Understanding, experience and technology for success
According to some analysts, the cost of 21CFR Part 11 compliance could vary from $5 million to $400 million, depending on a company's size and current state of systems. Companies with computer systems that are not compliant with 21 CFR Part 11 must prioritize which systems to upgrade first. They are now beginning to use a risk-based methodology to create a roadmap for compliance. This paper explains the 21CFR part 11-system requirements, discusses a risk-based methodology to create a compliance roadmap and identifies popular first steps in the roadmap for most companies.
cGMP - the Basis for 21CFR Part 11
Current Good Manufacturing Practices (cGMP) are mandated by the FDA to ensure that the products manufactured by the industries such as pharmaceutical, biotech and medical devices, meet specific requirements for identity, strength, quality, and purity. cGMP regulations are specified in 21 CFR Part 210 (Current Good Manufacturing Practice in Manufacturing, Processing, Packing, or Holding of Drugs; General Part) and 21 CFR Part 211 (Current Good Manufacturing Practice for finished Pharmaceuticals).
In order to comply with cGMP, companies are required to record, track, manage, store and easily access various production documents and their detailed change history including
Standard Operating Procedures (SOP): SOPs are documents that describe how to perform various routine procedures in a cGMP facility. SOPs relate to both tools and equipment. SOPs contain step-by-step instructions that technicians in production, QC, maintenance and material handling must consult daily in order to complete their tasks reliably and consistently. They make it clear how the task will be performed (procedure), who will perform the task (responsibility), why it will be performed (purpose), and what limits of use apply (scope).
Master Production Batch Record (MPBR) or Production Batch Record (PBR): A master production batch records (MPBR) is a detailed, step-by-step description of the entire production process for a specific drug. The MPBR explains exactly how the product is produced, indicating specific types and quantities of components and raw materials, processing parameters, in-process quality controls, environmental controls, etc. Production Batch Records (PBR) documents the production events, quality charts, environmental monitoring records and inspection reports for the entire production process for a specific batch.
Equipment Log Books: Log books are kept for all major equipment in a cGMP facility so that a chronological record of all equipment-related activities can be maintained. Minimum log book entries include date, time, the name of the technician and the event, but could also include a list of tasks that permits the technician to check off, sign, and date each event in the list of tasks as s/he performs them.
Why 21 CFR Part 11?
Historically, all the quality documents including SOPs, MPBRs, PBRs and log books have been maintained on paper by companies in order to comply with FDA’s cGMP. Even as companies automated their production and quality processes, they were still being forced to maintain and track paper records. The code of Federal Regulations (CFR) Part 11 was implemented in 1997 to let the FDA accept electronic records and signatures in place of paper records and handwritten signatures for compliance. The regulation outlines controls for ensuring that electronic records and signatures are trustworthy, reliable, and compatible with FDA procedures and as verifiable and traceable as their paper counterparts.
Hence, 21 CFR Part 11 also specifies a number of requirements for software systems to enable trustworthy and reliable electronic records and signatures. These software requirements must be met for the resulting electronic records to comply with FDA’s cGMP. If an organization does employ electronic records and signatures, but fails to comply with these system requirements, the FDA will cite the firm for violating the underlying regulation. For example, if a drug company maintains its written complaint records, required by 21 CFR 211.198(b), in electronic form, but the agency finds for some reason that these records are unacceptable substitutes for paper records, then the FDA would charge the firm with violating 211.198(b) – "Master production records are generated from a computer as electronic records without any apparent controls to assure authenticity and integrity [21 CFR 211.186(a)]."
21 CFR Part 11 Software Requirements
The following are the specific software requirements specified in Section 11.10:
Scope of 21CFR Part 11 Requirements Source: CGE&Y
(Please click on image for enhanced version)
Building a Roadmap for compliance with 21 CFR Part 11
According to analysts who track FDA regulations, the cost of Part 11 compliance could vary from $5 million to $400 million, depending on a company's size and requirements. Companies with low budgets and lots of computer systems that aren't compliant with 21 CFR Part 11 must prioritize which systems to fix first. They are now beginning to use risk-based methodology to create a compliance plan for their systems.
Risk-based compliance methodology begins with an inventory of all the existing systems and carefully identifies all systems that are either paper-based or non-compliant. The approach then carefully analyzes each system to assess their risk, as well as, the cost of either converting paper-based system or upgrading/replacing a non-compliant system to comply with the regulations. A key aspect to determining risk is assessing the computer system’s potential impact on affecting consumer safety. Incorporated in this assessment must be the role that system plays in the product life cycle, as well as the potential capability of the company’s products to injure the consumer as a result of the use of that system. Another aspect to determining risk relates to system’s potential to fail due to issues such as software code complexity, lack of good vendor support or lack of change control procedures. Finally, the company must consider the risk of intervention by FDA during an inspection, leading to a large fine or delay in drug approval or a consent decree. While calculating the cost of upgrading, one should determine if the total costs of legacy system upgrade and validation is more expensive than its replacement.
This information is then plotted on an X-Y matrix that measures, from low to high, the risk to security of the data (X-axis) and the cost of upgrading (Y-axis). Then the company may prioritize its systems and processes needing conversion or replacement based on where they fall in the matrix. Computer systems, for example, that fall in the "high data security risk, low conversion cost" area of the matrix could be targeted first for compliance validation.
Source Clarkston Consulting
(Please click on image for enhanced version)
Low Hanging Fruits in the Roadmap for Compliance with 21 CFR Part 11
Based on research by various analysts and consulting firms, one of the low hanging fruits is upgrading quality management systems to become compliant with 21CFR part 11. Such systems provide a core infrastructure for electronic records for SOPs & training/certification, implement strict change control and enable auditable corrective action processes. Hence, these systems are considered quick hits because of their high-risk (high risk of FDA intervention due to direct correlation with cGMP) and lower-cost (relatively lower cost of replacement than a manufacturing system) profile. Quality Management systems should support multi-plant and multi-organization architecture, including any outsourced operations such as clinical trials, R&D or production. Multi-organization architecture enables companies to ensure consistency of practices and processes across the entire internal supply chain leading to a reduction of overall risk of customer-safety. Since existing implementations of quality management systems do not have the architecture to support global operations, enhancements to existing legacy systems is more expensive than implementing a new solution with a global architecture.
Capabilities addressed by Quality Management Systems include:
AMR, an industry analyst firm based in Boston, in a report on the Risk from the current systems to support FDA compliance stated that “Information Technology (IT) applications have not been integrated to support end-to-end compliance business processes. This issue will come under increasing regulatory pressure as the FDA targets a top-down, risk-based approach to consumer product safety. Product integrity and consumer safety are still disconnected across product supply and customer-facing processes because IT environments today support prioritized quality applications at local sites. These applications include CAPA, quality monitoring and Laboratory Information Management System (LIMS) applications, complaint management, and adverse event management. No enterprise-wide straw man exists for managing compliance and quality across global operations.”
Leading pharmaceutical, drug discovery and development companies are aggressively investing in quality management systems through initiatives that
Risk-based methodology enables companies to create a prioritized roadmap for compliance with 21CFR Part 11, while staying within their budgets. This roadmap allows IT organization to start selecting and implementing new systems such as an enterprise-wide Quality Management System and upgrading existing production systems that create batch records.