Editorials - Call in for a Coffee
"IS Security: A 21CFR Part 11 Issue, or a General GxP Concern?"
January, 2006 : Edition No.10

Anyone who has been involved in assessing the compliance of computer-based systems against 21CFR Part 11 will know that many of the questions revolve around good IS (Information Systems) security – both procedural and technical.

Whilst Part 11 has (quite rightly) caused a lot of concern in this area, it is only one reason for addressing the issue. Guidance from PIC/S also clearly indicates that IS security will be a major topic for companies subject to PIC/S inspection. In fact, IS security matters both to GxP (GMP, GLP, GCP, etc.) compliance and to the business.

A Business Issue

Whilst no one would deny that IS security is a GxP issue, there is of course a wider business issue. As well as holding GxP critical data and confidential data concerning patients or employees, all pharmaceutical companies have company confidential data. This may include sensitive financial or sales and marketing data. Assuring the integrity and confidentiality of such data alone should be sufficient reason for pharmaceutical companies to treat IS security very seriously. If proper controls are put in place for good business reasons, compliance with GxP regulations should be achieved as part of the same programme.

A GxP Issue

In the GxP parts of the business many companies appear to be going to great lengths to decide what is and is not an ‘Electronic Record’, and what data are within the scope of 21CFR Part 11. Many have chosen to use the definition that an ‘Electronic Record’ is only created when data are stored to ‘durable media’ (meaning non-volatile storage media such as a hard disc or CD-ROM). There are few (if any) signs that the US FDA is willing to accept such a blanket definition, preferring to take each case on its merits. Whether or not data are stored on durable media, whilst GxP critical data are within a system there is always a security and data integrity risk, regardless of whether or not the data constitute an electronic record at any given moment in time.

Take the example of batch data held in non-durable memory in a programmable logic controller (PLC) until the batch run is completed, with the data either printed or transferred to hard disc when the batch completes. The data are not held on durable media whilst the batch is running, but if a batch run takes hours the GMP critical data are still at risk from accidental deletion or deliberate change whilst they reside in the memory of the PLC. Whether or not Part 11 applies is not the sole issue. There is a general data integrity issue that is considered under general GMP rules. Any company that believes that defining a system as outside the scope of Part 11 settles the matter is ignoring the general IS security issue, and risks serious non-compliances with respect to data integrity. Most FDA citations for computer systems are for non-compliance with the applicable (predicate) GxP rules, not with Part 11.

PIC/S Guidance

In July 2004, PIC/S published their document "Good Practices for Computerised Systems in Regulated ‘GxP’ Environments".

As well as covering Electronic Records and Electronic Signatures issues, it addresses wider issues of IS security as they impact upon GxP. Interestingly, the document references not only 21CFR Part 11 but also ISO/IEC 17799:2000, a standard that deals specifically with IS security.

ISO/IEC 17799:2000

The PIC/S guidance states (section 20.1): "Firms will need clearly documented policies, standard operating procedures, validation reports and training records covering such system controls. Information Security Management standards such as ISO/IEC 17799:2000 may be of assistance with the design, implementation and control of such systems." Since this text is italicised in the draft guidance, the recommendation to Inspectors is that this is one of the things they should be considering during an inspection.

At least one of the agencies contributing to the guidance has informally stated that its Inspectorate will not consider IS security an issue worthy of in-depth inspection at companies that have achieved formal certification against ISO/IEC 17799. (Strictly, ISO/IEC 17799 is a code of practice; the certifiable specification was BS 7799-2, now published as ISO/IEC 27001:2005, and it is against that specification that an Information Security Management System is certified.) Whilst achieving certification is not a trivial matter (typically taking more than 12 months), if it reduces the likelihood of IS security being the focus of an inspection it may well be a price worth paying.

Comparison Between 21CFR Part 11 and the PIC/S Guidance

A formal comparison between the two documents (cross referencing various sections) reveals some interesting similarities in most procedural controls, but a number of differences with regard to technical controls required.

With respect to the procedural controls required by 21CFR Part 11 and PIC/S, neither document provides a great deal of prescriptive content on how those controls should be implemented. As an example, the secure management (approval, distribution, storage and use) of documentation containing security-sensitive information is covered in both documents, yet neither goes into detail on how this should be achieved. This is rightly so, considering that there are many different ways of achieving it for both electronic and paper documents.

The PIC/S document emphasises the requirement for comprehensive audit trails, and the practical interpretation of this guidance is very much in line with the requirements mandated for compliance with Part 11. With regard to other technical controls, however, Part 11 tends to be more direct. These areas include timestamps, password management and encryption, periods of continuous use, ‘immediate and urgent’ reporting of attempted security violations, and so on. One of the most significant such differences concerns the use of Electronic Signatures: where Part 11 provides detailed technical requirements, the PIC/S guidance again remains general and subject to practical interpretation.

Another technical area where Part 11 is specific, and which is not covered by the PIC/S guidance, is that of making records available for review by the Inspectorate. This includes the ability to make both electronic and paper copies available for off-site review. For a number of systems this represents a considerable technical challenge. Where systems, installations and sites do not fall under the inspection remit of the FDA, this requirement is not mandated.

However, since the PIC/S guidance also references 21 CFR Part 11, and since many PIC/S inspectors cover sites that are also inspected by the FDA, the individual PIC/S inspector certainly has leeway to determine what constitutes acceptable controls, both procedural and technical.

Conclusion

In summary, pharmaceutical companies need to take IS security seriously. This means taking steps to comply with the relevant guidelines, or at least being aware of the requirements that inspectors derive from their interpretation of them.

Free Consultation

For more information, simply contact the Factorytalk team and “Call in for a Coffee” for a free consultation.

We are located at :
Factorytalk Co., Ltd.

12th Floor, Liberty Square
287 Silom Road
Bangrak, Bangkok
10500 Thailand

Telephone : +66 (2) 630-4525      
Facsimile : +66 (2) 630-4527

Factorytalk Pte Ltd
25 International Business Park,
#04-106-107A,
German Centre,
Singapore 609916
Telephone :  +65 6562 7634       
Facsimile : +65 6562 7635
