Six Steps to Part 11 Compliance

Oct. 18, 2002
By developing a master plan for 21 CFR 11 compliance, pharmaceutical companies can make the process fairly painless — and profit from it as well

Regulatory compliance is nothing new to the pharmaceutical industry. The U.S. Food and Drug Administration (FDA) has been keeping tabs on industry processes since the late 1800s, when a single chemist was responsible for investigating pharmaceutical fraud and medicinals such as "wizard oil."

Over the years, consumers and FDA began to demand more stringent safety regulations, and manufacturers made efforts to keep their own detailed records on how products were designed, manufactured, packaged and sold. Until recently, paper records and hand signatures were the only options, so companies documented and filed huge amounts of paper reports in an effort to keep an accurate history.

With the ability to store information digitally came the opportunity to shift to electronic records and signatures, a move that could potentially save manufacturers huge amounts of time and money on filing alone. But these electronic records have even bigger benefits--they allow manufacturers to share information quickly and easily, store and analyze information in ways not possible with paper, and improve documentation quality and security by decreasing human access and error.

What it all means

Manufacturers who decide to move to electronic records and signatures should, by now, be aware of FDA's Title 21 Code of Federal Regulations Part 11 (21 CFR Part 11) regulations. This rule is FDA's regulatory mandate for electronic records. First announced in 1997, it states that manufacturers using electronic records must prove that both new and legacy systems can effectively store, process and transmit electronic records and associated electronic signatures without fail.

Although FDA has said in the past that modification to legacy systems could take more time than the creation of new systems, 21 CFR Part 11 does not "grandfather in" legacy systems. The agency expects pharmaceutical companies using legacy systems to take steps to achieve full compliance across all systems.

On the surface, these regulations might look like they impose a greater administrative burden on manufacturers. However, in the long-term, they offer a standard methodology for electronic records that can help ensure authenticity, reliability and trustworthiness of electronic records, create legally valid electronic records and reduce the overall paperwork load on the industry.

By replacing obsolete or inefficient equipment with automated technology, manufacturers potentially can reduce data error, enhance process control, improve data collection and retrieval, and increase the speed of information exchange. In the end, these improvements can lead to more streamlined data transfer and management processes, smoother project integration and easier dissemination of information across the enterprise. Although daunting, a new approach to meeting the regulations is helping manufacturers to see both the challenges and the benefits and to create a plan for the future.

Key compliance elements

Despite the claims of some, 21 CFR Part 11 compliance involves more than new control and information management software. Although software can enable facility compliance, the ongoing ability to manage electronic records is what allows a company to meet the regulations.

Instead of evaluating point solutions for compliance, manufacturers are taking a new approach. They are looking at the company's overall ability to authenticate users, manage electronic signatures, manage audit trails and archive electronic records , the main functions that define 21 CFR Part 11 compliance.

Authentication. To comply with 21 CFR Part 11, manufacturers must provide authentication of all users who have access to system functionality. Controlled access to the editing tools required to change processes is the most effective and pro-active way to prevent unauthorized change. This type of prevention method should be installed on all systems that record data, including recipe management systems, electronic batch recording systems, quality systems, human-machine interface (HMI) terminals, programmable logic controllers (PLCs), distributed control systems (DCSs) and other computerized systems.

For example, programming applications should use electronic authentication at the user log-in to trigger proper security controls for each user. This step can limit access to application functionality based on each user's security level, denying actions such as online PLC program changes or new control program downloads. Individ-ual security profiles should be set up by the administrator to allow or disallow actions for each person. 

A Six-Step Program

Step 1. System identification. Before beginning any compliance program, a facility first should develop an inventory of its systems and applications. Understanding exactly what the compliance team has to work with will eliminate any missed systems or applications later in the process. Although many companies believe they know every system in place, a complete written list also can help in developing a timeline and other planning documents.

Step 2. Assessment strategy. After identifying all the systems and applications in place, the facility should prioritize each based on how critical it is to compliance. Systems and applications that are the most critical (batch controls, HMI, etc.) should be positioned at the head of the list and addressed early in the compliance process.

