Factorytalk Is Security
IS Security? A 21CFR Part 11 Issue, or a General GxP concern?

Anyone who has been involved in assessing the compliance of computer-based systems against 21CFR Part 11 will know that many of the questions revolve around good IS (Information Systems) security - both procedural and technical.

Whilst Part 11 has (quite rightly) resulted in a lot of concern in this area, this is just one reason for addressing the issue. Guidance from PIC/S also clearly indicates that this will be a major issue for companies subject to PIC/S inspection. In fact IS security is of significance to both GxP (GMP, GLP, GCP, etc.) compliance and the business.

A Business Issue

Whilst no one would deny that IS security is a GxP issue, there is of course a wider business issue. As well as holding GxP critical data and confidential data concerning patients or employees, all pharmaceutical companies have company confidential data. This may include sensitive financial or sales and marketing data. Assuring the integrity and confidentiality of such data alone should be sufficient reason for pharmaceutical companies to treat IS security very seriously. If proper controls are put in place for good business reasons, compliance with GxP regulations should be achieved as part of the same programme.

A GxP Issue

In the GxP parts of the business many companies appear to be going to great lengths to decide what is and is not an 'Electronic Record', and what data are within the scope of 21CFR Part 11. Many have chosen to use the definition that an 'Electronic Record' is only created when data are stored to 'durable media' (meaning non-volatile storage media such as a hard disc or CD-ROM). There are few (if any) signs that the US FDA is willing to accept such a broad definition, preferring to take each case on its merits. Whether data are stored on durable media or not, whilst GxP critical data are within a system there is always a security and data integrity risk, regardless of whether or not the data constitute an electronic record at any given moment in time.

Take an example of batch data held in nondurable memory in a programmable logic controller (PLC) until the batch run is completed, with data either printed or transferred to hard disc when the batch completes. The data may not be held on durable media whilst the batch is running, but if a batch run takes hours the GMP critical data are still at risk from accidental deletion or deliberate change whilst they reside in the memory of the PLC. Whether or not Part 11 applies is not the sole issue. There is a general data integrity issue that is considered under general GMP rules. Any company that believes that defining a system as outside the scope of Part 11 ignores the general IS Security issue of serious non-compliances with respect to data integrity. Most FDA citations for computer systems are for non-compliance with the applicable (predicate) GxP rules, not Part 11.

PIC/S Guidance

In July 2004, PIC/S published their document "Good Practices for Computerised Systems in Regulated 'GxP' Environments".

As well as covering Electronic Records and Electronic Signatures issues, it addresses wider issues of IS security as they impact upon GxP. Interestingly enough, the document references 21CFR part 11, but also ISO/IEC17799:2000. This standard deals specifically
No responsibility can be taken by the publisher or the contributors for action taken as a result of information provided or
opinions expressed in this publication. Readers are strongly recommended to take expert advice on particular situations.
Conclusion
Free Consultation
Singapore
10 Anson Road #09-24, International Plaza
Singapore 079903, SINGAPORE
Phone: +65 6408 8000 Fax: +65 6408 8001
Malaysia
Menara Maxis, 36th floor, Kuala Lumpur City Center,
Kuala Lumpur 50088, MALAYSIA
Phone: +60 3 2615 7397 Fax: +60 3 2615 0088
Indonesia
Indonesia Stock Exchange Building, Tower2, 17th Fl,
Jl.Jend. Sudirman Kav. 52-53, Jakarta 12190,
INDONESIA
Phone: +62 21 5291 7481 Fax: +62 21 515 7799
Website: www.factory-talk.com
E-mail Addresses: contact@factory-talk.com