Docket No. 2004N-0133 - Comments on 21 CFR Part 11

From: Pik, Alex [JanBe] [APIK@janbe.jnj.com]
Sent: Thursday, July 08, 2004 11:31 AM
To: 'fdadockets@oc.fda.gov'
Subject: Docket No. 2004N-0133 - Comments on 21 CFR Part 11

Dear Sir,

Please find below the comments on 21 CFR Part 11 (Docket No. 2004N-0133), as you requested in your 'Notice of public meeting', published on April 8, 2004. These comments were gathered from several sites in Europe of our company Janssen Pharmaceutica, both Drug Product Manufacturing sites as well as Active Pharmaceutical Ingredient Manufacturing sites. We structured our comments according to the paragraphs with specific issues in your published Notice. I would also like to express our sincere appreciation that you gave us the opportunity to send our comments, thank you.

Regards,
Alex Pik
Sr. Manager CSV-QA
Janssen Pharmaceutica - Belgium
apik@janbe.jnj.com

IV. Topics for Discussion and Comment

FDA would like public input to assist with our re-examination of part 11. We invite discussion on the scope of part 11, risk-based approaches, validation, audit trails, record retention, record copying, and legacy systems. We present the following specific issues and questions for comment in the public meeting.

A. Part 11 Subpart A - General Provisions

Within the context of subpart A of part 11, we would like interested parties to address the following:

1. In the part 11 guidance document, we clarified that only certain records would fall within the scope of part 11. For example, we stated that under the narrow interpretation of its scope, part 11 would apply where records are required to be maintained under predicate rules or submitted to FDA, and when persons choose to use records in electronic format in place of paper format.
On the other hand, when persons use computers to generate paper printouts of electronic records, those paper records meet all the requirements of the applicable predicate rules, and persons rely on the paper records to perform their regulated activities, FDA would generally not consider persons to be "using electronic records in lieu of paper records" under § 11.2(a) and (b). In these instances, the use of computer systems in the generation of paper records would not trigger part 11. We are interested in comments on FDA's interpretation of the narrow scope of part 11 as discussed in the part 11 guidance and whether part 11 should be revised to implement the narrow interpretation described in the guidance.

   a. Part 11 should be revised to include this clarification; any improvement in clarity will be helpful to avoid different interpretations and discussions.
   b. Where clarification would be beneficial on this topic: what actions are permitted on the electronic version, without losing the position that the electronic version is only 'incidental'. Examples range from chromatographic systems where an integration is calculated before the test results are printed, to spreadsheets where calculations are performed before they are printed. Clear definitions, detailed guidelines, if possible with relevant examples, would be beneficial.
   c. When paper records meet all requirements of the applicable predicate rules (as they have always done before the issuance of Part 11), but do not contain all the information that is available on the electronic version, would this trigger Part 11?
   d.
The rationale applied in a particular site (following review by a consultant, editor of GAMP) is such that if people use the electronic record subsequent to its approval on paper, then the electronic document must be considered to be the master, overriding any of the above arguments, as the electronic document is no longer incidental to the creation of a paper document but supports subsequent decision-making processes. Thus, from this perspective, if paper is considered the master record, the electronic record should be destroyed to prevent changes to the information.
   e. It would be helpful if the records that can be classified as subject to Part 11 if they are electronic were explicitly listed by the FDA, rather than leaving each company on its own to make the decision. The same comments go for e-sigs.

2. We are interested in comments on whether revisions to definitions in part 11 would help clarify a narrow approach and suggestions for any such revisions.

   a. Another criterion that is broadly used is whether the records are saved on a durable medium or not. If this is regarded as a valid criterion, it might be included in the official text as well.
   b. Explicit specification of whether software (source code, but also executables) and configuration settings for the system should be regarded as within the scope of Part 11 or not.
   c. It should be explicitly stated that it is at the discretion of the company to declare what they consider to be electronic records, even if this requires a rationale (from the company) as to why it has made the declaration.
   d. It should not be left to the discretion of the company to make the risk assessment of what they consider e-records. It should be their decision how they implement Part 11, validate, timing, technical solution, etc., but the basic risk assessment is universal.

3.
In the part 11 guidance we announced that we did not intend to take enforcement action to enforce compliance with the validation, audit trail, record retention, and record copying requirements of part 11 in the manner described in the part 11 guidance. We emphasized that records must still be maintained or submitted in accordance with the underlying predicate rules, and the agency could take regulatory action for noncompliance with such predicate rules. We are interested in comments on the need for clarification in part 11 regarding which records are required by predicate rules and are therefore required to be part 11 compliant.

   a. See also comments above. The difficulty in including these kinds of clarifications in Part 11 is probably the fact that they are area dependent (medical devices, pharmaceutical drug product manufacturing, API manufacturing, ...), so a more practical way might be to leave them out of the Part 11 text itself, but provide guidance documents that are area specific.

B. Part 11 Subpart B - Electronic Records

Within the context of subpart B, the agency wants to solicit ideas on how to ensure that controls to safeguard records are appropriate and reasonable. There may be instances where persons believe that there are acceptable alternative approaches for implementing controls, with appropriate justification. We want to solicit ideas about how decisions for using alternative controls should be made, such as using a risk assessment. We would like interested parties to address the following:

1. As mentioned previously, the part 11 guidance identified four areas where we do not intend to take enforcement action under the circumstances described in the part 11 guidance, including the validation, audit trail, record retention, and record copying requirements of part 11.
The part 11 guidance further recommends that decisions on whether or not to implement part 11 requirements on validation, audit trail, record retention, and record copying should be based on a justified and documented risk assessment and a determination of the potential of the system to affect product quality and safety, and record integrity. We are interested in comments on whether there are other areas of part 11 that should incorporate the concept of a risk-based approach, detailed in the part 11 guidance (e.g., those that require operational system and device checks).

   a. Beneficial to include operational checks and device checks; for certain types of systems these are not applicable or not critical, and this could be assessed and documented during the initial risk assessment.

2. Is additional clarity needed regarding how predicate rule requirements related to subpart B can be fulfilled?

   a. What are the predicate rules for API manufacturing? (ICH Q7a being a guideline?)
   b. How to apply Part 11 requirements to embedded systems, for example a piece of lab equipment (Metrohm Karl Fischer type 701) for water determination? Since those types of systems often do not allow technical implementation of a requirement, is procedural control adequate? Or can those systems be exempted completely from Part 11?

3. Under the current part 11, the controls that apply to electronic records that are maintained also apply to electronic records that are submitted to FDA. Should the requirements for electronic records submitted to FDA be separate from electronic records maintained to satisfy predicate rule requirements?

   a. The requirement for records which are to be maintained to satisfy predicate rules regarding retrieval during the entire retention period should not be applied to those records required to be submitted to the FDA.
These records do not have to be submitted on a medium, and in a format, that would have to be retrievable in up to 50 years' time, in the case of Medical Device records, provided they are also maintained on site. All other provisions can be the same for maintained and submitted records.

4. The controls for electronic records in subpart B distinguish between open systems (an environment where system access is not controlled by persons who are responsible for the content of electronic records that are on the system) and closed systems (an environment where system access is controlled by persons who are responsible for the content of electronic records that are on the system). Should part 11 continue to differentiate between open systems and closed systems?

   a. There are sufficient requirements for the authenticity, integrity and confidentiality of closed systems that also cover the requirements for open systems. At present the only requirements that are given (document encryption and digital signatures) are actually ways of meeting the requirements of authenticity, integrity and confidentiality. This may limit creativity in the way the requirements are met.
   b. Differentiation remains important, although in some instances a technical solution that would satisfy the open network requirements might also be implemented for a closed system; this cannot be mandatory from a cost perspective!
   c. Regardless of whether differentiation is made or not, clear definitions and requirements (not a required solution, as this would limit/discourage future innovation), detailed guidelines on acceptable possible alternatives, with relevant examples for Internet-based systems, would be beneficial.

