The quickest, dirtiest breakdown of Part 11 for monitoring systems EVER!

Pharmaceuticals manufacturing
Paul Daniel, Vaisala
Senior GxP Regulatory Compliance Expert
Industrial Manufacturing and Processes
Life Science

In this week's blog, Senior Regulatory Expert Paul Daniel gives a brief (very brief) overview of 21 CFR Part 11 and Annex 11. Paul has Part 11 on the brain because he is currently updating our White Paper on how our monitoring solution handles the requirements of the regulation -- the next version will include EMA's Annex 11.
Paul writes:

Computerized systems are extremely common in the pharmaceutical, medical device, and biotechnology manufacturing and distribution operations. And, since these systems differ from paper-based systems, on which we used to depend for creating and archiving records, they need to be assessed differently. This is the idea behind 21 CFR Part 11 and Annex 11 (published by the FDA and EMA respectively): that quality should not suffer as a result of computerized systems replacing a manual system.

According to Annex 11:
"Where a computerized system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process."
The FDA similarly says that the purpose of Part 11 is to make sure electronic records are:
"...trustworthy, reliable, and generally equivalent to paper records."

The important system controls of Part 11 and Annex 11 include the following elements:
  • Validation
  • Human Readable Copies
  • Protection and Retention of records
  • Audit trails
  • Restricted access for authorized users only
  • Authority checks
  • Device checks
  • Training
  • Written procedures
  • System documentation

With regard to validation, Part 11 lays out the need for validation in the first item of Section 11.10: "Controls for Closed Systems":
(a) "Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records." For Vaisala's systems, we provide an IQOQ set of protocols and, if the customer desires, we execute as well. Furthermore, our systems are designed to prevent and identify alteration of records.

The next item in "Controls for Closed Systems" states: (b) "The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, nd copying by the agency." The fact that there is a specific regulation regarding human-readable copies demonstrates how far the software industry has evolved. It would be hard today to imagine a user-friendly system that did not allow printing of documents and data. For most monitoring systems, the records of interest are the actual historical monitoring values. And for most systems, creating a human-readable copy likely means that historical data and event logs may be printed out in a secure format, such as a PDF document.

The protection and retention of records, as described in Section 11.10 (c) means that whatever data your system produces, it may not be altered. In addition, to meet the requirement of "ready retrieval throughout the records retention period," your data needs to be archived in a way that it can be conveniently restored – you don’t want to make an auditor wait! Or, if you store the data permanently within your database, the database should be designed in such a way system's performance should not degrade as the database grows over time. How you meet this requirement may have as much to do with the design of your system as it does with your system administration policies around archival.

Item (e) in Section 11.10 - Controls for Closed Systems states:
"Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying."

In terms of an environmental monitoring system, this means that the electronic records (data and events) cannot be manually created, modified, or deleted. The Audit Trail of your system needs to capture any changes to metadata (schedules and report templates) and configuration data without obscuring earlier entries. Even better if your system doesn’t allow any changes to sensitive records.

As a closed system, your monitoring system needs to limit access to only "authorized individuals." That's item (d) in Section 11.10. Typically this means that all who have access to the system have a distinct username and secure password. Often a system will integrate with your OS authentication to leverage commonly used, pre-existing password management tools.

There is a lot more I could say about Part 11 - but is should be clear by now that it's really about risk management for electronic records and the new technology of digital signatures. The key idea is that validation and monitoring system security measures are most important when they pertain to critical records - that is, records that represent the effects of your Quality System. Less effort can be devoted to less critical records.

Part 11 and Annex 11 were introduced to address the key differences between computerized and manual systems and make electronic records equivalent to paper records as evidence of quality process execution. Today, most environmental monitoring systems used in GxP compliant firms are inherently aligned with the requirements of both the "Elevens." However, the risk comes not from the systems themselves, but in how they are implemented and maintained.

Although your monitoring system probably included User and Administrator manuals and CDs that are fairly easy to integrate into your Document Management System, the procedures that control documentation are still your responsibility. As good as your monitoring system may be (and, if you have a Vaisala system, it's awesome!), only the procedures of your Quality System keep you in compliance with Part 11/Annex 11.

PS – I know some of you are concerned about Electronic Signatures as well. Managing electronic signatures is a specialized software function. Specialty enterprise software exists for implementing Electronic Signatures within an Electronic Document Management System (EDMS). For Vaisala's monitoring solution, we recommend a "hybrid" system, which means it uses electronic records combined with handwritten signatures, wherein the PDF outputs can be imported into and EDMS.

Stay tuned for an updated version of our White Paper: "Assessment of Vaisala Veriteq viewLinc Continuous Monitoring System Compliance to 21 CFR Part 11 Requirements".




We received a great email from one of our blog readers. Here is a comment from blog reader Christopher R. Lee.

Thank you, Mr. Lee, for sending us your comments! (posted below)

Paul's reply to these comments was:
"Very cool! I like his viewpoint -- seems like a front-line explanation of a risk-based approach, combined with the experience of someone who has had to ensure quality both within and outside of a strict corporate structure." PD

Christopher R. Lee wrote:

How about a dissident view?

21 CFR 11 had been around a long time before I retired, & I was fortunate enough to retire a fairly long time ago. It seems that nothing has changed and that the regulators have no idea how things work in real life, including sending space shots to the edge of the solar system.
The current implementation of GxP, and particularly of compliant computerized systems, is stupid because it supposes that everyone involved can think of every tiny detail in advance, that nothing ever goes wrong with the equipment, and that with a PhD is capable of calculating 2+2. If a calibration certificate has expired by one day, an expensive the batch might be lost; better keep the documentation on paper so you can fix the date or the instrument reference.

If you want to set up a spreadsheet to calculate content uniformity according to the pharmacopeias, you can't, because IT will take 2 years to decide if the project is worth considering. It's much easier to pay someone to spend hours on each calculation using a (qualified?) pocket calculator.
I often hear my pharmacist tell customers that a product that has been prescribed will not be available for weeks or months. I'm convinced the only way forward is to accept the notion that errors exist, and to allow a certain amount of retrospective adjustment to documentation.
Perhaps I'm getting old.
Christopher R. Lee

Exploring Analytical Chemistry

Paul Daniel, Vaisala

Senior GxP Regulatory Compliance Expert

Paul Daniel has worked in the GMP-regulated industries for over 25 years helping manufacturers apply good manufacturing practices in a wide range of qualification projects.  His specialties include mapping, monitoring, and computerized systems.  At Vaisala, Paul oversees and guides the validation program for the Vaisala viewLinc environmental monitoring system.  He serves as a customer advocate to ensure the viewLinc environmental monitoring system matches the demanding requirements of life science and regulated applications.  Paul is a graduate of University of California, Berkeley, with a bachelor’s degree in biology.

Add new comment