Since FDA announced its intent to vigorously enforce 21 CFR 11, I've collected various questions posed by attendees at my workshops and speeches on 21 CFR 11 compliance. Now, one year later and with a year's track record of Part 11-related FDA Warning Letters, I thought it might be time to walk through a few of the most common questions and answers. Hopefully, this will help you stay on the right track when it comes to validating non-product software, computerized systems and Part 11 validation.
Q: Will the FDA cite you for 21 CFR 11 non-compliance?
Yes...and no. Unfortunately, despite FDA's intent to raise the enforcement profile of Part 11, no Warning Letters actually cite 21 CFR 11, only the predicate rules. That said, the agency is trying to make clear the responsibility of firms to comply with Part 11 rules for electronic information:
You are responsible for the accuracy and integrity of the data generated by your firm. Provide a more comprehensive corrective action plan to ensure the integrity of all data used to assess the quality and purity of all drugs manufactured at your facility, including any registration lots. (Warning Letter to Cadila Healthcare, June 2011)
Or this one:
You are responsible for the accuracy and integrity of the data generated by your firm. A firm must maintain all raw data generated during each test, including graphs, charts, and spectra from laboratory instrumentation. These records should be properly identified to demonstrate that each released batch was tested and met release specifications. Appropriate record retention policies should also be in place. … Should product quality or safety concerns arise in the future, the original records pertaining to batches listed in an application may be integral in providing reasonable assurances to the Agency regarding a product and integrity of data submitted to support it. (Warning Letter to Ningbo Smart Pharmaceutical Co., February 2011)
As should be clear from the above Warning Letter excerpts, FDA’s enforcement emphasis for Part 11 compliance is all about how companies ensure — or fail to ensure — record integrity (including, as in the Ningbo situation, appropriate FDA records and document retention).
Q: Does the FDA conduct random 21 CFR 11-only inspections?
No. The FDA does not conduct random Part 11-only inspections. The only reason a stand-alone, "for cause" or PAI-type of Part 11 audit occurs is because the agency has very serious concerns regarding data integrity directly impacting product safety (i.e., impacting public safety). Since 1997, the only examples of stand-alone Part 11 audits that I know of involved one of the following:
- whistleblower complaint alleging data fraud (triggered a "for cause" inspection)
- submission with serious data integrity issues (triggered a pre-approval inspection)
- meta-analysis of adverse event reports, clinical trial data, etc. led to a "for cause" inspection of a contract research organization
The problem, of course, is that these situations ended up blind-siding the firms involved and their management. Thus it seemed like it was random. Executives had zero idea that these inspections would occur because the data in question was in a submission, in an adverse event report, or was part of a whistleblower complaint from a disgruntled former employee. These were all data and historical documents that the firm thought it was "done with" and believed carried no more risk when the FDA knocked on the door.
As I point out to my clients when I help them put in place lean Part 11 controls, the records and documents that trigger Part 11 concerns tend to be all the stuff that people have completed. You are no longer paying attention to such historical info. Ironically, once you're "done with" the processes and projects that generated the data, that's when FDA actually starts paying attention. So the key is to have Part 11 controls such as validation, qualification, electronic security, qualified IT vendors, and an FDA records retention policy that work for both active and archived records.
Q: Do I need to validate commercial software like Microsoft Word or Excel?
No. Nor will you be able to without significant input from Microsoft - input you will not get unless you can write a multi-million dollar check (and not have it bounce). Here's what George Smith, the chair of FDA's internal Part 11 working group, has to say on this:
Validation is to intended use. Thus, the exact same two computers or two exact same software installations at two different companies produce two different sets of records.
In other words, you validate the process in which you use Word or Excel (or any other commercial software) for its intent (production and maintenance of a record, computation of a formula, etc.). The degree of risk associated with the process/data will drive the level of validation needed and the degree of Part 11 controls necessary on the automation involved and the records generated.
Thus, if I use a spreadsheet macro in order to calculate a critical quality attribute of temperature, then I'd validate the macro itself and ensure a significant number of controls on the macro (so it wasn't accidentally messed up if an Excel patch is auto applied) and on the data results. I would not go about trying to validate Excel as a piece of software. Incidentally, a good resource on spreadsheet macro validation in laboratory environs is Ludwig Huber's LabCompliance.com site.
Likewise, if I use Word to author SOPs, I would not validate Word per se but rather validate my SOP process that happens to rely upon Word to automate some aspects (spelling, etc.). In this light, my validation efforts will likely be very light (after all, how many of us have the money and time to spend conducting process validation on our SOP of SOPs process?).
The key is to view any commercial software as a tool. When it comes to off-the-shelf software, think of Part 11 validation as automated process validation rather than computer validation. The Part 11 controls then largely center around ensuring data integrity (i.e., data integrity tips or steps).
Q: How do I deal with a software vendor who issues automated patches (such as virus scan engine updates, bug fixes, hotfixes, etc.) and won't agree to notify us ahead of time?
This is why you cannot validate commercial software - you have zero control over it. Without control, there is no validation.
And yet you still have to manage changes to the environment in which your electronic records exist. Remember, your personnel perform various regulated actions, undertake specific processes, and make decisions using those records (which are, in turn, reliant upon an IT infrastructure that is in a "state-of-control"). This is how IT compliance, and 21 CFR 11 compliance in particular, goes awry. Where do you start? How do you control an IT environ over which your vendors exert considerable influence?
In general, the best answer is to make the decision that my clients have taken - to bring in an outside expert to run a Part 11 workshop for the firm, to help draft 21 CFR 11 validation protocols, to conduct a mock Part 11 audit, or to provide some other means by which your site-specific questions can be addressed.
In the context of dealing with a vendor who issues automated software updates, the best approach that I've seen over the past decade takes a three-phase tack:
- Compile a "pre-approved" change list that then goes through normal change control
- Conduct quick, basic, retrospective testing when such updates are noticed AND they may have an impact to the electronic data
- Have Quality audit to the above.
Number two - the quick, basic, retrospective testing - can get tedious and potentially allow for IT and Quality to start arguing over what should have been noticed, what should have been retrospectively tested, etc. Avoid this by agreeing on some common criteria. For instance, any patch that states upfront it "affects data stability" (from an old Microsoft patch for Windows a few years back), should get some testing. Another example is large service packs (in other words, if the patch is big enough for the vendor to change its CD/DVD press labels, it's large enough for you to do some testing).
When was the last time you cringed after reading an email regarding Part 11 by someone in your organization? Or listened as someone listed off all the expensive, costly ways in which Part 11 was too much for your company? Maybe it was last week or last month. It’s not that your colleagues and team members don’t care about Part 11, it’s that they just don’t know how to move from last century’s misinterpretations and frustrations to today’s lean Part 11 compliance.
Your Quality, Regulatory Affairs, IT, Records Management and other operational employees must know how to work effectively and productively under Part 11 rules.
I started Cerulean Associates LLC to provide this type of practical, lean compliance advice on 21 CFR 11 compliance. As an FDA inspector-trained Part 11 expert, I have 20 years of business expertise being accountable for regulatory compliance (and the costly mistakes to prove it). If you'd like to learn more about avoiding FDA Part 11 and business trouble, visit my Part 11 consultant page or simply contact me directly.
I look forward to your feedback.