Compliance to 21 CFR Part 11 requires an understanding of its implications.

Accountability is the name of the game in this post-911 environment. Due to both malicious and non-malicious threats, as well as the global nature of the food supply, security and traceability have become prominent issues. But defining security in the age of intranets, web-based software and wireless technology, has brought a whole new concern to our industry. Hence, 21 CFR Part 11.

For some time, food manufacturers have been observing the impact regulatory compliance has had on the pharmaceutical industry. Within that industry, the FDA is regularly issuing Part 11 non-compliance citations.

Ask food industry experts about what they see on the pharmaceutical side of the aisle and the importance of 21 CFR Part 11 to the food industry and you a get near unanimous view that it will have a significant impact. Ask when it will happen and you get a variety of answers. Rob Wiersma, responsible for food industry solutions for SSA Global, says, "Part 11 will be a requirement for the food industry. Our food industry customers see it as an absolute requirement in the future. The question is when will the FDA begin enforcement?"

John Blanchard of the ARC Advisory Group agrees. "With our food supply being a potential terrorist target, concerns about food safety have risen substantially and Washington has taken notice. We can feel comfortable that [Part 11] is coming, but no one knows for certain when. It may be here much sooner than anticipated," he says.

The truth is, the FDA likes paper records. With paper records, a single person makes a single entry. Required signatures allow for easy identification. When an individual signs paper records for the company, it puts the individual on the hook for civil and criminal penalties. With paper, signatures can easily be verified at any time in the future. And, the FDA can demand physical records be produced for review. In the world of paper, any modifications or edits to these records is readily apparent.

From tangible to intangible

In response to a world moving further and further away from paper, the FDA released Part 11 of Title 21 of the Code of Federal Regulations (CFR), or 21 CFR Part 11, in August 1997. The regulation allows companies to use electronic records and signatures. In fact, if companies use computer systems for production and/or distribution of FDA-regulated products, they must use electronic records and signatures.

Electronic records are less tangible than paper records. Significant expertise is required to track modifications and edits. On a network, modifications or edits can be made from anywhere, by anyone. For the above reasons, the integrity of electronic records is more difficult to verify.

They are also more nebulous in terms of identifying people entering and vouching for data. The entry of information requires a password or passwords for identification and proof of data integrity but the password does not necessarily guarantee a link between the individual who entered the data and the owner of the password.

To meet these concerns of reliability, security and accountability, the key requirements of Part 11 are security, e-signatures, and records management. Part 11 sets security requirements that go beyond those which are available on most operating systems or application products. For example, records must include the full name of individuals, not just user ID. Security must provide automatic session timeouts after a pre-determined period of inactivity. Any unauthorized system access attempts must result in automatic notifications to the security officer.

Much of Part 11 is aimed at normal business transactions. Section 306 of the Bioterrorism Act discusses the establishment and maintenance of these transactions, which include lot tracking and others. In fact, depending upon the organization's interpretation of the regulations, many other transactions may call for treatment under Part 11. Among those items that should be considered: formula development; purchasing, receiving and quality records; and shipping records, product returns and other records that complete the product-tracking picture.

Many, if not all, transactions require electronic signatures or e-signatures. Electronic signatures serve as legal signatures and the related documents are considered legal documents. However, the electronic signature calls for an additional level of security. First, individuals must be authorized to do the transaction and, second, they must "sign" the transaction after it has been entered with a separate password. In addition, many transactions will call for a second person to "sign" the transaction to verify the accuracy of the information and the authenticity of the first signature. Some companies have chosen to use biometrics-fingerprints, hand dimensions, eye scans, etc.-as the "password."

Since all records are in electronic format, Part 11 sets forth requirements on records management. For example, audit functions must record all changes or deletions to records, including before and after snapshots of the data. In all cases, the system must be able to reconstruct what the database looked like on a past date. Although not an absolute requirement, many vendors are encouraging users to store the electronic records on a second, secure server or even a write once/read many times storage device.

What are the risks?

The stakes are high for the industry. Failure to comply with Part 11 invalidates an electronic record in the eyes of FDA. Companies cannot rely on invalid records for compliance-to the FDA these records are non-existent.

Dealing with the regulatory agencies is only part of the risk. Today, the press stands ready to spread the news about food supply problems. "Loss of consumer confidence in your company or your brand can mean loss of an entire product line or even destruction of the company itself," Blanchard says. "The food and beverage industry and its retailers are particularly vulnerable to bioterrorism and regulatory actions that could destroy a brand or a company through loss of consumer confidence. Understanding and complying with this law can help to better manage increasing business risk."

Ultimately, the choice is yours. The FDA introduced 21 CFR Part 11 to guide all FDA regulated manufacturers' handling of electronic records, signatures, authorization processes and traceability. The specifics of how you choose to comply are determined by how you interpret the guidelines. If you decide not to use computerized records for compliance to the various FDA, USDA and other regulations, Part 11 does not impact your business.

But most companies are finding it very difficult and expensive to comply with these regulations without the use of computer-based data collection, organization, storage and retrieval. Manual effort can be difficult to afford, adding both administrative overhead and production inefficiencies. Organizational and storage requirements are difficult and expensive, and the time demands of information retrieval make it impractical, and perhaps impossible, to comply manually.

Although Part 11 is optional, it may already apply to you. One area of concern is HACCP. Companies have taken three approaches to HACCP. A manual paper-based approach uses no computerization. An automated approach uses computer-assisted methods to collect and manage HACCP information. Many of these systems are based upon MES or ERP systems and many are custom written. The third option, a hybrid approach uses a mix of manual and computerized records.

Since a manual approach to HACCP does not involve electronic records, Part 11 does not apply. At the other end of the automation spectrum, some companies have fully automated their HACCP efforts. These systems must meet the requirements of Part 11. The portions of hybrid approaches that use automation must meet the same requirements as systems that are 100% automated. The manual components of a hybrid system do not need to meet the requirements. However, you must be able to demonstrate how the manual and automated portions of a hybrid system work together and how the records stay in sync.

Moving forward, Yves Dufort of Wonderware thinks industry leaders will push for more control of their business. These leaders are facing the realities of globalization in the food industry and understand that product consistency and product safety must be addressed on a worldwide basis. In furthering these objectives, they are standardizing work processes and reporting systems. They need to know who has touched a product or entered information about a product into the production process. Dufort sees these companies demanding the level of control and security of Part 11, not for regulatory reasons but for internal control reasons. He sees Part 11 functionality as becoming a standard feature for most software products targeting the food manufacturing industry and he sees this as the way to achieve these objections while limiting the engineering and development cost of an internally developed approach.

So, is Part 11 a challenge or an opportunity? If you see Part 11 as another government requirement to be satisfied, it is a challenge. If you see it as part of improving internal operations and increasing the quality and quantity of information about your operations, it's an opportunity. Either way, Part 11 just might be the justification you need to improve your business processes and internal systems.