21 CFR Part 11

21 CFR Part 11 Case Studies

Segalstad Consulting has been involved in many 21 CFR Part 11 projects, which have all been planned, executed, and handled in very different ways. Two of them are used as examples here, and a discussion of the pros and cons for each project is included at the end. Both companies are approximately the same size pharmaceutical companies with R&D facilities as well as production facilities. Both companies are located in the same geographical area, and one exports products to the US, while the other plans to do so in the future. Both projects were done in 2000-2002, before the FDA issued their guidance of a risk-based approach.

Project 1: A Norwegian Company (name withheld)

Checklist approach

This project started with writing a draft checklist. This was done in cooperation between the QA and Segalstad. The draft checklist was sent for further discussions in the organization, and a final checklist was created.

Discussion items in the process

At the same time all top-level SOPs for computer systems validation were revised to include the same baseline for all systems. As this company did not export anything to the US, the big discussion was which systems need to be compliant with Part 11. The company knew that sooner or later the EU regulations would include something equivalent to Part 11, and that the EU GMP Annex 11 also contains requirements along the same lines, but that these are not so explicit. The conclusion after very heated discussions was in essence that it was up to the system manager to decide, and no requirements were given.

System Part 11 assessment

There was no formal system assessment project, as it was up to the system managers to decide whether they wanted to check their system for compliance with Part 11 or not. Most of them decided not to do so.

Project 2: H. Lundbeck, Denmark

Checklist approach

This project started with creating a Part 11 task force of about 12 people. A rough draft checklist had been created earlier. The task force was given a one-week Part 11 class, starting with lectures, and continuing with supervised Part 11 audits, and finally Part 11 audits. After each audit the group got together to discuss problems they had encountered. The checklist was revised the last day. The conclusion after this week was that all participants had a common platform of understanding what Part 11 was all about.

Discussion items in the process

There were discussions during the week of training, but at the end of the week these were all over. The company knew it had to comply with Part 11, so the question was mainly which systems were GMP/GLP/GCP systems and which were not.

System Part 11 assessment

Each manager in the company was asked to fill in a form for each of the computer systems they used in their part of the organization. The group of trained people, now to become assessors, compiled a complete list of the company’s systems, and divided the systems between them for assessment. Two assessors worked together on each system, and they booked time with the system manager for the assessment. The teams changed, and almost all assessors worked with everybody. The checklists were completed and signed off by the assessors and the system manager, and included a suggestion for following up the non-compliance findings. A complete Part 11 report was created when all systems were done, and it was up to the upper management to decide the priority of which system need to receive remedial actions first and which could wait.

Discussion of the 21 CFR Part 11 Projects’ Approach and Results

Differences in checklists

There were differences in the checklists created. A few examples are here, but there were also other differences.

Date and time format: One specified this as “local time in the format DD-MM-YYYY HH-MM-SS”, and the other specified this as “unambiguous + requirements for definition of time zone”.

Versions: One did not mentioned versions at all, and the other specified this as “Distinguished as status or version number”.

Audit trail associated with record One specified this as “Shall be directly associated”, and the other specified this as “Should be associated, as this is easier to maintain”

Project 1 had a great disadvantage by not selling to the US market, so it was perceived by some people that it was an option to be Part 11 compliant. The others in the project thought this was a quick-and-easy way out of additional work. The SOPs have been created so that all systems need to do a few things like validation of computer systems, and depending on decisions on the need for Part 11 compliance, the rest of the SOPs shall be followed. Only one SOP needs to be changed to include all relevant systems in Part 11, and that is the SOP that says the Part 11 compliance may be opted out.

Lundbeck’s task force was a major contributor to the success, as the training formed a baseline or benchmark for treating all systems in the same way. It was also an advantage to have two assessors on the teams, as even the last systems assessed gave internal discussions of whether the findings were OK or not. Assessing systems for Part 11 is not easy! This project did cost a lot of money as 12 persons were involved for a week during training, and some 150 systems were assessed, each for about 1/2 day with two assessors. But the result was that within 2-3 months all GxP systems had been assessed and the rest of the systems had documentation to say why they were exempt.