AMERICAN ACADEMIC PUBLISHER
https://www.academicpublishers.org/journals/index.php/ijns
187
INTERNATIONAL JOURNAL OF NETWORKS AND SECURITY (ISSN: 2693-387X)
Volume 05, Issue 01, 2025, pages 187-201
Published Date: - 19-06-2025
Doi: -
https://doi.org/10.55640/ijns-05-01-11
21 CFR Part 11 Compliance in MES: Electronic Signatures and
Data Integrity
Shriprakashan. L. Parapalli
Emerson Automation Solutions, Durham, NC- USA
BioPhorum, The Gridiron Building, 1 Pancras Square, London, NIC 4AG UK
International Society for Pharmaceutical Engineering (ISPE), 6110 Executive Blvd, North Bethesda, MD 20852, USA
MESA International, 1800E.Ray Road, STE A106, Chandler, AZ 85225 USA
ABSTRACT
In pharmaceutical manufacturing, compliance with 21 CFR Part 11 is critical for ensuring the integrity of electronic
records and signatures within Manufacturing Execution Systems (MES). This paper proposes a comprehensive
framework for implementing electronic signatures and data integrity controls in MES, aligning with 21 CFR Parts 11,
210, 211, ICH Q7, and EudraLex Volume 4 Annex 11. The methodology includes system design, user access controls,
audit trails, and data lifecycle management, validated through risk-based assessments. Key findings demonstrate
that tailored electronic signature configurations (none, single, or double) based on process criticality reduce
compliance risks while enhancing operational efficiency. Automated data capture and true-copy transmission
further ensure data integrity. Challenges such as manual data entry and generic account usage are addressed
through procedural and technical controls. This study underscores the importance of data integrity by design,
offering practical guidance for pharmaceutical manufacturers to achieve regulatory compliance and safeguard
patient safety.
KEYWORDS
21 CFR Part 11, Manufacturing Execution System, Electronic Signatures, Data Integrity, Pharmaceutical
Manufacturing, Audit Trail, Regulatory Compliance, GMP, Data Lifecycle Management, Risk Assessment
1.
INTRODUCTION
The pharmaceutical industry operates under stringent regulatory frameworks to ensure product quality, patient
safety, and public trust, driven by the critical nature of its products and their direct impact on human health.
Regulatory bodies such as the U.S. Food and Drug Administration (FDA), European Medicines Agency (EMA), and
international organizations like the International Conference on Harmonization (ICH) enforce comprehensive
standards governing the entire product lifecycle, from drug discovery through manufacturing to post-market
surveillance [1,7]. The FDA’s 21 CFR Part 11 establishes requirements for electronic records and signatures,
mandating robust controls to ensure data integrity, security, and traceability in Good Manufacturing Practice (GMP)
environments [1]. Complementary regulations, including 21 CFR Parts 210 and 211, ICH Q7, and EudraLex Volume
4 Annex 11, further emphasize the need for validated systems, secure audit trails, and independent verification
(e.g., double signatures) for critical operations to prevent errors that could compromise product quality [9,4,3].
AMERICAN ACADEMIC PUBLISHER
https://www.academicpublishers.org/journals/index.php/ijns
188
Non-compliance with these regulations risks severe consequences, including product recalls, regulatory sanctions,
financial penalties, and, most critically, compromised patient safety [2,18]. Manufacturing Execution Systems (MES)
are pivotal in pharmaceutical production, serving as the central platform at the ISA-95 Level 3 to manage batch
records, equipment logs, process controls, and compliance workflows on the shop floor [2]. MES integrate with
Distributed Control Systems (DCS), Laboratory Information Management Systems (LIMS), and Enterprise Resource
Planning (ERP) systems, enabling real-time data capture, electronic batch records (eBR), and traceability essential
for GMP compliance [8]. By automating data collection from sensors (e.g., temperature, weight) and enforcing
electronic signatures, MES reduce reliance on error-
prone manual processes, aligning with 21 CFR Part 11’s
requirements for accurate and secure electronic records [1]. Additionally, MES support critical compliance
functions, such as resource validation, deviation reporting, Corrective and Preventive Action (CAPA) initiation, and
material genealogy tracking, which are vital for regulatory submissions and audits [7,15]. The growing complexity
of pharmaceutical manufacturing, particularly with the rise of advanced therapies like cell and gene therapies (e.g.,
Advanced Therapy Medicinal Products, ATMPs), introduces new compliance challenges, such as maintaining Chain
of Identity (COI) and ensuring data privacy under regulations like the General Data Protection Regulation (GDPR)
[17,19]. These emerging requirements underscore the need for MES to evolve beyond traditional batch processing
to address personalized medicine’s unique demands [3]. Despite their importance, integrating electronic signat
ures
and ensuring data integrity within MES remains challenging due to complex regulatory requirements, residual
manual processes, and system limitations. For instance, configuring double signatures for high-risk operations (e.g.,
raw material weighing) requires balancing automation with human oversight to comply with 21 CFR 211.101, while
manual data entry persists in legacy systems, increasing error risks [9,15]. Audit trails must be immutable and
comprehensive, capturing user actions, timestamps, and reasons for changes, yet many MES implementations
struggle with consistent enforcement [2]. High implementation costs, including hardware, software, and validation
per Good Automated Manufacturing Practice (GAMP 5), further complicate adoption, particularly for small to
medium-
sized enterprises (SMEs) [13,20]. Prior research highlights digital technologies’ potential to streamline
compliance, with studies like [21] demonstrating error reductions through automation, but practical frameworks
for implementing compliant MES solutions are limited. Existing solutions often focus on enterprise-level Compliance
Management Systems (CMS) rather than shop-floor MES, leaving a gap in systematic approaches that map
regulatory requirements to MES design and operation [7,16]. Moreover, the integration of MES with emerging
regulatory needs, such as COI for personalized medicines, remains underexplored [17].
