almost passed this one up because of the technical headline.

21 CFR Part 11: Current industry position

3/27/2001 By Kate Townsend, VP of Regulatory Affairs, Taratec Development Corp.

Background

In August 1997, the Food and Drug Administration (FDA) issued a new regulation entitled 21 CFR Part 11. The regulation was created to set standards for systems containing electronic records and electronic signatures and for the use of these systems. Although the regulation has been in effect for three years, the FDA has proceeded very slowly in its enforcement primarily due to two factors: the enormous amount of industry resources focused on the Year 2000 (Y2K) problem and the lack of a clear interpretation of the ruling.

Perception and Position

With the FDA beginning to enforce the regulation after an unofficial three year grace period due to Y2K, companies have changed their position on 21 CFR Part 11. While the early adopters have attempted to set policy on Part 11 from the start, the majority of companies are only now beginning to take action. They are moving away from their previous wait and see attitude to begin to internally address what actions need to be taken to achieve compliance.

Unfortunately like Y2K, which cost life science companies millions of dollars, Part 11 compliance will not be inexpensive. In fact, a number of companies and industry associations have stated that Part 11 has the potential to cost substantially more than Y2K. One of our clients recently spent $250MM on their Y2K initiative and has now committed to spending as much as $350MM over the next several years to complete assessment and remediation activities. Another client has estimated that compliance for a single manufacturing plant will cost between $10MM and $12MM. A third organization is expecting to spend as much as $20MM per laboratory for the same initiative.

Approach

There are many similarities between Part 11 and Y2K in the approach to be taken as both efforts begin with creating awareness for the problem and end with remediating the issues that have been identified. However, the scope of Part 11 is substantially broader as the regulation encompasses more than just substantial changes to the coding of computer systems. Part 11 also includes aspects such as operation and support policies and procedures as well as maintaining the appropriate level of personnel training.

One of the many things learned with Y2K was the significant project management challenge involved. Although much of the remediation was truly technical in nature, the sheer breadth of the effort posed challenges to many firms. The Part 11 compliance problem is again broader in scope as the number of people, organizations, and departments affected is larger than in Y2K, compounded by the fact that the technical issues themselves are arguably more complex.

Some of the most effective Y2K programs were managed by a centralized Program Management Office (PMO) and this concept can also be applied to Part 11 compliance. The PMO functionally organizes the primary activities that are required to manage a project of this size and complexity. PMO’s may be implemented on a global level, by business unit, and/or by department. Functions may be replicated or centrally located depending on business need and resource availability. The key to a successful PMO lies in having a simple mechanism to consistently monitor progress.

Companies should also consider who will conduct the Part 11 compliance effort itself. Unfortunately, this is not a project that may be outsourced in its entirety, although the use of a company to oversee the initiative is imperative. Outside consultants have typically been employed to assist with the interpretation, training, and assessment activities. However, the greater value in using a strong group of consultants is in establishing and even managing several components of the PMO.

Taratec has been involved in the compliance dilemma with many different clients and we have discovered that there is currently no specific organizational approach that all companies have adopted. Some organizations have selected the pilot approach, allowing a few groups to begin the Part 11 initiative outside of the corporate umbrella. Although this certainly expedites the process, the potential ramifications of a false or unguided path could pose many obstacles in the future. Other organizations have elected to execute parallel efforts in an attempt to save time. While this approach may speed up the process initially, in the long run it may substantially increase the effort as some of the work may have to be repeated after a corporate interpretation is finalized.

One point to consider is that most organizations are addressing this issue on a worldwide basis. This greatly increases the importance of having a single interpretation throughout a company. Since one system, a data warehouse for example, will often store data/records that are utilized by a number of departments, there must be a single standardized interpretation to assess the system consistently throughout the organization. Having a standardized interpretation will also help unify a worldwide compliance effort as well as saving time and money.

Remediation and Replacement

Since the majority of the industry has not reached this phase of the compliance process it is difficult to ascertain how it will unfold. Due to the sheer size of the effort, the most effective solution will most likely be a joint project between customers, vendors, and outside subject matter experts. This solution will minimize the internal strain on client resources as well as lowering overall cost since it will be possible to deploy resources on as needed basis.

It is important to realize that compliance cannot be achieved by simply buying new systems to replace those that are not compliant for a number of reasons. Although some companies are taking steps to provide the proper technical controls such as a full audit trail and the proper authority checks, currently they are few in number and must be carefully evaluated on a case-by-case basis. The vast majority of vendors simply state that they are Part 11 compliant without any knowledge of what that claim entails.

Additionally, it is important to realize that regardless of the reputation of the vendor and the quality of the product, it is impossible to have compliant software directly out of the box as compliance is also dictated by the use of the system in a specific environment. For example, the FDA requires that the personnel who develop, maintain, and use electronic record systems have the proper education and training to perform their assigned tasks. It is the responsibility of the client to determine the appropriate level of training and vendor supplied product instruction alone is not sufficient. Part 11 also requires that each system be fully validated which is a task which no vendor can complete.

Critical Success Factors

Here are the critical success factors that Taratec has identified from working with our clients:

Plan early and begin as soon as possible

Develop a single corporate interpretation

Implement a central or global PMO which is empowered to manage and drive the project.

Make the entire company aware of the impact of Part 11. Start with a comprehensive awareness program.

Coordinate activities to ensure consistency. Evaluate vendors thoroughly before purchasing a new system that must comply with Part 11.

http://www.medicaldesignonline.com/content/news/article.asp?docid={AF4D710B-2204-11D5-A770-00D0B7694F32}&VNETCOOKIE=NO

-- Martin Thompson (mthom1927@aol.com), March 30, 2001