21 CFR Part 11 and Systems Assessment
By establishing the criteria under which electronic records and electronic signatures are considered equivalent to paper records and handwritten signatures executed on paper, 21 CFR Part 11 has given the pharmaceutical industry a universally accepted, industry standard for paperless record keeping. Included in the regulation are electronic records that are created, modified, maintained, archive...
By establishing the criteria under which electronic records and electronic signatures are considered equivalent to paper records and handwritten signatures executed on paper, 21 CFR Part 11 has given the pharmaceutical industry a universally accepted, industry standard for paperless record keeping. Included in the regulation are electronic records that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements set forth in U.S. Food and Drug Administration regulations and/or submitted to the FDA.
For process operators to comply with 21 CFR Part 11, they must meet stringent requirements on the authenticity, integrity, and confidentiality of electronic records and signatures. In addition, software used to comply with the standard must be validated according to generally accepted industry standards associated with an established software system life cycle to ensure accuracy, reliability, consistency, effectiveness, and ability to identify invalid or altered records. FDA defines software validation as: "confirmation by examination and provision of objective evidence that software specifications conform to user needs and intended uses, and that the particular requirements implemented through software can be consistently fulfilled." Systems must offer output as readable text as well as electronic means. The FDA also requires system checks to enforce sequencing of events, authority checks to enforce limited access, and device checks to enforce limited input facilities.
In August 2003, FDA issued a revised current Good Manufacturing Practice (cGMP) document for pharmaceutical products, which emphasizes the FDA's intention to "exercise enforcement discretion with regard to Part 11 requirements for validation, audit trail, record retention, and record copying" and highlights provisions fundamental to FDA rules:
Limiting system access to authorized individuals, controlling levels of access, characterization of individuals, minimum levels of education, training and experience in those individuals;
Use of operational system checks;
Use of authority checks;
Use of device checks;
Determination that persons who develop, maintain, or use electronic systems have the education, training, and experience to perform their assigned tasks;
Establishment of and adherence to written policies that hold individuals accountable for actions initiated under electronic signatures; and
Establishment of appropriate controls over systems documentation.
The document also lists four classes of electronic records that fall within Part 11 scope:
Records maintained electronically in place of paper format and are required to be maintained by predicate rules;
Records maintained electronically in addition to paper format and are relied on to perform regulated activities;
Electronic signatures intended to be the equivalent of handwritten signatures, initials, and other general signings required by predicate rules; and
Electronic records that will be submitted to the FDA even if they are not specifically required by FDA regulations to be submitted.
To achieve the electronic procedures included above, Part 11 provides for a set of electronic protocols on which procedures rely:
Biometrics: reliance on an individual's physical feature(s) for electronic identification, such as iris recognition;
Closed system: an environment in which system access is controlled by closed set of identified, responsible individuals (private network);
Digital signature: cryptographic validation of identity;
Electronic signature: use of symbols to substitute written signature; and
Electronic record: any combination of text, graphics, data, audio, pictorial, or other information in digital form.
System security, functionality
Clearly, these electronic protocol considerations focus on the security of the resulting data and reports. This involves the physical security of the application and the inherent security in the hardware and software. In addition, keyboards and other input devices of the human machine interface (HMI) must be capable of "locking," for the unique biometric keys referred to above, and for enabling lock-out of unwanted/illegal individuals or inaccurate/untimely data or instructions.
Integrity of electronic records must be secured by hardware, software, security locks, and best practice procedures to guarantee origins and accuracy.
Pharmaceutical plant managers and operators looking to implement or devise a process management system that can support the policies, procedures, and best practices of paperless reporting within FDA-regulated environments should look for key features in the systems they install, such as:
An open database connectivity (ODBC) and batch-configured plant information management system compliant with Fieldbus Foundation and OPC Foundation standards;
For best security and functionality, the system should be located within a virtual private network; and
S88-based information environment for collecting, storing, and displaying current and historical data from batch production, equipment and recipe sources, and facilitating user access for decision support, production planning, production scheduling, analysis, process improvement, quality, and legislative compliance via detailed audit trails and electronic record and signature management capabilities.
These features, and 21 CFR Part 11 compliance capability, provide an optimal approach by delivering a comprehensive batch information management system for validation.
Nigel Bowden is managing director of UK-based process and management execution systems development and integration for Yokogawa;