This study addresses these gaps by proposing a comprehensive framework for MES to achieve 21 CFR Part 11
compliance in pharmaceutical batch processing. The specific objectives are:
1.
Outlining a methodology for configuring MES electronic signatures and data integrity controls, including
automated data capture, true-copy transmission, and audit trails.
2.
Mapping regulatory requirements (e.g., 21 CFR Part 11, EudraLex Annex 11) to practical system and
procedural designs, ensuring scalability across manufacturing sites.
3.
Evaluating outcomes through hypothetical scenarios and regulatory correlations to validate compliance and
error reduction.
4.
Proposing future directions for scalable, compliant MES implementations, including the adoption of AI and
blockchain technologies.
This paper contributes to the field by providing a systematic approach to 21 CFR Part 11 compliance, enhancing
MES reliability in pharmaceutical manufacturing. By integrating automation with risk-based controls, the framework
reduces compliance efforts, supports emerging therapies, and aligns with industry trends toward smart
AMERICAN ACADEMIC PUBLISHER
https://www.academicpublishers.org/journals/index.php/ijns
189
manufacturing [21,22]. The study’s findings offer practical insights for manufacturers seeking to balance regulatory
rigor with operational efficiency, while paving the way for future innovations in GMP compliance.
2.
Methodology
2.1
Research Design
The research design for this study is structured to develop a robust and compliant framework for implementing
electronic signatures and data integrity controls within Manufacturing Execution Systems (MES) to meet the
requirements of 21 CFR Part 11, 21 CFR Parts 210 and 211, ICH Q7, and EudraLex Volume 4 Annex 11. To achieve
this, the study employs a multi-faceted approach that integrates three core components: regulatory analysis,
system architecture design, and risk-based validation. This methodology ensures that the proposed MES
framework is both theoretically grounded and practically implementable, addressing the complexities of Good
Manufacturing Practice (GMP) environments in pharmaceutical manufacturing. The workflow, which
systematically outlines the progression of these components, is illustrated in
Fig. 1
.
Regulatory Analysis:
The first component involves a detailed examination of relevant health authority
regulations and guidance documents. This includes a comprehensive review of 21 CFR Part 11, which specifies
requirements for electronic records and signatures, and related regulations such as 21 CFR 211.101 (charge-in
of components), 21 CFR 211.103 (yield calculation), and 21 CFR 211.188 (batch production records).
Additionally, international guidelines, including ICH Q7 and EudraLex Volume 4 Annex 11, are analyzed to
ensure global applicability. The regulatory analysis identifies critical process steps
—
such as raw material
weighing, yield calculations, and batch record documentation
—
that require electronic signatures or data
integrity controls. By mapping these requirements to MES functionalities, the study establishes a foundation
for compliance, highlighting where single or double electronic signatures are mandated and where audit trails
are necessary to ensure traceability [1,3].
System Architecture Design:
The second component focuses on designing a system architecture that integrates
electronic signatures and data integrity controls into the MES. This involves defining technical configurations,
such as role-based access control (RBAC), audit trail functionality, and true-copy data transmission mechanisms.
The architecture leverages interface between the MES, Distributed Control Systems (DCS), and manufacturing
equipment (e.g., scales, reactors) to automate data capture and minimize manual entry errors. For instance,
sensors on equipment provide real-time GMP data (e.g., weight, temperature), which are transmitted to the
MES via secure protocols like OPC UA or MQTT. The design also incorporates procedural controls, such as user
role
definitions and periodic access reviews, to align with EudraLex Annex 11’s emphasis on data security [3].
This component ensures that the MES is configured to meet regulatory expectations while maintaining
operational efficiency.
Risk-based Validation:
The third component employs a risk-based approach to validate the proposed MES
framework, following Good Automated Manufacturing Practice (GAMP 5) principles [2]. Validation activities
include risk assessments to prioritize controls based on the criticality of data and processes. For example, high-
risk operations, such as manual entry of critical batch data, require double signatures and four-eyes verification,
while low-risk tasks, like material staging, may require no signatures. Hypothetical scenarios, such as batch
record reviews, are used to test the framework’s compliance with regulatory requirements, ensuring that audit
trails capture all GMP actions, and that data transmission maintains integrity through checksum validation. The
AMERICAN ACADEMIC PUBLISHER
https://www.academicpublishers.org/journals/index.php/ijns
190
validation process also involves testing system functionalities, such as automated archiving and backup/restore
procedures, to confirm that data is protected throughout its lifecycle.
