July 8, 2004
Division of Dockets Management (HFA-305)
Food and Drug Administration
5630 Fishers Lane
Rockville, MD 20852
Via Email: firstname.lastname@example.org
Re: Docket 2004N-0133, “Electronic Records; Electronic Signatures; Public Meeting”
Dear Docket Officer:
AABB is the professional association for approximately 8,000 individuals and 2,000 institutions advancing transfusion and cellular therapies worldwide. Our members are responsible for virtually all of the blood collected and more than 80 percent of the blood transfused in this country. For over 50 years AABB has established voluntary standards for the blood banking community. Our standards setting program has expanded to include standards for human cell- and tissue-based products. AABB’s highest priority has been to maintain and enhance the safety and availability of the nation's blood supply.
AABB is pleased to have this opportunity to comment on electronic records and electronic signatures as the Food and Drug Administration (FDA) begins to re-examine part 11 as it applies to all FDA-regulated products. We wish to recognize and applaud FDA’s commitment to quality as evidenced by the bold and unprecedented action taken with the recall of the 21 CFR Part 11 guidance documents on validation, glossary of terms, time stamps, maintenance of electronic records and electronic copies of electronic records. The regulation (part 11) is excellent and appropriate regulatory action. With additional and appropriate FDA guidance documentation and collaboration between the FDA and industry, AABB agrees that quality control and, ultimately, patient safety will be enhanced through this overall regulatory approach.
AABB recognizes that organizations seeking to use computer records rather than paper-based systems must employ procedures that will ensure that the electronic records are as reliable and accurate as paper records (including handwritten signatures). Blood bank computer systems and electronic record keeping are superior to traditional paper records and are widely used to control all aspects of collecting, preparing and maintaining a safe blood supply.
AABB believes that part 11 contains a fundamental flaw that must be addressed in future guidance regarding implementation of part 11. Part 11 fails to specifically tie each requirement to the party responsible for addressing the issue. Without that correction, it is impossible to ensure that all systems will have the controls sought by FDA. There are certain functions of the regulation that can only be addressed by the software developers. Conversely, there are requirements that only the user can address. All responsibilities to address requirements under the regulation need to be clearly identified. An appropriately drafted guidance document can address this flaw. Moreover, AABB believes that once guidance documents are published that clearly require identification of each party responsible for a functional requirement, it will become apparent that many of the requirements specified by part 11 are in place with respect to blood bank computer systems. Developers also will be able to demonstrate effective compliance during the required 510k review process.
We offer the following specific comments to questions posed in the April 08, 2004 Federal Register docket.
Subpart A – General Provisions
- Should part 11 be revised to implement the narrow interpretation described in the August 2003 Guidance for Industry “Part 11, Electronic Records; Electronic Signatures – Scope and Application?”
FDA is correct in deciding to narrow the scope of part 11 in an effort to avoid unnecessary controls and costs that would discourage innovation and technological advances without providing added benefit to the public health. We believe, however, that current guidance is too vague to be of assistance to blood establishments attempting to implement the requirements of part 11. We request that FDA explain in more detail how the rule applies to the blood community.
- Will revised definitions in part 11 help clarify a narrow approach?
AABB notes that part 11 lacks definitions to clearly separate audit trail requirements for computer systems that maintain electronic records from the requirements for the appropriate use of electronic signatures in computer systems. For example, without adequate guidance, blood establishments may assume that every transaction logged on a computer requires the application of an electronic signature.
- Should part 11 provide clarification with regard to which records are required by predicate rules and are therefore required to be part 11 compliant?
Clarification of the records required by predicate rules to be compliant with part 11 will be of great benefit to blood centers as they perform a gap analysis between the functionality of their current computer system and compliance requirements of part 11.
Subpart B – Electronic Records
- Are there examples of areas other than validation, audit trail, record retention and record copying that should incorporate the concept of a risk-based approach (e.g., those that require operation system and device checks)?
It is important to note that blood establishments must be able to identify operational areas and processes that could adversely affect product quality and safety, and record integrity. We recommend that FDA develop guidance on risk assessment methodology, specific to the blood community, to assist blood establishments in determining the answer to this question.
- Is additional clarity needed regarding how predicate rule requirements related to subpart B can be fulfilled?
It is important to identify the party responsible for fulfilling the requirements of part 11. As noted earlier, AABB believes that part 11 contains a fundamental flaw whereby it fails to specifically tie each requirement to a responsible party (e.g., software developer vs. end user).
