[Federal Register Volume 64, Number 146 (Friday, July 30, 1999)]
[Notices]
[Pages 41442-41443]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-19477]



[[Page 41442]]

-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Food and Drug Administration
[Docket No. 99D-1458]


Enforcement Policy: Electronic Records; Electronic Signatures--
Compliance Policy Guide; Guidance for FDA Personnel

    Note: On July 21, 1999 (64 FR 39146), this document was 
published with some inadvertent errors. For the convenience of the 
reader, the document is being republished in its entirety.
AGENCY: Food and Drug Administration, HHS.

ACTION:  Notice.

-----------------------------------------------------------------------

SUMMARY: The Food and Drug Administration (FDA) is announcing the 
availability of a new Compliance Policy Guide (CPG) section 160.850 
entitled ``Enforcement Policy: 21 CFR Part 11; Electronic Records; 
Electronic Signatures.'' This CPG is intended to represent the agency's 
current thinking on how to comply with the regulations for electronic 
records and electronic signatures. It also provides that agency 
decisions on whether or not to pursue regulatory actions will be based 
on a case-by-case evaluation. The text of the CPG is included in this 
document.
DATES: Written comments may be submitted at any time.

ADDRESSES:  Submit written requests for single copies of CPG section 
160.850 entitled ``Enforcement Policy: 21 CFR Part 11; Electronic 
Records; Electronic Signatures'' to the Division of Compliance Policy 
(HFC-230), Office of Enforcement, Office of Regulatory Affairs, Food 
and Drug Administration, 5600 Fishers Lane, Rockville, MD 20852. Send 
two self-addressed adhesive labels to assist that office in processing 
your requests. Written comments should be identified with the docket 
number found in brackets in the heading of this document and should be 
sent to the Dockets Management Branch (HFA-305), Food and Drug 
Administration, 5630 Fishers Lane, rm. 1061, Rockville, MD 20852. A 
copy of the CPG is available on FDA's website at ``http://www.fda.gov/
ora/compliance__ref/cpg/cpggenl/default.htm''. Scroll down the CPG page 
to locate section 160.850.

FOR FURTHER INFORMATION CONTACT:  James F. McCormack, Division of 
Compliance Policy (HFC-230), Office of Enforcement, Office of 
Regulatory Affairs, Food and Drug Administration, 5600 Fishers Lane, 
Rockville, MD 20852, 301-827-0425.

SUPPLEMENTARY INFORMATION:  FDA is announcing the availability of a new 
CPG section 160.850 entitled ``Enforcement Policy: 21 CFR Part 11; 
Electronic Records; Electronic Signatures.'' The CPG is an update to 
the Compliance Policy Guides Manual (August 1996 ed.). It is a new CPG 
and will be included in the next printing of the Compliance Policy 
Guides Manual. The CPG is intended for FDA personnel and is available 
electronically to the public. See the ADDRESSES section for electronic 
access to the CPG. The CPG is a level 2 guidance which is being issued 
consistent with FDA's good guidance practices (62 FR 8961, February 27, 
1997). It does not create or confer any rights for or on any person and 
does not operate to bind FDA or the public. An alternative approach may 
be used if such approach satisfies the requirements of the applicable 
statute, regulation, or both.
    The text of the CPG follows:

Section 160.850

Title: Enforcement Policy: 21 CFR Part 11; Electronic Records; 
Electronic Signatures (CPG 7153.17)

 Background:

    This compliance guidance document is an update to the Compliance 
Policy Guides Manual (August 1996 edition). This is a new Compliance 
Policy Guide (CPG) and will be included in the next printing of the 
Compliance Policy Guides Manual. The CPG is intended for Food and 
Drug Administration (FDA) personnel and is available electronically 
to the public. This guidance document represents the agency's 
current thinking on what is required to be fully compliant with 21 
CFR Part 11, ``Electronic Records; Electronic Signatures'' and 
provides that agency decisions on whether or not to pursue 
regulatory actions will be based on a case by case evaluation. The 
CPG does not create or confer any rights for or on any person and 
does not operate to bind FDA or the public. An alternative approach 
may be used if such approach satisfies the requirements of the 
applicable statute, regulation, or both.
    In the Federal Register of March 20, 1997 at 62 FR 13429, FDA 
issued a notice of final rulemaking for 21 CFR, Part 11, Electronic 
Records; Electronic Signatures. The rule went into effect on August 
20, 1997. Part 11 is intended to create criteria for electronic 
recordkeeping technologies while preserving the agency's ability to 
protect and promote the public health (e.g., by facilitating timely 
review and approval of safe and effective new medical products, 
conducting efficient audits of required records, and when necessary 
pursuing regulatory actions). Part 11 applies to all FDA program 
areas, but does not mandate electronic recordkeeping. Part 11 
describes the technical and procedural requirements that must be met 
if a person chooses to maintain records electronically and use 
electronic signatures. Part 11 applies to those records required by 
an FDA predicate rule and to signatures required by an FDA predicate 
rule, as well as signatures that are not required, but appear in 
required records.
    Part 11 was developed in concert with industry over a period of 
six years. Virtually all of the rule's requirements had been 
suggested by industry comments to a July 21, 1992 Advance Notice of 
Proposed Rulemaking (at 57 FR 32185). In response to comments to an 
August 31, 1994 Proposed Rule (at 59 FR 45160), the agency refined 
and reduced many of the proposed requirements in order to minimize 
the burden of compliance. The final rule's provisions are consistent 
with an emerging body of federal and state law as well as commercial 
standards and practices.
    Certain older electronic systems may not have been in full 
compliance with Part 11 by August 20, 1997, and modification to 
these so called ``legacy systems'' may take more time. As explained 
in the preamble to the final rule, Part 11 does not grandfather 
legacy systems and FDA expects that firms using legacy systems will 
begin taking steps to achieve full compliance.

 Policy:

    When persons are not fully compliant with Part 11, decisions on 
whether or not to pursue regulatory actions will be based on a case 
by case evaluation, which may include the following:
     Nature and extent of Part 11 deviation(s). FDA will consider 
Part 11 deviations to be more significant if those deviations are 
numerous, if the deviations make it difficult for the agency to 
audit or interpret data, or if the deviations undermine the 
integrity of the data or the electronic system. For example, FDA 
expects that firms will use file formats that permit the agency to 
make accurate and complete copies in both human readable and 
electronic form of audited electronic records. Similarly, FDA would 
have little confidence in data from firms that do not hold their 
employees accountable and responsible for actions taken under their 
electronic signatures.
     Effect on product quality and data integrity.  For example, FDA 
would consider the absence of an audit trail to be highly 
significant when there are data discrepancies and when individuals 
deny responsibility for record entries. Similarly, lack of 
operational system checks to enforce event sequencing would be 
significant if an operator's ability to deviate from the prescribed 
order of manufacturing steps results in an adulterated or misbranded 
product.
    Adequacy and timeliness of planned corrective measures. Firms 
should have a reasonable timetable for promptly modifying any 
systems not in compliance (including legacy systems) to make them 
Part 11 compliant, and should be able to demonstrate progress in 
implementing their timetable. FDA expects that Part 11 requirements 
for procedural controls will already be in place. FDA recognizes 
that technology based controls may take longer to install in older 
systems.
    Compliance history of the establishment, especially with respect 
to data integrity. FDA

[[Page 41443]]

will consider Part 11 deviations to be more significant if a firm 
has a history of Part 11 violations or of inadequate or unreliable 
recordkeeping. Until firms attain full compliance with Part 11, FDA 
investigators will exercise greater vigilance to detect 
inconsistencies, unauthorized modifications, poor attributability, 
and any other problems associated with failure to comply with Part 
11.

 Regulatory Action Guidance:

    Program monitors and center compliance offices should be 
consulted prior to recommending regulatory action. FDA will consider 
regulatory action with respect to Part 11 when the electronic 
records or electronic signatures are unacceptable substitutes for 
paper records or handwritten signatures, and that therefore, 
requirements of the applicable regulations (e.g., CGMP and GLP 
regulations) are not met. Regulatory citations should reference such 
predicate regulations in addition to Part 11. The following is an 
example of a regulatory citation for a violation of the device 
quality system regulations.
    Failure to establish and maintain procedures to control all 
documents that are required by 21 CFR 820.40, and failure to use 
authority checks to ensure that only authorized individuals can use 
the system and alter records, as required by 21 CFR 11.10(g). For 
example, engineering drawings for manufacturing equipment and 
devices are stored in AutoCAD form on a desktop computer. The 
storage device was not protected from unauthorized access and 
modification of the drawings.

    Dated: July 23,1999.
 William K. Hubbard.
 Senior Associate Commissioner for Policy, Planning and Coordination
[FR Doc. 99-19477 Filed 7-29-99; 8:45 am]
BILLING CODE 4160-01-F