For individual controls in subpart B, we request comments on the following:

1. The part 11 guidance identified validation as one of the four areas where we intend to exercise enforcement discretion in the manner described in the guidance.
Should we retain the validation provision under 11.10(b) required to ensure that a system meets predicate rule requirements for validation?

   a. Validation is already a clear requirement in the predicate rules (at least in ICH Q7a); there is little or no added value in duplicating this requirement as such. Beneficial would be specifications on what level of validation is required, dependent on the risk evaluation of the system (in particular, which validation activity could be reduced or even omitted for low-risk systems). Of course, instead of putting this in Part 11, it can also be added in a revision of the predicate rule itself, when one is planned for the near future.

2. The part 11 guidance identified record retention and record copying requirements as areas where we plan to exercise enforcement discretion in the manner described in the part 11 guidance. Are there any related predicate rule requirements that you believe are necessary to preserve the content and meaning of records with respect to record copying and record retention? What requirements would preserve record security and integrity and ensure that records are suitable for inspection, review, and copying by the agency?

   a. The part 11 guidance allowed keeping archives in other than the electronic version of records. Is this only for records produced by retired systems, or also applicable to systems that are still active? Could this be explained explicitly in the new text?
   b. If all used input parameters are printed together with the output result of a qualified system (a common practice in analytical labs), and the printout is verified, is there still any need to keep the electronic input data? In these cases, those input parameters are usually variables of the analytical method, which has been approved on paper.

3. Should audit trail requirements include safeguards designed and implemented to deter, prevent, and document unauthorized record creation, modification, and deletion?

   a.
No, since an audit trail is a (usually silent) log of what actually happened. Deterring and preventing something from happening should rather be located in the functionality of the system.

4. Section 11.10(k) requires appropriate controls over systems documentation. In light of how technology has developed since part 11 became effective, should part 11 be modified to incorporate concepts, such as configuration and document management, for all of a system's software and hardware?

   a. Yes, it would be beneficial to have specific requirements that are suitable for the new ways in which documentation is made available, which are frequently Internet based and also sometimes provided by the vendors of the systems.

C. Part 11 Subpart C - Electronic Signatures

Within the context of subpart C, we would like interested parties to address the following: Section 11.10(d) requires that system access be limited to authorized individuals, but it does not address the handling of security breaches where an unauthorized individual accesses the system. Should part 11 address investigations and followup when these security breaches occur?

   a. No, investigation of security breaches is going too far with this regulation. Part 11 should only require that it is obvious when a record has been changed, and leave it up to the system administrators to investigate based on the risk. Security breaches are either committed by someone with sufficient access to perform the act from within the system, in which case the existing audit trail requirements should be enough, or from outside the system through a "back door", where putting additional requirements on the system would by definition not record the security breach and would only serve to render more existing systems non-compliant.
   b. But is 11.10(d) not a requirement for electronic records, instead of for electronic signatures? (Just to avoid misunderstandings.)
   c. Investigation of security breaches is crucial for all business-critical systems.
But it should not be discussed at the systems level (meaning just for one application), but at the network level for an organization. It should be a cross-application control. And it is not a specific GMP requirement.
   d. As a general comment re: e-sig: it is unclear what approvals are to be considered e-sigs and what approvals are only to be considered as status changes. Some more guidance with explicit lists of process steps that fall under e-sig would be helpful. For example: approval of a test script, authorization to perform a change; are these e-sigs, and under which predicate rule?

D. Additional Questions for Comment

In addition, we invite comment on the following questions:

1. What are the economic ramifications of modifying part 11 based on the issues raised in this document?

   a. Practical guidelines that can be used as a basis for the new process would reduce these costs. Therefore it would be very beneficial to have these clear guidelines included in Part 11.
   b. Additional requirements in any area will increase the cost of complying with the regulation, and will necessitate a further reassessment and remediation of already otherwise compliant systems.
   c. A more conservative approach and better restriction of the scope of what falls under Part 11 might reduce the costs significantly.

2. Is there a need to clarify in part 11 which records are required by predicate rules where those records are not specifically identified in predicate rules? If so, how could this distinction be made?

   a. Examples where clarification would be beneficial:
      - Recipes (detailed technical instructions for controlling automated production equipment),
      - Alarms (messages or signals to draw the attention of the operator to a specific item),
      - Events (log of operator actions during production).
   b. Yes, if Part 11 applies to predicate records which are not specifically identified, then this clarification needs to be made.
Guidance documents for each predicate rule would be a good forum for this.

