[Federal Register Volume 64, Number 139 (Wednesday, July 21, 1999)]
[Notices]
[Pages 39146-39147]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-18581]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Food and Drug Administration
[Docket No. 99D-1458]


Enforcement Policy: Electronic Records; Electronic Signatures--
Compliance Policy Guide; Guidance for FDA Personnel

AGENCY: Food and Drug Administration, HHS.

ACTION:  Notice.

-----------------------------------------------------------------------

SUMMARY: The Food and Drug Administration (FDA) is announcing the 
availability of a new Compliance Policy Guide (CPG) section 160.850 
entitled ``Enforcement Policy: 21 CFR Part 11; Electronic Records; 
Electronic Signatures.'' This CPG is intended to represent the agency's 
current thinking on how to comply with the regulations for electronic 
records and electronic signatures. It also provides that agency 
decisions on whether or not to pursue regulatory actions will be based 
on a case-by-case evaluation. The text of the CPG is included in this 
document.
DATES: Written comments may be submitted at any time.

ADDRESSES:  Submit written requests for single copies of CPG section 
160.850 entitled ``Enforcement Policy: 21 CFR Part 11; Electronic 
Records; Electronic Signatures'' to the Division of Compliance Policy 
(HFC-230), Office of Enforcement, Office of Regulatory Affairs, Food 
and Drug Administration, 5600 Fishers Lane, Rockville, MD 20852. Send 
two self-addressed

[[Page 39147]]

adhesive labels to assist that office in processing your requests. 
Written comments should be identified with the docket number found in 
brackets in the heading of this document and should be sent to the 
Dockets Management Branch (HFA-305), Food and Drug Administration, 5630 
Fishers Lane, rm. 1061, Rockville, MD 20852. A copy of the CPG is 
available on FDA's website at ``http://www.fda.gov/ora/compliance__ref/
cpg/cpggenl/default.htm''. Scroll down the CPG page to locate section 
160.850.

FOR FURTHER INFORMATION CONTACT:  James F. McCormack, Division of 
Compliance Policy (HFC-230), Office of Enforcement, Office of 
Regulatory Affairs, Food and Drug Administration, 5600 Fishers Lane, 
Rockville, MD 20852, 301-827-0425.

SUPPLEMENTARY INFORMATION:  FDA is announcing the availability of a new 
CPG section 160.850 entitled ``Enforcement Policy: 21 CFR Part 11; 
Electronic Records; Electronic Signatures.'' The CPG is an update to 
the Compliance Policy Guides Manual (August 1996 ed.). It is a new CPG 
and will be included in the next printing of the Compliance Policy 
Guides Manual. The CPG is intended for FDA personnel and is available 
electronically to the public. See the ADDRESSES section for electronic 
access to the CPG. The CPG is a level 2 guidance which is being issued 
consistent with FDA's good guidance practices (62 FR 8961, February 27, 
1997). It does not create or confer any rights for or on any person and 
does not operate to bind FDA or the public. An alternative approach may 
be used if such approach satisfies the requirements of the applicable 
statute, regulation, or both.
    The text of the CPG follows:

Section 160.850

Title: Enforcement Policy: 21 CFR Part 11; Electronic Records; 
Electronic Signatures (CPG 7153.17)

 Background:

