Have Part 11 Inspections Disappeared? Understanding Current Regulatory Trends

Current Status of FDA Warning Letters

The FDA publishes all warning letters on its website. While warning letters explicitly citing 21 CFR Part 11 have indeed decreased since 2011, this does not mean that Part 11 inspections have been discontinued. Rather, FDA’s inspection strategy has evolved toward a more sophisticated approach.

In fiscal year 2024, the FDA issued 111 warning letters, representing a significant increase from 94 letters in the previous year. Critically, approximately 79% of these warning letters contained observations related to data integrity.

FDA Inspection Policy: Emphasis on Predicate Rules

In fact, from its inception, FDA has maintained a clear policy of not conducting inspections focused solely on Part 11. Inspections are conducted according to predicate rules (such as 21 CFR Part 211 for GMP and 21 CFR Part 820 for QSR), and warning letters are also issued based on these predicate rules.

Analysis of recent warning letters reveals that while Part 11 may not be explicitly mentioned, there are extensive observations related to electronic records, Excel spreadsheets, computerized systems, and validation. The most frequently cited regulations include:

  • 21 CFR 211.68(b): Regulations regarding automatic, mechanical, and electronic equipment, directly related to electronic record and system access controls, audit trails, and data integrity
  • 21 CFR 211.194: Regulations regarding laboratory records, requiring authenticity and integrity of electronic records
  • 21 CFR 211.100(a): Regulations regarding written procedures for production and process control

Specific examples from multiple 2024 warning letters include the following issues:

  • Data acquisition systems for analytical instruments such as HPLC, GC, and UV-Vis had audit trail functionality disabled or not implemented
  • Laboratory staff had administrator privileges enabling deletion or modification of raw data files
  • Cell formulas in electronic worksheets (Excel spreadsheets) were not validated, generating erroneous data
  • Shared password usage prevented creation of individually attributable audit trails
  • Inadequate backup and recovery procedures for electronic records

Reality of Form 483 Observations

Since the Form 483s (inspection observations) issued by investigators at the conclusion of inspections are not publicly disclosed, actual observations are presumed to be far more numerous than warning letters suggest. In fiscal year 2024, the FDA issued 561 Form 483s related to drugs alone. When companies provide inadequate responses to these Form 483s, they escalate to warning letters.

Significantly, data integrity violations have become a primary cause of repeated observations. The FDA particularly emphasizes data integrity issues as indicators of broader quality system vulnerabilities, not merely procedural non-compliance.

Importance of Electronic Record Reliability (Data Integrity)

In contemporary operations, conducting business without using electronic records (computerized systems) is inconceivable. However, electronic records carry risks not present with paper records, including falsification, deletion, and unauthorized access.

When conducting inspections, the FDA intensively investigates whether electronic records are trustworthy (Data Integrity). Data integrity is evaluated based on the following principles:

ALCOA+ Principles:

  • Attributable: Clear identification of who did what and when
  • Legible: Records are readable and understandable
  • Contemporaneous: Recording occurs simultaneously with the activity
  • Original: Maintains the originally recorded format
  • Accurate: Records accurately reflect facts
  • Complete: All relevant data is included
  • Consistent: No contradictions exist among data
  • Enduring: Readable throughout the record retention period
  • Available: Rapidly accessible when needed

Evaluation of electronic record systems based on these principles can be considered equivalent to Part 11 inspections.

Historical Background and Current Position of Part 11

Part 11 took effect on August 20, 1997, and has never been revised since. Regulations premised on late-1990s computer technology remain legally valid after more than 28 years.

However, because the initial regulations were too broad and compliance costs were high, the FDA issued “Scope and Application” guidance in September 2003, clarifying the shift to a risk-based approach. This guidance enabled companies to prioritize responses based on risk assessment of three elements:

  1. Patient Safety: The extent to which system or record failures affect patient health and safety
  2. Record Integrity: Whether metadata such as audit trails, timestamps, and electronic signatures are completely maintained
  3. Product Quality: The degree of impact on final product quality

While “patient safety” and “product quality” are relatively clear, “record integrity” may be somewhat difficult to understand. Record integrity refers to the complete maintenance and verifiable availability of metadata such as audit trails, timestamps, electronic signatures, and change history. When record integrity is compromised, investigators cannot trust the electronic records and cannot conduct proper inspections, potentially resulting in approval delays or market withdrawal.

Latest FDA Expectations: PIC/S GMP Annex 11 and Its Revision

In the rapidly evolving world of computer technology, the text of Part 11 created in 1997 alone cannot address modern complex IT environments. Where, then, can we learn about the latest FDA expectations and guidance?

In fact, while Part 11 itself has not been revised, the latest FDA expectations and guidance are reflected in PIC/S GMP Annex 11 “Computerised Systems”. The current Annex 11 was issued in 2011, but a major revision draft was published in July 2025 and is currently in a public comment period (July 7 to October 7, 2025). This revised version is scheduled for official implementation in summer 2026.

Key Points of the Annex 11 Revision

The revised Annex 11 (2025 draft) has been significantly expanded from 5 pages to 19 pages and includes the following major changes:

Seven Newly Established Chapters:

  1. System Requirements
  2. Alarms
  3. Cloud Services
  4. AI/ML Systems
  5. Enhanced Cybersecurity
  6. Detailed Handling of Data
  7. Disaster Recovery and Business Continuity

Enhanced Focus on Cybersecurity:

  • Clarification of firewalls, patch management, and antivirus measures
  • Requirements for regular penetration testing of high-risk systems
  • Alignment with ISO 27001 (Information Security Management Systems)

Response to Cloud Computing:

  • Validation requirements for cloud-based systems
  • Data sovereignty and data location management
  • Supplier qualification and management of service providers

Response to AI/ML Systems:

  • Linkage with newly established Annex 22 (Artificial Intelligence)
  • Algorithm transparency and traceability
  • Model validation and continuous monitoring

Detailed Audit Trail Requirements:

  • Audit trails must be uneditable
  • Normal users must not be able to disable audit trail functionality
  • Clear expectations regarding audit trail review frequency
  • Distinction and management of audit trail data and log data

Alignment with Other International Standards

The revised Annex 11 is also aligned with the following latest international standards and guidelines:

  • GAMP 5 Second Edition (2022): Validation approach for computerized systems
  • ICH Q9(R1) (2023): Quality Risk Management
  • FDA Computer Software Assurance Guidance (2022): Risk-based software validation
  • OECD GLP 25 (2024): GLP principles on IT security
  • ISO 27001: Information Security Management Systems

Regulatory Trends from 2025 Onward

FDA Computer Software Assurance (CSA)

In 2022, the FDA issued “Computer Software Assurance (CSA)” guidance, promoting a shift from traditional Computer System Validation (CSV) to a more risk-based and efficient approach. CSA features:

  • Testing focused on critical functions and high-risk areas
  • Reduction of non-value-added activities
  • Emphasis on critical thinking
  • Utilization of vendor-provided test evidence

Development of Data Integrity Guidance

The FDA and regulatory authorities have issued multiple guidance documents on data integrity:

  • FDA Guidance on Data Integrity and Compliance (2018): Data integrity in cGMP environments
  • MHRA GXP Data Integrity Guidance (2018): Data integrity guidance from UK regulatory authority
  • WHO Guidance on Data Integrity (2021): Global perspective on data integrity principles from WHO

Practical Recommendations for Pharmaceutical and Medical Device Companies

In the current and future regulatory environment, companies are recommended to implement the following responses:

Short-term Response (Immediate to 6 months)

  1. Gap Analysis of Existing Systems
    1. Compare current computerized systems against Annex 11 (2025 draft) requirements
    2. Conduct data integrity risk assessments
    3. Evaluate current state of cybersecurity measures
  2. Strengthen Audit Trail Implementation and Management
    1. Verify that audit trails are enabled and uneditable in all critical systems
    2. Establish regular audit trail review processes (critical systems: weekly/per batch, non-critical systems: monthly/quarterly)
    3. Implement anomaly detection systems
  3. Review Access Controls
    1. Eliminate shared passwords
    2. Implement Role-Based Access Control (RBAC)
    3. Consider Multi-Factor Authentication (MFA) implementation
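
The audit trail items above (uneditable trails, regular review, anomaly detection, no shared accounts) can be illustrated with a short script. This is an added example, not taken from any guidance or vendor system: it shows one way to make a trail tamper-evident with a hash chain and to run review rules over it. The field names, action names, the `raw/` path prefix and the 10-minute window are all assumptions.

```python
import hashlib, json
from datetime import datetime, timedelta

GENESIS = "0" * 64  # assumed anchor value for the first entry

def entry_hash(prev_hash, record):
    """Hash of one audit entry, bound to the previous entry's hash."""
    body = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

def build_trail(records):
    """Append-only trail: each entry stores the hash linking it to its predecessor."""
    trail, prev = [], GENESIS
    for rec in records:
        prev = entry_hash(prev, rec)
        trail.append({"record": rec, "hash": prev})
    return trail

def verify_chain(trail):
    """Return the index of the first entry that fails verification, or None if intact."""
    prev = GENESIS
    for i, e in enumerate(trail):
        if entry_hash(prev, e["record"]) != e["hash"]:
            return i
        prev = e["hash"]
    return None

def review(trail, window=timedelta(minutes=10)):
    """Flag entries that match the warning-letter findings listed earlier on this page."""
    findings, last_seen = [], {}
    for i, e in enumerate(trail):
        r = e["record"]
        ts = datetime.fromisoformat(r["ts"])
        if r["action"] == "AUDIT_TRAIL_DISABLED":
            findings.append((i, "audit trail disabled"))
        if r["action"] in ("DELETE", "MODIFY") and r["object"].startswith("raw/"):
            findings.append((i, "raw data changed"))
        prev = last_seen.get(r["user"])
        # Same account on a different workstation within the window suggests sharing
        if prev and prev[1] != r["host"] and ts - prev[0] <= window:
            findings.append((i, "possible shared account"))
        last_seen[r["user"]] = (ts, r["host"])
    return findings

# Constructed sample records (hypothetical users, hosts and file names)
SAMPLE = [
    {"ts": "2024-05-01T09:00:00", "user": "analyst1", "host": "HPLC-01", "action": "ACQUIRE", "object": "raw/run_001.dat"},
    {"ts": "2024-05-01T09:04:00", "user": "analyst1", "host": "GC-02", "action": "LOGIN", "object": "session"},
    {"ts": "2024-05-01T09:20:00", "user": "analyst2", "host": "HPLC-01", "action": "DELETE", "object": "raw/run_001.dat"},
    {"ts": "2024-05-01T09:25:00", "user": "labadmin", "host": "HPLC-01", "action": "AUDIT_TRAIL_DISABLED", "object": "system"},
]
```

A hash chain detects edits after the fact but does not prevent them; the chain head still has to be stored where the reviewed system's users cannot rewrite it.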

Medium-term Response (6 months to 2 years)

  1. System Modernization
    1. Gradual renewal of legacy systems
    2. Consider migration to cloud-based solutions
    3. Implement integrated electronic Quality Management Systems (eQMS)
  2. Establish Cybersecurity Programs
    1. Build security management systems compliant with ISO 27001
    2. Conduct regular vulnerability assessments and penetration testing
    3. Develop incident response plans and train staff on them
  3. Review Validation Strategy
    1. Adopt CSA approach
    2. Risk-based validation planning
    3. Optimize vendor audit programs

Long-term Response (2 years+)

  1. Digital Transformation
    1. Implement Industry 4.0 / Pharma 4.0 technologies
    2. Real-time data analysis and Process Analytical Technology (PAT)
    3. Appropriate implementation and validation of AI/ML systems
  2. Cultivate Quality Culture
    1. Establish data integrity as organizational culture
    2. Continuous training programs
    3. Promote whistleblower protection and transparency
  3. Global Harmonization
    1. Unified response to PIC/S, FDA, WHO, and national regulatory requirements
    2. Establish global quality systems
    3. Unified SOPs and system requirements

Summary: The True Nature of Part 11 Inspections

Part 11 inspections have not “disappeared” but have “evolved.” The FDA focuses not on formal compliance with the specific regulation called Part 11, but rather on ensuring the reliability of electronic records and systems, data integrity, and ultimately patient safety and product quality through predicate rules.

Examining enforcement trends in 2024-2025, FDA inspections have become more systematic and detailed, with significantly reduced tolerance for data integrity issues. Companies must understand and practice not just the text of Part 11, but the principles behind it—namely, the authenticity, reliability, and integrity of electronic records.

The 2025 revision of PIC/S GMP Annex 11 provides an important regulatory framework for addressing modern technological challenges such as cloud computing, AI/ML, and cybersecurity. Pharmaceutical and medical device companies should view this revision not merely as a compliance challenge but as an opportunity to strengthen quality systems and drive digital transformation.

Responding to the latest regulatory requirements and building robust data integrity programs is not simply about preparing for inspections. It forms the foundation for protecting patient safety, ensuring product quality, and achieving sustainable organizational growth.

About the Regulatory Landscape

| Aspect | Details |
| --- | --- |
| Part 11 Status | Issued August 20, 1997; never revised; risk-based approach clarified September 2003 |
| Current Enforcement | FY2024: 111 warning letters (79% data integrity-related); 561 Form 483s for drugs |
| Key Citations | 21 CFR 211.68(b), 211.194, 211.100(a) most frequently cited |
| Annex 11 | Current: 2011 version; Draft: July 2025; Expected implementation: Summer 2026 |
| Page Count | Original Annex 11: 5 pages → Revised draft: 19 pages (nearly 4x expansion) |
| New Technologies | Cloud services, AI/ML, enhanced cybersecurity, disaster recovery |

ALCOA+ Principles for Data Integrity

| Principle | Meaning | Regulatory Expectation |
| --- | --- | --- |
| Attributable | Who, when, what is clear | Individual user accounts, no shared passwords |
| Legible | Readable and understandable | Proper formatting, no degradation over time |
| Contemporaneous | Recorded simultaneously | Real-time or near-real-time data entry |
| Original | First recorded format preserved | Original data with audit trail of changes |
| Accurate | Factually correct | Validated systems, appropriate controls |
| Complete | All relevant data included | No selective deletion, all metadata retained |
| Consistent | No contradictions | Cross-system data consistency checks |
| Enduring | Readable throughout retention | Proper archival, migration planning |
| Available | Accessible when needed | Timely retrieval, inspection readiness |

Implementation Timeline for Compliance

| Phase | Timeline | Key Activities |
| --- | --- | --- |
| Immediate | 0-3 months | Gap analysis, audit trail verification, access control review |
| Short-term | 3-6 months | Remediation of critical findings, training programs, SOP updates |
| Medium-term | 6-24 months | System modernization, cybersecurity programs, validation strategy |
| Long-term | 2+ years | Digital transformation, AI/ML implementation, global harmonization |

Key Regulatory References

  • 21 CFR Part 11 (1997): Electronic Records; Electronic Signatures
  • FDA Guidance (2003): Part 11 Scope and Application
  • PIC/S Annex 11 (2011): Current Computerised Systems guidance
  • PIC/S Annex 11 Draft (2025): Revised guidance (consultation period)
  • PIC/S Annex 22 Draft (2025): New Artificial Intelligence guidance
  • FDA CSA Guidance (2022): Computer Software Assurance
  • ICH Q9(R1) (2023): Quality Risk Management
  • GAMP 5 (2022): Good Automated Manufacturing Practice, Second Edition
  • ISO 27001: Information Security Management Systems
