8-Mar-2004

Have you complied?

Abstract

Barry Hill, director of Facility Monitoring Systems, and Morgan Polen, VP of Applications Technology at Lighthouse Worldwide Solutions, discuss Facility Monitoring Systems and 21 CFR Part 11 Compliance

The United States Food and Drug Administration (FDA) is the government agency responsible for the approval of new drugs and the controls for manufacturing of pharmaceuticals that are consumed in the USA. All drugs manufactured in the USA and all drugs imported are subject to FDA regulations. Different national regulations are similar to the FDA regulations in purpose but the importance of the US market is such that it is the FDA regulations that are given prominence. The FDA requires that all drugs are manufactured in accordance with current Good Manufacturing Practice (GMP) regulations. The pharmaceutical manufacturing company must prove it is in compliance with these regulations at all stages before a drug can be released to the end users. Part of the proof is the collection and storage of data. The collection and storage of manufacturing data is of such fundamental importance that it is not surprising there are many regulations that cover proper record keeping. Over the past decade computer systems have become fundamental to the process of collecting manufacturing process data. It to be expected that regulations would be introduced to address the problems inherent in electronic record keeping and the submission of records to the FDA in electronic form. The objective of these FDA regulations is to ensure any data submitted to support any product is trustworthy and can be relied upon. These regulations were introduced in 1997 as "Electronic Records; Electronic Signatures"1 commonly known as 21 CFR Part 11 or just 21CFR114. There have been several FDA guidance documents issued on the application of 21 CFR Part 11, all of which were superseded in August 2003 by a revised "Guidance for Industry Part 11, Electronic Records; Electronic Signatures Scope and Application"2. The revised FDA guidance changed the FDA's approach to the scope and applicability of 21 CFR Part 11 by basing it on a risk-based assessment for regulatory compliance. This change was to counter the consequences of the original guidance3 where producers were adopting strategies that avoided the use of electronic records rather than exploiting computer systems to simplify the collection and reporting of manufacturing information. Many pharmaceutical manufacturing facilities have automated data collection systems for measuring environmental parameters such as particle counts, pressures, temperatures and humidities. These systems are often known as Facility Monitoring Systems (FMS).

Facility Monitoring Systems A typical FMS (see Fig. 1) has a computer that controls input via a network of some description sensors. The data from these sensors is time stamped, stored in a database and displayed. Usually the collected data is compared with alarm limits and, where necessary, alerts are signalled to staff using lights and sounders. An FMS will include reporting facilities. The reports usually include graphs, statistics and tables of collected data. These reports are basic evidence to support a production batch. FMS installations are, naturally, subject to 21 CFR Part 11.

Compliance with 21 CFR Part 11 It is not possible for any computer system to be 21 CFR Part 11 compliant per se. This is because compliance includes staff, training, physical environment and security, all of which are outside the control of any FMS supplier. The end users can only judge compliance, as they are the people ultimately responsible to the FDA and any other regulatory body. When a supplier claims "21 CFR Part 11 Compliance" they are usually aware of the problems with such a claim but use it as shorthand for "Providing the necessary facilities to permit an FMS to be made a part of a 21 CFR Part 11 compliant installation". Because the end user is the final arbiter in determining compliance with 21 CFR Part 11 this causes problems for suppliers of FMS software. First, there is the question "Is it necessary for a particular facet to be compliant," and second "What is compliance?" as some interpretations are contradictory, and in some cases, mutually exclusive. The FDA's 'risked-based' approach infers some of the regulations can be considered optional, but from an FMS supplier's point of view, this means compliance with all regulations is required because any end user may demand, quite properly, that their version of 21 CFR Part 11 is complied with. This is, in effect, no different from the previous guidance where little was optional.

