20 Years Later, 21 CFR Part 11 is More Relevant than Ever

If 21 CFR Part 11 and the life science industry were a married couple, they would be celebrating their platinum wedding anniversary this year. For better or for worse, in sickness and in health, it has been 20 years of compliance. It’s an important milestone to celebrate and think about.

First off, what’s new with Part 11? Every now and then, there are rumors about updates. The on-again, off-again speculation stems from the FDA’s “Guidance for Industry: Part 11, Electronic Records; Electronic Signatures—Scope and Application.”

The 2003 guidance says: “While the re-examination of Part 11 is underway, we intend to exercise enforcement discretion with respect to certain Part 11 requirements” (1). And yet, neither re-examination nor update is apparent.

I spoke to a media officer at the FDA’s Center for Drug Evaluation and Research (CDER), but she refused to be quoted. She referred me to CDER’s Division of Drug Information, which said in writing, “The public is notified when any of our guidances are published via Federal Register announcements. Note that the guidance document you are referring to is not included in the 2017 Guidance Agenda.In other words, the 2003 guidance remains the same. It remains the key to the FDA’s thinking about the use of electronic systems in compliance.

This article is related to the White Paper:
To get the full details, please view your free White Paper

Part 11’s Relevance Today

How relevant is Part 11 today? By all accounts, it is more relevant than ever. Lisa Olson, a Part 11/computer system validation auditor at Polaris Compliance Consultants, explained it this way: “With the explosion of more and more systems, more automation, mobile devices, apps, digital imaging, and the proliferation of individuals who are not necessarily formal IT professionals now developing systems, I would say that Part 11’s relevance definitely continues.”

She noted that today there are more people who have access to technology tools that allow them to build systems without the proper training in computer system validation, which requires that developers fully understand the business requirements of those systems, that system design is structurally sound, and that the systems are fully tested.
“Without computer system validation, the system might not be working correctly, yet it might not be obvious that it isn’t,” said Olson, who has over 30 years’ experience in the FDA environment, in both IT and regulatory compliance roles (2).

The Meaning of Part 11

The FDA issued 21 CFR Part 11 in 1997 to establish the criteria for the use of electronic records and electronic signatures in complying with predicate rules. It applies to all FDA-regulated organizations (companies that comply with the Food, Drug, and Cosmetic Act and the Public Health Service Act).

Part 11 does not mandate the use of electronic systems. Rather, it specifies the requirements for companies that choose to use computerized systems in their compliance efforts. “When persons choose to use electronic records in place of paper format, Part 11 would apply,” according to the FDA’s guidance (3).

Part 11 is meant to allow the use of electronic records as much as possible and at the same time safeguard the integrity of data and systems and the validity of electronic signatures. For the FDA, data integrity is a vital part of ensuring the safety of medical products.
A key aspect of Part 11 is that it doesn’t exist in a vacuum, but it goes hand in hand with predicate rules. “Persons must comply with applicable predicate rules, and records that are required to be maintained or submitted must remain secure and reliable in accordance with predicate rules,” according to the FDA guidance (4).
Predicate rules refer to primary regulations that bind life science organizations, such as 21 CFR Part 211 for pharmaceutical companies and 21 CFR Part 820 for medical device firms.

Part 11 Compliance


The industry has undergone a fear-ridden phase, in which companies were afraid they had to validate every single system, which in turn resulted in a backlash that made them resist validation, even when it was necessary, according to Olson. She emphasized that Part 11 only requires validation for systems that create, modify, maintain, archive, retrieve, or transmit electronic records required by predicate regulations.
“Having said that, however, there may be certain systems performing critical operations where validation still makes sense, because the accuracy of the result is key,” she explained. “For instance, a glucose monitor may only provide a read-out, which is then hand-entered into a clinical trial case report form. So the glucose monitor isn’t directly creating a record itself, but one would want to ensure that it was giving an accurate result.”

Indeed the FDA guidance said, “Even if there is no predicate rule requirement to validate a system, in some instances it may still be important to validate the system.” (5)

Tips on Compliance

Kevin Bogert, senior managing member at Azimuth Compliance Consulting, echoed the importance of validation in Part 11 compliance. He observed that on the one hand, some companies overdo their validation efforts, and on the other hand, some companies simply take the validation documentation of their software vendors and adopt it as their own.  

His advice: “Always use risk-based assessment in your validation. Understand the predicate rule that applies to your product.”
Olson reminded regulated companies about the essence of the regulation. “Don’t forget the overall intention of Part 11—correct processing and complete and accurate records,” she said. “I think one of the most important things that companies can do right now is to understand their data flow and use of systems.”

She gave the example of data that moves to another system. It’s crucial to ask these questions: Are there third parties involved? What are the controls in place as the data moves? How do you know in the end that the data is accurate? 

“Instead of being overwhelmed in the weeds of Part 11, it is key to look more at the overall picture—where things could go wrong and what the impact would be—and to not assume that everything is working, just because it’s supposed to be working,” Olson said.  “Perhaps my single piece of advice is: be suspicious, and know your data flow.”
Going back to our marriage analogy, the life science industry has certainly learned a lot in two decades of Part 11 compliance. We look forward to many more years of success and wisdom from this day forward, for richer or for poorer. Five more years until the next important milestone—the silver jubilee anniversary in 2022!

Read a related story: What 21 CFR Part 11 Means to Med Device Firms after 20 Years of Compliance

Cindy Fazzi is the editor of MasterControl Insider, a monthly publication for MasterControl users. She writes about the life science industry and other regulated environments. Her two decades of experience as a news reporter, writer, and editor includes working for the Associated Press in Ohio and New York City. She has a master’s degree in journalism from Ohio State University.

(2) Lisa Olson, Part 11 / CSV Auditor at Polaris Compliance Consultants, assists clients with ensuring the systems they use are compliant with 21 CFR Part 11.  She has over 30 years’ experience in FDA-regulated industry, in both IT and regulatory compliance roles, in a major pharmaceutical company, three clinical research organizations, and a consulting firm. Her experience includes system development, Part 11 and computer system validation training, system assessments against Part 11, supplier audits, risk assessments, and development of computer compliance procedures and policies. You may reach Olson at info@polarisconsultants.com.