By Salvatore Salamone
December 15, 2002 | Life science companies in the future may have to go to extraordinary lengths to prove to the FDA that their IT systems and the people who run them are doing everything by the book.
That was the warning in an address from Sun Microsystems Global Life Sciences Director Howard Asher entitled “The Unique IT Needs of the Life Sciences Community.” The address was delivered at the BioITWorld Conference & Expo held in San Diego last month.
According to Asher, the FDA and other global regulatory bodies are going to expect rigorous proof that the IT systems do as good a job of ensuring the data validity and that systems track and document changes as well as the paper-based approaches of the past.
“When it comes to compliance, people say, ‘CFR Part 11, it’s like Y2K -- piece of cake,’” Asher said. But there is a major difference. With the Y2K problem, if a system wasn’t Y2K compliant and caused a problem, the consequences were usually minimal and there was no real penalty. With CFR Part 11 compliance, a single slip-up anywhere, and the FDA “can seize products, close factories, and arrest managers,” he said.
“If you are going to take away the paper, the key word is trust,” Asher said. He believes the future will have FDA-validated IT networks, FDA-certified systems administrators, and the need for independent third parties to perform systems-administrative audits.
IT’s the Game
Asher, like many others in the industry, believes life science companies are looking to technologies such as higher-performance computing, analysis tools, and knowledge management systems to increase the number of new drugs they develop and cut the time and cost to develop each one.
As IT systems are deployed to reap potential gains in productivity, the extent of what is regulated has grown, Asher said. Over the years, regulatory compliance has extended from covering a relatively discrete part of a life science company’s operations, such as clinical trials, manufacturing, and labeling of drugs, to marketing, development, sales, and distribution.
For example, Asher said, “If a drug is distributed and starts killing people, distribution reports are a key. The FDA wants 100 percent retrieval of the product.”
Some life science companies are looking to IT to help prevent regulatory troubles. For example, companies use security techniques to ensure confidentiality of patient records to meet HIPAA requirements and encryption technology and audit trails to help satisfy CFR Part 11 requirements.
But convincing the FDA that everything is OK won’t be easy, he said.
For instance, most FDA inspectors are not comfortable with e-anything. “FDA inspectors spend 70 percent of their time watching tomatoes being crushed and cheese being made,” Asher said. So when they go into a data center, not all inspectors might feel at home.
One Iowa-based life science company, which had gone all electronic, was forced by a federal court order sought by an FDA inspector to print out all of its documents. The company had to produce 600 cases of paper documents, Asher said. He hopes this won’t be the norm, but he believes companies will need to demonstrate that the networks and systems holding their data are indeed secure.
The burden of proof is on the life science company to show that its IT systems meet the same stringent requirements as paper-based systems. Such compliance will give rise to FDA-validated networks and FDA-certified systems administrators.