Q: What is GxP?

A: This refers to the "Good Practices" whose rulings are observed within the medical device and pharmaceutical industry. These are Good Laboratory Practice (GLP), Good Automated Manufacturing Practice (GAMP), Good Manufacturing Practice (GMP) and Good Clinical Practice (GCP). The 'x' is merely a placeholder.

Q: What is Good Laboratory Practice?

A: The GLP regulations are found in 21 CFR Part 58: Good Laboratory Practice for Nonclinical Laboratory Studies. FDA promulgated these regulations in response to public concerns that several important studies supporting the safety of FDA-regulated products were seriously flawed due to poor research practices and laboratory misconduct. The GLP regulations apply to nonclinical laboratory studies supporting research or marketing applications for FDA-regulated products (21 CFR 58.1). These regulations set forth the minimum basic requirements for study conduct, personnel, facilities, equipment, written protocols, operating procedures, study reports, and a system of quality assurance oversight for each study to help assure the safety of FDA-regulated products.

Q: What is a nonclinical laboratory study?

A: A nonclinical laboratory study is an in vivo or in vitro experiment in which a test article is studied prospectively in a test system under laboratory conditions to determine its safety (21 CFR 58.3(d)). A test article is a medical device for human use, or any other article subject to regulation under the Federal Food, Drug, and Cosmetic Act (the Act) or under sections 351 and 354-360F of the Public Health Service Act (21 CFR 58.3(b)). A test system is any animal, plant, microorganism, or subparts thereof to which the test or control article is administered or added for study. A test system also includes appropriate groups or components of the system not treated with the test or control articles (21 CFR 58.3(i)). Examples of nonclinical laboratory studies include in vitro and in vivo biocompatibility testing and animal studies used to evaluate the potential for adverse responses to a medical device. Bench tests, such as chemical or physical testing, and any other studies that do not involve use of an animal, plant, or microorganism, are not included. Studies utilizing human subjects, human specimens, clinical studies, or field trials in animals (e.g., wildlife studies) are not included, nor are basic exploratory studies carried out to determine whether a test article has any potential utility, or to determine physical or chemical characteristics of a test article.

Q: Which device applications and submissions are subject to the GLP regulations?

A: FDA promulgated the GLP regulation under section 701(a) of the Act, 21 U.S.C. § 371, to assure the quality and integrity of safety data in support of FDA-regulated products. The scope of the GLP regulations (21 CFR 58.1(a)) includes nonclinical laboratory studies that support research or marketing applications across medical products, including devices marketed under section 510(k) of the Act, 21 U.S.C. § 360(k), PMAs and product development protocols under section 515 of the Act, 21 U.S.C. § 360e, and HDEs and IDEs under section 520 of the Act, 21 U.S.C. § 360j. See also 43 FR 59988.

Q: Do the GLP regulations apply to nonclinical feasibility studies conducted in the early phases of product development or nonclinical effectiveness studies?

A: No. The GLP regulations only apply to nonclinical laboratory studies that support research or marketing applications. Per 21 CFR 58.3(d), “nonclinical laboratory study” does not include “basic exploratory studies carried out to determine whether a test article has any potential utility . . . .” Therefore, basic exploratory studies carried out to determine whether a device has any potential utility, or to determine physical or chemical characteristics of a device, are not subject to the GLP regulations (21 CFR 58.3(d)). However, the design and implementation of such studies should be based on good science, and data collection should be such that the integrity and quality of the study remain robust.

Q: Is a certification form to demonstrate compliance with GLPs required to be submitted?

A: No, a certification form is not required. Facilities conducting studies in accordance with the GLP regulations are required to have a Quality Assurance (QA) Unit to monitor each study to assure conformance with the regulation (21 CFR 58.35). The final study report should include a signed statement from the QA Unit with the dates the study was inspected and findings reported. In support of research and marketing approval applications for medical devices, the applicant must include a statement that such studies have been conducted in compliance with Part 58, or, if a study was not conducted in compliance with such regulations, a brief statement of the reason for the noncompliance must be included in the submission (21 CFR 812.27(b)(3) and 21 CFR 814.20(b)(6)(i)). Similar statements indicating compliance with applicable requirements or providing the reason for any noncompliance should also be included with any nonclinical study reports provided in a 510(k) submission in which the purpose of the report is to provide information regarding the safety of the device.

Q: Are nonclinical laboratory studies conducted outside the U.S. (OUS) that support a U.S. marketing or research submission subject to the GLP regulations?

A: Yes, the GLP regulations govern nonclinical laboratory studies conducted in support of FDA research and marketing applications for medical devices, regardless of where the testing is conducted.

Q: Are nonclinical laboratory studies subject to audit and inspection for compliance with the GLP regulations?

A: Yes. Testing facilities are required under 21 CFR 58.15 to permit an authorized employee of the FDA to inspect the facility and inspect all records and specimens required to be maintained regarding studies within the scope of Part 58. The FDA will not consider a nonclinical laboratory study in support of a research or marketing application if the testing facility refuses to permit the inspection (21 CFR 58.15(b)).

Q: Can a vendor guarantee compliant software for CFR 21 Part 11?

A: It is not possible for any vendor to offer a turnkey 'Part 11 compliant system'. Any vendor who makes such a claim is incorrect. Part 11 requires both procedural controls (i.e. notification, training, SOPs, administration) and administrative controls to be put in place by the user in addition to the technical controls that the vendor can offer. At best, the vendor can offer an application containing the required technical elements of a compliant system.

Q: What is the definition of hybrid system? Could you give an example of one?

A: A 'Hybrid System' is defined as an environment consisting of both electronic and paper-based records (frequently characterized by handwritten signatures executed on paper). A very common example of a Hybrid System is one in which the system user generates an electronic record using a computer-based system (e-batch records, analytical instruments, etc.) and then is required to sign that record as per the Predicate Rules (GLP, GMP, GCP). However, the system does not have an electronic signature option, so the user has to print out the report and sign the paper copy. Now he has an electronic record and a paper/handwritten signature. The 'system' has an electronic and a paper component, hence the term hybrid.

Q: If using a 'hybrid system' approach to e-signatures, how do you link the handwritten signature to the e-record?

A: Since Part 11 does not require that electronic records be signed using electronic signatures, e-records may be signed with handwritten signatures that are applied to electronic records or handwritten signatures that are applied to a piece of paper. If the handwritten signature is applied to a piece of paper, it must link to the electronic record. The FDA will publish guidance on how to achieve this link in the future, but for now it is suggested that you include in the paper as much information as possible to accurately identify the unique electronic record (e.g., at least file name, size in bytes, creation date and a hash or checksum value.)
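
One way to produce the identifying details suggested above and to check a record against the signed paper later, as an added example that is not part of the original FAQ or of any FDA guidance. The function names, the sample file and the choice of SHA-256 as the hash are assumptions; where the platform does not expose a creation time, the last-modified time is printed and labelled as such.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

LINK_FIELDS = ("file_name", "size_bytes", "sha256")  # must still match the paper copy


def describe_record(path, chunk_size=1 << 16):
    """Collect the identifying details to print on the paper signature page."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    st = os.stat(path)
    # A true creation time is not available on every platform; fall back to
    # the last-modified time and label the field accordingly.
    birth = getattr(st, "st_birthtime", None)
    stamp = birth if birth is not None else st.st_mtime
    return {
        "file_name": os.path.basename(path),
        "size_bytes": st.st_size,
        "time_kind": "created" if birth is not None else "modified",
        "time_utc": datetime.fromtimestamp(stamp, timezone.utc).isoformat(timespec="seconds"),
        "sha256": digest.hexdigest(),
    }


def signature_page_lines(info):
    """Text block to print above the handwritten signature."""
    return [
        f"Electronic record : {info['file_name']}",
        f"Size (bytes)      : {info['size_bytes']}",
        f"Time ({info['time_kind']}, UTC): {info['time_utc']}",
        f"SHA-256           : {info['sha256']}",
    ]


def mismatches(path, printed):
    """Fields on the signed page that the file at `path` no longer matches."""
    current = describe_record(path)
    return [f for f in LINK_FIELDS if current[f] != printed[f]]


def demo():
    """Constructed sample: a same-length edit made after the paper was signed."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "batch_0042_report.csv")  # constructed file name
        with open(path, "wb") as fh:
            fh.write(b"lot,assay_pct\nA17,99.2\n")
        printed = describe_record(path)       # values that go on the paper copy
        before = mismatches(path, printed)    # untouched record
        with open(path, "wb") as fh:
            fh.write(b"lot,assay_pct\nA17,99.8\n")  # one digit changed, same length
        after = mismatches(path, printed)
    return printed, before, after


if __name__ == "__main__":
    printed, before, after = demo()
    print("\n".join(signature_page_lines(printed)))
    print("before edit:", before, "| after edit:", after)
```

In the demo the file name and size still match after the edit, and only the hash exposes the change, which is why the hash or checksum belongs on the signed page.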

Q: What are some examples of audio data that may be captured in the Pharmaceutical Industry? Specific Examples?

A: Audio recordings of regulated patient information or experimental observations are infrequent, but sometimes acquired. Also, audio conferences discussing projects, reports, and data are common in the pharma industry. If the data therein is required to be maintained by predicate rules, and the audio file is saved to durable media, Part 11 would apply.

Q: I keep electronic records but have signatures on paper (hybrid systems). Is there a deadline for converting to electronic signatures?

A: No. There is no deadline for converting to electronic signatures. Having handwritten signatures on paper is acceptable if the signatures are linked to electronic records so signers cannot repudiate records.

Q: When does an audit trail begin?

A: Audit Trail initiation requirements differ for data vs. textual materials. For data: If you are generating, retaining, importing or exporting any electronic data, the Audit Trail begins from the instant the data hits the durable media. For textual documents: if the document is subject to approval and review, the Audit Trail begins upon approval and release of the document.

Q: Should execution of a signature be audit trailed?

A: Yes, execution of a signature must be audit trailed.

Q: Are e-mails controlled documents?

A: If the text in an e-mail supports such activities as change control approvals or failure investigations, then the e-mails have to be managed in a compliant way. Your IT department or designee should be managing and backing up all e-mail and electronic data per standard operating procedures (SOPs).

Q: Can a single restricted login suffice as an electronic signature?

A: No. The operator has to indicate intent when signing something, and he has to re-enter the user ID/password (which shows awareness that he is executing a signature) and give the meaning for the e-sig. To support this, Part 11 §11.50 states that signed e-records shall contain information associated with the signing that indicates the printed name of the signer, the date/time, and the meaning, and that these items shall be included in any human readable form of the record.

Q: When are e-signatures required?

A: The predicate rules mandate when a regulated document needs to be signed.

Q: Should a company individually certify that every associate's electronic signature is legally binding?

A: No. The required one-time e-sig certification is for an organization as a whole. Its intent is to certify that a company recognizes that its e-signatures are equivalent to their hand-written signatures.

Q: FDA has issued a new guideline on date and time. It is not mandatory that it is local?

A: You are correct. The Agency has reconsidered their position on local date and time stamp requirements. The draft guidance document reflects their current thinking, and supersedes the position in comment #101 of the Rule with respect to the time zone that should be recorded. The document states, "You should implement time stamps with a clear understanding of what time zone reference you use. Systems documentation should explain time zone references as well as zone acronyms or other naming conventions."

Q: Does outsourcing of a computer make a system an open system? Additionally would the external access of an external vendor for maintenance work (e.g. using a modem) to a computer system make that an open system?

A: According to the Rule, the definition of closed system is "an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system." The agency agrees that the most important factor in classifying a system as closed or open is whether the persons responsible for the content of the electronic records control access to the system containing those records. A system is closed if persons responsible for the content of the records control access. If those persons do not control such access, then the system is open because the records may be read, modified, or compromised by others to the possible detriment of the persons responsible for record content. Hence, those responsible for the records would need to take appropriate additional measures in an open system to protect those records from being read, modified, destroyed, or otherwise compromised by unauthorized and potentially unknown parties.

Q: What do you mean by linking e-records to e-signatures?

A: Part 11 Sec. 11.70 states that electronic signatures and handwritten signatures executed to electronic records must be linked (i.e. verifiably bound) to their respective records to ensure that signatures could not be excised, copied, or otherwise transferred to falsify another electronic record. The agency does not, however, intend to mandate use of any particular 'linking' technology. FDA recognizes that, because it is relatively easy to copy an electronic signature to another electronic record and thus compromise or falsify that record, a technology-based link is necessary. The agency does not believe that procedural or administrative controls alone are sufficient to ensure that objective because such controls could be more easily circumvented than a straightforward technology based approach.

Q: Can you share a sample FDA Warning Letter, or is that proprietary information?

A: The FDA inspection findings are available upon request. Additional information can be found on the FDA web site. The letters are considered public information.

Q: What is 'grand fathering'?

A: "Grandfathering" simply means the possibility that the rule may not apply to any system in existence before the rule came into effect. Part 11 does not allow for grandfathering of legacy systems. Therefore, systems installed before August 20, 1997 must be made compliant or should be replaced.

Q: What is a 'Predicate Rule'?

A: Any requirements set forth in the Act (Federal Food, Drug and Cosmetic Act), the PHS Act (Public Health Service Act), or any FDA regulation (GxP: GLP, GMP, GCP, etc.). The predicate rules mandate what records must be maintained; the content of records; whether signatures are required; how long records must be maintained, etc. If there is no FDA requirement that a particular record be created or retained, then 21 CFR Part 11 most likely does not apply to the record.

Q: How can you make sure that e-records are still readable throughout the retention period (with focus on the formats)? Currently mostly proprietary formats are in use (e.g. in the lab area) and the possibility to read these formats in a few years may be difficult (especially if the vendor is changed). Printing or converting into PDF or similar is only a partial solution. What would/could be a long-term solution here?

A: There are several possible solutions being considered for long-term data re-processability. They include data migration, data emulation and system 'Time Capsules'. As of today, there are no set standards or widely accepted procedures to ensure long-term data viability.

Q: If you use Electronic Signatures, do you have to comply with Electronic Record Requirements?

A: Use of Electronic Signatures implies that your system is an Electronic Record system and, therefore, must be in compliance with all provisions of 21 CFR Part 11.

Q: Do you have a format or example for the certification for e-signatures that a company can send to the FDA?

A: For the exact wording for the e-sig certification, please consult the FDA website. One can also find wording for the certification in the preamble of the final Rule. The response to comment #120 is "…The final rule instructs persons to send certifications to FDA's Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857. Persons outside the United States may send their certifications to the same office. The agency offers, as guidance, an example of an acceptable Sec. 11.100(c) certification: Pursuant to Section 11.100 of Title 21 of the Code of Federal Regulations, this is to certify that [name of organization] intends that all electronic signatures executed by our employees, agents, or representatives, located anywhere in the world, are the legally binding equivalent of traditional handwritten signatures."

Q: Which kind of media (CD Roms, WORMs, etc.) can be considered "21CFRPart11 compliant" from point of view of good retention period?

A: In an effort to remain technologically neutral, the FDA does not specify the kind of media that one must use for archiving. There are studies currently underway from independent sources that are trying to test the 'lifetime' of such media as CD ROM, although there is no set standard lifetime for such media. Some companies are doing their own tests on media lifetime.

Q: How do you recommend working with CROs and vendors in a timely basis?

A: The data that a CRO generates is ultimately the responsibility of the company that hires the CRO to do the research. That company must be on top of the CRO, their record keeping practices and their adherence to GxP. If a CRO is sending results back to the study sponsor, a compliant, secure, closed system is best to use. Just like with vendors, it is wise to audit the CROs and the vendors to make sure that they are up on their Part 11 (and GxP) compliance.

Q: What must a vendor do to claim that their hardware and software are 'compliant' with 21 CFR Part 11?

A: No vendor can claim that his or her software products are certified Part 11 compliant. A vendor, instead, can say that he has all of the Technical Controls for 21 CFR Part 11 compliance built into his product. Remember, it is the responsibility of the user to implement the Procedural and Administrative Controls (correctly and consistently) along with using products with the correct Technical Controls for overall Part 11 compliance.

Q: Does Part 11 apply to instruments themselves that are not connected to computers but that have microprocessors within?

A: If such a system does not generate electronic records according to the definition of e-records in Part 11 (data starting its life written to durable media), and/or these e-records are not subject to the GxP regulations, then Part 11 does not apply.

Q: Are electronic signatures always required on the creation of electronic records?

A: The 'Predicate Rules' (GxP) regulations determine what records must be signed, not Part 11. Not all e-records need to be signed. Check your predicate rules for what records must be signed, when and by whom.

Q: Is a 'Gap Analysis' a necessary step to become 21 CFR Part 11 compliant?

A: A Gap Analysis is not a specified requirement of Part 11; however, during the process of becoming Part 11 compliant, most firms undergo a Gap Analysis as part of their assessment/remediation phase.

Q: Is an audit of a vendor enough to ensure that the technical controls (in their product) are all present and compliant?

A: In addition to a vendor audit, one must scrutinize the product itself and its implementation in your facility. Do not forget that validation of the applicable systems in your own environment is the user's responsibility (not to mention implementing the procedural and administrative controls for complete adherence to Part 11).

Q: Could you define and provide examples of systems that are critical to "data integrity"?

A: For Part 11, data integrity is related to the trustworthiness of the electronic records generated/managed by critical systems. The FDA is most concerned about systems that are involved with drug distribution, drug approval, manufacturing and quality assurance because these systems pose the most risk in terms of product quality and/or public safety.

Q: How does the digital signature verify that the document hasn't been altered after signing?

A: A digital signature is computed using a set of rules and a mathematical algorithm such that the identity of the signatory and integrity of the data can be verified. Signature generation makes use of a private key to generate a digital signature. Signature verification makes use of a public key that corresponds to, but is not the same as, the private key. Each user possesses a private and public key pair. Public keys are obviously known to the public, while private keys are never shared. Anyone can verify the signature of a user by employing that user's public key. Only the possessor of the user's private key can perform signature generation. A hash function is used in the signature generation process to obtain a condensed version of data, called a message digest. The message digest is then incorporated into the mathematical algorithm to generate the digital signature. The digital signature is sent to the intended verifier along with the signed message. The verifier of the message and signature verifies the signature by using the sender's public key. The same hash function must also be used in the verification process. The hash function is specified in a separate standard.
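
The hash-then-sign flow described above, combined with the record linking from the Sec. 11.70 answer, as an added example that is not part of the original FAQ. It uses textbook RSA with a toy key built from two publicly known primes so that it runs on the Python standard library alone; the key, the function names and the sample records are assumptions and constructed values, and a real system would use a vetted library with a padded scheme.

```python
import hashlib
import json

# Toy key pair from two public Mersenne primes, chosen only so the block runs
# without third-party packages. NOT secure: anyone can factor N. Real systems
# use a vetted library and a padded scheme (e.g. RSA-PSS, ECDSA, Ed25519).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                              # public modulus (with E: the public key)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held only by the signer


def digest_int(data: bytes) -> int:
    """Message digest of `data` as an integer (SHA-256, always smaller than N)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def signed_payload(record: bytes, signer: str, signed_at: str, meaning: str) -> bytes:
    """Canonical bytes that get signed: the record's hash plus the signing details."""
    manifest = {
        "record_sha256": hashlib.sha256(record).hexdigest(),
        "signer": signer,
        "signed_at": signed_at,
        "meaning": meaning,
    }
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign(record, signer, signed_at, meaning, d=D, n=N):
    """Signature generation: digest of the payload raised to the private exponent."""
    payload = signed_payload(record, signer, signed_at, meaning)
    return {"signer": signer, "signed_at": signed_at, "meaning": meaning,
            "value": pow(digest_int(payload), d, n)}


def verify(record, sig, e=E, n=N):
    """Signature verification with the public key and the same hash function."""
    payload = signed_payload(record, sig["signer"], sig["signed_at"], sig["meaning"])
    return pow(sig["value"], e, n) == digest_int(payload)


def demo():
    """Constructed records and signer; none come from a real system."""
    record = b"HPLC run 0042: flow_rate=1.0 mL/min; lot=A17; assay=99.2%"
    other = b"HPLC run 0043: flow_rate=1.0 mL/min; lot=B03; assay=91.4%"
    sig = sign(record, "Jane Doe", "2024-05-01T14:03:00Z", "approval")
    return {
        "original": verify(record, sig),
        "altered_record": verify(record.replace(b"99.2", b"99.8"), sig),
        "moved_to_other_record": verify(other, sig),
        "meaning_changed": verify(record, {**sig, "meaning": "review"}),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24s} verifies: {ok}")
```

Because the signed payload covers the record's hash together with the signer, time and meaning, the signature verifies only against the exact record and signing details it was created for.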

Q: For an HPLC system, are the parameters entered for a chromatographic run considered an electronic record?

A: For an analytical instrument, any information that is captured by a computerized workstation is considered either data or metadata. (Metadata is described as data-about-data. It's what puts the real data into logical context.) The second that any information hits the 'durable media' it then becomes an electronic record. Parameters that are typically captured by an HPLC system (e.g. flow rate, sample lot #, etc.) are considered metadata. This information should be saved and protected as part of the official electronic record.



