21 CFR Part 11 – Electronic Records
Part 11 of the Code of Federal Regulations applies to drug makers, medical device manufacturers, biotech companies, biologics developers, CROs, and other FDA-regulated industries, with some specific exceptions in regards to electronic record keeping.  It requires that they implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing the electronic data that FDA predicate rules require them to maintain. A predicate rule is any requirement set forth in the Federal Food, Drug and Cosmetic Act, the Public Health Service Act, or any FDA regulation other than Part 11. 
Broad sections of the regulation have been challenged as “very expensive and for some applications almost impractical”,  and the FDA has stated in guidance that it will exercise enforcement discretion on many parts of the rule. This has led to confusion on exactly what is required, and the rule is being revised. In practice, the requirements on access controls are the only part routinely enforced. The “predicate rules”, that required organizations to keep records in the first place, are still in effect. If electronic records are illegible, inaccessible, or corrupted, manufacturers are still subject to those requirements.
When it comes down to the real situation either firms have authoritative “hard copies” of all required records, or they have all files on an electronic system. Depending on which of the two sources has all required documents, it will be deemed the authoritative source. Firms should be careful to make a claim that the “hard copy” of required records is the authoritative document. For the “hard copy” produced from electronic source to be the authoritative document, it must be a complete and accurate copy of the electronic source. The manufacturer must use the hard copy (rather than electronic versions stored in the system) of the records for regulated activities. The current technical architecture of computer systems increasingly makes the Part 11, Electronic Records; Electronic Signatures — Scope and Application for the complete and accurate copy requirement extremely high.
Which leads us to Private Cloud Systems…
Cloud Systems can be 21 CFR Part 11 compliant, cost effectively deployed to meet accelerated timelines, more secure than in-house deployments, and can assure potential investors/acquirers of the integrity of your firm’s data. These goals can be achieved by creating a qualified private cloud in an agreement with a cloud vendor.
The cloud Software as a service (SaaS) business is a fast-growing and evolving market with multiple options and prices that can get expensive quickly if not managed properly. Please be aware, there are no “out of the box” (free or discounted) cloud solutions will be 21 CFR Part 11 compliant. Below are some of the critical components to ensure that your system is compliant:
- Open and Closed system differentiation – need to define what is inside network or intranet (which needs to be encrypted and protected as such), and what is outside the intranet and available to share on global internet.
- Cloud systems are rigorously validated –just like an on-premise software validation, a cloud validation is mandatory and includes many stages:
- The creation of a Validation Plan
- The User Requirements Specification (URS) describes the business needs for what users require from the system.
- Then follows the System Configuration Specification (SCS) and Software Design Specification (SDS), which needs to be exhaustively documented.
- Once the frameworks have all been developed and validated, then the System Build can begin, as the system develops it must go through iteration of the IQ > OQ > PQ cycle
- Installation Qualification (IQ): Verifies the installation of the software in the selected environments and its documentation.
- Operational Qualification (OQ): Verifies that the software will function according to its operational specifications in the selected environment.
- Performance Qualification (PQ): Verifies that the software consistently performs to the specification for its day to day use (routine).
- Validation Report: Summarizes the executed validation process, documents any deviations and their remediation, and acts as a final sign off on the validation of the system.
- By leveraging a regulated cloud, the cloud software can conduct all validation steps (including IQ and OQ), leaving only the PQ to the customer. 
- Open for inspection – All Validated Cloud SOPs and non-customer-specific documentation are fully auditable, as is the host’s data center.
Risks & Costs to consider:
Of course, no solution is without problems and learning experiences, setting up a cloud system can become more complicated in real world situations with multiple cloud environments, different data sources, internal and acquired content and well as security challenges and other integration issues. In addition, any firm will need to expect large expenditures to make a cloud system a reality. Below is an estimation of costs for a medium sized firm employing about 50-200 to run and maintain a cloud system (these figures might vary greatly from real costs and depend on vendor and solutions purchased):
|Required Component||Estimated Annual Cost|
|Personnel||$200 – 300,000|
|Hardware/Infrastructure||$100 – 150,000|
|Backup & Support||$15 – 20,000|
|Apps & Software Licenses||$15 – 30,000|
|Est. Total Price Range:||$330,000 – 500,000|
However, given the other option which is on premise software database, these costs can be doubled or tripled for a couple reasons. First, there is the constant need to upgrade and replace old hardware, usually faster than it depreciates and at greater cost than the cloud vendors. Second, there is much more technical and personnel experience required, greatly increasing costs and having to compete with the likes of Google and Amazon for cloud engineers and other talent. Another reason is scalability and flexibility, as cloud solutions can scale or decrease depending on the businesses data volume and demand. For an on-premise software solution, a firm would have to purchase more high cost equipment to expand capacity and size, instead of a cloud data provider renting out a few more instances in their data center for the firm.