    This compliance guidance document is an update to the Compliance 
Policy Guides Manual (August 1996 edition). This is a new Compliance 
Policy Guidance (CPG) and will be included in the next printing of 
the Compliance Policy Guidances Manual. The CPG is intended for Food 
and Drug Administration (FDA) personnel and is available 
electronically to the public. This guidance document represents the 
agency's current thinking on how to comply with 21 CFR Part 11, 
``Electronic Records; Electronic Signatures'' and provides that 
agency decisions on whether or not to pursue regulatory actions will 
be based on a case by case evaluation. The CPG does not create or 
confer any rights for or on any person and does not operate to bind 
FDA or the public. An alternative approach may be used if such 
approach satisfies the requirements of the applicable statute, 
regulation, or both.
    In the Federal Register of March 20, 1997 at 62 FR 13430, FDA 
issued a notice of final rulemaking for 21 CFR, Part 11, Electronic 
Records; Electronic Signatures. The rule went into effect on August 
20, 1997. Part 11 is intended to create criteria for electronic 
recordkeeping technologies while preserving the agency's ability to 
protect and promote the public health (e.g., by facilitating timely 
review and approval of safe and effective new medical products, 
conducting efficient audits of required records, and when necessary 
pursuing regulatory actions). Part 11 applies to all FDA program 
areas, but does not mandate electronic recordkeeping. Part 11 
describes the technical and procedural requirements that must be met 
if a person chooses to maintain records electronically and use 
electronic signatures. Part 11 applies to those records required by 
an FDA predicate rule and to signatures required by an FDA predicate 
rule, as well as signatures that are not required, but appear in 
required records.
    Part 11 was developed in concert with industry over a period of 
six years. Virtually all of the rule's requirements had been 
suggested by industry comments to a July 21, 1992 Advance Notice of 
Proposed Rulemaking (at 57 FR 32185). In response to comments to an 
August 31, 1994 Proposed Rule (at 59 FR 45160), the agency refined 
and reduced many of the proposed requirements in order to minimize 
the burden of compliance. The final rule's provisions are consistent 
with an emerging body of federal and state law as well as commercial 
standards and practices. Certain older electronic systems may not 
have been in full compliance with Part 11 by August 20, 1997, and 
modification to these so called ``legacy systems'' may take more 
time. As explained in the preamble to the final 1rule, Part 11 does 
not grandfather legacy systems and FDA expects that firms using 
legacy systems will begin taking steps to achieve full compliance.

 Policy:

    When persons are not fully compliant with Part 11, decisions on 
whether or not to pursue regulatory actions will be based on a case 
by case evaluation, which may include the following:
     Nature and extent of Part 11 deviation(s). FDA will consider 
Part 11 deviations to be more significant if those deviations are 
numerous, if the deviations make it difficult for the agency to 
audit or interpret data, or if the deviations undermine the 
integrity of the data or the electronic system. For example, FDA 
expects that firms will use file formats that permit the agency to 
make accurate and complete copies in both human readable and 
electronic form of audited electronic records. Similarly, FDA would 
have little confidence in data from firms that do not hold their 
employees accountable and responsible for actions taken under their 
electronic signatures.
     Effect on product quality and data integrity.  For example, FDA 
would consider the absence of an audit trail to be highly 
significant when there are data discrepancies and when individuals 
deny responsibility for record entries. Similarly, lack of 
operational system checks to enforce event sequencing would be 
significant if an operator's ability to deviate from the prescribed 
order of manufacturing steps results in an adulterated or misbranded 
product.
    Adequacy and timeliness of planned corrective measures. Firms 
should have a reasonable timetable for promptly modifying any 
systems not in compliance (including legacy systems) to make them 
Part 11 compliant, and should be able to demonstrate progress in 
implementing their timetable. FDA expects that Part 11 requirements 
for procedural controls will already be in place. FDA recognizes 
that technology based controls may take longer to install in older 
systems.
    Compliance history of the establishment, especially with respect 
to data integrity. FDA will consider Part 11 deviations to be more 
significant if a firm has a history of Part 11 violations or of 
inadequate or unreliable recordkeeping. Until firms attain full 
compliance with Part 11, FDA investigators will exercise greater 
vigilance to detect inconsistencies, unauthorized modifications, 
poor attributability, and any other problems associated with failure 
to comply with Part 11.

 Regulatory Action Guidance:

    Program monitors and center compliance offices should be 
consulted prior to recommending regulatory action. FDA will consider 
regulatory action with respect to Part 11 when the electronic 
records or electronic signatures are unacceptable substitutes for 
paper records or handwritten signatures, and that therefore, 
requirements of the applicable regulations (e.g., CGMP and GLP 
regulations) are not met. Regulatory citations should reference such 
predicate regulations in addition to Part 11. The following is an 
example of a regulatory citation for a violation of the device 
quality system regulations.
    Failure to establish and maintain procedures to control all 
documents that are required by 21 CFR 820.40, and failure to use 
authority checks to ensure that only authorized individuals can use 
the system and alter records, as required by 21 CFR 11.10(g). For 
example, engineering drawings for manufacturing equipment and 
devices are stored in AutoCAD form on a desktop computer. The 
storage device was not protected from unauthorized access and 
modification of the drawings.

    Dated: July 1, 1999.
 Margaret M. Dotzel,
 Acting Associate Commissioner for Policy.
[FR Doc. 99-18581 Filed 7-20-99; 8:45 am]
BILLING CODE 4160-01-F