maintain procedures to control all documents that are required by 21 CFR 820.40, and failure to use authority checks to ensure that only authorized individuals can use the system and alter records, as required by 21 CFR 11.10(g). For example, engineering drawings for manufacturing equipment and devices are stored in AutoCAD form on a desktop computer. The storage device was not protected from unauthorized access and modification of the drawings.

Issue date: 5/13/99