Coming to Grips with CFR 21 Part 11

by Alex Woodie

Five years ago, the Food and Drug Administration enacted a rule governing how companies in the pharmaceutical industry should handle electronic records. This rule, known as CFR 21 Part 11--or simply Part 11--pales in comparison with other IT mandates, such as Y2K, HIPPA, or the Euro conversion. However, there is some evidence that the FDA is stepping up its enforcement of Part 11, which is helping to create a market for Part 11 compliance tools.

Although the FDA's Part 11 rule occupies only one written page, it has spawned thousands of pages of interpretation. The basic wording of Part 11 instructs companies to build the same level of accountability for electronic documents as the companies are required to have for their paper-based equivalents. In the end, Part 11 is designed to protect the public from bad batches of pharmaceuticals--or at least to ensure that a suitable audit trail exists, in order to aid investigation when things go wrong. For the pharmaceutical companies, Part 11 means, in addition to aiding in the efficiency of their new electronic processes, protection from potential consumer lawsuits and the ability of the FDA to shut them down and levy steep fines.

Industry experts say that compliance with Part 11 requires companies to alter the ERP systems they used to automate their manufacturing processes, so that every time an employee makes a change to certain electronic documents or to sensitive fields in an application (such as changes made to a batch of raw material used in the production of a drug), there is an electronic signature (or equivalent mark) that proves that the employee made the change to the system.

The problem is that most of the popular ERP and MRP systems on the market do not support the things that Part 11 requires. Many of these ERP vendors are working on delivering patches, or add-ons, that would allow drug makers to comply with the rule. However, these software makers seem to be taking the same "wait and see" approach that most pharmaceutical companies have taken toward the situation, which doesn't help the companies that prefer a more proactive approach in order to avoid a potential problem.

Boehringer Ingelheim, a privately held international pharmaceutical company headquartered in Germany, is one of the companies that could be grouped into the "proactive" category. A division of Boehringer Ingelheim in the United States that makes drugs for animals is currently evaluating its Part 11 options. This division runs a popular OS/400-based ERP system from a large and well-known ERP software vendor that is taking a wait-and-see approach toward Part 11.

Michael Cannon, Ph.D., is in charge of this division's quality assurance program. Dr. Cannon has contacted his ERP software vendor and approves of the direction that it's taking, but he doesn't want to wait for the vendor to decide what to do about his Part 11 problem. "We want to get Part 11 behind us, so we know we'll be compliant and be able to manufacture product," he said. "If the government decided that my company was not being compliant, they could come and shut us down. If the government thought we weren't being proactive, our customers would go elsewhere. . . . If the government wants us to be Part 11-compliant, that's ultimately" what matters.

Cannon is evaluating a third-party auditing tool that could solve his company's Part 11 dilemma. The tool, called DataThread, was introduced last year by Innovatum, a small, Sugar Hill, Georgia, software and services company. Innovatum has focused on serving the pharmaceutical and food industries during its 20-year history, particularly with clients who use the BPCS and PRISM ERP systems, although it has experience with others as well.

Innovatum's decision to develop a Part 11 solution came from that experience in the pharmaceutical industry, said Ardi Batmanghelidj, Innovatum's vice president of business development. "We're well aware of the vigorous requirements [of Part 11] and knew there would be a market for a solution for CFR 21 Part 11," he said. "It just made sense."

DataThread is built on and uses the database management functions of the OS/400 platform's native DB2/400 database. In a nutshell, DataThread detects any changes made to a database record, through triggers and journaling, and captures those changes for storage in a separate, secure repository. The utility satisfies the Part 11 requirement for electronic signatures by using OS/400 user IDs and passwords (an acceptable replacement for an actual signature). Alternatively, DataThread can be used with biometric devices, such as fingerprint or retinal scanners, to satisfy the signature requirement. Although Innovatum developed DataThread specifically for Part 11, its data auditing and workflow capabilities can be applied to just about any industry, the company said.

Dr. Cannon has researched DataThread and says it could provide a suitable patch to bring Part 11 compliance to his company's ERP system. As part of his research, Cannon recently conducted an audit of Innovatum and found the company to be satisfactory. "They do have a quality system," he said.

Innovatum is not the only OS/400 software vendor providing Part 11 solutions. Dynamic Systems Solutions, a Pompano Beach, Florida, vendor of database and security utilities for the OS/400 platform, provides Part 11 remediation capabilities in its Auditron400 utility. Although not designed specifically for Part 11, Auditron400's ability to detect field-level changes in data and provide audit trails is exactly what is called for in complying with Part 11. This summer, Dynamic Systems Solutions announced that a major pharmaceutical company had installed Auditron400 earlier this year to help comply with Part 11.

Other software vendors are starting to realize the potential market that Part 11 is creating in the IT industry. Earlier this month, PentaSafe Security Technologies announced the introduction of a joint product offering designed to help life sciences companies understand the ramifications of Part 11. PentaSafe, which is awaiting approval of a planned acquisition by NetIQ, partnered with an unrelated European firm named QinetiQ to offer a 21 CFR Part 11 content module for VigilEnt Policy Center, PentaSafe's application for managing security policies. This content module contains a best-practice policy library, documents, quizzes, and other supporting documentation that facilitates compliance with Part 11.

