In February, the US Food and Drug Administration's Center for Drug Evaluation Research (CDER) released its 2009 schedule for upcoming regulatory guidance documents and regulation changes – on page two is a simple bulleted item, "21 CFR Part 11." Is the FDA ready to release its long-awaited revisions to Part 11 on electronic records and electronic signatures? The answer, as I noted in my 2009 forecast, appears to be an unequivocal "yes."

And this leaves us with a choice – do we take a wait and see approach, leaving the initiative in the hands of the regulators? Or, do we adopt a more proactive style, grab some of the initiative, and look to define risks and control costs as fast as we can?

For one of my start-up clients, I crafted a strategy for how they could establish and put in place an FDA-compliant quality system for $25,000 (USD) or less. To get ready for the revised FDA Part 11, let's set a similar goal. Assume that Part 11 is one of ten key components to any 21st century quality system (that is, Part 11 is 10% of your overall FDA compliance program) – can we define and put in place a cost-effective revised Part 11 compliance program for $2,500 or less?

Part 11 Estimations

The first step in tackling any undertaking is grasping its nature. In the case of the revised Part 11, the quickest – and most cost-efficient – approach is to search the Internet for resource material. A Google search on the terms "revised FDA Part 11" and "revised FDA 21 CFR Part 11" and "revised Part 11" will turn up only a handful of sites (at the time of this writing).

With our $2,500 budget to plan and implement our new Part 11 strategy, we can afford all of the material. Let's be conservative though, and confine ourselves to all of the articles and any blog postings, plus one online seminar from each offering site so long as the seminar comes with additional reference material (the speaker's presentation by itself may not tell us more than we could put together with just the articles, so with our limited budget, we need to concentrate on getting as much as we can; presentations plus reference material like sample standard operating procedures, checklists, templates, FDA warning letters, etc., fit the bill nicely). We now have approximately $1,700 left in our budget.

Risk Disposition

A review of the material will make two things immediately clear:

1. The revised Part 11 emphasizes a risk-based approach; and

2. Validation is to be risk-based and systemic in nature (e.g., the computerized system in its entirety).

We need, then, to define a risk management methodology. Most of my clients already have a risk management standard operating procedure (SOP), typically one that is geared toward medicinal product risk. A tricky bit of work is to revise such an SOP to allow it to be used for both medicinal product risk-management and other internal, more operational quality systems decision-making (such as in the case of risk-based Part 11 decisions). If you are unsure about how to go about this, either create a second SOP focused on your internal, operational aspects or get outside help. There are pros and cons either way. A second SOP is bound to create difficulties (not to mention the additional overhead of maintaining it plus conducting training, auditing, and so on).

An outside expert will cost somewhere between $900 - $1,300, depending on how much re-work needs to be done. Is this a lot for "fixing an SOP"? That depends upon two things: your internal costs and your level of knowledge. There's an old story about a mechanic showing up to fix a car. The mechanic looks at the car for a few minutes, then takes out his wrench, twists a single nut a half-twist, and voila, the car starts right up! The customer is impressed. "How much?" asks the customer. "Ninety-five dollars," says the mechanic. "Ninety-five dollars!?" exclaims the customer. "Yes," says the mechanic. "That's 25¢ for turning the nut, and $94.75 for knowing which nut to turn."

Even at $1,300 for fixing our risk management SOP, the expert still leaves us with $400.

Planning Controls

At this point, we need to start defining our overall risk management strategy. Remember: risk management is not risk elimination, it's risk control (eliminating a risk is just one means of control).

In my speeches and seminars on FDA-compliant supplier management, I walk attendees through how to define a reasonable set of risk-based controls, including basing the number of controls required on a matrix that correlates the number of quality systems controls with the desired level of risk mitigation and the desired level of cost. Taken holistically, a computer system and a vendor are both just "systems" and can be managed as such. If you have a copy of the recorded version of my seminar and resource kit, Managing Supplier Risk – FDA Expectations (download a copy at:, then just use that.

If you don't have this available, you can work with your team (and perhaps an in-house statistician) to put together your own matrix of risks, controls, and costs. Remember that in terms of holistic systems, controls do not need to be confined to what you can automate on the computer (if you have the Part 11 self-assessment from my seminar on Part 11, you have 27 possible controls to choose from, most of which do not involve automation). You may also want to hire an expert, but this can be pricey since it's somewhat open-ended and dependent upon knowledge of your company and environment. Be cautious and remember that we only have $400 left in our budget (which we may want to save for a "just-in-case" buffer).

After identifying your long list of possible quality systems controls – from SOPs to write or revise, security rules, records management audits, and so on – it's now time to set pen to paper and sketch out our timeline for implementation.

Look for the proverbial low-hanging fruit first, anything that can be done in 30 days or less (and for $400 or less). These are prime targets for activities to take while waiting for the agency to finally make public the Part 11 revisions. Undertake a series of these to accomplish small steps toward revised Part 11 compliance, build momentum, and buy yourself time and labor savings for any in-depth, more costly work necessitated once the revisions are publicly released. This is just the type of small-scale initiative you can tackle and succeed with while waiting for the FDA, without leaving your business decisions in the hands of the regulators.

Final Thoughts

Two thousand five hundred years ago, Sun Tzu wrote, "If it is to your advantage, make a forward move." Companies that seize the initiative in the steps I've laid out above will drive down costs and risks, turning their FDA compliance into competitive advantage.

Are you ready?

About the Author John Avellanet is the founder of the FDA regulatory intelligence and lean compliance program for executives and business owners, SmarterCompliance™. He is the author of more than 35 articles on lean compliance and quality systems, a co-author of the book Best Practices in Biotechnology Business Development, and a frequent speaker with FDA officials. He can be directly reached through his independent advisory firm, Cerulean Associates LLC, on the web at