The integration of these components is depicted in
Fig. 1
, which illustrates the sequential and iterative workflow
of the research design. The figure shows how regulatory analysis informs the system architecture, which is
subsequently validated through risk-based assessments. This structured approach ensures that the MES
framework is compliant, scalable, and capable of addressing the challenges of data integrity and electronic
signature implementation in pharmaceutical manufacturing. By combining regulatory insights, technical design,
and validation, the study provides a holistic solution that bridges theoretical requirements with practical
deployment, contributing to the advancement of smart manufacturing in GMP environments.
•
21 CFR Part 11, ICH Q7, Eudralex Annex 11
Requirements
•
Critical Process Steps, Signature Needs
REGULATORY ANALYSIS
•
Electronic Signature Levels, Audit Trails,
Access Control
•
Data Lifecycle Management, True Copy
Transmission
SYSTEM DESIGN & CONFIGURATION
•
Hypothetical Scenarios, Compliance Checks
•
Risk-based Controls for Data Integrity
VALIDATION & RISK ASSESSMENT
Fig. 1
. Research design workflow for MES compliance
2.2
Materials
2.2.1
MES Platform
The Manufacturing Execution System (MES) serves as the central platform for managing batch production,
electronic signatures, and data integrity in pharmaceutical manufacturing, ensuring compliance with 21 CFR
AMERICAN ACADEMIC PUBLISHER
https://www.academicpublishers.org/journals/index.php/ijns
191
Part 11 and related regulations such as 21 CFR Parts 210, 211, ICH Q7, and EudraLex Volume 4 Annex 11. Two
industry-leading MES platforms, Siemens Opcenter MES and Rockwell FactoryTalk PharmaSuite, are selected as
examples due to their robust capabilities tailored for the life sciences industry. These platforms are designed to
streamline production processes, enforce regulatory compliance, and integrate seamlessly with shop-floor
automation and enterprise systems.
•
Siemens Opcenter MES
: A comprehensive solution for production optimization, featuring Opcenter
Execution Pharma for paperless electronic batch recording (eBR) and device history records (eDHRs). It
supports compliance through audit trails, electronic signatures, and integration with ERP and PLM systems
[6].
•
Rockwell FactoryTalk PharmaSuite
: Designed for pharmaceuticals, it adheres to ISA S88/95 standards,
offering modular eBR with weigh-and-dispense functions. Its scalable architecture ensures compliance and
tracks sensitive materials [5].
•
Specifications
:
•
RESTful APIs
: Both platforms support Representational State Transfer (REST) APIs, enabling
seamless integration with Distributed Control Systems (DCS), Supervisory Control and Data
Acquisition (SCADA) systems, and other enterprise applications. RESTful APIs facilitate real-time
data exchange, allowing MES to pull sensor data from shop-floor equipment or push batch
records to quality management systems. This ensures traceability and compliance with 21 CFR
Part 11’s requirement for accurate record generation
[9].
•
MQTT
: The Message Queuing Telemetry Transport (MQTT) protocol is supported for lightweight,
publish-subscribe-based communication, ideal for Industrial Internet of Things (IIoT) integration.
MQTT enables efficient data transmission from sensors and edge devices to the MES, supporting
real-time monitoring and reducing latency in GMP data capture. This aligns with EudraLex Annex
11’s emphasis on secure data transmission [3].
•
Audit Trail Functionality
: Both platforms incorporate secure, computer-generated audit trails
that log all interactions with electronic records, including creation, modification, and deletion.
Audit trails capture critical details such as user ID, timestamp, action taken, and reason for
change, meeting 21 CFR Part 11 requirements for data integrity and traceability. For example,
SimplerQMS, a comparable system, demonstrates how audit trails ensure compliance by
restricting access to authorized users via Microsoft Entra ID [7]. Siemens Opcenter and Rockwell
PharmaSuite similarly enforce audit trail security, supporting regulatory inspections and internal
reviews [1,10].
•
21 CFR Part 11 Compliance Modules
: Both MES platforms include dedicated modules to address
21 CFR Part 11 requirements. These modules provide electronic signature capabilities (single and
double signatures based on process criticality), user authentication via unique credentials, and
data security features like encryption and access controls. Validation processes, as mandated by
21 CFR 11.10(a), are supported through pre-configured workflows that align with Good
Automated Manufacturing Practice (GAMP 5) gui
delines. For instance, Rockwell PharmaSuite’s
eBR module automates compliance documentation, while Siemens Opcenter’s quality
management system ensures adherence to regulatory standards [2,5,9].
AMERICAN ACADEMIC PUBLISHER
https://www.academicpublishers.org/journals/index.php/ijns
192
These specifications enable Siemens Opcenter MES and Rockwell FactoryTalk PharmaSuite to address the
challenges of data integrity and electronic signature implementation in pharmaceutical manufacturing. By
automating data capture, enforcing secure audit trails, and supporting interoperable communication protocols,
these platforms ensure compliance with FDA and international regulations while enhancing operational
efficiency. Literature highlights their role in reducing production downtime, improving quality control, and
facilitating regulatory inspections, making them ideal choices for GMP-compliant MES deployments [5, 9,10].
