1 April 2007

Sign here

FDA pharmaceutical regulation 21CFR11 is making its mark across the industry; drug developers, drug manufacturers, equipment suppliers must comply.

By Ellen Fussell Policastro

Kathleen Waters works in South San Francisco as a principal automation engineer at Genentech, a biotech company that uses human genetic information to discover, develop, and manufacture biotherapeutics to address life-threatening illnesses. Part of Waters' job is dealing with FDA regulations. The 21 CFR Part 11 (21CFR11) regulation deals with data handling and criteria under which the FDA considers electronic records and signatures, as well as handwritten signatures executed to electronic records, to be trustworthy. (See "FDA 21CFR11: The basics") While Waters and her team must deal with 21CFR11, she admits only a handful of predicate rules apply to Part 11. (See "Predicate rules") So it is important to assess each situation based on equipment use and not just on the rules.

Waters' team deals with equipment cleaning and maintenance, equipment use, master batch records, master production, and control records sampling. The new guidance document, which came out three years ago from the FDA on Part 11, has forced people to think; "just because you have records on a system, doesn't mean they're Part 11 records," she said. "In the new document, there was a much higher focus on predicate rules [CFRs], and because of that, when you look at Part 11 applicability on systems, you don't look at records of signatures, but how the system will be used," she said.
 
Here's how it works with Waters' team. When dealing with a new system coming into the plant, they will conduct a Part 11 assessment. The first step is to make sure Part 11 applies to the equipment. "If it does, we identify what rules it applies under; if it doesn't apply, we have to state the intended use and why it doesn't apply," she said. One situation in which 21CFR11 would not apply is if the plant bought an autoclave controller, in which a basic module prints out a report used for equipment tracking of temperatures and alarms. That is valuable from an operational perspective because "there are other ways to get that data, so that printout or that capture doesn't necessarily warrant being a Part 11 record," she said. "If you've integrated all your equipment with a data historian, your data historian is the repository of record for a lot of this data."
 
In another instance, when buying a new centrifuge (equipment used for protein extraction-to purify proteins or separate materials), Waters' team assesses what products will run on the equipment, and where they'll use it, such as with the manufacturing execution system (MES) and the plant data historian. "We define the whole problem and do a Part 11 assessment, going through the CFRs and looking for rules that apply to this piece of equipment," she said. "Because this system has recipes in it, there's a predicate rule associated with it, and it is product specific. So we determine if we have Part 11 applicability. If Part 11 applies, we look at what records we maintain in the system in electronic format. Because a lot of controllers don't maintain records, there's no Part 11 record in the controller, but they are in the SCADA system or HMI. Generally these records are the configuration of the system, which includes recipes, any type of trending maintained on that system, and an alarm event log for actions or interventions with the system," she said.
 
It is important to be subjective when assessing CFRs and putting systems in place, Waters said, because companies will do things differently based on what their infrastructure is. With source code, for instance, vendors might build in ways to do audit trails in configurations. But some companies have a standard system they use (such as a configuration management system external to process control). "They've built procedures around it to maintain this audit trail," she said. "So the question then becomes: Does it make sense to use vendor XYZ's tool when you already have a proven tool? We'll extract that data out and move it into a different system, or we might say yes we are going to use that. There's no best way to do it."

Complying for record storage

Just as drug makers need to assess their processes to figure out where and when to comply with 21CFR11, equipment manufacturers design or purchase different software packages to help end users comply.

Fluid Air manufactures shear granulators or mixers and fluid bed driers for powders in solid dosage processing, in Aurora, Ill. The company also uses software for storing electronic records. "We developed proprietary software that has to do with batch processing," said Sarah Crutchfield, the company's manager of software development. The company also purchased batch architect software. "They both accomplish the same task, but it depends on which brand the customer wants to go with," she said. Both systems comply with 21CFR Part 11 by providing means for electronic signatures and creating and storage of electronic records. 
  
Before the regulation, everything was done on paper records, "but now if you choose to provide the FDA with records in electronic format, you must comply with Part 11, which still allows paper records to be submitted," Crutchfield said. This makes sense for smaller companies who could find it too expensive to implement electronic systems. In such cases, "they would still have a paper batch record that would record that information," she said.
  
Using the right software helps in other ways than just complying with the standard. Using the technology to create secure records and keeping computer processes familiar to operators makes it easier to find those records in the future rather than having paper files, Crutchfield said. "We have part of our batch processing in which we create recipes to control the process so it should be able to run without operator intervention. This way it provides a more consistent product in the end when it's computerized, and we're eliminating human error."
 
Suppliers build in software packages

Quite a few hardware and software manufacturers have been designing technologies into their equipment to meet compliance requirements. The goal is to make it easier to provide unalterable records, encryption, and increased security, and to eliminate the possibility of making modifications without a record. Quite a few hardware and software vendors have redesigned and upgraded offerings to help customers in pharmaceuticals, biotech, and medical industries, especially with security features in HMI software.

Adding security features and permissions to define individual users provides a tool for integrators to meet 21CRF11 with data recording and storage. When an operator logs in, it is recorded with encrypted data log files. When running a recipe, the operator who has logged in can acknowledge every operation of the recipe," said James Davis, senior systems engineer at Opto 22, a manufacturer of hardware and software products that link electrical, mechanical, and electronic devices and machines to networks and computers, in Temecula, Calif. "That's the main heart of this regulation. Every operation code performed is logged and time stamped, and the current operator is noted." The most common architecture on the user end is a recipe residing in a sequel database. Software for compliance gives developers a chance to set up the operator, pull up the recipe, and run it a step at a time, Davis said. Features in equipment might be to automatically increment up the day and hour with the time stamp whenever there is a change to a control program. 
  
The significant aspect of any software feature is to be certain the person making the change is authorized to make it and is completely identified by a file that can't be altered or removed, said Tom Edwards, Opto 22's senior technical advisor. "That puts the information in as part of the database file. So it's a functional part of our record."
  
Edwards said he believes the trend in the next few years could be companies responsible for building equipment that is part of a validated system will become smaller because the process adds overhead. "From my perspective, the validation process is awkward and difficult. Whether or not a company chooses to participate is a question that goes to the core of doing business. It's a pain to deal with a validation process. Some suppliers might just start opting out; we've decided to opt in by making more tools," he said.
  
Some companies building in software go to a lot of trouble to meet 21CFR11 requirements, such as building the audit trail and making it difficult to make a change. Others have backed away from building that security into their system. The future could hold a more select group of suppliers who have gone to the trouble of adding the features to help validate the process, Edwards said. "All we've done is tried to give all the tools to the ultimate person responsible for validation."

ABOUT THE AUTHOR

Ellen Fussell Policastro is the associate editor of InTech. Her e-mail is efussellpolicastro@isa.org.