Pharmaceutical companies are just now beginning to recognize the potential disruption and million-dollar fines that Part 11 could bring. "In the same way that HIPPA is just starting to take up steam, a lot of these [pharmaceutical] companies are waiting to see how much enforcement takes place and how important it becomes," Innovatum's Batmanghelidj said. "More and more pharmaceutical companies are getting the concept: If they don't comply, there will be serious consequences."

For more information about 21 CFR Part 11, see www.21cfrpart11.com. For more information on Part 11 remediation tools, see Innovatum's Web site at www.innovatum.com or the Dynamic Systems Solutions Web site at www.dynamicsys-solutions.com.

Sponsored By BCD INT'L

Develop new or extend your existing iSeries-AS/400, BPCS, MAPICS, JDE or other applications, quickly and affordably, into elegant Web/Browser based applications. Unlike many IBM AS/400 WebSphere™ sites, 95+% of BCD WebSmart users DO NOT have to upgrade their hardware, saving them $20K to $200K in costs! ====== Save $1,000 or more now. ====== Try Award Winning WebSmart, the complete development and deployment environment tool, on a FREE DOWNLOAD. Prove it out quickly. Prove the quick learning curve; prove the speed of the developed applications on small, medium or large sized AS/400s. Develop applications up front, risk free, and without obligation, then decide. Buy with confidence. WebSmart developed ILE/CGI web/browser based applications DO NOT consume interactive resources and run significantly faster than applications generated in JAVA--significantly faster. Runs really fast even on small iSeries-AS/400s. NO Proprietary data access middleware, no hidden additional costs and unlike with NT servers--NO viruses. You will soon see why BCD won 18 industry awards, including 10 awards for best Web, and iSeries-AS/400 application development tools. BCD has 1,000's of developers and 500,000+ end-users using the developed apps. http://www.bcdsoftware.com ====== Read what the EXPERTS have to say ====== -- Regarding the WebSmart developed application Formica created: "We are rolling out to new distributors every day, and the feedback has been very positive . . . I can safely say this project was a success. . . "We're serving about 16,000 unique page hits and 18 MB of data everyday." Phil Catlin, Application Development Manager, Formica Corp. -- "It took only four days from not having ever seen the software to a complete production application that was ready to be used by agents and customers." Lee Gillow, Airways Freight -- "With the reasonable acquisition cost of WebSmart it was easily cost justified. Our customers love it and we are very pleased with the end result." Dolly Newville, MIS Manager, Weigh-Tronix WebSmart users include: Altec Lansing, Affinity Insurance, Arrow Environmental, Behr Process, Baker Petrolite, Bristol Hospital, Calvin Klein, City of Moorhead, Diesel, D.J. Powers, Dole-Standard Fruit, EMED, GasBoy Int'l, General Semiconductor, Goodyear Tire & Rubber, Hoshizaki America, Hytrol Conveyer, Lamps Plus, Kauai Electric, Kelly's Kids, Kwik Trip, Labette Community College, Legacy Partners, Midwest Trophy, MSU, Nacco Materials, Oregon Dept. of Vet. Affairs, Peg-Perego, Penn Fishing Tackle, SouthTrust Bank, State of California, Testor Corp., TST/Impresso. . . ====== WebSmart Overview ====== WebSmart offers you Superior Technology that lets you create your own solutions, retain development control, plus have the FREEDOM of CHOICE. - Create, extend and deploy fast, fully secured, elegant B2B, B2C Web/browser based apps. - Run on either the iSeries 400 HTTP or Apache HTTP server (ILE/CGI), and/or on multiple platforms such as Windows (NT/2000), Linux, UNIX using WebSmart's JSE (Java Servlet Edition) that runs on WebSphere, Apache Tomcat, BEA Weblogic. . . servers. All from ONE SINGLE IDE EFFORT! Develop new or customize the 70+ FREE templates and e-Commerce apps with the PC based IDE. Extend any iSeries-AS/400 app. Price includes unlimited developer and end-user seats. A developer can have a seat at work, on their laptop traveling, and at home. Work anywhere on or off-line (with syntax checking, validation. . .), email objects for true portability. Use existing skills, requires little or no Web or iSeries-AS/400 programming, and. . . it's affordably priced. ====== FREE Download & Special Promotion ====== LIMITED TIME PROMOTION: Purchase WebSmart and get 10% off the list price, plus 30% off any other BCD product that is ordered within 45 days of a WebSmart purchase, including these: ProGen Plus, Nexus, Catapult, Spool-Explorer, Docu-Mint. . . (20% off on EZ-Pickin's). No prior sales. For a complete evaluation get the FREE DOWNLOAD and professionally written user guide. Click http://www.bcdsoftware.com, email sales@bcdsoftware.com or call us at 630-986-0800 to discuss your needs and how WebSmart can help solve them. All BCD products come with excellent support. BCD, for over 25 years, a name you can trust: Winner of 18 Industry Awards, 9,500+ customers and 23,000+ products sold. ================================================== All trademarks mentioned are trademarks of their respective owners.