Since we're up in Toronto this week attending Microsoft's Worldwide Partner Conference, we thought we'd repost an article from our archives. This article was originally written by Merit Solutions' President Bill Burke, and was published by Pharmaceutical Processing in March of 2004. It's an oldie (but goodie) - Enjoy!
"Think that because you have strong controls for lot tracking and traceability you are fully compliant with FDA CFR 21 Part 11?
Think again! The truth is, lot tracking is more tangential to what FDA CFR Part 11 is all about, and far from being the pith of the matter. Yes, you must address lot tracking to be FDA-compliant, because lot tracking with integrity is an essential part of FDA-mandated GMPs (Good Manufacturing Practices). But lot tracking and other ingredients of product accountability are NOT what FDA CFR Part 11 is about. Rather, Part 11 addresses the closely related but separate matter of your data accountability.
"Data accountability--- huh????" you ask. "What's that?" Okay, let's consider the nightmare scenario that someone over at the FDA is probably already thinking about for another industry, and how 21 CFR Part 11 would look for them. Imagine a day when incidences of so-called mad cow disease become widely prevalent such that tight controls along the lines of FDA CFR 21 Part 11 are seen as necessary.
If that horrid day arrives and you, the farmer, unwittingly think that FDA CFR 21 Part 11 is just about lot tracking, you would dutifully put tracking numbers on every cow (just as they do in Canada) and mistakenly feel comfortable that your operation is fully compliant with FDA CFR 21 Part 11. This would be a very important step-i.e. numbering all cows in the herd. However, data accountability would mean that you not only can trace herd numbers, but also you have a complete historic record of where each animal ate, what it ate, where this food came from, when the animal ate it, who fed the cow, what the cow weighed before and after it was fed, where it slept, any exposures to cows in other lots, etc. You, the farmer, would not only need to keep this data, but you would probably need the equivalent of a dual password on a computer screen to get access to cows in a particular pen, and certainly would need such password protection before you were able to gain access to move cows out of a pen. Each and every time you or any and every farmhand did something with the cow, you would need to record it or track it, such that there is a complete data record of every cow's lifetime for every cow in the herd.
If you think that sounds potentially complicated, you couldn't be more right. And that is probably one reason why the FDA has NOT run to demand FDA CFR 21 Part 11 compliance to minimize the already miniscule incidence of Bovine Spongiform Encephalopathy. However, the FDA DOES demand that this type of life cycle data be recorded in great detail for pharmaceuticals. In fact, if you haven't invested in electronic systems that are known to be fully compliant with FDA CFR 21 Part 11, you might need to spend as much as $500,000 to write custom tracking automation software that brings you in reach of compliance on top of whatever pretty penny you have already spent to put in non-FDA compliant systems. Luckily, there are workable systems that are fully-FDA CFR 21 Part 11 compliant that do not come with that kind of price tag, especially if you are a mid-sized firm.
What FDA CFR 21 Part 11 is about, is the reliability and auditability of your electronic systems en toto. Even before the post-9/11 consciousness of how terrorists might try to wreak havoc, the FDA's regulations had the wherewithal to demand that data integrity be airtight. Let's take a look at some of the specific requirements and what this means for you and every pharmaceutical manufacturer.
Section 11.10 c, for instance, mandates "Protection of records to enable their accurate and ready retrieval throughout the records retention period." That means that your business systems need to capture all transactions, including updates and changes, and archive them in an accessible database that can be viewed, printed, exported and/or downloaded throughout the records retention period. "Ready retrieval" doesn't mean you can let your IT staff come up with some sort of procedure if and when the FDA requests data-it means you need to have this information accessible in keystrokes right away if and when it is required AND that this data is not changeable by happenstance.
Section 11.30 c, for example, stipulates that "loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls." This means that your manufacturing systems need to automatically disable a user account in the event of password loss or theft to protect data security.
Thus, in these as with all other details, FDA CFR 21 Part 11 is about data accountability. You either have it or you don't.
Sad to say, far too many pharmaceutical manufacturers seem to not only not be FDA CFR 21 Part 11 compliant, but to fail to even grasp what having it would require. Consider the firm that invests in ERP systems widely used in other industries, without considering if FDA compliance has been either built-in to the system or available as add-ons. And consider the potential that those with malevolent intent have to ravage the integrity of data essential to the profitable operations of your business. However carefully you consider this problem, know that the FDA already has, and the sum of their concerns is called FDA CFR 21 Part 11."
Learn more about MAXLife, Merit Solutions' pharmaceutical software for 21 CFR Part 11 compliance.