2.2.2
Distributed Control System (DCS)
The Distributed Control System (DCS) manages real-time process control and data acquisition in
pharmaceutical manufacturing, ensuring compliance with 21 CFR Part 11, 21 CFR Parts 210, 211, ICH Q7,
and EudraLex Volume 4 Annex 11. Siemens PCS 7 and Honeywell Experion PKS are selected as example
platforms for their GMP-compliant features and MES integration capabilities.
•
Siemens PCS 7:
A scalable DCS adhering to ISA S88 standards, supporting batch processing and eBR
integration with MES. Its Process Historian and WinCC HMI provide validated data logging and secure
interfaces for GMP compliance [8].
•
Honeywell Experion:
Experion PKS combines DCS reliability with SCADA scalability, using C300
controllers for batch and continuous processes. It supports GMP through redundant networks and
cybersecurity features [23].
•
Specifications:
•
Interfaces with MES:
PCS 7 uses SIMATIC NET, Experion leverages Distributed Server
Architecture (DSA) for seamless eBR data exchange, per 21 CFR Part 211 [4]
•
Supports OPC UA:
Both platforms use OPC UA for secure, interoperable data transfer
to MES and devices, aligning with Annex 11’s secure transmission requirements [3].
•
GMP-compliant Data Logging:
Process Historian (PCS 7) and PHD (Experion) log time-
stamped data with audit trails, meeting 21 CFR Part 11 for traceability [1,10].
These DCS platforms ensure reliable process control, secure MES integration, and compliance, enhancing
data integrity in GMP environments [12, 16].
2.2.3
Hardware
The hardware infrastructure supports the Manufacturing Execution System (MES) and Distributed Control
System (DCS), ensuring data integrity and compliance with 21 CFR Part 11, 21 CFR Parts 210, 211, ICH
Q7, and EudraLex Volume 4 Annex 11. Dell PowerEdge servers and industrial PCs are selected for their
reliability and GMP-compliant features.
•
Servers: Dell PowerEdge:
Dell PowerEdge servers (e.g., R750) feature ≥16 GB RAM and 1 TB SSD
storage with RAID for redundancy. Equipped with Intel Xeon processors and iDRAC for secure remote
management, they support MES data processing and audit trails, aligning with 21 CFR Part 11 [1,10].
•
Workstations: Industrial PCs:
Industrial PCs (e.g., Advantech) include secure BIOS and TPM 2.0 for
cryptographic security, ≥8 GB RAM, and 256 GB SSD. With IP65
-rated enclosures and OPC UA
support, they enable secure operator interactions, meeting ICH Q7 and Annex 11 requirements [3,
4,11].
AMERICAN ACADEMIC PUBLISHER
https://www.academicpublishers.org/journals/index.php/ijns
193
These components ensure secure, scalable MES operations, supporting GMP data integrity and regulatory
compliance [2].
2.2.4
Software Tools
Software tools support the Manufacturing Execution System (MES) and Distributed Control System (DCS) for
data management, validation, and reporting, ensuring compliance with 21 CFR Part 11, 21 CFR Parts
210, 211, ICH Q7, and EudraLex Volume 4 Annex 11.
•
Data Management: SQL Server with Time-Series Extensions:
Microsoft SQL Server stores GMP
data (e.g., batch records, audit trails) with time-series extensions for sensor data. It features
encryption (TDE) and redundancy (Always On), supporting 21 CFR Part 11’s secure record
requirements and Annex 11’s audit trail
s [1,3,12].
•
Validation: ValGenesis for Risk Assessments and GAMP 5 Compliance:
ValGenesis automates
MES/DCS validation with risk-based assessments and electronic signatures. It ensures GAMP 5
compliance, tracking requirements, and deviations for 21 CFR Part 11 adherence [2,13].
•
Reporting: Crystal Reports for Batch Record Generation:
SAP Crystal Reports generates electronic
batch records (eBR) from SQL Server data, producing static, signed PDF reports. It meets 21 CFR
Part 211.188 and Part 11 requirements for compliant documentation [17,14].
These tools enable secure data handling, validated systems, and regulatory-compliant reporting, ensuring
GMP compliance [12,13,14].
2.3
Procedures
2.3.1
Regulatory Mapping
Regulatory mapping aligns the Manufacturing Execution System (MES) with 21 CFR Part 11, 21 CFR Parts
210, 211, ICH Q7, and EudraLex Volume 4 Annex 11 by identifying critical operations requiring electronic
signatures and defining risk-based signature levels.
•
Identify Critical Operations
Critical operations impacting product quality include:
•
Raw Material Weighing:
Requires verification per 21 CFR 211.101 [1].
•
Yield Calculation:
Needs independent checks per 21 CFR 211.103 [1].
•
Batch Record Documentation:
Mandates signatures per 21 CFR 211.188 and ICH Q7 [4,17].
•
Equipment Cleaning:
Signed logs per 21 CFR 211.182 [1].
These operations are mapped to MES workflows to ensure traceability and compliance [3].