3. In what ways can part 11 discourage innovation?

   a. At this moment in time, many commercial packages are still not adequately equipped to make it possible to have an implementation that is fully compliant with Part 11. Although they might be clearly better versions (also in terms of compliance) when compared to the former version, they might still not allow for a 100% compliant implementation. This is in particular true for laboratories, where most of the systems are commercial 'off the shelf' systems. A company might hesitate to implement such a system, fearing the observation of having implemented a new system that is not compliant.
   b. New systems are often delayed because of the re-validation effort required to install the new system.

4. What potential changes to part 11 would encourage innovation and technical advances consistent with the agency's need to safeguard public health?

   a. The addition of a rule that allows considering the balance between improved performance and control on the one side, against the degree of compliance with Part 11 requirements (see above).
   b. A risk-based approach to compliance where the non-implementation of a Part 11 requirement (e.g. due to technical or process-related restrictions) can be accepted where it can be demonstrated that there is no risk to the patient.
   c. New systems are often delayed because of the re-validation effort required to install the new system. Such a new system might have significant improvements. Also, antivirus patches etc. that make systems safer could be postponed because of the requirement to go through the re-validation effort.

5. What risk-based approaches would help to ensure that electronic records have the appropriate levels of integrity and authenticity elements and that electronic signatures are legally binding and authentic?

   a.
Since risks in API manufacturing are always indirect to patient safety (concerning only API quality), risk management in this area need not be as extensive as for medical devices, for example. Here, a single point of risk assessment during design should be adequate, resulting in risk controls that are traced to their proper implementation.
   b. Another consideration is that software failures are systematic (software does not fail due to wear and tear), and therefore it is not possible to quantitatively estimate the probability of these defects. As a result the focus of software risk analysis should be on functionality and potential defects that could lead to unwanted results, not on probability estimations.
   c. For high-risk systems, the current requirements of Part 11 are adequate to ensure integrity and authenticity. For low-risk systems, procedural control instead of technically implemented measures, and less extensive testing, might be taken into consideration.

6. The part 11 guidance announced that the agency would exercise enforcement discretion (during our re-examination of part 11) with respect to all part 11 requirements for systems that otherwise were operational prior to August 20, 1997 (legacy systems), the effective date of part 11. What are stakeholder concerns in regards to modifications made to legacy systems in use as of August 1997? Can the use of risk mitigation and appropriate controls eliminate concerns regarding legacy systems?

   a. Legacy systems are sometimes based on commercial packages of many years ago, which do not allow specific requirements of Part 11 (for example, do not allow audit trails, or do not allow the use of passwords). Having to make the system compliant with Part 11 actually means replacing the system, which can be a huge burden in financial cost and human resources. If adequate controls are in place to ensure record integrity and authenticity, would this not be sufficient?
   b.
Clarification of what changes would make Part 11 applicable to a previously legacy system.

7. Should part 11 address record conversion?

   a. Where records are converted for archival or storage purposes, this should be validated and performed in a controlled manner. There is no need for additional requirements regarding this process, but the previously withdrawn guidance document on copies of records gave good instructions for this process, and should be reviewed and reinstated.

8. Are there provisions of part 11 that should be augmented, modified, or deleted as a result of new technologies that have become available since part 11 was issued?

   a. Maybe not entirely on the question that is written here, but the current text of Part 11 would be improved if the structure were changed. Currently, Subpart B on electronic records also contains a clause that is actually about electronic signatures: 11.10(j).
   b. Does the audit trail requirement of Part 11 include a requirement to keep an audit trail or log of the log-in and log-out of users?
   c. More guidance should be given on the conditions under which biometrics can be used. There is a general fear in the industry which has prevented the large-scale uptake of this technology.
   d. The regulation should be as generic as possible to avoid frequent updates as the result of new technologies. Current Part 11 wording seems sufficiently generic.