If a firm has the need to migrate or create an electronic record system to comply with 21 CFR Part 11 and understands the risks and costs, it is usually the best course of action to research and look into right solution for your firms needs. Some firms to explore for potential storage solutions may include: Box, DropBox, Google Cloud, RegDocs365 or AWS Cloud.
- “CFR – Code of Federal Regulations Title 21”. U.S. Food & Drug Administration. U.S. Food & Drug Administration. Retrieved 15 September 2016.
- ^“Food and Drug Administration CFR Title 21 Part 11”. U.S. Food & Drug Administration. U.S. Food & Drug Administration. Retrieved 15 September 2016.
- ^“Part 11, Electronic Records; Electronic Signatures — Scope and Application”. U.S Food & Drug Administration. U.S Food & Drug Administration. Retrieved 15 September 2016.
- ^”https://www.veeva.com/blog/a-validated-system-in-the-cloud-its-not-a-myth-2/ “. Veeva.com Blog. Written 16 January 2013 by Steve Harper.
On July 31, 2019 I had the opportunity to listen into a PricewaterhouseCoopers (PwC) webinar hosted by SDRAN discussing how to build a risk strategy utilizing emerging technologies such as Artificial Intelligence, Blockchain and IOT to improve quality, strengthen compliance and controls such as adverse event controls, reporting and reduce non-conformances.
As technology has advanced, the amount of data being produced by corporations is enormous and at best only a small fraction (PwC estimates .5%) is currently analyzed leaving a huge opportunity for anyone willing to invest in these emerging technologies. A more data driven focused approach can assist in accuracy, completeness and timeliness of reporting and compliance.
Underlying the point of adoption of emerging technologies in large firms, PwC conducted a survey of 7,300 respondents in 123 territories with the majority of respondents being senior executives. The results showed that continuous monitoring of network and email for security is showing the greatest adoption at 40% of respondents utilizing the tech. Anomaly detection, proactive detection of threats and data dashboards all have around 30% adoption and are a critical component of an analytics focused company. The leading edge is using data scientists and AI (with 17% and 11% adoption respectively) to use big data to solve ranges of issues to combat fraud, advance automation projects and streamline operations and workflows.
The three main areas of focus that are ready for enterprise adoption now are: Artificial Intelligence (defined as a collection of “smart” technologies and algorithms that are aware of and can learn from their environment to assist /augment human decision making), Blockchain (immutable, publicly distributed ledger) and IOT or Internet of Things (“Devices utilize embedded technology to communicate, record, and interact with the external environment using the internet as a means of communication”), with a synchronicity or convergence of these technologies allowing for benefits to rise while negating some of the downsides as well as the potential for true disruption.
Side note: In the mid-term (3-5 yrs.) 3D printing and robotics are coming up for wide scale enterprise use, followed by nanotechnology and quantum computing in the next 5-10+ yrs.
By demonstrating some case studies and best practices, it made these topics more relevant and realistic for those looking to adopt these strategies. Some examples of how adoption of these three emerging technologies is and could play out around the areas of Risk and Regulatory Affairs:
Registration and License Tracking can benefit from securing data sharing to guarantee patient data privacy through securing the credentialing process using an immutable anonymous ledger or blockchain.
Regulatory Intelligence and Complaint processing could benefit from Unstructured data mining using NLP (natural language processing) and using risk algorithms to determine fraud.
Regulatory Submissions and Clinical Trial Data Analysis could benefit from machine learning algorithms, using NLP as well as well using automated scripts in the cloud or on servers to reduce manual inputs and better manipulate, pull, label and organize data across an IT system.