Security Physical Access: This is the first layer of security. It is an unfortunate fact that employees perpetrate most malicious acts and data theft from a computer system. Restricting access to a limited number of individuals restricts the physical risk to a system. Simply locking a computer in a cabinet or office avoids unauthorised access. If you do not have a key, you cannot get access. User Access: Access to systems requires a user to prove they are permitted access, usually by providing a username and a password. Alternatives to usernames and passwords include biometrics and key cards. 21 CFR Part 11 does not specify a particular type of access control, only that a minimum of one biometric or two non-biometric tokens are used. Usernames and passwords are usually acceptable methods of identification. They are simple and cheap and do not have the problems associated with biometrics, for example fingerprint identification is useless if you have to wear gloves. However, they can be compromised as a result of discovery. Discovery can be watching someone logging in or by hacking user names and passwords (social attacks are the most likely: wife's name, cat's name, car registration, etc). These two threats can be countered easily by incorporating password ageing and terminal lockout and an alarm after a small number of failed logins. Password ageing forces a user to change the password at given intervals to a new, different, password. Network access: Computer systems are often networked to allow users remote access to data. 21 CFR Part 11 defines two types of system, open and closed. The difference between open and closed systems is a matter of much debate and, as with many things, this is a matter of opinion. A closed system is defined as a system in which the owner of the system has complete control over access to the system and its data. An open system is where the owner of the system does not have complete control over access to the system and/or data. An example of such a system is where access is via the internet. The data, unless encrypted, can be read by a third party and in principle, modified by a third party. If encrypted secure internet connections are used then this cannot (practically) happen. It could be argued that a system that uses encrypted communications is always closed as any data collected by a third party is useless. In other words, the act of making an open system secure for 21 CFR Part 11 purposes often makes it a closed system. Most FMS installations are closed systems. They are responsible for supervising well-defined areas of plant inside a factory. There is seldom any need to provide access outside the facility, hence the system has no reason to be anything but closed. An FMS that is networked needs to include access controls that allow access only by other computer systems that have been granted permission. A simple means of controlling access via TCP/IP is by using the network configuration (network mask) that can greatly restrict communications between computers even if wired together. Wider access can be restricted using IP addresses that are not recognised across the internet (such as those starting 192.168.), which not only prevent access from outside a facility, but also prevent access to systems outside the local area network (LAN) from within the facility. On one hand, proxy servers can make it possible for any system within a facility to connect to a system anywhere on the internet, but on the other hand, this can be controlled and if necessary prevented by using a network firewall.

Audit trail It is important to any 21 CFR Part 11 regime to record when users access a system and when any changes occur to the system as well as the nature of any changes. The audit trail identifies when individuals access the system and the reasons for performing the actions. Normally these actions must be signed using an electronic signature (described below). This links an action to a responsible individual. In networked systems, the computer being used also needs to be identified.

Version control When any configuration is changed it is necessary to be able, at some later date, to return to an older configuration, if only to determine the nature and effects of the changes. Version control can take the form of a comprehensive version control system that allows any combination of previous version to be recovered and tracked or simply saving time stamped copies of a configuration.

Data security There are two types of data security that are, in part, contradictory. One type of data security relates to keeping data secret, the other type of security is keeping the data accessible over long periods of time. Unless an FMS links collected data to confidential data, such as patient records, the information collected is unlikely to be useful to anyone outside the organisation; therefore the data does not have to be kept secret. However data must be reliable and alteration must be detectable and reported when found. The easiest method of data protection is to add a Cyclic Redundancy Check (CRC)6 to each data record. This can be compared with the CRC of the data each time the data is retrieved, thus verifying the date. Including record length and position information with the CRC makes alteration without detection nearly impossible. Encryption makes alteration very difficult. Encryption works by breaking up data and mixing it with a key. This makes it very difficult to alter data because what was data in a comprehensible, non-random order is turned into (for all intents and purposes) an unintelligible random sequence. An example of a simple encryption algorithm is given in reference5. The problem with encryption is that data can only be retrieved if the means of decryption exists. This can cause difficulties over long periods of time. It is possible that data may be needed to investigate the effects of drugs given to an infant on conditions in old age which may be (say) 100 years after the data was collected. Given the rate of obsolescence of computer systems, it is to be expected that the means to read encrypted data may not exist when the data is required. Encryption (and the associated technique of data compression) has the additional drawback that if any data is lost, then all the data is lost. One way to ensure long term data security it to store the data as plain text. This is more likely to be readable and interpretable over longer time scales, albeit at the risk to data confidentiality should the data be copied improperly. Ideally, a Facility Monitoring System would offer the facilities to save data using both methods as well as to achieve generally used databases such as SQL servers.

Electronic signatures An electronic signature is a token that is the same, legally, as an individual's written signature. An electronic signature is not the same as a digital signature. A digital signature is like a checksum added to a file or data record to confirm the source and validity of the file or data packet. An electronic signature can be a user's full name, for example an account name might be jbloggs but his electronic signature might be John X. Bloggs. To ensure the validity of any electronic signature, it is important that the FMS user management ensures user account names and the associated electronic signatures are unique and are not re-usable. It is also important that the electronic signature is different from the account name, as this is half the data required to log on to a FMS.

Email this story