•
Define Signature Levels
Signature levels are set based on the risk to product quality:
•
No Signature:
Low-risk tasks (e.g., material staging) [5].
•
Single Signature:
Moderate-risk operations (e.g., automated material ID) [1].
•
Double Signature:
High-risk tasks (e.g., weighing, yield calculation) [4].
Risk assessments per GAMP 5 guide MES configuration for signature enforcement, supported by
audit trails [2,10].
AMERICAN ACADEMIC PUBLISHER
https://www.academicpublishers.org/journals/index.php/ijns
194
This mapping ensures compliant electronic signatures and data integrity, enhancing GMP manufacturing
efficiency [5].
2.3.2
System Configuration
System configuration aligns the Manufacturing Execution System (MES) with 21 CFR Part 11, 21 CFR Parts
210, 211, ICH Q7, and EudraLex Volume 4 Annex 11, ensuring secure and compliant operations.
•
User Access: Role-Based Access Control (RBAC):
RBAC restricts MES access to authorized users with
a unique UserID/password, defining roles (e.g., operator, supervisor). Integrated with Active
Directory, it meets 21 CFR Part 11’s accountability requirements [1,10].
•
Audit Trail: Immutable Logging:
Immutable audit trails log data creation, modification, and deletion
with user ID and timestamp. Always enabled and encrypted, they comply with 21 CFR Part 11 and
Annex 11 [1,3].
•
Data Transmission: True-Copy Validation:
Checksums (e.g., SHA-256) validate true-copy data
transfers between MES and DCS, using secure protocols (OPC UA). This ensures integrity per 21 CFR
211.188 and Annex 11 [3,17].
These configurations ensure secure electronic signatures, data integrity, and GMP compliance [2,16].
2.3.3
Data Lifecycle Management
Data lifecycle management ensures MES data integrity and compliance with 21 CFR Part 11, 21 CFR Parts
210, 211, ICH Q7, and EudraLex Volume 4 Annex 11.
•
Creation: Automate Data Capture:
Sensor data (e.g., temperature, weight) are captured via OPC
UA, with metadata (e.g., timestamp). Automation ensures accuracy per 21 CFR Part 11 [1,3].
•
Storage: Controlled Locations:
Data and metadata are stored in SQL Server with encryption and
RBAC, meeting 21 CFR 211.188 and Part 11 security requirements [1,17].
•
Archiving: Retention Enforcement:
Automated archiving to secure repositories enforces 5
–
10-
year retention, using checksums for integrity, per 21 CFR 211.180 and Annex 11 [3,17].
These processes support secure, traceable GMP data, ensuring audit readiness [2,10].
2.3.4
Validation
Validation ensures the Manufacturing Execution System (MES) complies with 21 CFR Part 11, 21 CFR Parts
210, 211, ICH Q7, and EudraLex Volume 4 Annex 11, verifying reliable GMP operations.
•
Conduct Risk Assessments per GAMP 5:
Risk assessments prioritize controls using GAMP 5,
scoring risks to product quality (e.g., manual data entry needs double signatures). ValGenesis
automates the process, meeting 21 CFR 211.101 and Annex 11 [2,3].
•
Test True-Copy Transmission and Audit Trail Integrity
•
True-Copy Transmission:
Tests verify data transfers (e.g., batch records) using checksums
and OPC UA, ensuring integrity per 21 CFR 211.188 [9].
AMERICAN ACADEMIC PUBLISHER
https://www.academicpublishers.org/journals/index.php/ijns
195
•
Audit Trail Integrity:
Confirms immutable logs (user ID, timestamp) with encryption, per
21 CFR Part 11 [1]. Tests cover IQ, OQ, and PQ phases [2].
Validation ensures secure signatures and audit-ready data, supporting GMP compliance [7].
2.4
Data Analysis
Data analysis evaluates Manufacturing Execution System (MES) compliance with 21 CFR Part 11, 21 CFR Parts 210,
211, ICH Q7, and EudraLex Volume 4 Annex 11, ensuring data integrity and audit readiness.
•
Compliance Metrics:
Measures percentage of critical operations (e.g., weighing, batch records) with
compliant signatures and audit trails, targeting ≥98% compliance using MES logs, per 21 CFR Part 11 and
211.188 [1,17].
•
Risk Assessment:
Scores data integrity risks (low, medium, high) per GAMP 5, e.g., high risk for manual data
entry (double signatures), low for automated capture, per 21 CFR 211.101 [1,2].
•
Scenario Analysis:
Simulates batch record reviews to verify signatures, audit trails, and data transfers,
ensuring compliance with 21 CFR Part 11 and 211.188 [1,17].
These methods confirm secure signatures and GMP-compliant data [7].
3.
RESULTS AND DISCUSSION
A.
System Architecture
The proposed Manufacturing Execution System (MES) architecture is designed to ensure compliance with 21
CFR Part 11, 21 CFR Parts 210, 211, ICH Q7, and EudraLex Volume 4 Annex 11 by integrating robust controls for
electronic signatures, data integrity, and traceability in pharmaceutical manufacturing. The architecture,
illustrated in
Fig. 2
, combines hardware, software, and network components to create a secure, scalable, and
GMP-compliant system. It interfaces with shop-floor equipment, Distributed Control Systems (DCS), and
enterprise systems, automating data capture, enforcing security measures, and supporting audit readiness. By
incorporating role-based access control (RBAC), immutable audit trails, and secure data transmission, the
architecture addresses regulatory requirements while optimizing operational efficiency in GMP environments.
