Managing Software: Are new FDA regulations headed your way?
Does a food company need to concern itself about Part 11? Roddy Martin of AMR Research believes it should. “Rest assured that the FDA Part 11 regulations will reach the food industry. For those who have taken an electronic versus paper-based approach to HACCP, it is already here.”
The FDA has been gearing up for Part 11. To date, they have trained over 700 inspectors in computerized systems that are now beginning to audit systems.
The FDA introduced 21 CFR Part 11 in August 1997 to guide all FDA regulated manufacturers’ handling of electronic records, signatures, authorization processes and traceability. The detailed FDA requirements must be adhered to if an organization chooses to maintain electronic records, including electronic signatures, as part of its compliance procedures. Since Part 11 only applies to electronic records, you only need to follow it if you use electronic records.
Although Part 11 is optional, it may already apply to you. Part 11 covers any records that are subject to FDA inspection. If you use automation to collect or maintain these records, you must comply. Even if you use the computer as a typewriter and later print out the records to be managed manually, Part 11 applies.
One area of FDA concern is HACCP. Companies have taken three approaches to HACCP. A manual paper-based approach uses no computerization. An automated approach uses computer-assisted methods to collect and manage HACCP information. Many of these systems are based upon MES or ERP systems and many are custom written. A hybrid approach uses some manual records and some computerized records.
Since a manual approach does not involve electronic records, Part 11 does not apply. At the other end of the automation spectrum, some companies have fully automated their HACCP efforts. These systems must meet the requirements of Part 11. The portions of hybrid approaches that use automation must meet the same requirements as systems that are 100% automated. The manual components of a hybrid system do not need to meet the requirements. However, you must be able to demonstrate how the manual and automated portions of a hybrid system work together and how the records stay in synch.
The key requirements of Part 11 are security, e-signatures, and records management. Part 11 sets security requirements that go beyond that which is available on most software products. For example, records must include the full name of individuals, not just user ID. Security must provide automatic session timeouts after a predetermined period of inactivity. Any unauthorized system access attempts must result in automatic notifications to the security officer.
Most transactions require electronic signatures or e-signatures. Electronic signatures serve as a legal signature and the related document is a legal document.
Since all records are in electronic format, Part 11 sets forth requirements on records management. For example, audit functions must record all changes or deletions to records. In all cases, the system must be able to reconstruct what the database looked like on a past date.
What should you do about Part 11? Does it apply to you? If areas of compliance involve records that are collected or maintained, in any way, electronically, Part 11 applies. If your computer systems are from a packaged software vendor, talk to the vendor about compliance. If the vendor enables Part 11 compliance, this may be your most inexpensive and quickest solution.
If the systems are custom, heavily modified versions of packages or just old, you face a bigger challenge. You may need to replace the existing systems. Both ERP and MES vendors are now touting systems that can help you comply. Be aware that the FDA does not validate software products. But software suppliers can assist you in compliance.
Software products also exist which connect to a variety of systems, (QA, MES, ERP, manual) and assist in bringing your legacy plus manual systems into compliance.
The FDA Compliance Policy Guide, can be accessed at http://www.fda.gov/ora/compliance_ref/cpg/.
What does the future hold? Roddy Martin tells us, “With the FDA training more specialist inspectors in computer based systems, we can expect more attention to our IT systems, infrastructure, and information security. Increasing integration of systems means that information traceability is an increasingly critical thread across your entire extended supply chain.”