[Federal Register Volume 64, Number 146 (Friday, July 30, 1999)]
[Notices]
[Pages 41442-41443]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-19477]
[[Page 41442]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Food and Drug Administration
[Docket No. 99D-1458]
Enforcement Policy: Electronic Records; Electronic Signatures--
Compliance Policy Guide; Guidance for FDA Personnel
Note: On July 21, 1999 (64 FR 39146), this document was
published with some inadvertent errors. For the convenience of the
reader, the document is being republished in its entirety.
AGENCY: Food and Drug Administration, HHS.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: The Food and Drug Administration (FDA) is announcing the
availability of a new Compliance Policy Guide (CPG) section 160.850
entitled ``Enforcement Policy: 21 CFR Part 11; Electronic Records;
Electronic Signatures.'' This CPG is intended to represent the agency's
current thinking on how to comply with the regulations for electronic
records and electronic signatures. It also provides that agency
decisions on whether or not to pursue regulatory actions will be based
on a case-by-case evaluation. The text of the CPG is included in this
document.
DATES: Written comments may be submitted at any time.
ADDRESSES: Submit written requests for single copies of CPG section
160.850 entitled ``Enforcement Policy: 21 CFR Part 11; Electronic
Records; Electronic Signatures'' to the Division of Compliance Policy
(HFC-230), Office of Enforcement, Office of Regulatory Affairs, Food
and Drug Administration, 5600 Fishers Lane, Rockville, MD 20852. Send
two self-addressed adhesive labels to assist that office in processing
your requests. Written comments should be identified with the docket
number found in brackets in the heading of this document and should be
sent to the Dockets Management Branch (HFA-305), Food and Drug
Administration, 5630 Fishers Lane, rm. 1061, Rockville, MD 20852. A
copy of the CPG is available on FDA's website at ``http://www.fda.gov/
ora/compliance__ref/cpg/cpggenl/default.htm''. Scroll down the CPG page
to locate section 160.850.
FOR FURTHER INFORMATION CONTACT: James F. McCormack, Division of
Compliance Policy (HFC-230), Office of Enforcement, Office of
Regulatory Affairs, Food and Drug Administration, 5600 Fishers Lane,
Rockville, MD 20852, 301-827-0425.
SUPPLEMENTARY INFORMATION: FDA is announcing the availability of a new
CPG section 160.850 entitled ``Enforcement Policy: 21 CFR Part 11;
Electronic Records; Electronic Signatures.'' The CPG is an update to
the Compliance Policy Guides Manual (August 1996 ed.). It is a new CPG
and will be included in the next printing of the Compliance Policy
Guides Manual. The CPG is intended for FDA personnel and is available
electronically to the public. See the ADDRESSES section for electronic
access to the CPG. The CPG is a level 2 guidance which is being issued
consistent with FDA's good guidance practices (62 FR 8961, February 27,
1997). It does not create or confer any rights for or on any person and
does not operate to bind FDA or the public. An alternative approach may
be used if such approach satisfies the requirements of the applicable
statute, regulation, or both.
The text of the CPG follows:
Section 160.850
Title: Enforcement Policy: 21 CFR Part 11; Electronic Records;
Electronic Signatures (CPG 7153.17)
Background:
This compliance guidance document is an update to the Compliance
Policy Guides Manual (August 1996 edition). This is a new Compliance
Policy Guide (CPG) and will be included in the next printing of the
Compliance Policy Guides Manual. The CPG is intended for Food and
Drug Administration (FDA) personnel and is available electronically
to the public. This guidance document represents the agency's
current thinking on what is required to be fully compliant with 21
CFR Part 11, ``Electronic Records; Electronic Signatures'' and
provides that agency decisions on whether or not to pursue
regulatory actions will be based on a case by case evaluation. The
CPG does not create or confer any rights for or on any person and
does not operate to bind FDA or the public. An alternative approach
may be used if such approach satisfies the requirements of the
applicable statute, regulation, or both.
