Looking Beyond Security Issues of Part 11 Compliance

Originally Published MDDI July 2002

NEWS & ANALYSIS

Gregg Nighswonger

Medical device companies, as well as pharmaceutical makers and other manufacturers involved in the life sciences, have struggled to adapt to the rigors of maintaining electronic records and signatures. A majority of companies have at least begun to tackle implementing systems that will comply with 21 CFR Part 11, FDA's rule that governs most aspects of electronic information management (see MD&DI News & Analysis, December 2001). Nevertheless, few firms believe that all their systems are fully compliant.

At the same time, the number of vendors of Part 11–compliant systems has grown significantly. Tamar June, Director of Marketing for AssurX Inc. (Morgan Hill, CA), believes this growth is being driven by the current economy. She notes that the company began marketing its Part 11–compliant product two years ago. "At that time, there were only a couple of players out there," she says. "Now, all of a sudden, all these players have come on the scene. The reason for it is pure economics. With the recession and the downturn of the stock market, who else is buying software? It's life sciences. A lot of life-sciences folks are buying it because of these requirements. And there are only a very few industries right now that are spending money on technology. Another would be defense and aerospace. So that drove a lot of the competition out there to get involved in this arena. It's pure economics."

In recent months, a number of vendors have announced key collaborations and the release of new software versions with enhanced features and capabilities to aid Part 11 compliance efforts. AssurX, for example, announced its partnership with SysGen Inc. to deliver corrective and preventive action (CAPA)/Audit Tracking and quality systems consulting services. The partnership will focus in part on implementation of AssurX's CATSweb corrective and preventive action (CAPA) and audit tracking system.

Similarly, Pilgrim Software Inc. (Tampa, FL) has formed a consulting partnership with Validation Associates (Raleigh, NC), which provides regulatory compliance consulting services. Validation Associates will use Pilgrim's software applications as a training program to demonstrate how clients can comply with Part 11 requirements.

Document Control Systems Inc. (Salt Lake City) has emphasized the need to make clients, particularly regulatory affairs professionals, an integral part of the product development process. In announcing the release of the company's MasterControl 7.0 FDA Edition document control and change management software, Brad Wright, president, emphasized that the latest enhancements are the result of feedback received from users of previous versions of the software. "We are constantly eliciting feedback from our customers and evaluating our products to ensure maximum ease of use," Wright explains.

In creating the current generation of systems, have developers identified any key stumbling blocks to compliance with Part 11? AssurX's June emphasizes that it is important to be in compliance with all aspects of the rule. "FDA doesn't say one area is more important than another part," she says. "They want all of it in there." There are certain points, however, that may be more problematic than others. "I think the most-overlooked part, as far as we can see, is one paragraph, which is Part 11.300d, which says, 'Use transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.' That is basically the provision of the regulation that is going to ensure your protection against hackers."

June explains that the control of unsuccessful log-in attempts is a critical area of protection. "The key is to have something built into the system that sets a threshold for the maximum number of unsuccessful log-in attempts. So what happens is that if someone attempts to enter, say, three times, they're automatically locked out of the system, and there's an instant notification sent to the system administrator and/or management to alert them that there is an urgent matter and an immediate threat to the system." The alert can be communicated via e-mail, for example, or via a paging system, she explains.

June suggests that among the most challenging aspects of developing a product to ensure its overall compliance has been to understand FDA's requirements. "The final regulation, if you read it thoroughly, is only about four pages or so," she explains. "It's very brief, but it's also very vague." She believes confusion regarding many compliance issues can be minimized by reviewing the supplemental information available in the Federal Register and the general guidance documents issued by FDA.

Adopting systems to ensure compliance with Part 11 requirements can offer additional advantages to manufacturers. Use of such electronic systems tends to lead to more-streamlined data transfer and management processes, and can smooth project integration. Says June, "You are going to have instant productivity improvement and improvement in product quality. You're going to minimize—not eliminate but minimize—product quality problems because you're going to be able to capture and stop them if you are following your standard operating procedures."

Copyright ©2002 Medical Device & Diagnostic Industry