Step 3. Gap analysis.The next step is to develop a gap analysis. The facility should look at each system (recipe management, quality systems, etc.) individually to determine the gaps that exist in each system. It should take into account each device in the system to determine where compliance gaps might exist. These gaps must be eliminated before the system can become compliant.

Step 4. Remediation plan and schedule.The plant should consider any systems that will need to be replaced or upgraded to achieve compliance. Looking at each system and application, it then should create a plan to replace or upgrade each in the most cost-effective manner, making sure the new system or application will or can be compliant-enabled. Once a plan has been developed for remediation, the facility should develop a schedule for action.

Step 5. Project implementation. Using the schedules and prioritized lists developed earlier in the process, the facility should implement the compliance program in accordance with activities. In this step, it is also important that all operators and managers are trained on new procedures or systems that have been put into place.

Step 6. Ongoing evaluation. The facility should have a plan in place for ongoing evaluation of all systems. It is important to evaluate systems, on an ongoing basis, to ensure new systems are working properly and older or upgraded systems have transitioned according to plan. The plant regularly should check new systems or applications that must be compliant.

These six steps can help companies develop a master 21 CFR Part 11 plan. The plan helps ensure the transition to electronic records and system modification is business and user driven, not hardware and software driven. The plan also identifies how to get the most from existing installed systems and how to move forward with new application and system implementation.

Electronic signatures. Critical operations in a process might require more significant authentication steps to ensure the correct individuals have the rights and authority to perform certain actions. By incorporating the capability to require users to sign changes before they affect the process or by requiring an additional authorization signature before the modification is made, plants can attain this security.

All electronic signatures made by individuals performing or authorizing a change should create an audit trail. The human interface should also provide electronic signature and verification for additional security checks before users are allowed to download setpoints or issue commands. The users should be required to provide a username, password, new value, comments and, if necessary, a supervisor signature.

Auditing. For users at all security levels, 21 CFR Part 11 requires manufacturers to provide documentation of all process changes, including device configurations. During system configuration, administrators determine which actions require audits and authorization signatures; once deployed, changes to information such as PLC/DCS applications, recipe values, electronic work instructions, recorded historical data and quality systems are logged automatically. A detailed audit trail also can be generated from user actions, showing exactly who did what, when, where and why for compliance.

Archiving. Document archiving is another requirement of 21 CFR Part 11. A document management system integrated with other applications such as device configuration editors and HMI applications can allow users to archive process data and system configurations, as well as computer-assisted design (CAD) files and standard operating procedures (SOPs). This also can provide features such as check-out/check-in, file locking, "mastering" the current revision and automatic revision numbering. Additionally, all transactions with the document management repository should create an audit trail to maintain records in compliance with 21 CFR Part 11 regulations.

Start with a plan

Once a company understands the main functions defining 21 CFR Part 11, it is important to develop a plan for meeting compliance. The steps detailed in the sidebar ("A Six-Step Program") can help pharmaceutical facilities develop a master compliance plan. As the facility completes each step, it should clearly see the areas that require compliance-enabling systems.

Many companies do not yet have the bandwidth or past experience to brave compliance on their own. In these cases, 21 CFR Part 11 consultants are available to help interpret the code and define areas of the facility in which 21 CFR Part 11 will have an impact.

One of the most beneficial aspects of a consultant is single-source accountability. This one-point contact helps coordinate multiple production areas, promoting consistency between groups and reducing internal resource requirements. Consultants can help assess, develop and implement master compliance plans to cover both new and legacy systems.

For many pharmaceutical companies, compliance with government regulations still seems like a necessary evil instead of an opportunity to increase profitability. Despite its number of controls, 21 CFR Part 11 is one of the few regulatory actions that industry sought to enable the use of advances in electronic documentation.

By combining an understanding of the regulations with a solid plan of action, industry knowledge and expertise, and the right technology, companies now can make the leap to compliant systems through a fairly painless process.

About the Author

Tad Palus | Vertical Market Champion, Life Sciences, Rockwell Automation

About the Author

Charlie Norz | Senior Marketing Engineering, Rockwell Automation