It happens at least a few times a year as I interface with pharma/bio/med tech clients. We start talking about computerized system use or data integrity of records, and I invariably hear some version of:
“Our electronic data is printed out and stored as ‘original data,’ so there is no computerized systems data integrity issue.”
And honestly, even though I know this is patently untrue, I can understand how we all got here. The Pharmaceutical Industry originally asked the FDA for guidelines around using computer systems to eliminate paper records in the early 1990s – back when some of us were still saving data to floppy disks. A task force was convened and the final rule for 21 CFR Part 11 was published in 1997.
21 CFR Part 11 Electronic Records, Electronic Signatures (“Part 11”) applied to all FDA program areas and stated that electronic records were not mandatory. Just that comment alone created widespread confusion. In 1999, a Compliance Policy Guide (CPG) and five guidance documents were drafted to try to help clear the confusion. However, the consensus was that the CPG and associated guidance documents significantly increased the cost of using technology, thereby discouraging technological innovation and restricting the use of technology and basically, having the complete opposite impact that was hoped.
Then in 2003, the FDA revoked the CPG and the five guidance documents. It was replaced by the Guidance Document on the Scope and Application of Part 11 (released September 3, 2003). It was widely known that there would purposely be a narrower interpretation of which records would be subjected to the full authority of Part 11. The guidance document states explicitly when records that must be maintained under predicate rules (like 21 CFR 211 or 21 CFR 820) or submitted to FDA are maintained in electronic format, Part 11 applies. On the other hand, when computers are used to generate a permanent paper record, Part 11 does not apply. This is also known as the ‘typewriter clause’ because just as a typewriter would not be subject to inspection, the computer that generated a document will not be inspected as long as the document itself is the authentic and official record.
In addition, it was understood that systems in which records existed in electronic form and in traditional paper format may or may not be subject to Part 11. If you use the electronic portion of the system for any GxP function, then the electronic system would fall under Part 11 jurisdiction. However, if you keep records in both formats but use the paper form as the sole means for making any regulated decisions, then Part 11 does not apply. I am finding it is commonly believed that if you have electronic system assessments that fully document these decisions, then it can be shown that the implications were thought through proactively, and therefore, the system is protected from regulatory scrutiny.
However, the understanding and application of the treatment of electronic data has changed, especially in the past several years. Through 483 observational and Warning Letter trends, it is clear that the implementation of the Part 11 rules and its relation to the integrity of data has become more consistent. With the release of the Data Integrity and Compliance with Drug CGMP, Guidance for Industry (December 2018), the regulatory framework for the treatment of electronic data in relation to the ability to fully comply with 21CFR211 has been clearly stated.
So, simplistically, if you print the electronic data and store it as a paper record…that’s nice. But it’s not the original record. The original record is the electronic data held within the computerized system. The good news is that the most recent computer operating systems have features that easily enable Part 11 data integrity compliance. However, as with most things in life, it’s not that easy. These features are not automatic, and data integrity practices do need to be deliberately implemented.