How Harmonizing 21 CFR Part 11 and Data Integrity Delivers Higher Quality Products

EDITOR'S NOTE: The following article is a Q&A with data integrity expert Matt Brawner from Sequence Inc.

In the late 1990s, the U.S. Food and Drug Administration’s (FDA) 21 CFR Part 11 (Part 11) regulation ushered in the use of modernized technology for records and submissions by making electronic records and signatures as valid as paper records and handwritten signatures. The onus was still on companies to decide which method to use, but it changed the dynamic of data and records management in the life sciences industry.

A critical aspect of records management is the record’s data needs to be complete, consistent and accurate. In other words, the data must own up to regulatory guidelines for data integrity. Completing the many record and data management tasks required for Part 11 and data integrity can be daunting for companies developing or manufacturing regulated products. Regulators require compliance with both Part 11 and data integrity, yet each differ in scope, objectives, intent and processes.

According to Matt Brawner, data integrity subject matter expert (SME) at Sequence Inc., a life sciences industry quality and compliance consulting firm, companies can actually harmonize their Part 11 and data integrity processes. Unifying the efforts of each focus area leads to more efficient quality management and more seamless regulatory compliance pathways.

GxP Lifeline recently met with Matt Brawner, where he shared some expert insights into how companies can integrate Part 11 and data integrity compliance processes to accelerate regulatory approval and deliver higher quality products to market.

Q: Remind us what 21 CFR Part 11 is.

Matt: In a nutshell, Part 11 states that electronic records and electronic signatures are equivalent to their paper record and handwritten signature counterparts. Per the FDA, the intent of the regulation is to permit the widest possible use of electronic technology for records management and signature processes.

Beneath that, there are controls that apply to electronic records, such as signature manifestations, which is information that links signers to their specific electronic signature. The regulation has guidelines on employing controls for ensuring the integrity of records in both open and closed systems. These include user authentication and accountability. Incidentally, these are among the most common Part 11 violations cited in warning letters. For example, a company might not have adequate system configurations that limit access and edit rights to only authorized individuals. Another issue involves multiple employees sharing the same login credentials.

Then, there’s the predicate rule, which requires companies to retain certain records for a specific amount of time as well as be able to provide complete and accurate information to the FDA upon request. Shifting to a paperless record management system makes it easier to comply with this rule.

Q: How is the FDA applying enforcement discretion regarding Part 11?

Matt: In 2003, the FDA revisited Part 11 in a guidance. At this time, the agency was re-examining the regulation as part of a risk-based approach, which led to changing some rules. The agency subsequently narrowed its approach to enforcing the regulation. Specifically, the FDA stated that it would not take enforcement action for any Part 11 requirements with respect to validation, audit trails, record retention and record copying. In fact, if you were to look at FDA warning letters, you would see that Part 11 has not been referenced in an observation for years.

Q: How does Part 11 differ from data integrity?

Matt: For starters, data integrity is data focused. It looks at data as “the product” that must be complete, consistent and accurate. The goal of data integrity is to maintain data quality, much like manufacturing systems are developed with the goal of maintaining product quality. The goal for Part 11 is similar in that it assures that records are trustworthy and reliable. But it’s focused on electronic systems, and it tries to accomplish its goal through equivalency with paper records and written signatures.

This was a respectable strategy 17 years ago when the agency was starting to enable electronic submissions. However, given the advancements in technology, paper equivalency may not be a good strategy now.

Where Part 11 and data integrity don’t fly in unison is the strategy by which they ensure quality. Data integrity ensures quality by specifying the attributes of quality data. Part 11 ensures data quality by specifying electronic system-related requirements and controls without necessarily relating them to the safety, identity, strength, quality or purity of the product, as commonly seen in the predicate rules.

Q: Part 11 applies to systems and data integrity applies to data. How can the two fit together?

Matt: Upfront, it’s important to recognize that both Part 11 and data integrity are required for compliance and getting products on the market. When companies can find an easy and effective way to comply with both, the better off they will be.

One tactic I like to suggest is for companies to put themselves in the position of the regulator and look at the intent of the regulations. Ultimately, Part 11, data integrity and all other regulatory guidelines are in place to ensure that all products put on the market for public health purposes are high quality, safe and effective.

One concept worth highlighting is that compliance guidelines are not documented in a procedural format. Regulators rarely prescribe technologies or strategies for achieving compliance. The systems companies put in place for record and data management are simply their own approach or a strategy for ensuring data quality.

To illustrate this, I often use the example of automobile break lights. By law, the taillights on vehicles need to be red. It stands to reason that the method — or strategy — for meeting this requirement is to install red light bulbs in every vehicle. This is not the only way to set up red lights. You can get the same color of light using a clear bulb behind a red lens or installing a light emitting diode (LED). The bottom line is regulators have specific expectations for end results, it’s up to companies to deliver on that using whatever methods they choose.

Q: How would you recommend companies go about harmonizing Part 11 and data integrity?

Matt: First, I recommend adopting a “data as the product” perspective. To improve the quality of data, companies are applying critical thinking to better understand their data flow. Mapping data flows and treating data as the product helps others know which data is critical and why.

Next, consider regulator intent as part of your risk-based approach. When I suggested companies put themselves in the position of the regulator, a question that comes to mind is “would you enforce regulations based on product requirements or system requirements?” Naturally, the patient is the priority, so regulations that render quality, safe and effective products would get precedence. Using a “what is important for the patient?” approach is a good benchmark for risk assessment.

Finally, I recommend implementing a modular strategy to achieving compliance. What I mean by that is clearly define each task in every process that needs to be completed for compliance with both Part 11 and data integrity, such as data management, record retention, documentation, change control and so forth. Giving consistent attention to each individual focus area is a good way to keep processes manageable and prevent overlooking critical tasks.

In summary, understanding the intent of the regulations makes it easier to cover all the bases of effective quality management and achieving compliance with both Part 11 and data integrity. On a wider scale, this fosters a culture of continuous improvement and innovation.