Federal Regulations for Pharmaceutical and Healthcare

by E.R. Williams

It seems to be correct that configuration management could have saved money during Y2K. Within the Healthcare and Pharmaceutical industries, compliance with HIPAA and Part 11, respectively, is still becoming a challenge. You state that configuration management could be helpful with compliance. Why?

Yes, Configuration Management could have been helpful then and now. If the Configuration Management process had been implemented through most companies the foundation for both regulation requirements would have begun. Let me briefly explain. HIPAA indicates that companies have to comply with requirements for:

  • Privacy
  • Security
  • Transactions and codes
  • Etc.

CFR 21, Part 11 indicates companies have to comply with requirements for:

  • Electronic Records
  • Electronic Signatures
  • Audit Trails
  • Etc.

Now let's address or let me explain why Configuration Management (CM) lays a foundation (traditional CM, not just software on line control). What areas of configuration management as defined in Software/Firmware Configuration Management would/are important, past and present? When you begin to read and understand configuration management, you see the foundation for the above is set when implemented (as required by CMM or CMMI). Again, how Y2K and federal regulations compliance would have been much easier to deal with had the following process and activities been in place/used.

Under CM:


  • Document requirements and all elements of a system and projects. (It was not just identifying a document but the content and description of the product (system, application, software, database, etc.)


  • Security – under CM, securing the environment, hardware, software(on line and off line), etc. is emphasized
  • Data Integrity – data and information modification or change is also addressed through change control and auditing


  • Accountability - That there is status of all that has taken place to data, information and systems
  • Reporting and retention of the above for a required amount of time (archiving policy and procedures).


  • Verification - the process to verify that all elements of the system are correct and accounted for
  • Examination ? the examination to ensure that documentation and systems match all items that have been certified and/or secured and are under configuration control

The above relates to a question that traditional configuration management has been turned into a documentation or data administration process (and just on line software version control) and not the real concern for the system or product (content) and how the data is protected, secured, archived, distributive, and used to development and produce a system, product, etc. that would have laid a foundation.

Previous post:

Next post: