How can I learn about data integrity and electronic records in FDA regulated industries?
Nathan Boeger - CISSP-ISSAP
USN veteran. Simplifying OT / ICS Security. Compliance. DevSecOps. Neurodivergent & underserved population supporter.
Introduction: This article introduces key concepts and shares useful links. I helped author a newly released guide entitled “21 CFR Part 11 and Pharmaceutical Best Practices with Ignition”, which provides general education and best practices with a focus on Ignition. I did my best to write an informative free resource that is useful for any product or environment.
Time sink: It was incredibly time-consuming to find a good starting point for learning resources. There is a lot of useless “clickbait”. The best approach is to join the ISPE and start with their paid July 2022 version of GAMP 5. As a free approach, many of the key concepts are highlighted in the Ignition guide and covered in the links below.
21 CFR What?: “21 CFR 11”, or “Part 11” for short, is a 1997 (“pre-Google”) regulation that governs the use of “Electronic Records” and “Electronic Signatures” (ERES) as a substitute for paper records and handwritten signatures in FDA regulated industries. The FDA publicly releases “Guidance for Industry” documents (GFI, links below), which communicate the agency’s “current thinking” on topics as “non-binding guidance”. Practically speaking, these communicate which aspects of the law to focus on more or less, and where to go for best practices. Of note, I only recall seeing the ISPE (older GAMP 4 standard) and FDA documents being referenced in agency GFI. Also of note, the FDA seems to be focusing far more on embedded software for medical devices and individual health records, neither of which I am directly addressing here.
Good Automated Manufacturing Practice (GAMP) from the ISPE is a great place to start for pharmaceutical best practices. EU Annex 11 is the European equivalent, which has been more recently updated (2011). Also, the FDA and industry maintain Good Practice guidelines, collectively referred to as “GxP”, which are also a great reference.
21 CFR Part 11 Trap. It is a common pitfall for vendors to go directly to the 1997 regulation and address the stated requirements line by line. I've made this mistake before. I believe this largely misses the point: the intent of the regulation can be better served by applying strong patterns throughout the environment. The line-by-line approach often results in many answers like “it is the customer's responsibility to do xyz”. Consider an electronic audit log as an example: an externally managed database can be locked down better than a log kept within an application. Consider granting the application “append-only” permissions (SELECT/INSERT, not UPDATE/DELETE). This is easy to assure with separate systems and hard for an individual application to assure on its own.
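As an added example that is not part of the article or of Ignition, the append-only pattern above expressed as PostgreSQL (11 or later) statements; the role app_ignition, the table audit_log and the trigger names are hypothetical:

```sql
-- Added example, not from the article or from Ignition: an append-only audit
-- log in PostgreSQL. The role app_ignition and the table audit_log are hypothetical.

-- Run as the database owner / DBA, never as the application role.
CREATE TABLE audit_log (
    id          bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    recorded_at timestamptz NOT NULL DEFAULT now(),  -- set by the server: contemporaneous
    actor       text        NOT NULL,                -- who did it: attributable
    event       text        NOT NULL,
    details     jsonb
);

CREATE ROLE app_ignition LOGIN PASSWORD 'PLACEHOLDER-set-via-secrets-manager';

-- Weak setting (the trap): the application owns its own audit trail and can
-- rewrite or erase history.
--   GRANT ALL PRIVILEGES ON audit_log TO app_ignition;

-- Corrected setting: append-only. Revoke everything first, then grant only
-- SELECT and INSERT. Restricting INSERT to these columns means the application
-- cannot supply its own id or recorded_at value; the server defaults apply.
REVOKE ALL PRIVILEGES ON audit_log FROM app_ignition;
GRANT SELECT ON audit_log TO app_ignition;
GRANT INSERT (actor, event, details) ON audit_log TO app_ignition;

-- Defence in depth: reject UPDATE and DELETE for every role, including the
-- table owner. Changing history then requires dropping this trigger, which is
-- an administrative act that can itself be audited.
CREATE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% attempted)', TG_OP;
END
$$;

CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

-- Verification query for an auditor: can_select and can_insert should be true,
-- everything else false. INSERT is checked at column level because it was
-- granted per column, not on the whole table.
SELECT has_table_privilege('app_ignition', 'audit_log', 'SELECT')        AS can_select,
       has_any_column_privilege('app_ignition', 'audit_log', 'INSERT')   AS can_insert,
       has_table_privilege('app_ignition', 'audit_log', 'UPDATE')        AS can_update,
       has_table_privilege('app_ignition', 'audit_log', 'DELETE')        AS can_delete,
       has_table_privilege('app_ignition', 'audit_log', 'TRUNCATE')      AS can_truncate;
```

The final query is the kind of evidence a customer audit can collect periodically, since the grants live in the database and not in the application's configuration.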
Looking ahead. This guidance surrounds assurance of data integrity (protecting records from improper writes and deletes). See my article on OT INFOSEC Basics for more info. In most modern contexts, this probably cannot be achieved well at the application layer alone. It is probably best done with a “Shared Responsibility” model that considers the entire computing environment, including the customer's processes. I would be skeptical of a single vendor product claiming “compliance”, which is what customers seek. A tailored SaaS solution with a service component may get you there. Customers still have an overarching responsibility that starts with auditing.
Reference material. There are many useful links at the end of this article. The FDA provides official information. I consider ISPE GAMP guidance to be the “gold standard”. Microsoft, Amazon, and Google provide informative guides that broaden the scope to GxP. They provide significant coverage “baked in” to their cloud platforms, but pass much responsibility “upward” in the stack. Other SCADA vendors provide resources of moderate usefulness; most pass significant responsibility back to the customer. I found the email and information-collecting requirements to access those resources to be pesky.
Context
My understanding of the law: The US Congress regularly delegates authority to government agencies over specific areas. The Code of Federal Regulations (CFR) codifies administrative law. It is divided into 50 categories called “Titles”. Title 21 (Food and Drugs) grants authority to the US Food and Drug Administration (FDA) in “Chapter 1”. The Part 11 rule covers “Electronic Records” and “Electronic Signatures”.
For context, other FDA “Chapter 1” regulations cover “clinical trials”, while “Chapter 2” and “Chapter 3” govern the US Drug Enforcement Agency (DEA) and the Office of National Drug Control Policy.
Key Concepts
Data Integrity
Integrity as a principle, referring to trustworthiness and reliability, is an important aspect of Part 11 compliance for Electronic Records and Electronic Signatures.
ALCOA+
Per the FDA, “data integrity refers to completeness, consistency, and accuracy of data. Complete, consistent, and accurate data should be attributable, legible, contemporaneously recorded, original or a true copy, and accurate (ALCOA).” ALCOA has since been expanded to ALCOA+ to include “available, enduring, consistent, and complete”.
Summary
This article is primarily intended to share the useful links from the free Inductive Automation “21 CFR Part 11 and Pharmaceutical Best Practices with Ignition” resource. The guide should be generally informative, particularly if you are considering Ignition. Better yet, read the source material in the links for yourself.
Best of luck! Please let me know how it goes in the comments.
Security Resources
FDA Cybersecurity portal under their Digital Health Center of Excellence
CISA Shields Up, ICAM resources, and Multi-factor Authentication (MFA) guidance.
NIST recommendations: Cybersecurity Insights Blog, Assessment & Auditing, MFA, Identity and Access Management, Digital Identity Guidelines (800-63 series), and Cybersecurity Frameworks.
Cloud Part 11 Resources
Amazon AWS 21 CFR 11 Best Practices, Config Doc. AWS Well-Architected Framework.
Microsoft Azure 21 CFR 11 portal, Azure GxP Guidelines (includes Part 11 & European standards). Azure Well-Architected Framework.
Google Cloud Platform GxP and 21 CFR Part 11 guidance
References
FDA, 21 CFR Part 11, Electronic Records; Electronic Signatures; Final Rule. Federal Register Vol. 62, No. 54, 13429, Mar 1997.
FDA, Withdrawal of Draft Guidance for Industry on Electronic Records; Electronic Signatures, Electronic Copies of Electronic Records, Feb 2003.
FDA, Part 11, Electronic Records; Electronic Signatures — Scope and Application, Aug 2003.
FDA, General Principles of Software Validation; Guidance for Industry and FDA Staff. Jan 2002.
FDA, Q7 Good Manufacturing Practice Guidance for Active Pharmaceutical Ingredients; Guidance for Industry. Sept 2016.
FDA, Q8, Q9, and Q10 Questions and Answers (R4). Nov 2011.
FDA, Process Validation: General Principles and Practices, Jan 2011.
FDA, Guidance for Industry Computerized Systems Used in Clinical Investigations, May 2007.
FDA, Data Integrity and Compliance With CGMP Guidance for Industry, Dec 2018.
FDA, Cybersecurity, Digital Health Center of Excellence, retrieved Aug 2022.
ISPE, GAMP 5 A Risk-Based Approach to Compliant GxP Computerized Systems, Second Edition. Jul 2022.
ISPE, Good Practice Guide: Process Validation. Mar 2019.
Related References
FDA Cybersecurity portal under the Digital Health Center of Excellence
FDA, Guidance for Industry. Off-The-Shelf Software Use in Medical Devices. Sept 2019.
FDA, NIST Request on Presidential Executive Order: Comments Submitted by the FDA. May 2021.
Related Resources (Global)
PIC/S Good Practice for Computerised Systems in Regulated “GxP” Environments
2016 World Health Organization (WHO) Guidance on Good Data and Record Management Practice
2018 MHRA (Medicines & Healthcare products Regulatory Agency) ‘GXP’ Data Integrity Guidance and Definitions
FDA Guidance For Industry (GFI) References
FDA, Withdrawal of Draft Guidance for Industry on Electronic Records; Electronic Signatures, Electronic Copies of Electronic Records, Feb 2003.
FDA, Part 11, Electronic Records; Electronic Signatures — Scope and Application, Aug 2003.
FDA, General Principles of Software Validation; Guidance for Industry and FDA Staff. Jan 2002.
FDA, Guidance for Industry Computerized Systems Used in Clinical Investigations, May 2007.
FDA, Data Integrity and Compliance With CGMP Guidance for Industry, Dec 2018.
Inductive Automation / Ignition
Inductive Automation Security Portal, Ignition Security Hardening Guide.
CSV Lead & Software Dev | protonglow.com | part11compliance.com
1 month: I wrote this book called a “Practical Guide to 21 CFR Part 11”. It dives deep into the technical side. https://www.amazon.com/gp/aw/d/1739677773/ref=tmm_pap_swatch_0?ie=UTF8&dib_tag=se&dib=eyJ2IjoiMSJ9.wh3kZ0Em1nVbfOxTbz1JfA.j4aq-wTmRqK6mZOFzsJFBY0Z1IJNK4m-Co2afDPDBnw&qid=1728667032&sr=8-1
|| Chief Security Officer at The Financial Chronicle || Fitness || Programmer ||
1 year: The article's great. Not surprised there wasn't a lot of material regarding the subject area. No doubt though, your article will help others in their own search on it. Thanks for sharing.
Director, Information Security | Securing Pharma 4.0 | Building Cybersecurity programs for growing organizations
1 year: Fantastic initiative here! There’s a need for this sort of material helping to guide folks with traditional IT and non-GMP backgrounds towards helpful learning resources.
USN veteran. Simplifying OT / ICS Security. Compliance. DevSecOps. Neurodivergent & underserved population supporter.
1 year: James Burnand Joseph Dolivo Anika Peer GI Griffin Steve Griffing, PE, CISSP-ISSEP, CPP Stephanie U. Tom Hechtman Vincent Ares Keith Adair Arlen Nipper Chris Houghton Nathan Davenport Wesley Johnson Rosemary Djan Daniella Taveau Chris Nardecchia Robert Neil, CISSP, CISA, CRISC, CAP Carlos Colón Michael Vasilevsky Daniel Ward Rutesh Deshmukh Ryan Thompson Mark Priestley Enzo M. Tieghi Gaurav Shakya Annie Wise Shekar Nalla Saravanan Natarajprabu (PMP) Abhijit Nair Shrikant Patil Rod Lindemann, CISSP Michael Vasilevsky