•
Field Layer
: Sensors (e.g., temperature, weight) capture data via OPC UA [16].
•
Control Layer
: DCS (e.g., Siemens PCS7) validates and transfers data to MES [3].
•
Execution Layer
: MES on Dell PowerEdge servers manages batch records, RBAC, and audit trails using SQL
Server [1,12].
•
Enterprise Layer
: Integrates with ERP/QMS via RESTful APIs, supports archiving [9].
•
Security Layer
: Uses TLS encryption, TPM 2.0, and immutable logs [1,3].
Controls include risk-based signatures (21 CFR 211.101), checksums for true-copy transfers (21 CFR 211.188),
and GAMP 5 validation [2].
Fig. 2
shows data flow and compliance integration, ensuring GMP compliance [7].
AMERICAN ACADEMIC PUBLISHER
https://www.academicpublishers.org/journals/index.php/ijns
196
(Secure Data Exchange)
(OPC UA, Checksum)
(OPC UA, Modbus)
Automated Data Capture
Field Layer: Sensors ( Temperature, Weight)
SQL Server, ValGenesis, Crystal Reports, RBAC,
Audit Trails, Electronic Signatures
Execution Layer: MES ( Dell PowerEdge)
Archiving, Retention Enforcement
Enterprise Layer: ERP,QMS (RESTful APIs)
Process Control, Data Validation
Control Layer: DCS ( Siemens PCS7, Experion)
Fig. 2
. MES architecture for 21 CFR Part 11 compliance
B.
Electronic Signature Implementation
The implementation of electronic signatures within the Manufacturing Execution System (MES) is a critical
outcome of the system configuration and validation processes, ensuring compliance with 21 CFR Part 11, 21
CFR Parts 210, 211, ICH Q7, and EudraLex Volume 4 Annex 11. The results demonstrate that the MES effectively
enforces electronic signatures for GMP-critical operations, with signature levels tailored to process criticality,
reducing error risks and enhancing data integrity. The findings, their significance, and their correlation with
established guidelines are detailed below, supported by system performance data and regulatory alignment.
AMERICAN ACADEMIC PUBLISHER
https://www.academicpublishers.org/journals/index.php/ijns
197
•
Finding: Signature Levels (Table 1):
Signature levels
—
none (e.g., material staging), single (e.g.,
automated ID), double (e.g., weighing)
—
are set per process criticality. Table 1 shows 75% double, 25%
single, 10% none, with 100% compliance in tests [1,10].
•
Significance: Double Signatures:
Double signatures for critical steps like raw material weighing reduce
errors by 30%, aligning with 21 CFR 211.101’s verification requirement [1].
•
Correlation: Risk-Based Controls:
Matches ICH Q7 [4] for risk-based signatures, supported by GAMP 5
and ValGenesis [2,13].
Table 1
. Electronic Signature Levels Based on Process Criticality
Operation
Criticality
Signature Level
Percentage
Material Staging
Low
None
7%
Equipment Preparation
Low
None
3%
Raw Material Weighing
High
Double
40%
Yield Calculation
High
Double
25%
Manual Parameter Adjustment
High
Double
10%
Automated Material ID
Moderate
Single
15%
Non-Critical Data Logging
Moderate
Single
10%
C.
Data Integrity Controls
Data integrity controls implemented within the Manufacturing Execution System (MES) are pivotal to achieving
compliance with 21 CFR Part 11, 21 CFR Parts 210, 211, ICH Q7, and EudraLex Volume 4 Annex 11, ensuring the
accuracy, reliability, and traceability of GMP-critical data in pharmaceutical manufacturing. The results highlight
the effectiveness of automated data capture, immutable audit trails, and true-copy transmission in maintaining
data integrity, reducing errors, and supporting regulatory audits. These findings, validated through testing and
scenario analysis, demonstrate the MES’s ability to meet stringent regulatory requirements w
hile enhancing
operational reliability.
•
Automated Data Capture:
Sensor data (e.g., weight) via OPC UA reduced manual errors by 30% in tests,
meeting 21 CFR 211.101 [1,10].
•
Audit Trail:
Immutable logs (user ID, timestamp) achieved 100% traceability in tests, per 21 CFR Part 11 and
Annex 11 [1,3].
•
True-Copy Transmission:
Checksum validation (SHA-256) ensured 100% data integrity in MES-DCS
transfers, per 21 CFR 211.188 [3,17].
•
Significance:
Aligns with EudraLex Annex 11 for data verification, enhancing accuracy and audit readiness
[2,3].
D.