Post Marker Regulatory Change Management could become more efficient and benefit in reduced manual processes using AI algorithms and cloud synchronization across IOT devices.
Adverse Event Reporting has many different sources (Mobile texts, Email, information in excels, dashboard or internal tools, etc.) and can all be merged using cloud hosted data source to ingest the data into a separate database for processing. There the data is read through NLP nodes to identify and label key entities. Finally, the data is interpreted with machine learning and rules-based models perform interpretation and then sent back to the appropriate workflow across the IT system. All the while, the entire process is being tracked and monitored by humans through a detailed user interface.
Centralizing and streamlining Health Data to create virtual consultations and analysis. One further application which currently is being led by IOT devices such as the Apple Watch, is tracking, monitoring and packaging health data progression over time to be sent to physicians. A case study provided was where PwC partnered with iBData to create a single process for capturing and transmitting IBD progress in a way that is easy for the patient and informative for the clinician. This resulted in Clinicians being able to compile a comprehensive patient profile and develop a targeted treatment plan with standardized updates on a patient’s symptoms.
The speakers did caveat this with the fact that biases are inherent in AI designed systems by the programmers and inputs, so best to be as objective with data as possible and conduct data audits and set clear baselines and review all model outputs. Other suggestions include setting clear validation tests for the model with real and created inputs. Furthermore, to really make these technologies work cohesively they need to constantly be a work culture of testing and looking at data, defines clear objectives of models and improve the model to get closer to answers that meet the objective as well as ensure it is reverse engineerable and explainable/auditable.
Background art source: https://www.lightfarmbrasil.com/
One of FDA’s many responsibilities is to review imported products regulated by the agency to determine admissibility. This job has become increasingly challenging with growing volumes of imports of FDA-regulated products each year — from six million import entries in 2002 to 35 million in 2015.
To help meet that challenge in a way that benefits both government and the trade community, import entries of products regulated by FDA are submitted through an electronic system called the Automated Commercial Environment (ACE). A final rule published on November 29 in the Federal Register specifies certain data that must be submitted in ACE when an FDA-regulated product is offered for import into the United States. The effective date of the rule is December 29, 2016, 30 days from the date of publication.
The trade community helped us pilot ACE, which is operated by U.S. Customs and Border Protection (CBP), from August 2015 to May 2016. In July 2016, ACE became the sole CBP-authorized system for electronic submissions of entries that contain FDA-regulated products.
The rule also includes technical revisions to certain sections of FDA regulations:
- The owner or consignee of an FDA-regulated product is now defined as the importer of record. This brings FDA regulations up to date with previous revisions to customs laws. (21 CFR 1.83 and 21 CFR 1005.2)
- FDA will now directly provide a notice that an FDA-regulated product is to be sampled, rather than having to go through CBP to provide that notice. (21 CFR 1.90)
- FDA may now provide written notices electronically to the importer of record about FDA actions to refuse FDA-regulated products and/or subject certain drug products to administrative destruction. (21 CFR 1.94)
- The rule clarifies that FDA can reject an entry for failure to provide through ACE the complete and accurate information required by the rule.
As a result of the more streamlined import process for FDA-regulated products provided by ACE, the rule is expected to lead to an efficient use of FDA and importer resources, and more effective enforcement of laws and regulations enforced by FDA.
Key compliance dates in the UDI final rule.
|September 24, 2014||All Class III devicesThe labels and packages of class III medical devices and devices licensed under the Public Health Service Act (PHS Act) must bear a UDI. § 801.20.Dates on the labels of these devices must be formatted as required by § 801.18. Data for these devices must be submitted to the GUDID database. § 830.300.
A 1-year extension of this compliance date may be requested under § 801.55; such a request must be submitted no later than June 23, 2014.
Class III stand-alone software must provide its UDI as required by § 801.50(b).
|September 24, 2015||Class II Implantable, life-saving, and life-preserving DevicesThe labels and packages of implantable, life-supporting, and life-sustaining devices must bear a UDI. § 801.20.Dates on the labels of these devices must be formatted as required by § 801.18.|
|A device that is a life-supporting or life-sustaining device that is required to be labeled with a UDI must a bear UDI as a permanent marking on the device itself if the device is intended to be used more than once and intended to be reprocessed before each use. § 801.45.Stand-alone software that is a life-supporting or life-sustaining device must provide its UDI as required by § 801.50(b).|
|Data for implantable, life-supporting, and life-sustaining devices that are required to be labeled with a UDI must be submitted to the GUDID database. § 830.300.|
|September 24, 2016||Remaining Class II DevicesThese are required to be labeled with a UDI must bear a UDI as a permanent marking on the device itself if the device is a device intended to be used more than once and intended to be reprocessed before each use. § 801.45.|
|The labels and packages of class II medical devices must bear a UDI. § 801.20.Dates on the labels of these devices must be formatted as required by § 801.18.Class II stand-alone software must provide its UDI as required by § 801.50(b).|
|Data for class II devices that are required to be labeled with a UDI must be submitted to the GUDID database. § 830.300.|
|September 24, 2018||All Remaining DevicesDevice that is required to be labeled with a UDI must bear a UDI as a permanent marking on the device itself if the device is a device intended to be used more than once and intended to be reprocessed before each use. § 801.45.|
|The labels and packages of class I medical devices and devices that have not been classified into class I, class II, or class III must bear a UDI. § 801.20.Dates on the labels of all devices, including devices that have been excepted from UDI labeling requirements, must be formatted as required by § 801.18.|
|Data for class I devices and devices that have not been classified into class I, class II, or class III that are required to be labeled with a UDI must be submitted to the GUDID database. § 830.300.Class I stand-alone software must provide its UDI as required by § 801.50(b).|
|Compliance dates for all other provisions of the final rule. Except for the provisions listed above, FDA requires full compliance with the final rule as of the effective date that applies to the provision.|
These compliance dates will impact 510k and PMA submissions. Contact us and our FDA Regulatory Consultant will help you guide your firm through the new paradigm.
The purpose of the FDA Pre-Submission Program* (formerly Pre-IDE) and Meeting with FDA is to provide a mechanism for applicants through which they can request feedback from the Food and Drug Administration (FDA) regarding potential or planned
1) Medical device Investigational Device Exemption (IDE) applications,
2) Premarket Approval (PMA) applications,
3) Humanitarian Device Exemption (HDE) applications,
4) De novo Petitions (Evaluation of Automatic Class III Designations ),
5) Premarket Notification (510(k)) Submissions,
6) Clinical Laboratory Improvement Amendments (CLIA) Waiver by Application,
FDA Feedback may include
a) Written feedback by email
b) Conference call (max 1 hour)
c) Face-to-Face Meeting (max 1 hour)
For #a and #b – Meeting minutes must be drafted and submitted for FDA review. Approved minutes become part of the Pre-Submission record
Contact Glen Feye -FDA regulatory consultant– at glen@accuratefdaconsultanting for help with planning, submitting and leading Pre Submission meeting
*Per 2012 Draft FDA Guidance titled- The Pre-Submission Program and Meetings with Food and Drug Administration Staff
IN LIMBO ON THE BORDER – by Glen Feye
FDA is the main gatekeepers for foreign Medical Devices and Drugs imported into the United States.
If your shipment is questioned by FDA and receive a “Notice of FDA Action” contact your US Agent and you may need a FDA Compliance Consultant .
If your shipment is non compliant- expect “HOLD DESIGNATED”
If the appropriate action is not taken in a timely manner- expect ” REFUSAL OF ADMISSION”
FDA wants these products out of the country or distroyed in a timely manner
1) Letter of Authorization
All FDA communications must include the Entry Number
If you are working with a third-party consultant – FDA requires a Letter of Authorization from firm
2) Current FDA Registration and Device Listing-
Note-This is an annual process- and medical devices manufacturers must pay the appropriate User Fee by the beginning of the upcoming year
3) Regulatory Status- Devices and Drugs
Define product mix. Develop a comprehensive spreadsheet which defines the following:
Define device classification based on intended use of device as well as the appropriate product code and device listing
Identify 510k or PMA number(s)
Device accessories are devices
Components are not devices
Define drug based, – obtain the NDC numbers.
Navigating through this process and getting proper communication with FDA is challenging.
Contact www.accuratefdaconsulting.com or call a FDA Consultant to get help to properly remediate these import complications