PHARMA & BIOTECH MANUFACTURING OT

FDA 21 CFR Part 11 Requires Access Controls Your Manufacturing OT Does Not Have

FDA 21 CFR Part 11 Sections 11.10(d), (e), and (g) require access controls, audit trails, and authority checks for every system that generates electronic records.
Your bioreactor DCS, environmental monitoring, and WFI purification systems are all in scope.

Deployed by: Baker Hughes, GE Vernova, AltaGas, Aluar, Mitsubishi

Compliance and recognition: FDA 21 CFR Part 11, IEC 62443, EU GMP Annex 11, SOC 2 Type II, KuppingerCole Leader 2025

  • $1.3B: Merck NotPetya cost (2017)
  • 20 min: deployment per site
  • Part 11: Sections 11.10(d), (e), (g) covered
  • 40+: countries deployed

The Access Control Gap Part 11 Was Written to Close

In June 2017, NotPetya entered Merck through a compromised software update and moved laterally through the entire network. Remote access points had no session-scoped controls. Network segmentation was insufficient to contain it. The result: $1.3 billion in damages, vaccine manufacturing halted for two weeks, and a pharmaceutical supply chain disruption that took months to resolve.

NotPetya spread because the access architecture treated network connectivity as authorization. That is the gap Part 11 was written to close.

Session-scoped, per-asset authorization is what 11.10(d) expects, not network reachability via VPN.
Remote access ranks among the top three OT vulnerability vectors per the SANS 2025 survey. For pharmaceutical manufacturing, the exposure is specific: bioreactor control systems, environmental monitoring in cleanrooms, CIP automation, WFI purification, and filling line controllers.

How Session Isolation Satisfies Part 11

Part 11 Compliant Access Controls

  • Session-scoped authorization satisfies Section 11.10(d)
  • Limits access at the asset level, not the network level
  • Every vendor authenticates through MFA

Vendor access requires explicit administrator approval before each session begins. Xona Centralizer enforces time-limited, asset-scoped sessions aligned to specific maintenance windows. Access terminates automatically when the window closes. No persistent vendor connection remains.

Result

No network-layer access to the manufacturing segment.

Time-Stamped Audit Trails

  • Centralizer records every session with timestamp and user identity
  • Asset accessed, session duration, and complete visual recording
  • Satisfies Section 11.10(e) requirements

Result

FDA audit trail is a report pull. Not manual reconstruction.
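The access model described in the two blocks above (per-asset, session-scoped authorization that needs explicit approval, MFA and an open maintenance window; a time-stamped, user-attributed record for every decision; an authority check per operation) written out as policy-as-code. This is an added example, not Xona's code: the grant fields, the asset and operation names, the vendor and administrator identities and the in-memory audit list are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Grant:
    user: str
    asset: str                 # one asset (e.g. a bioreactor DCS), never a subnet
    window_start: datetime     # administrator-approved maintenance window
    window_end: datetime
    operations: frozenset      # operations this grant authorizes (11.10(g))
    approved_by: "str | None"  # approving administrator; None = still pending

AUDIT_TRAIL = []  # constructed in-memory stand-in for a central audit log

def _log(now, **fields):  # time-stamped, user-attributed record per decision (11.10(e))
    AUDIT_TRAIL.append({"ts": now.isoformat(), **fields})

def open_session(grants, user, asset, mfa_verified, now):
    """Decide a session request; network reachability is never an input (11.10(d))."""
    g = next((x for x in grants if x.user == user and x.asset == asset), None)
    checks = [(not mfa_verified, "mfa_required"),
              (g is None, "no_grant_for_asset"),
              (g and g.approved_by is None, "approval_pending"),
              (g and not (g.window_start <= now < g.window_end), "outside_maintenance_window")]
    reason = next((r for failed, r in checks if failed), "allow")
    end = g.window_end if reason == "allow" else None  # session ends when the window closes
    _log(now, event="session", user=user, asset=asset, decision=reason,
         duration_s=None if end is None else int((end - now).total_seconds()))
    return reason == "allow", reason, end

def check_operation(g, operation, now):  # authority check on each operation (11.10(g))
    ok = now < g.window_end and operation in g.operations
    _log(now, event="operation", user=g.user, asset=g.asset, op=operation,
         decision="allow" if ok else "deny")
    return ok

def demo():  # constructed scenario: vendor v.kumar approved 08:00-12:00 UTC on BR-01 only
    t0 = datetime(2025, 3, 4, 8, tzinfo=timezone.utc)
    at = lambda h: t0.replace(hour=h)
    g = Grant("v.kumar", "BR-01 DCS", t0, at(12),
              frozenset({"view_trends", "update_setpoint"}), approved_by="admin.ot")
    return {
        "early": open_session([g], "v.kumar", "BR-01 DCS", True, at(7))[1],
        "ok": open_session([g], "v.kumar", "BR-01 DCS", True, at(9)),
        "other_asset": open_session([g], "v.kumar", "WFI-02 PLC", True, at(9))[1],
        "no_mfa": open_session([g], "v.kumar", "BR-01 DCS", False, at(9))[1],
        "op_ok": check_operation(g, "update_setpoint", at(9)),
        "op_not_granted": check_operation(g, "download_recipe", at(9)),
        "op_after_window": check_operation(g, "view_trends", at(13)),
    }
```

Every call, allowed or denied, lands in AUDIT_TRAIL with a timestamp, user, asset and outcome, so an inspection request for a time period is a filter over that list rather than a reconstruction.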

Manufacturing OT Scope Only

  • Bioreactor DCS, SCADA, CIP automation, HVAC monitoring
  • WFI purification, lyophilization, filling lines, serialization
  • LIMS and clinical systems are not in scope

Result

Scope clarity prevents audit exposure.

Multi-Site Pharma Deployment

  • API synthesis, formulation, fill/finish, packaging
  • One CSG per building, 20 minutes to deploy
  • Centralizer aggregates governance across all sites

Result

Every building governed from one console.

20 minutes to deploy per site

No changes to OT network topology or control system configurations. Network firewall policies may require minor updates to enable the CSG connection path. No new VLANs. No batch process disruption.

Deployed by Baker Hughes, GE Vernova, AltaGas, Aluar, and Mitsubishi

Baker Hughes and Aluar run the same session isolation architecture in process manufacturing environments. These are production deployments across 40+ countries and 40+ sites. Not pilots.

Who Benefits and How

Manufacturing / Operations Manager

  • Deploy across API synthesis, formulation, and fill/finish in 20 minutes per site
  • Grant vendors time-limited access to specific bioreactors and filling lines
  • Eliminate change control requests for firewall rules

OT / Automation Engineer

  • Maintain Modbus, OPC UA, and PROFIBUS connectivity through protocol isolation
  • Run concurrent sessions across CIP and WFI systems
  • Deploy without modifying GMP-validated infrastructure

CISO / VP Quality & Compliance

  • Present FDA inspectors with timestamped session recordings
  • Satisfy Part 11 Sections 11.10(d), (e), (g) through one architecture
  • Close the VPN audit gap

Regulatory Affairs / QA Director

  • Map controls to Part 11 11.10(d/e/g) in validation docs
  • Demonstrate EU GMP Annex 11 compliance for European sites
  • Maintain scope clarity: manufacturing OT vs LIMS

Remote Access Comparison for Pharmaceutical Manufacturing OT

Capability           | Xona                                             | Traditional VPN              | Cloud ZTNA                 | Jump Server
Deployment Time      | 20 minutes per site                              | Days to weeks                | Hours to days              | Days to weeks
Network Changes      | None                                             | Firewall rules, VLANs        | Cloud connector config     | Network segmentation
Protocol Isolation   | Full: zero OT protocol data crosses to user side | None                         | None                       | None
Session Recording    | Every session, timestamped, user-attributed      | None at asset level          | Varies                     | Manual logging
Part 11 11.10(d)     | Per-asset, session-scoped authorization with MFA | Network-level only           | Cloud-mediated             | Shared credentials typical
EU GMP Annex 11      | Validated access controls and audit trails       | Manual documentation         | Cloud dependency conflicts | Manual documentation
Batch Process Impact | Zero disruption during deployment                | Downtime for network changes | Cloud dependency risk      | Downtime for setup
FDA Audit Trail      | Automatic from Centralizer                       | Manual log assembly          | Varies by vendor           | Manual log assembly

FDA 21 CFR Part 11 Compliance Mapping

Three subsections apply directly to OT remote access for pharmaceutical manufacturing.
Requirement      | Control                                   | Xona Architecture
Section 11.10(d) | Limiting access to authorized individuals | CSG: session-scoped, per-asset authorization with MFA
Section 11.10(e) | Time-stamped audit trails                 | Centralizer: timestamp, user, asset ID per session
Section 11.10(g) | Authority checks per operation            | Role-based access, time-bounded at CSG
Section 11.30    | Open system controls                      | On-premises CSG, protocol isolation, no cloud dependency
IEC 62443 SR 1.1 | Human user ID and authentication          | MFA enforced at CSG before asset connection
IEC 62443 SR 2.8 | Auditable events                          | Centralizer centralized audit log
Protocol support | Legacy pharma automation compatibility    | Supported protocols include Telnet, VNC, HTTP/HTTPS, Modbus, OPC-UA, and legacy pharmaceutical automation protocols. No protocol upgrades or endpoint agents required.

International Compliance

EU GMP Annex 11 requires validated access controls, audit trails, and data integrity measures for pharmaceutical manufacturing systems. ISPE GAMP 5 defines risk-based computer system validation including access control classification. NIS2 Article 21 treats pharma manufacturers as Essential Entities, making these controls mandatory, not optional. The same session isolation architecture satisfies US FDA Part 11 and EU GMP Annex 11 requirements.

Technical Specifications

  • OT Protocols: Modbus, OPC UA, PROFIBUS, RDP, SSH, Web (pharma-specific HMI and SCADA interfaces)
  • Architecture: CSG (per-site gateway); Centralizer (multi-site governance)
  • Deployment Models: on-premises, hybrid, air-gapped
  • GMP Compliance: no modification to validated network infrastructure; outbound-only communication from CSG to Centralizer
  • Platform v5.5: Session Hold, RDP Auto-Reconnect, concurrent multi-protocol sessions, integration syncs with Forescout and Nozomi Networks

FAQ

Does FDA 21 CFR Part 11 apply to OT systems like bioreactor controllers and environmental monitoring?

Yes. Part 11 applies to any system that creates, modifies, maintains, archives, retrieves, or transmits electronic records subject to FDA predicate rules. When a bioreactor DCS logs batch parameters, those are electronic records under Part 11. The access controls in Section 11.10(d/e/g) apply to any remote access to those systems.

What manufacturing OT systems does Xona cover? Does it apply to LIMS or clinical systems?

Manufacturing floor OT: bioreactor DCS and SCADA for batch processing, CIP automation, HVAC and environmental monitoring, WFI purification, lyophilization controllers, filling line automation, and serialization systems. LIMS, clinical trial databases, and electronic lab notebooks are not in scope.

We already use a VPN for remote access to manufacturing systems. Is that sufficient for Part 11?

A VPN provides network-layer access to a subnet. Section 11.10(d) requires limiting access at the system level. Section 11.10(e) requires time-stamped audit trails. Section 11.10(g) requires authority checks per operation. A VPN satisfies none of these at the asset level.

How does Xona deploy across multiple pharmaceutical manufacturing buildings and sites?

The CSG deploys in 20 minutes per site. Deployment requires no changes to OT network topology or control system configurations. Network firewall policies may require minor updates to enable the CSG connection path. No new VLANs. No change control process for network infrastructure modifications. One CSG covers multiple manufacturing OT systems in the same building. CSG gateways capture session recordings across every connected building and site; Centralizer aggregates governance data and indexes recordings for replay. API synthesis, formulation, fill/finish, and packaging facilities are all governed from one console.

What audit trail does Centralizer provide for FDA inspections?

Every session is recorded with timestamp, user identity, asset accessed, session duration, and complete visual recording. When an FDA inspector requests records for a specific batch or time period, the data is a report pull from Centralizer.

How does Xona relate to IEC 62443 for pharma manufacturing OT security?

IEC 62443 provides the industrial automation security framework. Part 11 provides the FDA regulatory requirement. The CSG architecture satisfies both: SR 1.1 (human user ID and authentication), SR 2.8 (auditable events), and SR 3.1 (communication integrity).

Our manufacturing facility runs 24/7 batch processes. How does deployment work without disrupting production?

The CSG deploys in 20 minutes per site. Deployment requires no changes to OT network topology or control system configurations. Network firewall policies may require minor updates to enable the CSG connection path. No new VLANs. No downtime is required for OT systems during installation. The gateway communicates outbound to Centralizer only, so no inbound ports are opened on the manufacturing network. Deployment takes place during normal operations with zero disruption to batch processes, environmental monitoring, or filling line automation.

Does the architecture satisfy EU GMP Annex 11 for European pharmaceutical manufacturing sites?

Yes. EU GMP Annex 11 requires validated access controls, audit trails, and data integrity measures for computerised systems in pharmaceutical manufacturing. The session isolation architecture delivers the same controls that satisfy FDA Part 11 Section 11.10(d/e/g). ISPE GAMP 5 risk-based validation applies to the access control classification. For manufacturers operating under both FDA and EMA oversight, one deployment satisfies both regulatory frameworks.

Stop Generating Electronic Records Without the Controls Part 11 Requires

Every batch your bioreactor logs is an electronic record under Part 11. Every remote access session to that bioreactor either satisfies 11.10(d/e/g) or it does not. There is no partial compliance.
Start every session audit-ready. 20-minute deployment. Part 11 Sections 11.10(d), (e), and (g) covered. FDA inspection ready from day one.