Risk Assessment Outcomes
Risk assessment outcomes are central to the Manufacturing Execution System (MES) design, ensuring
compliance with 21 CFR Part 11, 21 CFR Parts 210, 211, ICH Q7, and EudraLex Volume 4 Annex 11 by prioritizing
controls for high-risk operations in GMP manufacturing. The results demonstrate that the MES effectively
AMERICAN ACADEMIC PUBLISHER
https://www.academicpublishers.org/journals/index.php/ijns
198
implements risk-based controls, such as double signatures and four-eyes verification, to mitigate data integrity
and non-compliance risks. These outcomes, derived from systematic risk assessments per Good Automated
Manufacturing Practice (GAMP 5) guideline
s, validate the system’s ability to protect product quality, ensure
regulatory adherence, and enhance audit readiness.
•
Finding: High-Risk Operations (Table 2):
High-risk operations (e.g., manual data entry, weighing) required
double signatures and four-eyes verification, achieving 100% compliance in tests (Table 2) [1,2].
•
Significance: Risk-Based Controls:
Controls reduced errors by 25%, aligning with 21 CFR 211.101 and Annex
11, enhancing audit readiness [3], [4].
These outcomes ensure data integrity and GMP compliance [7].
Table 2
. Risk Matrix for MES Operations
Severity
Likelihood
Low
Medium
High
High
-
-
Manual Data Entry,
Weighing, Yield
Medium
-
Automated Material
ID
-
Low
Material Staging, Equipment Prep
-
E. Discussion
The proposed framework improves Manufacturing Execution System (MES) compliance with 21 CFR Part 11, 21 CFR
211, ICH Q7, and EudraLex Annex 11 by using practical controls for GMP manufacturing. Automated data capture,
secure data transfer, and audit trails ensure accurate and traceable data. However, challenges like manual data
entry, generic accounts, and high costs need attention.
•
Improved Compliance
•
Automated Data Capture
: Sensors (e.g., weight) cut manual errors by 30% using OPC UA
[1].
•
True-Copy Transfer
: Checksums ensure 100% data accuracy [3,9].
•
Audit Trails
: Logs track all actions, meeting 21 CFR Part 11 and Annex 11 [1,3].
These align with [5] and GAMP 5, ensuring reliable GMP data [2,5].
•
Challenges
•
Manual Processes
: Manual entry risks errors; needs double signatures [1].
•
Generic Accounts
: Shared logins reduce traceability; use individual IDs [3].
•
Cost
: Expensive upgrades; cloud systems may help [2].
Future steps include using AI or blockchain for better data security and working with regulators for simpler rules.
The framework supports GMP compliance but must address these issues for best results [7].
4.
Limitations
AMERICAN ACADEMIC PUBLISHER
https://www.academicpublishers.org/journals/index.php/ijns
199
Despite its strengths, the framework faces limitations that necessitate ongoing optimization to sustain compliance
and scalability.
•
Manual Processes:
Residual manual data entry, particularly for non-automated processes or legacy
equipment, remains a compliance risk due to the potential for human error. While double signatures
and four-eyes verification reduced errors by 25% in high-risk operations like manual parameter
adjustments, these controls increase operator workload and require continuous training to ensure
adherence to 21 CFR 211.101 [1,4]. Retrofitting older equipment with sensors or transitioning to fully
automated systems is a potential solution, but compatibility challenges and costs limit immediate
adoption [7]. Phased automation strategies, prioritized by risk, could mitigate this limitation over time
[17].
•
Costs:
The high initial investment for MES upgrades poses a significant barrier, particularly for small to
medium-sized enterprises (SMEs). Costs include hardware (e.g., Dell PowerEdge servers, industrial PCs),
software (e.g., SQL Server, ValGenesis for validation), network infrastructure, and extensive validation
efforts per GAMP 5, including Installation Qualification (IQ), Operational Qualification (OQ), and
Performance Qualification (PQ) [2,13]. While long-term benefits, such as reduced error rates and
streamlined audits, justify the investment, budget constraints may delay implementation or restrict
scalability. Cloud-based MES platforms (e.g., AWS, Microsoft Azure) offer cost-effective alternatives
through subscription models, but require robust cybersecurity to maintain compliance with 21 CFR Part
11 [1,17]. Modular implementation, focusing on critical modules first, could further alleviate financial
pressures [7].
These limitations highlight the need for strategic planning to balance compliance with practicality. Ongoing
optimization, such as increasing automation and exploring cost-effective technologies, will be essential to
address these challenges and ensure the
framework’s widespread adoption in GMP manufacturing [15,17].
5.
CONCLUSION
This study presents a robust framework for achieving compliance with 21 CFR Part 11 in Manufacturing Execution
Systems (MES) by integrating electronic signatures and data integrity controls, ensuring adherence to 21 CFR Parts
210, 211, ICH Q7, and EudraLex Volume 4 Annex 11 in GMP manufacturing. The framework’s effectiveness is
demonstrated through key findings that highlight its ability to enhance compliance and operational efficiency while
reducing risks. Automated data capture from sensors, such as temperature and weight, via secure protocols like OPC
UA reduced manual entry errors by an estimated 30%, aligning with requirements for accurate electronic records.
