Coming to Grips with CFR 21 Part 11
by Alex Woodie
Five years ago, the Food and Drug Administration enacted a rule governing how companies in the pharmaceutical industry should handle electronic records. This rule, known as CFR 21 Part 11--or simply Part 11--pales in comparison with other IT mandates, such as Y2K, HIPAA, or the Euro conversion. However, there is some evidence that the FDA is stepping up its enforcement of Part 11, which is helping to create a market for Part 11 compliance tools.
Although the FDA's Part 11 rule occupies only one written page, it has spawned thousands of pages of interpretation. The basic wording of Part 11 instructs companies to build the same level of accountability for electronic documents as the companies are required to have for their paper-based equivalents. In the end, Part 11 is designed to protect the public from bad batches of pharmaceuticals--or at least to ensure that a suitable audit trail exists, in order to aid investigation when things go wrong. For the pharmaceutical companies, Part 11 compliance means, in addition to more efficient new electronic processes, protection from potential consumer lawsuits and from the FDA's ability to shut them down and levy steep fines.
Industry experts say that compliance with Part 11 requires companies to alter the ERP systems they used to automate their manufacturing processes, so that every time an employee makes a change to certain electronic documents or to sensitive fields in an application (such as changes made to a batch of raw material used in the production of a drug), there is an electronic signature (or equivalent mark) that proves that the employee made the change to the system.
The problem is that most of the popular ERP and MRP systems on the market do not support the things that Part 11 requires. Many of these ERP vendors are working on delivering patches, or add-ons, that would allow drug makers to comply with the rule. However, these software makers seem to be taking the same "wait and see" approach that most pharmaceutical companies have taken toward the situation, which doesn't help the companies that prefer a more proactive approach in order to avoid a potential problem.
Boehringer Ingelheim, a privately held international pharmaceutical company headquartered in Germany, is one of the companies that could be grouped into the "proactive" category. A division of Boehringer Ingelheim in the United States that makes drugs for animals is currently evaluating its Part 11 options. This division runs a popular OS/400-based ERP system from a large and well-known ERP software vendor that is taking a wait-and-see approach toward Part 11.
Michael Cannon, Ph.D., is in charge of this division's quality assurance program. Dr. Cannon has contacted his ERP software vendor and approves of the direction that it's taking, but he doesn't want to wait for the vendor to decide what to do about his Part 11 problem. "We want to get Part 11 behind us, so we know we'll be compliant and be able to manufacture product," he said. "If the government decided that my company was not being compliant, they could come and shut us down. If the government thought we weren't being proactive, our customers would go elsewhere. . . . If the government wants us to be Part 11-compliant, that's ultimately" what matters.
Cannon is evaluating a third-party auditing tool that could solve his company's Part 11 dilemma. The tool, called DataThread, was introduced last year by Innovatum, a small, Sugar Hill, Georgia, software and services company. Innovatum has focused on serving the pharmaceutical and food industries during its 20-year history, particularly with clients who use the BPCS and PRISM ERP systems, although it has experience with others as well.
Innovatum's decision to develop a Part 11 solution came from that experience in the pharmaceutical industry, said Ardi Batmanghelidj, Innovatum's vice president of business development. "We're well aware of the vigorous requirements [of Part 11] and knew there would be a market for a solution for CFR 21 Part 11," he said. "It just made sense."
DataThread is built on and uses the database management functions of the OS/400 platform's native DB2/400 database. In a nutshell, DataThread detects any changes made to a database record, through triggers and journaling, and captures those changes for storage in a separate, secure repository. The utility satisfies the Part 11 requirement for electronic signatures by using OS/400 user IDs and passwords (an acceptable replacement for an actual signature). Alternatively, DataThread can be used with biometric devices, such as fingerprint or retinal scanners, to satisfy the signature requirement. Although Innovatum developed DataThread specifically for Part 11, its data auditing and workflow capabilities can be applied to just about any industry, the company said.
Dr. Cannon has researched DataThread and says it could provide a suitable patch to bring Part 11 compliance to his company's ERP system. As part of his research, Cannon recently conducted an audit of Innovatum and found the company to be satisfactory. "They do have a quality system," he said.
Innovatum is not the only OS/400 software vendor providing Part 11 solutions. Dynamic Systems Solutions, a Pompano Beach, Florida, vendor of database and security utilities for the OS/400 platform, provides Part 11 remediation capabilities in its Auditron400 utility. Although not designed specifically for Part 11, Auditron400's ability to detect field-level changes in data and provide audit trails is exactly what is called for in complying with Part 11. This summer, Dynamic Systems Solutions announced that a major pharmaceutical company had installed Auditron400 earlier this year to help comply with Part 11.
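The trigger-based capture described for DataThread and the field-level audit trail described for Auditron400 can be illustrated with a small model. This is an added example, not code from either product or from the original article; it uses SQLite from Python rather than DB2/400, and the table names, the `signon` table standing in for the OS/400 user ID, and the sample batch are all constructed for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE batch (batch_id TEXT PRIMARY KEY, lot_qty INTEGER, status TEXT);
CREATE TABLE signon (user_id TEXT NOT NULL);  -- stand-in for the signed-on user ID
CREATE TABLE audit_trail (
    seq INTEGER PRIMARY KEY AUTOINCREMENT, changed_at TEXT DEFAULT CURRENT_TIMESTAMP,
    user_id TEXT NOT NULL,  -- a change with no signed-on user is rejected
    batch_id TEXT NOT NULL, field TEXT NOT NULL, old_value TEXT, new_value TEXT);
-- One trigger per sensitive field records who changed it, from what, to what.
CREATE TRIGGER qty_audit AFTER UPDATE OF lot_qty ON batch
WHEN OLD.lot_qty IS NOT NEW.lot_qty BEGIN
    INSERT INTO audit_trail (user_id, batch_id, field, old_value, new_value)
    VALUES ((SELECT user_id FROM signon), OLD.batch_id, 'lot_qty', OLD.lot_qty, NEW.lot_qty); END;
CREATE TRIGGER status_audit AFTER UPDATE OF status ON batch
WHEN OLD.status IS NOT NEW.status BEGIN
    INSERT INTO audit_trail (user_id, batch_id, field, old_value, new_value)
    VALUES ((SELECT user_id FROM signon), OLD.batch_id, 'status', OLD.status, NEW.status); END;
-- The trail is append-only: existing rows cannot be rewritten or removed.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_trail
BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_trail
BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
"""

def sign_on(db, user_id):  # attribute the changes that follow to user_id
    db.execute("DELETE FROM signon")
    if user_id is not None:
        db.execute("INSERT INTO signon VALUES (?)", (user_id,))

def rejected(db, sql):  # True if the database refuses the statement
    try:
        db.execute(sql)
    except sqlite3.DatabaseError:
        return True
    return False

def trail(db):
    return db.execute("SELECT user_id, batch_id, field, old_value, new_value FROM audit_trail ORDER BY seq").fetchall()

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO batch VALUES ('B-1001', 500, 'QUARANTINE')")  # constructed sample
    sign_on(db, "QAUSER1")
    db.execute("UPDATE batch SET lot_qty = 480 WHERE batch_id = 'B-1001'")
    sign_on(db, "QAUSER2")
    db.execute("UPDATE batch SET status = 'RELEASED' WHERE batch_id = 'B-1001'")
    return db
```

Because the audit insert runs inside the same statement as the change, an update that cannot be attributed to a user fails as a whole and leaves the batch record untouched.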
Other software vendors are starting to realize the potential market that Part 11 is creating in the IT industry. Earlier this month, PentaSafe Security Technologies announced the introduction of a joint product offering designed to help life sciences companies understand the ramifications of Part 11. PentaSafe, which is awaiting approval of a planned acquisition by NetIQ, partnered with an unrelated European firm named QinetiQ to offer a 21 CFR Part 11 content module for VigilEnt Policy Center, PentaSafe's application for managing security policies. This content module contains a best-practice policy library, documents, quizzes, and other supporting documentation that facilitates compliance with Part 11.
Pharmaceutical companies are just now beginning to recognize the potential disruption and million-dollar fines that Part 11 could bring. "In the same way that HIPAA is just starting to take up steam, a lot of these [pharmaceutical] companies are waiting to see how much enforcement takes place and how important it becomes," Innovatum's Batmanghelidj said. "More and more pharmaceutical companies are getting the concept: If they don't comply, there will be serious consequences."
For more information about 21 CFR Part 11, see www.21cfrpart11.com. For more information on Part 11 remediation tools, see Innovatum's Web site at www.innovatum.com or the Dynamic Systems Solutions Web site at www.dynamicsys-solutions.com.
Last Updated: 10/29/02
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.