In the Federal Register of March 20, 1997 at 62 FR 13429, FDA
issued a notice of final rulemaking for 21 CFR, Part 11, Electronic
Records; Electronic Signatures. The rule went into effect on August
20, 1997. Part 11 is intended to create criteria for electronic
recordkeeping technologies while preserving the agency's ability to
protect and promote the public health (e.g., by facilitating timely
review and approval of safe and effective new medical products,
conducting efficient audits of required records, and when necessary
pursuing regulatory actions). Part 11 applies to all FDA program
areas, but does not mandate electronic recordkeeping. Part 11
describes the technical and procedural requirements that must be met
if a person chooses to maintain records electronically and use
electronic signatures. Part 11 applies to those records required by
an FDA predicate rule and to signatures required by an FDA predicate
rule, as well as signatures that are not required, but appear in
required records.
Part 11 was developed in concert with industry over a period of
six years. Virtually all of the rule's requirements had been
suggested by industry comments to a July 21, 1992 Advance Notice of
Proposed Rulemaking (at 57 FR 32185). In response to comments to an
August 31, 1994 Proposed Rule (at 59 FR 45160), the agency refined
and reduced many of the proposed requirements in order to minimize
the burden of compliance. The final rule's provisions are consistent
with an emerging body of federal and state law as well as commercial
standards and practices.
Certain older electronic systems may not have been in full
compliance with Part 11 by August 20, 1997, and modification to
these so called ``legacy systems'' may take more time. As explained
in the preamble to the final rule, Part 11 does not grandfather
legacy systems and FDA expects that firms using legacy systems will
begin taking steps to achieve full compliance.
Policy:
When persons are not fully compliant with Part 11, decisions on
whether or not to pursue regulatory actions will be based on a case
by case evaluation, which may include the following:
Nature and extent of Part 11 deviation(s). FDA will consider
Part 11 deviations to be more significant if those deviations are
numerous, if the deviations make it difficult for the agency to
audit or interpret data, or if the deviations undermine the
integrity of the data or the electronic system. For example, FDA
expects that firms will use file formats that permit the agency to
make accurate and complete copies in both human readable and
electronic form of audited electronic records. Similarly, FDA would
have little confidence in data from firms that do not hold their
employees accountable and responsible for actions taken under their
electronic signatures.
Effect on product quality and data integrity. For example, FDA
would consider the absence of an audit trail to be highly
significant when there are data discrepancies and when individuals
deny responsibility for record entries. Similarly, lack of
operational system checks to enforce event sequencing would be
significant if an operator's ability to deviate from the prescribed
order of manufacturing steps results in an adulterated or misbranded
product.
Adequacy and timeliness of planned corrective measures. Firms
should have a reasonable timetable for promptly modifying any
systems not in compliance (including legacy systems) to make them
Part 11 compliant, and should be able to demonstrate progress in
implementing their timetable. FDA expects that Part 11 requirements
for procedural controls will already be in place. FDA recognizes
that technology based controls may take longer to install in older
systems.
Compliance history of the establishment, especially with respect
to data integrity. FDA
[[Page 41443]]
will consider Part 11 deviations to be more significant if a firm
has a history of Part 11 violations or of inadequate or unreliable
recordkeeping. Until firms attain full compliance with Part 11, FDA
investigators will exercise greater vigilance to detect
inconsistencies, unauthorized modifications, poor attributability,
and any other problems associated with failure to comply with Part
11.
Regulatory Action Guidance:
Program monitors and center compliance offices should be
consulted prior to recommending regulatory action. FDA will consider
regulatory action with respect to Part 11 when the electronic
records or electronic signatures are unacceptable substitutes for
paper records or handwritten signatures, and that therefore,
requirements of the applicable regulations (e.g., CGMP and GLP
regulations) are not met. Regulatory citations should reference such
predicate regulations in addition to Part 11. The following is an
example of a regulatory citation for a violation of the device
quality system regulations.
Failure to establish and maintain procedures to control all
documents that are required by 21 CFR 820.40, and failure to use
authority checks to ensure that only authorized individuals can use
the system and alter records, as required by 21 CFR 11.10(g). For
example, engineering drawings for manufacturing equipment and
devices are stored in AutoCAD form on a desktop computer. The
storage device was not protected from unauthorized access and
modification of the drawings.
Dated: July 23,1999.
William K. Hubbard.
Senior Associate Commissioner for Policy, Planning and Coordination
[FR Doc. 99-19477 Filed 7-29-99; 8:45 am]
BILLING CODE 4160-01-F
