The FDA (Foods and Drugs Administration) requires all manufacturers in the pharmaceutical or agri-food sector who wish to market their products in the United States and, by extension, in Europe to comply with the 21 CFR part 11 standard. A company in one of the above-mentioned sectors, which acquires a CMMS (Computerised Maintenance Management System) solution, must check the compatibility of its solution with the 21 CFR part 11 standard.
But beware, it is not enough to have a solution that meets the expectations of the standard, the American regulation goes much further since it imposes numerous guarantees on the integration of the solution to meet the criteria by the FDA.
The 21 CFR part 11 standard sets out the regulatory requirements that each industry must meet in order to comply with the US legislation on data retention and electronic signatures. This standard certifies that the company complies with the very high security criteria required by the standard, which greatly reduces the risk of non-compliant products being placed on the market.
A standard that imposes a traceability on several levels
The key phrase associated with the standard is exhaustive traceability. Let me explain, the company must know at all times what has been done and by whom, with a very thorough identification system. This is one of the first requirements for compliance with 21 CFR part 11. To do this, the chosen solution must allow you to record the traces left on the systems and make them usable and selectable with a before/after value on the modified data. They must then be usable in an intelligible and simple way. Changes that are time-stamped by the solution and recorded operations should be easily accessible, for example via a function built into the tool that does not require querying skills.
Once the use of data has been mastered, the transactional circuits must be tackled. To do this, the CMMS must necessarily offer an electronic signature allowing step-by-step traceability, based on the identification system.
This system should be strengthened by more detailed management of users, right down to the unitary data. Each participant will only be able to intervene in the part of the process that has been allocated to them (traceability of data access). Likewise, in a process, only certain fields may be accessible depending on the user and their display or use may even be restricted depending on the value of the field. An automatic logout mechanism after a certain period of time is essential. Of course, everything that must be respected in the desktop tool, must also be respected in your mobile tools.
Implementation, a critical phase for compliance with the standard
The most critical stage concerns the implementation of the solution. It must be carried out in the presence of the customer (four-handed installation) since it is the customer who will be the guarantor of the conformity of the installation of the solution in the event of an audit. The 21 CFR part 11 standard requires a proven methodology at this stage to guarantee the quality of the solution’s integration.
First, in terms of documentation, the editor must provide an exhaustive and comprehensible documentation for the client, including the changes made in the software, so that the latter is able to understand the impact of these changes and to check their compliance when the software is first installed, but also for any updates.
The editor can then define with the customer the number of environments necessary for the implementation of the software (test, production…) and the methodology adapted to this architecture.
Once again, the traceability of operations will be essential to guarantee that each action carried out in one environment is reproduced identically in the others and especially in the production environment.
Two phases are essential: ’IQ (Installation Qualification) which details precisely the installation to be carried out for the various environments and the OQ (Operational Qualification) which guarantees that the software complies with the specifications expected by the customer ant that they will be reproducible in production.
A choice that should not be made lightly
Faced with this regulatory constraint, it is above all a question of software editors and integrators supporting their customers in the implementation of a system that is both secure and efficient and that allows them to improve the management of maintenance while naturally providing the elements expected by the standard during audits.
Interview with an expert – Laurent Crétot, Sales & Marketing Director at Siveco Group
