Using Thin Client Technology To Achieve Part 11 Compliance

The Food and Drug Administration (FDA) established a new piece of compliance legislation in 1997 that established for the first time, conditions that must be met in order to substitute electronic records for paper records. 21 CFR Part 11 (or Part 11 for short), describes controls that must be in place to ensure the integrity of systems operations and the information stored on those systems.

This paper provides a discussion of those sections of Part 11, where thin client technology can be applied to satisfy those compliance issues, and how a move to thin client technology can make good business sense as well.

Thin client technology requires a paradigm shift back to the early days of centralized computing. Today a typical application might include one or several computers near the process that each have their own operating system, HMI software package, (including hardware or software license key and security access), data manipulation and storage capability and maybe even reporting capability. The system architecture implemented in this fashion can be referred to as "thick client" or distributed control. Communication back to a network server may be for data collection only.

This thick client architecture described above, presents several challenges for those industries required to meet Part 11 compliance.

  • The hardware and software on each computer must be validated (tested) to ensure the operating system was loaded and configured correctly with the correct revisions and service packs installed. If equipment failure requires reloading of software, this process must be repeated in the revalidation process.
  • When operating system software or application software upgrades become necessary, upgrades must be installed and validated for each machine.
  • Algorithms must be developed and checked to verify that data transferred to a server(s) or between other computers was completed accurately and without error.
  • Since each computer has a hard drive to store data locally, precautions must be taken to protect it from environmental damage and to protect the data stored on it from tampering.
  • Disaster recovery strategies need to be developed to include all types of failures such as hardware failures or power loss to ensure that important data is not lost.
  • Controls must be put in place and enforced to ensure unwanted software and viruses are not introduced into the system.

By replacing the thick clients with thin clients, many of the challenges presented above become much easier to solve. Thin client technology takes advantage of Microsoft's Terminal Services feature of Windows 2000 Server. The thick clients can be replaced with terminals without hard drives, floppy or CD ROM drives and a relatively small amount of RAM. If budgets require, existing clients could still be used even if they are running an older Windows OS such as Windows 3.XX/95/98.

In the thin client architecture, the validation process becomes much easier. Since the operating system and application software is loaded on the server(s), the whole process of software installation, configuration and verification is eliminated for the terminals. Further, if a terminal dies, instead of being down for hours or days while hardware and software is re-installed, configured and validated, it could be as simple as plugging in a new terminal and turning it on.

Future upgrading of operating system, HMI software, adding service packs, etc is performed on the server(s) only. The terminals will reap the immediate benefit of the upgrades without making any changes to its hardware or software. And by eliminating hard drives, floppy and CD ROM drives from terminals, hacking into the system and introducing viruses into the system becomes much more difficult if not impossible.

Since data is no longer transferred between terminals and the server, the effort required to verify the transfer and validate the data is eliminated. Since data is no longer stored on local hard drives, the threat of data loss from client hardware failure is eliminated. Since data is manipulated and stored only on the server(s), in friendly environments, redundancy, disaster recovery, and protection from loss of power, become much easier to implement.

In summary, thin client technology provides many advantages to FDA regulated industries that must comply with 21 CFR Part 11. They are:

  • Simplifying and reducing the validation effort required.
  • Providing a centralized, secure location for the processing and storage of electronic records.
  • Protection of electronic records from unauthorized access and tampering.
  • Protection of electronic records from the introduction of viruses.
  • Providing a centralized location for the maintenance and management of operating system and application software revisions and change control.

For additional information about the FDA rule 21 CFR Part 11, visit the following website:

www.21cfrpart11.com

Mr. Bruce Lauderman, P.E., is Vice President of Performance Automation and Controls, LLC, a company that provides integration and consulting services to many customers, including the food and pharmaceutical industries. PAC specializes in helping pharmaceutical companies comply with 21 CFR Part 11, in both gap assessment and remediation. For information on PAC, visit the company's website at:

www.pac-llc.com

You can contact Mr. Lauderman directly as follows:


Bruce Lauderman, P.E.
(269) 217-8500

bruce.lauderman@pac-llc.com

For more information on ACP Industrial Thin Client computers, please visit our web site at http://www.thinmanager.com

To sign up for the E-mail newsletter go here: ACP newsletter signup

For an archive of past newsletter articles go to: ACP Newsletter Archive

Top