21 CFR Part 11 Compliance Roadmap

According to some analysts, the cost of 21CFR Part 11 compliance could vary from $5 million to $400 million, depending on a company's size and current state of systems. Companies with computer systems that are not compliant with 21 CFR Part 11 must prioritize which systems to upgrade first. They are now beginning to use a risk-based methodology to create a roadmap for compliance. This paper explains the 21CFR part 11-system requirements, discusses a risk-based methodology to create a compliance roadmap and identifies popular first steps in the roadmap for most companies.

cGMP - the Basis for 21CFR Part 11
Current Good Manufacturing Practices (cGMP) are mandated by the FDA to ensure that the products manufactured by the industries such as pharmaceutical, biotech and medical devices, meet specific requirements for identity, strength, quality, and purity. cGMP regulations are specified in 21 CFR Part 210 (Current Good Manufacturing Practice in Manufacturing, Processing, Packing, or Holding of Drugs; General Part) and 21 CFR Part 211 (Current Good Manufacturing Practice for finished Pharmaceuticals).

In order to comply with cGMP, companies are required to record, track, manage, store and easily access various production documents and their detailed change history including

Standard Operating Procedures (SOP): SOPs are documents that describe how to perform various routine procedures in a cGMP facility. SOPs relate to both tools and equipment. SOPs contain step-by-step instructions that technicians in production, QC, maintenance and material handling must consult daily in order to complete their tasks reliably and consistently. They make it clear how the task will be performed (procedure), who will perform the task (responsibility), why it will be performed (purpose), and what limits of use apply (scope).

Master Production Batch Record (MPBR) or Production Batch Record (PBR): A master production batch records (MPBR) is a detailed, step-by-step description of the entire production process for a specific drug. The MPBR explains exactly how the product is produced, indicating specific types and quantities of components and raw materials, processing parameters, in-process quality controls, environmental controls, etc. Production Batch Records (PBR) documents the production events, quality charts, environmental monitoring records and inspection reports for the entire production process for a specific batch.

Equipment Log Books: Log books are kept for all major equipment in a cGMP facility so that a chronological record of all equipment-related activities can be maintained. Minimum log book entries include date, time, the name of the technician and the event, but could also include a list of tasks that permits the technician to check off, sign, and date each event in the list of tasks as s/he performs them.

Why 21 CFR Part 11?
Historically, all the quality documents including SOPs, MPBRs, PBRs and log books have been maintained on paper by companies in order to comply with FDA’s cGMP. Even as companies automated their production and quality processes, they were still being forced to maintain and track paper records. The code of Federal Regulations (CFR) Part 11 was implemented in 1997 to let the FDA accept electronic records and signatures in place of paper records and handwritten signatures for compliance. The regulation outlines controls for ensuring that electronic records and signatures are trustworthy, reliable, and compatible with FDA procedures and as verifiable and traceable as their paper counterparts.

Hence, 21 CFR Part 11 also specifies a number of requirements for software systems to enable trustworthy and reliable electronic records and signatures. These software requirements must be met for the resulting electronic records to comply with FDA’s cGMP. If an organization does employ electronic records and signatures, but fails to comply with these system requirements, the FDA will cite the firm for violating the underlying regulation. For example, if a drug company maintains its written complaint records, required by 21 CFR 211.198(b), in electronic form, but the agency finds for some reason that these records are unacceptable substitutes for paper records, then the FDA would charge the firm with violating 211.198(b) – "Master production records are generated from a computer as electronic records without any apparent controls to assure authenticity and integrity [21 CFR 211.186(a)]."

21 CFR Part 11 Software Requirements
The following are the specific software requirements specified in Section 11.10:

• Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records
• The ability to generate accurate and complete copies of records in both human readable and electronic form
• Protection of records to enable their accurate and ready retrieval throughout the records retention period
• Limiting system access to authorized individuals
• Use of secure, computer-generated, time-stamped audit trails
• Use of operational system checks to enforce permitted sequencing of steps and events
• Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand
• Use of device checks to determine the validity of the source of data input or operational instruction
• Determination that persons who develop, maintain, or use electronic record/electronic signature systems has the education, training, and experience to perform their assigned task
• The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures
• Use of appropriate controls over systems documentation

Scope of 21CFR Part 11 Requirements Source: CGE&Y
(Please click on image for enhanced version)

Building a Roadmap for compliance with 21 CFR Part 11
According to analysts who track FDA regulations, the cost of Part 11 compliance could vary from $5 million to $400 million, depending on a company's size and requirements. Companies with low budgets and lots of computer systems that aren't compliant with 21 CFR Part 11 must prioritize which systems to fix first. They are now beginning to use risk-based methodology to create a compliance plan for their systems.