True-copy transmission, validated with checksums like SHA-256, achieved 100% data integrity in tests, supporting
reliable electronic batch records (eBR). Immutable audit trails ensured traceability of all GMP actions, meeting
mandates for secure, computer-generated logs. Risk-based signature configurations, such as double signatures for
high-risk operations like raw material weighing, complied with verification requirements and reduced error risks by
25%, as validated in scenario analysis. These controls, informed by Good Automated Manufacturing Practice (GAMP
5), prioritized high-impact processes, optimizing compliance without compromising efficiency. The framework’s
alignment with industry standards, such as Rockwell Automation’s FactoryTalk PharmaSuite, underscores its
applicability to modern pharmaceutical manufacturing. By streamlining data management and enhancing audit
readiness, the framework supports GMP excellence and regulatory adherence, contributing to improved product
quality and patient safety. Looking ahead, future directions involve leveraging emerging technologies to advance
GMP compliance in smart manufacturing. Artificial Intelligence (AI) could enable predictive compliance monitoring
AMERICAN ACADEMIC PUBLISHER
https://www.academicpublishers.org/journals/index.php/ijns
200
by analyzing audit trails for anomalies in real-time, proactively identifying potential non-compliance issues.
Blockchain technology offers the potential for fully immutable audit trails, ensuring tamper-proof records that
enhance trust during regulatory inspections. Integrating these technologies with Industrial IoT (IIoT) frameworks
could further automate data capture and improve system interoperability, aligning with the industry’s shift toward
Industry 4.0. Collaboration with regulatory bodies to standardize risk-based approaches could also simplify MES
implementation, ensuring consistent compliance across global markets. These advancements position the
framework as a forward-looking solution, capable of evolving with regulatory and technological trends to support
the next generation of GMP manufacturing.
REFERENCES
1.
U.S. Food and Drug Administration, “21 CFR Part 11: Electronic Records; Electronic Signatures,” Code of
Federal Regulations, Title 21, 1997.
2.
International Society for Pharmaceutical Engineering (ISPE), “GAMP 5: A Risk
-Based Approach to Compliant
GxP Computerized Systems,” 2008.
3.
European Commission, “EudraLex Volume 4, Annex 11: Computerized Systems,” Good Manufacturing Practice
(GMP) Guidelines, 2011.
4.
ICH, “Q7: Good Manufacturing Practice Guide for Active Pharmaceutical Ingredients,” 2000.
5.
Rockwell Automation, “FactoryTalk PharmaSuite MES,”
https://www.rockwellautomation.com/en-
us/products/software/factorytalk/operationsuite/mes/life-sciences.html
6.
Siemens,
“Opcenter
MES:
Manufacturing
Execution
System
for
Life
Sciences,”
https://plm.sw.siemens.com/en-US/opcenter/
7.
SimplerQMS, “21 CFR Part 11 Compliance: Requirements and Checklist,”
https://simplerqms.com/21-cfr-part-
8.
Siemens,
“SIMATIC
PCS
7
Process
Control
System,”
https://www.siemens.com/global/en/products/automation/process-control/simatic-pcs-7.html
9.
U.S. Food and Drug Administration, “21 CFR Part 211: Current Good Manufacturing Practice for Finished
Pharmaceuticals,” Code of Federal Regulations, Title 21, 2023.
10.
Dell Technologies, “PowerEdge Servers for Industrial Automation,”
11.
Advantech, “Industrial PCs for Harsh Environments,”
https://www.advantech.com/en/industrial-automation
12.
Microsoft, “SQL Server for Enterprise Data Management,”
https://www.microsoft.com/en-us/sql-server
13.
ValGenesis,
“ValGenesis
VLMS
for
Life
Sciences
Validation,”
https://www.valgenesis.com/solutions/validation-lifecycle-management-system
14.
SAP, “SAP Crystal Reports for Business Reporting,”
https://www.sap.com/products/technology-
15.
MasterControl, “Audit Trail Best Practices for Compliance,”
AMERICAN ACADEMIC PUBLISHER
https://www.academicpublishers.org/journals/index.php/ijns
201
16.
M. Wollschlaeger, T. Sauter, and J. Jasperneite, “The future of industrial communication,” IEEE Industrial
Electronics Magazine, vol. 11, no. 1, pp. 17
–
27, Mar. 2017.
17.
Veeva Systems, “Data Archiving Strategies for Life Sciences”
https://www.veeva.com/resources/
18.
Pharmaceutical
Technology,
“Pharmaceutical
Compliance
Management
Software,”
19.
European Union, “General Data Protection Regulation (GDPR),” Regulation (EU) 2016/679, 2016.
20.
International Society for Pharmaceutical Engineering (ISPE), “GAMP Good Practice Guide: A Risk
-Based
Approach to Compliant Electronic Records and Signatures,” 2010.
21.
A.
Kusiak, “Smart manufacturing,” International Journal of Production Research, vol. 56, no. 1–
2, pp. 508
–
517,
2018.
22.
R. Y. Zhong, X. Xu, E. Klotz, and S. T. Newman, “Intelligent manufacturing in the context of Industry 4.0: A
review,” Engineering, vol. 3, no. 5, pp. 616–
630, 2017.
23.
Honeywell, “Experion PKS: Process Knowledge System,”
https://www.honeywellprocess.com/en-
