White Paper

21 CFR Part 11—

Are You Ready for an
FDA Inspection?
When the U.S. Food and Drug Administration (FDA) issued 21 CFR Part 11 in 1997,1 the internet existed but it was not as
ubiquitous as it is today. Google wasn’t around yet. Life science companies submitted documents to the FDA by the truckload
because paper records were the norm.

In many ways, Part 11 was an acknowledgement of the inevitable movement toward the use of electronic systems in compliance.
The regulation established the criteria for the use of electronic records and electronic signatures by organizations that comply
with the Food, Drug, and Cosmetic Act and the Public Health Service Act. It applies to all FDA-regulated companies.

Part 11 has been scrutinized and criticized over the years, but it remains in effect today. Given the pervasive automation of
processes and digitization of data today, the regulation is more relevant than ever.

What Part 11 Means

The FDA released a guidance in 2001 to explain Part 11’s application, but it was eventually withdrawn. The agency issued another
document in 2003 titled “Guidance for Industry: Part 11, Electronic Records; Electronic Signatures—Scope and Application.” To
this day it remains the key to the FDA’s thinking about the use of electronic systems in compliance.2

Part 11 does not mandate the use of electronic systems. Rather, it specifies the requirements for companies that choose to use
computerized systems in their compliance efforts. “When persons choose to use electronic records in place of paper format, Part
11 would apply,” according to the 2003 guidance.3

The importance of Part 11 is directly tied to compliance with predicate rules such as the Current Good Manufacturing Practice
(CGMP), Good Laboratory Practice (GLP), and Good Clinical Practice (GCP) regulations.

The FDA guidance provides: “Persons must comply with applicable predicate rules, and records that are required to be
maintained or submitted must remain secure and reliable in accordance with predicate rules.”4

Part 11 is meant to allow the use of electronic records as much as possible and at the same time safeguard the integrity of data
and systems and the validity (or nonrepudiation) of electronic signatures. For the FDA, data integrity is a vital part of ensuring
the safety of medical products.

How to Comply with Part 11

Electronic records generated to comply with predicate rules are subject to Part 11. For those records, the FDA will exercise
“enforcement discretion” in these areas: validation, audit trails, record retention, and record copying.

The agency does not grandfather legacy systems (meaning systems that were operational before Part 11 took effect on Aug. 20,
1997). Companies that still use legacy systems are responsible for taking the necessary steps to make those old systems fully
compliant.5

4 Areas of Compliance

To avoid overdoing Part 11 application, the agency recommends using risk assessment in the following areas highlighted in the
2003 guidance. Risk assessment refers to “a determination of the potential effect of a system on product quality and safety.”

#1 Validation: The most common question people ask is, which computer systems need to be validated under Part 11? The
regulation applies to “records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted,
under any records requirements set forth in agency regulations.”6

For example, a computer system used by a pharmaceutical company’s accounting department to generate the payroll doesn’t
need to be validated because it has no impact on the quality of the allergy pill the company manufactures.

However, a software system used by the company for maintaining clinical trial documents that constitute the Trial Master File
(TMF) needs to be validated. The TMF has direct bearing on the quality of the company’s product because it will show any
serious adverse events during the clinical trial, whether GCP requirements were fulfilled, and patient rights protected, among
other things.

White Paper: 21 CFR Part 11 — Are You Ready for an FDA Inspection?
For every electronic system that requires validation, a company must be able to demonstrate that the system consistently
performs as it is intended to do. It must meet company requirements for each purpose for which it’s used.

An FDA investigator is likely to ask for a list of users and functional and design requirements and how the system meets those
requirements. “If it isn’t documented, it didn’t happen” is the common thinking within the FDA.

Installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ) are the most common
methodologies, whether it is the initial validation or after an upgrade of the software system. IQ and PQ must be validated at the
location the software is being used. It is necessary to conduct PQ for critical business processes and other processes that impact
product quality and safety.

#2 Audit Trail: The use of electronic records has grown exponentially since Part 11 was issued, making the audit trail more
crucial today. The FDA guidance says, “Even if there are no predicate rule requirements to document, for example, date, time,
or sequence of events in a particular instance, it may nonetheless be important to have audit trails, or other physical, logical, or
procedural security measures in place to ensure trustworthiness and reliability of the records.”7

The audit trail can help reveal data tampering or fabrication of results. It is particularly appropriate for users who create, modify,
or delete regulated records.

#3 Copies of Records: Part 11 requires that electronic systems should be able “to generate accurate and complete copies of
records in both human readable and electronic form for inspection, review, and copying by the agency.”8

The FDA guidance specifies that during inspection, a company should provide the FDA investigator with reasonable access to
records. It should allow inspection, review, and copying of records using company hardware at the site and following established
procedures for accessing records.

#4 Record Retention: How long should a company keep regulated records? The FDA guidance recommends maintaining
records based on predicate rule requirements and on a justified risk assessment of the value of the records over time. Any record
retention and copying process should be able to preserve the content and meaning of the records.

