Friday, February 21, 2003

FDA drops the other shoe on Part 11

FDA has just announced that it is issuing a single new draft guidance document for 21 CFR Part 11, and it is withdrawing all prior agency draft guidance on Part 11. In its announcement, FDA stated clearly that a re-examination of Part 11 is already underway that may result in revision of Part 11 itself. FDA also indicated that for the time being it will "not normally take regulatory action to enforce Part 11 with regard to systems that were operational before August 20, 1997. . . while we are examining Part 11." In other words, for now, legacy systems are grandfathered. Furthermore, FDA indicated specific concerns over some Part 11 requirements for validation, audit trails, record retention, and record copying.

I was at the Medical Device Manufacturing conference in Anaheim when word began to spread through the exhibit floor regarding this announcement. But after carefully reading the new guidance this morning, it is clear that FDA is not abandoning its concern about use of computer systems. I say this for three reasons:
  1. Even though FDA withdrew Part 11 guidance regarding validation, validation of computer systems is still a requirement under predicate rules (e.g. 21 CFR Part 210, 211, and 820). Validation was a requirement even before Part 11 was originally promulgated.

  2. FDA stated clearly that it will continue enforcement of certain controls for closed systems (11.10) and open systems (11.30), such as limiting access, operational checks, authority checks, device checks, and administrative/procedural controls.

  3. FDA stated it would continue to enforce all of the Part 11 requirements for electronic signatures. Almost no legacy system meets these requirements without remediation or adoption of a hybrid system of handwritten signatures executed to electronic records.

As I wrote earlier this month, FDA is not abandoning its interest in regulating use of electronic records and electronic signatures. Regulated companies should continue to implement the administrative and procedural controls called for by Part 11, since for the most part they are not difficult to implement, and they represent best security practices that will increase the trustworthiness and reliability of any system. Vendors of packaged software (such as ERP, PDM, document management, and quality assurance systems) that are working on adding technical controls required by Part 11 should continue their efforts. Nevertheless, FDA’s announcement gives both users and software vendors some breathing space to implement proper controls over electronic records and signatures, with the hope of a better-defined, risk-based approach to Part 11 to come in the future.

Friday, February 14, 2003

Corporations—the next target for crackdown on piracy

Just three weeks ago, I predicted that large corporations would be the next target for the entertainment industry’s crackdown on Internet piracy of copyrighted media content. But it turns out that my prediction is coming true faster than I expected. The entertainment industry is already distributing a brochure to hundreds of corporations around the world, urging them to take action against employee downloading, or face legal consequences. ZDNet has a full report on this latest warning from the entertainment industry.

As I noted earlier, companies need to get their desktops under control. Many companies already have policies in place regarding acceptable use of corporate systems and desktops, but many of the same companies do not take the next step to directly audit desktops for compliance. All companies, large and small, need to adopt periodic desktop auditing as a best practice to mitigate liability.

My firm, Strativa, has already conducted one such audit on behalf of a large company, with a worldwide network, and the results were a real eye-opener. We wrote a white paper on the subject, which is available here [no longer available--contact me if interested--FS].

Wednesday, February 05, 2003

FDA signals change in approach to Part 11

Last week, FDA announced that it is withdrawing its draft guidance regarding the electronic copies requirements of 21 CFR Part 11. This is good news for all companies regulated by FDA. When FDA first issued this draft guidance less than three months ago, it was clear to me that if something wasn’t changed it was going to be nearly impossible to implement. For example, the guidance called for companies to provide FDA with capabilities to "perform the same kinds of data processing" on the electronic copies that the company’s own system allows on the original records. Other consultants I’ve spoken to had basically the same reaction. So, withdrawal of this guidance is welcome.

There are hints that FDA soon may be making more changes to its approach to Part 11. FDA made this announcement in the context of the initiative it began last August to update its current good manufacturing practice (cGMP) program to a more risk-based approach. In this context, FDA indicates that the withdrawn guidance on Part 11 "may no longer represent FDA’s approach under the CGMP initiative." Furthermore, FDA announced that main responsibility for implementing Part 11 is shifting from the Office of Regulatory Affairs to the Center for Drug Evaluation and Research (CDER), the FDA center that regulates drugs.

The implications of FDA’s announcement are a) that a more risk-based approach to Part 11 may be forthcoming, something that practitioners have been calling for since Part 11 was first promulgated, and b) that Part 11 should be applied on an industry-specific basis, by those who best understand industry issues and risks. Although CDER will take the lead in implementing Part 11, it would seem likely that inspections against Part 11 would be carried out by investigators from each FDA Center.

Companies struggling with Part 11 compliance should view FDA’s announcement and its implications as providing some breathing space--not as an abandonment of FDA’s interest in regulating use of electronic records and electronic signatures. Regulated companies should continue to implement the administrative and procedural controls called for by Part 11, since for the most part they are not difficult to implement, and they represent best security practices that will increase the trustworthiness and reliability of any system. Vendors of packaged software (such as ERP, PDM, document management, and quality assurance systems) that are working on adding technical controls required by Part 11 should continue their efforts. Nevertheless, FDA’s announcement may indicate that both users and vendors may be able to deal with Part 11 with less uncertainty than in the past.

For more discussion on Part 11 and its implications for users and vendors, see the posts I wrote in October, November, and December of last year.