Risk-based compliance methodology begins with an inventory of all the existing systems and carefully identifies all systems that are either paper-based or non-compliant. The approach then carefully analyzes each system to assess their risk, as well as, the cost of either converting paper-based system or upgrading/replacing a non-compliant system to comply with the regulations. A key aspect to determining risk is assessing the computer system’s potential impact on affecting consumer safety. Incorporated in this assessment must be the role that system plays in the product life cycle, as well as the potential capability of the company’s products to injure the consumer as a result of the use of that system. Another aspect to determining risk relates to system’s potential to fail due to issues such as software code complexity, lack of good vendor support or lack of change control procedures. Finally, the company must consider the risk of intervention by FDA during an inspection, leading to a large fine or delay in drug approval or a consent decree. While calculating the cost of upgrading, one should determine if the total costs of legacy system upgrade and validation is more expensive than its replacement.

This information is then plotted on an X-Y matrix that measures, from low to high, the risk to security of the data (X-axis) and the cost of upgrading (Y-axis). Then the company may prioritize its systems and processes needing conversion or replacement based on where they fall in the matrix. Computer systems, for example, that fall in the "high data security risk, low conversion cost" area of the matrix could be targeted first for compliance validation.

Source Clarkston Consulting
(Please click on image for enhanced version)

Low Hanging Fruits in the Roadmap for Compliance with 21 CFR Part 11
Based on research by various analysts and consulting firms, one of the low hanging fruits is upgrading quality management systems to become compliant with 21CFR part 11. Such systems provide a core infrastructure for electronic records for SOPs & training/certification, implement strict change control and enable auditable corrective action processes. Hence, these systems are considered quick hits because of their high-risk (high risk of FDA intervention due to direct correlation with cGMP) and lower-cost (relatively lower cost of replacement than a manufacturing system) profile. Quality Management systems should support multi-plant and multi-organization architecture, including any outsourced operations such as clinical trials, R&D or production. Multi-organization architecture enables companies to ensure consistency of practices and processes across the entire internal supply chain leading to a reduction of overall risk of customer-safety. Since existing implementations of quality management systems do not have the architecture to support global operations, enhancements to existing legacy systems is more expensive than implementing a new solution with a global architecture.

Capabilities addressed by Quality Management Systems include:

• Document Management and Control (for SOPs)
• Audit Management
• Out-of-Specifications/Non-Compliance Tracking
• Corrective and Preventive Action (CAPA)
• Change Control
• Training
• Equipment Calibrations

AMR, an industry analyst firm based in Boston, in a report on the Risk from the current systems to support FDA compliance stated that “Information Technology (IT) applications have not been integrated to support end-to-end compliance business processes. This issue will come under increasing regulatory pressure as the FDA targets a top-down, risk-based approach to consumer product safety. Product integrity and consumer safety are still disconnected across product supply and customer-facing processes because IT environments today support prioritized quality applications at local sites. These applications include CAPA, quality monitoring and Laboratory Information Management System (LIMS) applications, complaint management, and adverse event management. No enterprise-wide straw man exists for managing compliance and quality across global operations.”

Leading pharmaceutical, drug discovery and development companies are aggressively investing in quality management systems through initiatives that

• Establish and monitor company wide quality programs
• Assure compliance with company and regulatory procedures and guidelines
• Provide release and approval of all cGMP documentation, including Standard Operating Procedures (SOPs) and batch records
• Enable auditing of
  • Chemical development, medicinal chemistry, and analytical departments.
  • Manufacturing and packaging facilities
  • Analytical chemistry laboratories
  • Drug formulation facilities
  • Raw material supplier audits
  • Contract testing organization

Risk-based methodology enables companies to create a prioritized roadmap for compliance with 21CFR Part 11, while staying within their budgets. This roadmap allows IT organization to start selecting and implementing new systems such as an enterprise-wide Quality Management System and upgrading existing production systems that create batch records.