By Barbara DePompa Reimers
April 15, 2003 | The Code of Federal Regulations (CFR) Part 11 was implemented in 1997 to let the FDA accept electronic records and signatures in place of paper records and handwritten signatures. The law outlines controls for ensuring that electronic records and signatures are trustworthy, reliable, and compatible with FDA procedures. The ultimate goal: Make electronic records and signatures as verifiable and traceable as their paper counterparts.
More than five years later, however, pharmaceutical companies and biotech firms are still complaining that FDA inspectors' opinions vary greatly on what constitutes a "lack of compliance" with Part 11, and ongoing regulatory murkiness is seen as partly to blame for the slowing of new-drug approvals.
Industry observers say most FDA inspectors simply aren't yet comfortable with electronic documentation. "These inspectors are scientists, not software engineers," notes William Goebel, director of quality assurance for Cimquest, a consulting firm specializing in systems regulatory compliance. "When they look behind the scenes, they need to see an audit trail in a company's database application." Therefore, when a change is made to a record, the system must save the old version — not overwrite information — as well as keep track of the date, time, and ID of the person who made the change.
Eric Musser, chief technology officer at Ross Systems, adds that many drug companies that have implemented Part 11 compliance for electronic signatures and audit trails still keep all their paper records as backup. Ross Systems sells a software tool called the Validator, used to track transactions so they map completely with CFR Part 11 regulations.
If such redundancy seems grossly inefficient and costly, consider the recent temporary shutdown of Schering-Plough's manufacturing plants in Puerto Rico and New Jersey, where the FDA has levied some $500 million in fines against the firm for failure to provide basic record-keeping security.
As serious as the problem sounds anecdotally, however, the FDA doesn't have an exact number of Part 11 citations issued, nor does it really know how widespread noncompliance is. The agency does not track Part 11 violations as a separate category. Investigators roll these infractions in with others during the course of their regular inspections.
That's not to suggest noncompliance is a safe course. Industry observers say that as the FDA moves to clarify Part 11 compliance guidelines it will expect a reciprocal effort by drug and biotech firms to comply. Assuming good faith by biotechs and drug companies, there's still the issue of cost.
According to some analysts who track FDA regulations, the cost of Part 11 compliance could vary from $5 million to $400 million, depending on a company's size and requirements. The Pharmaceutical Research and Manufacturers of America (PhRMA) projects the industrywide cost of compliance to reach $2 billion by 2006.
The big question is how to comply with Part 11 without busting the budget. Janet Woodcock, director of the FDA's Center for Drug Evaluation and Research (CDER), says the agency is shifting its focus from compliance enforcement to offering guidance and incentives for companies struggling with Part 11 compliance (see "FDA Director Explains the Changes"). This shift in focus is intended partly to ease Part 11's financial pain. Rather than a single, all-inclusive overhaul of a company's computer systems, FDA officials and leading regulatory consultants favor a gradual, "risk-based" approach that is more cost-effective and responsive to a dynamic business environment.
Risk-based compliance evaluation carefully analyzes computer systems and information-handling processes to assess the risk and cost of converting paper-based information to an electronic format. Various systems and processes may be plotted on an X-Y matrix (see chart) that measures, from low to high, the risk to security of the data (X-axis) and the cost of upgrading (Y-axis).
Then the company may prioritize its systems and processes needing conversion or replacement based on where they fall in the matrix. Computer systems, for example, that fall in the "high data security risk, low conversion cost" area of the matrix could be targeted first for compliance validation.
Audits and Gap Analyses
The first step, however, is to conduct an internal audit, which creates a master list clearly defining the systems that are, or are not, compliant. Nowadays, though, conducting such an audit is merely table stakes. "The FDA wants to see hard evidence that companies are implementing these compliance plans, using specific timelines to show when they will upgrade noncompliant systems," warns Tamar June, director of marketing for AssurX, a software and services provider.
Parallel to a systems audit, the company must also evaluate processes for tracking, controlling, and safeguarding data all the way from discovery through clinical trials. From this assessment, the company should then create standard operating procedures (SOPs) that include sophisticated data encryption. Otherwise, it's possible that clinical information, for example, could be intercepted and changed without the company's knowledge, says Paul W. Allen, managing partner for the life sciences practice at Clarkston Consulting.
Many biotech organizations have already generated an inventory or master list of all their computer systems and evaluated them to determine the potential risk in the event of a computer error or failure. But this task must be followed by a gap analysis that creates specific actions to bring each system into compliance.
When prioritizing which systems to upgrade, the key is to focus on public health and safety risks that arise from using certain technologies. "The FDA's primary concern is ensuring public health and safety," says Keith Chambers, senior product evangelist for GE Fanuc Intellution, a company that provides software and services.
One area, for example, may be the lack of an automatic audit trail specifying changes (new entries, modifications, deletions) to drug-development study records, as well as the reason for those changes, says Jim Grosspietsch, director of marketing for NetRegulus, a software and services provider.
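The audit-trail behaviour described here and in the earlier paragraph on what inspectors look for (old value kept, date, time, user ID and reason recorded for every new entry, modification or deletion) can be enforced inside the database application itself. The following is an added example, not code from the article or from any vendor it names; the table names, column names and the `change`/`history` functions are assumptions made for illustration.

```python
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema: names are illustrative, not taken from any real product.
SCHEMA = """
CREATE TABLE study_record (id INTEGER PRIMARY KEY, value TEXT, deleted INTEGER DEFAULT 0);
CREATE TABLE audit_trail (
    seq INTEGER PRIMARY KEY AUTOINCREMENT, record_id INTEGER NOT NULL,
    action TEXT NOT NULL CHECK (action IN ('create', 'modify', 'delete')),
    old_value TEXT, new_value TEXT,
    user_id TEXT NOT NULL, changed_at TEXT NOT NULL,
    reason TEXT NOT NULL CHECK (length(trim(reason)) > 0));
-- History is append-only: rewriting or removing a trail row is rejected.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_trail
BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_trail
BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
"""

def open_db():
    db = sqlite3.connect(":memory:")  # in-memory database for the demo
    db.executescript(SCHEMA)
    return db

def change(db, action, user_id, reason, rid=None, value=None):
    """Apply a create/modify/delete and its audit row in one transaction."""
    with db:  # both writes commit together, or both roll back on error
        if action == "create":
            old = None
            rid = db.execute("INSERT INTO study_record (value) VALUES (?)",
                             (value,)).lastrowid
        else:
            row = db.execute("SELECT value FROM study_record "
                             "WHERE id = ? AND deleted = 0", (rid,)).fetchone()
            if row is None:
                raise KeyError(rid)
            old = row[0]
            kept = value if action == "modify" else old  # delete is a soft delete
            db.execute("UPDATE study_record SET value = ?, deleted = ? WHERE id = ?",
                       (kept, int(action == "delete"), rid))
        db.execute("INSERT INTO audit_trail (record_id, action, old_value, new_value,"
                   " user_id, changed_at, reason) VALUES (?, ?, ?, ?, ?, ?, ?)",
                   (rid, action, old, value, user_id,
                    datetime.now(timezone.utc).isoformat(), reason))
    return rid

def history(db, rid):
    """Return the full change history of one record, oldest first."""
    return db.execute("SELECT action, old_value, new_value, user_id, changed_at, reason"
                      " FROM audit_trail WHERE record_id = ? ORDER BY seq", (rid,)).fetchall()
```

Because the record change and its trail row share one transaction, a change submitted without a reason is rolled back entirely rather than applied unlogged. The triggers stop ordinary updates and deletes of history, but anyone allowed to alter the schema could drop them, so schema access needs the same restrictions as data access.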
Costs typically drop as companies establish a pattern of success in FDA audits, gaining confidence about each process they move from paper to electronic documentation. Over time, the price of the technology should decrease. It costs less today to use electronic signatures, for example, than it did two years ago.
Info That Should Comply
Along with ensuring data integrity, building the facilities and processes to recover from a system crash is also central to compliance. In the event of a disaster, crucial development data must be recoverable and uncorrupted. Procedures need to be created for regular backups, with processes periodically checked so that data, when recovered, are correct.
The quickest way to handle this requirement is to purchase disaster-recovery services, although smaller biotechs often prefer using internal personnel to conduct backups and recovery. In that case, these people need to be trained and practiced in recoveries, Clarkston's Allen says, to guarantee rapid and complete business restoration.
The area many companies find most challenging, however, is defining what information falls under the provisions of CFR Part 11. The most reliable way: Look at the requirements for that same information when it's included in a printed document, advises Frank Grywalski, CEO of Decision Management International, a software and services provider specializing in FDA-regulated businesses.
Keep in mind that even software designed to comply with Part 11 regulations must be properly configured and validated to achieve that compliance. For example, Allen explains, a system that supports multiple usernames and passwords will fail compliance if just two users share the same username and password.
Ensuring that every user has a unique name and password isn't enough, however. SOPs must also limit access to only those people with a preapproved need for the information. "You don't want everybody who has access to the system to be able to change data, alter a drug recipe, or make a change without your knowledge or the appropriate access authority," Allen says.
Many pharmaceutical firms still argue that the huge volumes of data created daily make total compliance impossible. Software suppliers and consultants counter that, once a system has been properly configured, with audit trails and security protocols, the volume of records or documents is irrelevant. If the software is properly implemented and the procedures updated, they insist, the data will be validated to comply with Part 11.
The biggest nut to crack, of course, is bringing legacy systems into compliance. Here it's critical to have a plan for replacing aging hardware and software that includes the reasons why the systems aren't currently being upgraded or replaced. And, again, you must show the FDA a schedule for bringing these systems into compliance or replacing them.
Because of the breadth and complexity of the systems that fall under Part 11 regulations, there are no shortcuts to full compliance. But the FDA is hoping its latest guidelines will help ease the way. And the cottage industry of software suppliers and regulatory consultants is continually refining its packaged, "risk-based" compliance products and services to help companies decide which systems, policies, and procedures to tackle first.
CFR Part 11 is unlikely to be deregulated anytime soon. Indeed, the demand for minimum security levels, data recoverability, and audit trails will only grow. By 2010, industry observers say, the focus on Part 11 compliance will shift from the paper-to-digital migration to finding new ways of storing and maintaining several years' worth of compliant electronic data. This is yet another cost biotech companies must be ready to absorb, as technology evolves and data-storage requirements expand.
Barbara DePompa Reimers writes on business and IT issues from Germantown, Md. She may be reached at email@example.com.
ILLUSTRATION BY ALEX NABAUM