Call in for a Coffee
Factorytalk
IS Security? A 21CFR Part 11 Issue, or a
General GxP concern?
Anyone who has been involved in assessing the
compliance of computer-based systems against
21CFR Part 11 will know that many of the questions
revolve around good IS (Information Systems) security
- both procedural and technical.
Whilst Part 11 has (quite rightly) resulted in a lot of
concern in this area, this is just one reason for
addressing the issue. Guidance from PIC/S also
clearly indicates that this will be a major issue for
companies subject to PIC/S inspection. In fact IS
security is of significance to both GxP (GMP, GLP,
GCP, etc.) compliance and the business.
A Business Issue
Whilst no one would deny that IS security is a GxP
issue, there is of course a wider business issue. As
well as holding GxP critical data and confidential data
concerning patients or employees, all pharmaceutical
companies have company confidential data. This may
include sensitive financial or sales and marketing data.
Assuring the integrity and confidentiality of such data
alone should be sufficient reason for pharmaceutical
companies to treat IS security very seriously. If proper
controls are put in place for good business reasons,
compliance with GxP regulations should be achieved
as part of the same programme.
A GxP Issue
In the GxP parts of the business many companies
appear to be going to great lengths to decide what is
and is not an 'Electronic Record', and what data are
within the scope of 21CFR Part 11. Many have chosen
to use the definition that an 'Electronic Record' is only
No responsibility can be taken by the publisher or the contributors for action taken as a result of information provided or
opinions expressed in this publication. Readers are strongly recommended to take expert advice on particular situations.
Factorytalk Co., Ltd. All Rights Reserved.
created when data are stored to 'durable media'
(meaning non-volatile storage media such as a hard
disc or CD-ROM). There are few (if any) signs that the
US FDA is willing to accept such a broad definition,
preferring to take each case on its merits. Whether
data are stored on durable media or not, whilst GxP
critical data are within a system there is always a
security and data integrity risk,
regardless of whether or not the data constitute an
electronic record at any given moment in time.
Take an example of batch data held in nondurable
memory in a programmable logic controller (PLC) until
the batch run is completed, with data either printed or
transferred to hard disc when the batch completes.
The data may not be held on durable media whilst the
batch is running, but if a batch run takes hours the
GMP critical data are still at risk from accidental
deletion or deliberate change whilst they reside in the
memory of the PLC. Whether or not Part 11 applies is
not the sole issue. There is a general data integrity
issue that is considered under general GMP rules. Any
company that believes that defining a system as
outside the scope of Part 11 ignores the general IS
Security issue of serious non-compliances with respect
to data integrity. Most FDA citations for computer
systems are for non-compliance with the applicable
(predicate) GxP rules, not Part 11.
PIC/S Guidance
In July 2004, PIC/S published their document "Good
Practices for Computerised Systems in Regulated
'GxP' Environments".
As well as covering Electronic Records and Electronic
Signatures issues, it addresses wider issues of IS
security as they impact upon GxP. Interesting enough,
the document references 21CFR part 11, but also
ISO/IEC17799:2000. This standard deals specifically
 Call in for a Coffee
Factorytalk
with aspects of IS security.
ISO17799:2000
The PIC/S guidance states (section 20.1) "Firms will
need clearly documented policies, standard operating
procedures, validation reports and training records
covering such system controls. Information Security
Management standards such as ISO/IEC 17799:2000
may be of assistance with the design, implementation
and control of such systems." Since this text is
italicised in the draft guidance, the recommendation for
Inspectors is that this is one of the things they should
be considering during an inspection
At least one of the agencies contributing to the
guidance has informally stated that their Inspectorate
will not consider IS security an issue worthy of in-depth
inspection for in companies who have achieved formal
accreditation ISO/IEC 17799. Whilst achieving
accreditation to the standard is not a trivial issue
(typically taking more than 12 months to achieve), if
this reduces the likelihood of IS security being the
focus of an inspection it may well be a price worth
paying.
Comparison Between 21CFR Part 11 and the PIC/S
Guidance
A formal comparison between the two documents
(cross referencing various sections) reveals some
interesting similarities in most procedural controls, but
a number of differences with regard to technical
controls required.
With respect to the procedural controls required by
21CFR Part 11 and PIC/S, neither regulation provides
a great deal of prescriptive content with regard to how
certain procedural controls should be implemented. As
an example, issues such as the secure management
No responsibility can be taken by the publisher or the contributors for action taken as a result of information provided or
opinions expressed in this publication. Readers are strongly recommended to take expert advice on particular situations.
Factorytalk Co., Ltd. All Rights Reserved.
(approval, distribution, storage and use) of
documentation containing security sensitive
information are covered in both documents. However,
neither goes into detail of how this should be achieved.
This is rightly so, considering that there are many
different ways of achieving this for both electronic and
paper documents.
The PIC/S document emphasises the requirement for
comprehensive audit trails and the practical
interpretation of this guidance is very much in line with
the requirements mandated for compliance with Part
11. However with regard to other technical controls,
Part 11 tends to be more direct. Some of these areas
include timestamps, password management and
encryption, periods of continuous use, 'immediate and
urgent' reporting of attempted security violations and
so on. One of the most significant such difference is
around the use of Electronic Signatures. Where Part
11 provides detailed technical requirements, the PIC/S
guidance again remains general, subject to practical
interpretation.
Another technical area where Part 11 is specific, and
which is not covered by the PIC/S guidance is that of
making records available for review by the
Inspectorate. This includes the ability to make both
electronic and paper copies available for off-site
review. For a number of systems this represents a
considerable technical challenge. When systems,
installations and sites do not fall under the Inspection
remit of the FDA, this requirement is not mandated.
However, since the PIC/S guidance also references 21
CFR Part 11, and since many PIC/S inspectors cover
sites also covered by the FDA, the individual PIC/S
inspector certainly has lee-way to determine what
constitutes acceptable controls, both procedural and
technical.
 Call in for a Coffee
Factorytalk

Conclusion

In summary, pharmaceutical companies need to take

IS security seriously. This means taking steps to
comply with relevant guidelines or at least being aware
of the requirements being derived from their
interpretation.

Free Consultation

For more information, simply contact the Factorytalk

team and "Call in for a Coffee" for a free consultation.

Factorytalk is located at:

Bangkok
12th Floor, Liberty Square, 287 Silom Road,
Silom, Bangrak, Bangkok 10500, THAILAND
Phone: +66 2 630 4525 Fax: +66 2 630 4527

Singapore
10 Anson Road #09-24, International Plaza
Singapore 079903, SINGAPORE
Phone: +65 6408 8000 Fax: +65 6408 8001

Malaysia
Menara Maxis, 36th floor, Kuala Lumpur City Center,
Kuala Lumpur 50088, MALAYSIA
Phone: +60 3 2615 7397 Fax: +60 3 2615 0088

Indonesia
Indonesia Stock Exchange Building, Tower2, 17th Fl,
Jl.Jend. Sudirman Kav. 52-53, Jakarta 12190,
INDONESIA
Phone: +62 21 5291 7481 Fax: +62 21 515 7799

Website: www.factory-talk.com
E-mail Addresses: contact@factory-talk.com

No responsibility can be taken by the publisher or the contributors for action taken as a result of information provided or
opinions expressed in this publication. Readers are strongly recommended to take expert advice on particular situations.

Factorytalk Co., Ltd. All Rights Reserved.