FDA’s Data Integrity (2016), Part 11 (1997) and “Appropriate Controls” (1978) – are we back to the future?
Over 25 years ago, as an Automation Engineer, I was responsible for process automation systems (DCS and PLC’s) at a pharmaceutical company. The company happened to be the very first one to get an FDA “Warning Letter” on “computerized systems”. Computerized systems within the industry were regulated at that time solely by 21 CFR 211.68. In 2015 and 2016, approximately 80 percent of all warning letters include a “data integrity” component. The leading observation within that 80% continues to be based on 21 CFR 211.68, a 40-year-old ruling.
At the time we received the “Warning Letter”, a task-force of Automation Engineers was formed to understand the FDA’s 211.68 ruling (1978). We found the 1983 “Guide To Inspection of Computerized Systems in Drug Processing” used by FDA Inspectors to be the most useful tool to understand not only the technical aspects to address the regulation but also the “spirit” of the regulation.
We found that 211.68 had a peculiar statement, “appropriate controls”. For a control system engineer, those type of subjective words – especially when referring to “controls” – was very challenging. But, the ruling (and the “Guide”) where very clear and it required, among other things, that the computerized (control) system and “records are instituted only by authorized personnel” and that the system is “designed to assure that backup data are exact and complete and that it is secure from alteration, inadvertent erasures, or loss shall be maintained”. Reading further along the “Guide” you could find significant detail and technical information as to “how” the FDA expected you to achieve such “appropriate controls”. Following the “Guide”, as well as “Good Engineering Practices” and basic common sense, could assure you with at least 98% that you will be in the non-observations zone.
It was clear to me right there and then that it was more about consistent execution than understanding (or lack thereof) of a rule or a guide.
Twenty (20) years after 21 CFR 211.68 was created, Part 11 came along written for “Electronic Records; Electronic Signatures”. The “electronic records” part was basically already covered by 211.68. However, Part 11 ruling did provide more detail as to the “how” within the ruling, and also included a “Preface” with a summary of the comments provided by the industry towards the draft of the ruling and then the FDA response and position for such comments. That section, with 35 of the 38 pages of the document provided much insight as to “how” the FDA expected you to comply.
If you removed the “Electronic Signature” portion of Part 11 and its preface (“comments”), over 90% was already addressed, in a different way and format, within other industry documents whether FDA guideline documents or industry standards (GAMP, ISPE, etc.) that had been developed through the knowledge gain by the industry and the FDA.
Once again, it was clear to me that it was more about consistent execution than understanding (or lack thereof) of a rule or a guide.
Well, little did I know that 40 years later I was going to experience, for the third time, the exact same challenges. In 2016, the FDA came out with the “Guide to Industry for Data Integrity and Compliance With CGMP”. For the past two years, PACIV have been assisting our clients to ensure compliance with this Guide, just like we did when Part 11 came along. We found ourselves addressing the same gaps regarding security, audit trails, backup and restore, record retention, validation and “appropriate controls” that I had been working on 30 years ago!
The industrial automation technologies have truly evolved in 30 years. Certainly, innovation has been at the forefront with automation. However, the fundamental principles of its regulatory compliance within the Life Sciences industry is almost identical – with minor adjustments for those new capabilities like “Electronic Signatures”.
It seems to me that as the FDA encounters non-compliance within the Life Science industry regarding its ruling, it tries to address it by putting out new rules or a new guide. This for sure creates awareness of the situation, sometimes even an industry “frenzy” and overall compliance improves.
However, after 30 years within the industry, I am convinced that the issues the industry face in its quest for compliance within its “computerized systems” have to do more with leadership, governance, discipline and the sustainable implementation of the required processes and systems needed to be in place to execute consistently.
Did you find this article interesting? Would you like to be updated when we post the next one?
Sign up for our mailing list by clicking here, and stay up to date with the latest news and articles on the Industry.
Jorge L. Rodriguez, P.E., CEO at PACIV Jorge has over 25 years of experience within the Instrumentation and Controls (I&C) industry. Prior to founding PACIV, Jorge held various positions as Control System Engineer for Eli Lilly, Janssen (J&J) and Westinghouse, working in multiple sites within the United States and Puerto Rico. Jorge is a Licensed Professional Engineer (P.E.) in Control Systems and holds a Graduate Degree from Harvard Business School, a Master in Business Administration (MBA) from University of Puerto Rico and a Bachelor’s of Science in Electrical Engineering from Syracuse University in New York.
LinkedIn: Jorge Luis Rodriguez