When it comes to signatures, electronic and handwritten signatures can co-exist in “hybrid” situations as long as predicate rule
requirements are met. An example of hybrid situation is when a company uses handwritten signatures to execute electronic
records.

In the Forefront of Part 11

MasterControl closely followed the development of 21 CFR Part 11, its subsequent release in 1997, and its enforcement over the
years. In 1998, MasterControl was among the first to release a software solution specially designed to comply with Part 11.

Since then, it has helped hundreds of FDA-regulated companies comply with Part 11 requirements through solutions that provide
document control, change control, a time-stamped audit trail, and reporting and electronic-signature capabilities. MasterControl
supports customers in their validation efforts through an array of validation products and services.

MasterControl’s Principles of Validation

MasterControl recognizes that validation is a crucial component of Part 11 compliance. Drawing on FDA regulations and the
Good Automated Manufacturing Process (GAMP) framework, MasterControl has developed a validation approach based on the
following principles.9

1. Implement a robust change control process.

2. Incorporate validation as part of change control, rather than its own activity or process.
3. Practice risk-based testing through effective risk assessments.
4. Leverage the vendor’s test efforts and documentation.
5. Perform the remaining testing based on impact to critical business processes (CBP).

2
MasterControl’s approach has helped many customers reduce the time and effort in their own validation efforts. With the
fourth principle in particular, organizations can avoid duplication of efforts by taking advantage of MasterControl’s validation
documentation. MasterControl conducts extensive testing as part of its software development lifecycle, including unit testing,
manual functional testing, regression testing, defect and enhancement verification, and scalability testing. It generates validation
and support documentation of IQ and OQ in the form of an automated transfer OQ (ATOQ).

MasterControl products and services simplify and speed up the validation process for companies that use its software.10
Its Validation Toolkit provides procedure templates that customers can adopt. MasterControl offers IQ protocols that are
automatically completed for a customer’s approval upon software installation or upgrade. Its state-of-the-art ATOQ product has
made the traditional use of manual OQ validation unnecessary. The ATOQ provides additional benefits over a manual execution,
including cleaner documentation, fewer user errors, inline screenshots and execution notes, and a full video recording of each
execution.

MasterControl Spark, hosted quality management system for organizations with fewer than 50 employees, includes transfer PQ
(TPQ) documentation so Spark customers need not execute PQ at all.

The company’s experienced Validation Services and Solutions team works closely with customers through a spectrum of
services: validation training course, validation planning, TOQ implementation review, custom protocol development, and GxP
documentation services.

Inspection Readiness

To maintain constant inspection readiness, a company should begin by evaluating all areas impacted by Part 11. Assemble a team
consisting of members from quality assurance, operations, information technology, regulatory affairs, and compliance to conduct
the evaluation. Once all core processes and systems are identified, they should be examined and prioritized.

In preparing for inspection, a company should not lose sight of the spirit of 21 CFR Part 11. The FDA’s concern remains the same
since the advent of Part 11—all electronic records in support of regulated activities should be accurate and valid. Anything that
calls data integrity into question can potentially lead to regulatory action.

Companies should view the FDA recommendations in its guidance not as a regulatory hurdle but as an opportunity to
improve the security and accountability in document-based and record-generating processes. They should aim to maintain
documentation that can stand up to scrutiny not only during inspection, but throughout the retention period.

References

(1,8) 21 CFR Part 11, Electronic Records and Electronic Signatures

(2-4,6-7) Guidance for Industry: Part 11, Electronic Records; Electronic Signatures Scope and Application
(5) Inspections, Enforcement, Compliance, & Criminal Investigations
(9) Learn more about MasterControl Validation Strategy and Advantages.
(10) Learn more about MasterControl’s validation products and services.

Related Videos

Passing Audits and Inspections with MasterControl

How MasterControl Makes Your Job Easier

Using MasterControl for FDA Compliance

White Paper: 21 CFR Part 11 — Are You Ready for an FDA Inspection?
About MasterControl Inc.

MasterControl Inc. produces enterprise software solutions that enable life science and other regulated companies to deliver
life-improving products to more people sooner. MasterControl’s integrated solutions securely manage a company’s critical
information throughout the entire product lifecycle while reducing overall costs and increasing internal efficiencies. More
than 1,000 companies worldwide ranging from five employees to tens of thousands use MasterControl’s suite of scalable cloud
solutions for document management, quality management, electronic batch record management, supplier management, and
clinical and regulatory information management. MasterControl solutions are known for being easy to implement, easy to
validate and easy to use. For more information, visit www.mastercontrol.com.

© 2017 MasterControl Inc. All rights reserved.

WPXXXXUSENLT-04/17

4
Contact information and addresses for other
regional MasterControl offices and MasterControl
partner offices are listed on the MasterControl
website at www.mastercontrol.com.