- Should the requirements for electronic records submitted to FDA be separate from electronic records maintained to satisfy predicate rule requirements?
Yes. The records are created for different purposes and should be controlled by requirements that are specific for their intended purpose.
- Should part 11 continue to differentiate between open systems and closed systems?
There is no advantage to differentiation between open and closed systems. Both must comply with current Good Manufacturing Practices (cGMP) and validation requirements contained elsewhere in FDA regulations and guidances (21 CFR parts 211 and 820).
Subpart B – Individual Controls
- Should we retain the validation provision under part 11.10 required to ensure that a system meets predicate rule requirements for validation?
We recommend that a validation provision not be retained under part 11.10. Existing requirements and standards for validation are adequate (21 CFR parts 211 and 820). There is no need to duplicate the requirements in part 11.
- Are there any related predicate rule requirements that you believe are necessary to preserve the content and meaning of records with respect to record copying and record retention? What requirements would preserve record security and integrity and ensure that records are suitable for inspection, review, and copying by the agency?
Existing objectives of validation address the accuracy and completeness of copied records sufficiently without adding additional layers of requirements. However, this is an additional example where clearly identified responsibility would ensure that development standards within the software design process would mandate these types of safeguards.
Provision of electronic copies under part 11 as presently written will be a significant technical challenge for the blood community. Further clarification of the difference between a paper report generated from a blood bank computer system and a copy of an electronic record is necessary. AABB believes that blood establishments should be able to meet the requirements for providing records that are suitable for inspection and review by providing paper reports or PDF files of the requested data, or by allowing inspectors to review the records on existing systems while complying with the organization’s procedures to access the records.
- Should audit trail requirements include safeguards designed and implemented to deter, prevent, and document unauthorized record creation, modification, and deletion?
Yes. This presents another example of the importance of identifying the party responsible for each requirement of part 11. The cGMP requirements adhered to by blood establishments require that access to records be controlled by facility determination and that standard operating procedures be in place to prevent sharing of log-on information and define how records are to be created, modified or deleted. However, the user of a computer system has no way of determining whether a computer system maintains adequate safeguards designed to deter, prevent, and document unauthorized record creation, modification, and deletion of records. This requirement should be proven during the 510k review process.
- In light of how technology has developed since part 11 became effective, should part 11 be modified to incorporate concepts, such as configuration and document management, for all of a system’s software and hardware?
Detailed requirements for validation of changes to hardware and software in a cGMP environment are well defined in 21 CFR parts 211 and 820 and FDA guidance documents. There is no need to duplicate the requirements in part 11.
Subpart C – Electronic Signatures
- Should part 11 address investigations and follow-up when security breaches (unauthorized access) occur?
The cGMP environment requires that SOPs exist to define access to records as well as the steps to follow to create, modify or delete records. This is true for paper records and electronic records. SOPs also exist in the cGMP environment to require an investigation of deviations from standard procedures as well as documentation of the investigation and follow-up measures. There is no need to duplicate the requirements in part 11.
Additional Questions for Comment
- Is there a need to clarify in part 11 which records are required by predicate rules where those records are not specifically identified in predicate rules? If so, how could this distinction be made?
Yes. While we appreciate the effort to limit the scope of part 11, it remains unclear what records are considered affected. The focus should be on records that have high impact on safety, quality, purity and identity vs. low impact records (in-process records that may be used temporarily).
- In what ways can part 11 discourage innovation?
Software developers and organizations wishing to develop internal applications that are more efficient, and introduce greater levels of safety into blood establishment procedures, are reluctant to do so because the requirements of part 11 are difficult to understand and implement.
- Can the use of risk mitigation and appropriate controls eliminate concerns regarding legacy systems?
Effective validation will eliminate concerns regarding legacy systems because effective validation includes risk recognition and management.
- Should part 11 address record conversion?
We encourage the inclusion of appropriate controls and safeguards in part 11 for record conversion with focus on “significant content and meaning” of the records.
Again, AABB wishes to applaud FDA’s decision to re-examine part 11. With adequate FDA guidance documentation that is specific to the needs of the blood community and identifies the party responsible for fulfilling each requirements of part 11, we believe that quality control and, ultimately, patient safety will be enhanced.
AABB strongly supports initiatives that improve the safety of blood donors and transfusion recipients and stands ready to interact with the FDA as necessary.
Questions concerning these comments may be directed to M. Allene Carr-Greer, Deputy Director, Regulatory Affairs, AABB (email@example.com).
Kathleen J. Sazama, MD, JD