The Part 11 of chapter 21 of the American CFR « Code of Federal Regulation » establishes the traceability expectations of manufacturers with regard to CMMS solutions

9 August 2021

The FDA (Foods and Drugs Administration) imposes to all manufacturers in the pharmaceutical or agro-food sector who wish to market their products in the United States and by extension in Europe, to comply with 21 CFR part 11. A company in one of the above mentioned sectors which implements a CMMS solution (Computerized maintenance management system) has to check the compatibility of its solution with the 21 CFR part 11 standard. But beware, it is not enough to have a solution that meets the expectations of the standard, the American regulation goes much further since it imposes numerous guarantees on the integration of the solution in order to meet the FDA requirements.

The 21 CFR part 11 establishes the regulatory provisions to which each manufacturer must follow to comply with US data retention and electronic signature legislation. This standard certifies that the company complies with the very high safety criteria required by the standard, this greatly reduces the risk of non-compliant products being placed on the market.

Standard that imposes traceability on several levels

The key word associated with the standard is: full traceability. Let me explain, the company must know at all times what has been done and by whom, with a very advanced identification system. This is one of the first requirements for compliance with the 21 CFR part 11. To do this, the chosen solution must allow you to record the traces left on the system and make them usable and selectable with a before/after value on the modified data. They must then be usable in an intelligible and simple way. The modifications that are time stamped by the solution and the recorded operations must be easily accessible, for example via a function integrated into the tool that does not require any querying skills.

Once the use of data is mastered, transactional channels need to be addressed. In order to do so, the CMMS will have to offer an electronic signature system allowing a step by step traceability based on the identification system.

This device should be reinforced by a finer control of the users, down to unit data. Each intervener will only be able to intervene on the part of the process that has been assigned to him (traceability in access to data). Also, in a process, only some fields could be accessible according to the user, their display or use can be restricted according to the value of the field. An automatic disconnection mechanism after a certain period of time without action is essential. Of course, everything that must be respected on the tool must also be respected on your mobile tools.

Implementation, a critical phase for compliance with the standard

The most critical phase concerns the implementation of the solution. It must take place in the presence of the client (4 handed installation) since it is the latter that will guarantee the conformity of the installation of the solution in the event of an audit. The 21 CFR part 11 standard, requires at this stage a proven methodology to guarantee the quality of the solution’s integration.

First of all, in terms of documentation, the editor must provide the client with an extensive and comprehensive documentation, including changes made to the software so that the latter is able to understand its impact and to check its compliance when it is first installed but also for any updates.

The editor will then be able to define with the client the number of environments required for the implementation of the software (test, production…) and the methodology adapted to this architecture.

Once again, the traceability of operations will be essential to guarantee that each action carried out in one environment is reproduced identically in the others and especially in the production environment.

Two phases are essential: IQ (Installation Qualification) which precisely details the installation to be carried out for the different environments, the OQ (Operational Qualification) which guarantees that the software respects the specifications expected by the client and that they are replicable in production.

A choice that should not be made lightly

In the face of this regulatory constraint, it is above all a question of editors and integrators assisting their customers in setting up a system that is both secure and efficient and that allows them to improve the management of maintenance while naturally providing the elements expected by the standard during audits.

By Laurent Crétot, Commercial Manager within Siveco Group
Translated from the Expert Advice published in the French media IT Social