Keeping pace with 21 CFR Part II

InTech, Sep 2003 by Collier, Neal

Integrator's Corner

Signed into law in 1997, 21 CFR Part 11 is a U.S. Food and Drug Administration (FDA) regulation that affects all pharmaceutical companies, medical device manufacturers, and other entities that store data governed by the FDA.

All FDA-regulated industries, such as biopharmaceutical, food, beverage, personal care products, and medical devices, must document conditions and events throughout the manufacturing process to receive validation. Storing data records of conditions and events helps ensure that manufacturers follow exact procedures so they can make consistent and repeatable products. Data storage also provides an accurate record of all phases of the manufacturing process for historical retrieval, review, and study. If companies choose to store this data electronically, manufacturers must design and develop their processes for 21 CFR Part 11 compliance.

The scope of the regulation includes requirements for verifying electronic signatures. It also specifies required conditions needed to maintain the integrity of electronic data stored and modified on computer systems.

Electronically "signed" documents must be reviewed, securely stored, and available for review by the FDA.

A few 21 CFR Part 11 compliance issues are:

SECURITY

To validate electronic records, there must be a means of authentication/logging of the user or operator.

In most supervisory control and data acquisition (SCADA) software packages, the security tools do not address issues such as password aging, invalid retry lockouts, or centralized management. The assumption is that the PC operating system security methods and policies fulfill the compliance requirements.

DATA LOGGING

All SCADA software products archive process and event data to some degree; however, the data either logs to a proprietary or open (e.g., database) format.

It is difficult to verify that data is unaltered in open formats, because generic editors can modify these formats. Although secure, proprietary formats limit the types of data that you can store and the methods by which you can retrieve the data.

RECIPE MANAGEMENT

Electronic recipe files are also required to be 21 CFR Part 11 compliant. Most recipe files created by SCADA products are text or spreadsheet-based formats that you can modify without audit trails. Additionally, version controls require strict procedures for handling modifications to a given recipe.

Developing recipes with third-party software (e.g., MS SQL Server) provides a flexible set of tools for modifying, archiving, and automatically attaching versions to recipes. Change "triggers" also generate audit trails to provide recipe version history.

AUDIT TRAILS

Part 11 does not state data cannot be modified; however, it does state that if data is modified, the original data must be preserved. You must also maintain an audit trail showing what was modified, who modified it, and when (time and date) it was modified. High-end database products (e.g., MS SQL Server) offer the flexibility, speed, and accuracy of an open database, as well as comprehensive query models that allow modification of data from its original form.

VERSION CONTROL

Currently, no tools are available for ensuring Part 11 compliance for development environments (e.g., SCADA or PLC); therefore, all software and documents must have version control software.

REPORTING

Part 11 does not regulate reported data but insists the original data not be modified; however, this means extracting data from a secured database into other software (such as Excel) for the purpose of generating reports can leave data exposed to unaudited modification. The system must configure report generation so the information in reports exactly matches the original data.

Present technology places the responsibility of 21 CFR Part 11 compliance for control and information systems on both the system owner and system integrator. Currently, off-the-shelf software can only assist in the achievement of this compliance. Many software providers claim compliance, but you cannot achieve compliance merely by purchasing an application and installing it on a PC. Compliance comes through the integration and application of the software product, standard operating procedures, and custom code.

Neal Collier is operations manager for Total Systems Design, Inc., a West Chester, Pa., firm that provides integrated control and information system solutions to companies in the food, pharmaceutical/biotech, and other industries. TSD, a founding member of the Control and Information System Integrators Association, is a registered member of the association. His e-mail is neal.collier@totalsystemsdesign.com.