Upcoming Events:

Click here to check out the brand new ISPE Boston Area Chapter Blog!

Standard Goes Live for Life Sciences: A new approach to navigating regulatory requirements

by Glenn Restivo 
June 2004

Life sciences organizations today might view compliance with government regulations as a necessary evil rather than an opportunity to increase profitability. Yet despite its large number of controls, 21 CFR Part 11 is a regulatory action that, in the long run, can help companies take advantage of the advances and increased efficiencies electronic documentation can bring. Adherence to the 21 CFR 11 standard for health care and life sciences companies has been slow in coming. When the regulation went live in the second half of 1997, most organizations were too heavily focused on dealing with year 2000 information technology (IT) infrastructure updates to give the issue much attention. With Y2K a distant memory, companies thought 21 CFR Part 11 would take center stage. Their efforts to conform slowed after information management technologies evolved, and the regulation affected more diverse industries. Although many companies had already started assessing their facilities, they underestimated the amount of remediation they would need. As a result, only now are IT and process control specialists beginning to collaborate on plant-wide compliance solutions. While the U.S. Food and Drug Administration (FDA) knows manufacturers need time to meet the requirements for existing systems, it expects pharmaceutical companies to take more aggressive steps to fully comply. In fact, the FDA is hastily increasing inspectors (and their knowledge) to ensure they understand the role of information and control computer systems in pharmaceutical production. With such FDA steps already underway, today's pharmaceutical companies need a long-term plan to comply and a detailed road map on exactly how to proceed.

A New Approach

Last summer, the FDA announced regulation enhancements of pharmaceutical manufacturing and product quality-they would use a science and risk-based approach to current good manufacturing practices. The approach focuses on veterinary and human drugs, including human vaccines, so companies would not apply the same level of compliance to all types of processes, records, or computer-related systems. Instead, you could perform a risk assessment-identifying and recording appropriate controls based on predicate rule requirements, how critical the process is, and the risk to product safety, purity, and strength. Under this approach, you should document user requirements and the risk analysis. The goal is to define what evidence you will need to demonstrate a system is validated for its intended use. This past February, the FDA reexamined Part 11 as it applies to all FDA-regulated products. It replaced its enforcement policy for Part 11 with Part 11, Electronic Records; Electronic Signatures - Scope and Application. The new guidance document will mostly impact life sciences companies' total number of records and systems subject to 21 CFR Part 11 compliance.

Where to Begin

There is no magic formula for bringing systems into compliance. But companies will need to evaluate manufacturing practices associated with creating electronic records. Review an inventory of all installed systems. Then, determine whether a system has to comply with the Part 11 requirements. Does the system generate or manage electronic records? If yes, then it must comply. At that point, perform a full Part 11 assessment of those systems. Third-party computerized systems and automation partners offer services that can help companies assess a facility. These vendors can simplify documentation using proven methodologies, international standards, and global manufacturing integration practices. Other services include auditing, analysis, remediation, validation, program management, and training to ensure companies establish long-term plans.

Safety First

The FDA is most interested in protecting public safety. So if you are a pharmaceutical company, start evaluating your systems by determining which systems have a direct impact on product quality and safety. Assess electronic systems that record and report on production, product quality, and product safety. Closely examine any electronic systems used for security and quality assurance to determine whether or not they conform to Part 11 regulations. After identifying appropriate systems, implement remediation plans to detail the timing and sequence of any needed upgrade projects. 21 CFR Part 11 is not intended to simply force companies to replace paper records with electronic records. In fact, many experts make the case that the rule is really aimed at improving efficiency in the quality control and assurance process. During upgrade assessments, determine which paper-based activities would best benefit from an electronic system replacement. If you have a paper-based batch record, your company might be a good candidate for an electronic recording system, especially if you expect a 65% reduction in product quarantine time, a 50% reduced quality assurance labor cost, and a return on investment in less than a year. You can purchase software programs that automate paper-based procedures using an interactive, Web-enabled interface to manage, sequence, and document manufacturing operations. The best versions of such software can also enforce electronic signature sign off in keeping with 21 CFR Part 11 standards. Because most companies will likely have at least some electronic record-keeping systems that do not meet government regulations, they will need to immediately identify such noncompliant systems. Implement your remediation plan to determine whether you have the correct security models and controls in place, including any electronic signatures. It is not merely a manufacturing or IT issue to comply with 21 CFR Part 11. Its ramifications reach throughout an enterprise. In fact, what makes Part 11 such a watershed ruling is that it affects the entire spectrum of electronic information management, from creating, transmitting, and storing electronic records to retrieving and modifying them. Although the regulation does not govern any specific technology, it does impact all aspects of regulated operations. Therefore, it is critical to have companywide involvement and support for a 21 CFR Part 11 compliance program to be successful.

Right People, Right Technology

When comparing regulatory compliance service providers, look for partners who have solid experience in developing audit plans. Effective partners should be well versed in remediation, validation, and compliance planning. FDA inspectors looking for 21 CFR 11 compliance will likely evaluate all existing production processes, documentation, and systems. Most companies will navigate this inspection process successfully if they have established remediation and assessment plans. Yet these plans can be complex. If you are working alone, you might have problems proceeding quickly. The best protection against delays in your compliance plan is to work closely with outside consultants-regulatory compliance service providers and suppliers of computer-based automation management systems. Consultants can help you develop master compliance plans to cover new and legacy systems. They can also provide different viewpoints for a vast array of clients. Having one point of contact helps coordinate multiple production areas. It also promotes consistency between groups and reduces internal resource requirements. After you complete your initial assessment and identify opportunities for compliance, carefully review the compliance-enabling technologies present in your current systems. Evaluate the experience level of the product vendor in the regulated environment. Look for suppliers that provide compliance-enabling software solutions throughout the entire drug-development life cycle, from research and development through all phases of clinical trials, up to and including commercial production. Suppliers that offer a scalable, modular approach, embracing open systems technology, are ideal for today's regulated industries, because they give companies the greatest flexibility. You will also need to ensure your company can readily retrieve electronic records throughout the record-retention period. You can trace records and manage them in real time as they move through a facility with software that can support this need. The software should control access to the electronic record-producing system in a secure, audit-friendly environment to protect record and system integrity. Choose a hybrid control system that leverages a single, integrated control architecture if you want reliable process control systems. A hybrid control system will give you more accurate information and stronger security. You will also be able to coordinate control across applications. This hybrid control system allows you to execute sequential, batch, process, and motion control from a common environment. It also tightly integrates with the information management needs of the enterprise. You can integrate original equipment manufacturer skid equipment into this architecture.

Tools to Help You Comply

An important component of 21 CFR Part 11 is the auditing, storage, and retrieval of records a system creates. Many current systems fail to deliver when it comes to archiving and retrieving data in a secure form. One way to help is to automate procedures using an interactive, Webenabled interface to manage, sequence, and document manufacturing operations. This type of interface would force electronic signature sign off. You will also want to protect your electronic records so you can accurately retrieve them throughout the record-retention period. A tracking system that gives you real-time material management and traceability of electronic records as they move through a facility would help. Controlling access to the electronic record-producing system in a secure and auditable environment is important for protecting records as well as the system. An integrated, component-based human-machine interface software solution for monitoring and controlling factory automation processes that would work in conjunction with Microsoft Windows NT or Windows 2000 security would help prevent unauthorized access to data files and the operating system.



Page last updated: 5 March 2009