By Bill Burke, Merit Solutions
Even Marco Polo had a road map….For most companies, full compliance with 21 CFR Part 11 is quite a long journey. You can give up before you start, as several do, and let the chips fall where they may. That would mean either keeping all significant business processes based on manual paper-based methods, or just taking your chances that neither the FDA nor the other FDA-regulated firms that you partner with don’t notice or care. FAT CHANCE!, e-r-r-, I mean, “Good Luck!”A saner business approach is to sit down, take a deep breath and develop an attack plan for 21 CFR Part 11 Compliance. Here’s how:Step 1: Do Your Homework
Even though you are well-advised to enlist the help of knowledgeable guides, and even if you have a talented quality management team in place, every top level executive in an FDA-regulated firm needs a working knowledge of 21 CFR Part 11. Start by getting a copy of the regulation and reading it. Then, set aside a few hours to google 21 CFR Part 11 and see where the Internet search takes you. In fact, you are well advised to repeat this exercise periodically, over the course of the year(s) your company is addressing full 21 CFR Part 11 compliance.Step 2: Get An Experienced Guide
You need a guide for 21 CFR Part 11 compliance, but not just any guide. First, you may wonder why your highly skilled, highly credentialed, and highly paid quality management team just can’t tend to 21 CFR Part 11 Compliance and be done with it. Expert though they may be, it is the rare quality executive that has a detailed understanding of the underlying architecture of business systems and how to best program automated processes that are fully 21 CFR Part 11 compliant. Why not your IT manager then, you ask? Well, even if your IT team has a nuanced understanding of both 21 CFR Part 11 and the underlying architecture of your business system (A BIG IF), they are unlikely to be schooled in the “gotchas” of the regulation in the way that consultants do who live and breathe the regulation every day and work with a variety of companies with ranges of significant processes in need of management.What you want is someone or a team of “someones” who “have seen it all.” That kind of track record can help you save time compared to the learn-as-I-go individual. Although every company has a unique set of risks, there ARE overlaps that allow outside consultants to bring their expertise from previous 21 CFR Part 11 compliance projects to bear on your company’s success in following suit.
Outside consultant services do not need to cost an arm and a leg. A mistake that many small and medium-sized firms make is hooking up, or entertaining the idea of hooking up, with consultants schooled in the compliance strategies and business systems used by the largest companies. Multinational, multilocation pharmaceutical firms, for example, have an entirely different set of non-compliance risks than a small company first venturing from clinical trials to full-scale production. Another group of outside consultants to avoid are those who are adept in your particular business system but who have never grappled with compliance issues before. Then there is the problem of bringing in non-technical consultants who may very well drive your company down the wrong road altogether. High level understanding of a particular business system is not enough. You need a systems-level understanding so that you are not throwing a lot of money at the problem and simply going in circles.
Who’s your ideal guide then? — an outside company with a proven track record of helping companies of a similar size as yours get 21 CFR Part 11 compliant, who have both technical expertise and knowledge of the underlying business system on the one hand, and a nuanced understanding of 21 CFR Part 11 on the other.
Step 3: Identify Your Significant Processes
Every company has their own way of doing things. Working with your guide, complete a comprehensive review of every aspect of what your company does, and identify those processes that if done incorrectly, can cause harm to humans. These are your risks. This is equivalent to drawing the mountains, swamps, and quicksand on your roadmap, i.e. the terrain to be traversed.What are the potential scenarios causing health harm that your business creates? The FDA provides guidance on how you identify these risks, and following this guidance can help you crystallize the scope of potential problems (risks) and suggest a priority pattern for compliance tasks.
Step 4: Build Your Standard Operating Procedures
Once you have identified your significant processes, (i.e. those processes that if done incorrectly can cause harm to humans), you then need to write out detailed flow charts of all the tasks and activities that are done in sequence to accomplish that process safely. Thinking of standard operating procedures as a flow chart, the lower level steps are those that connect your staff to the business systems enabling the process.You may have identified that one of your significant processes, for example, is a vendor purchase-to-pay process, where mistakes in supply orders (e.g. wrong order, wrong delivery, wrong storage, etc.) can have potentially dire consequences for the ultimate end-users of your product. Your standard operating procedure is nothing more or less han a step-by-step run down of how a process such as this is done correctly.
Step 5: Identify Your Enabling Systems
Once you have all of your standard operating procedures mapped out, you then need to identify all of the touch points of your business’s enabling systems that are acting with or underneath these significant processes. This is often an analytical step missed or mangled by those with a less than complete understanding of the architecture of the business systems you employ.For example, a significant process that your company performs may be manufacturing a batch of a certain material. Usually, there is a database that stores the formula for that particular material. The business system may interact with this database at several touch points, and you need to know what every one of those touch points are.
Step 6: Systems Validation
The next step is to take the underlying data system and prove that it does what you expect it to do, at each and every touch point with significant processes. While you probably don’t need to validate your accounting systems, for example, you do need to prove that the systems you use to pull formulas for manufacturing are 100% reliable. You need to look at your map of significant processes and develop tests with sample data sets that can be run to show that the system is reliable and that the expected answers will show up on the multiple screens affected whenever they are expected to show up.There are several steps to this validation process, as we have discussed in previous articles. IQ, Installation Qualification, proves that a system is installed as expected. OQ, Operational Qualification, proves that a system operates as expected. PQ, Performance Qualification, proves that the system behaves to expected parameters.The best case scenario is always for a company to get an experienced guide and make these road map assessments BEFORE a business system is implemented, because it can get quite costly to reverse business systems that do not architecturally support the 21 CFR Part 11 requirements. If there are business systems in place, the sooner you address these compliance issues the better as the costs of reversing or re-engineering systems built over time just compound. While there are relatively affordable and straightforward compliance modules for widely used business systems like Microsoft Great Plains(tm), companies that develop home-grown ERP solutions are likely to have quite the compliance nightmare on their hands that requires months or even years of expensive custom programming to eliminate non-compliance risks.
The good news is that reputable consultants with 21 CFR Part 11 expertise will give you a preliminary assessment at no cost. Usually, this will only involve a few hours of your time and/or the time of your staff to get a working report card on the nature of your risks and the work at hand. More importantly, it will give your company the benefit of experienced eyes that have been on the front lines of 21 CFR Part 11 compliance for many companies and can help you spot the hazards in your processes and systems that less seasoned eyes might not see.