Medical device and other life science companies face enormous scientific, economic, and regulatory challenges during development of medical products. While R&D has always been intertwined with technological advances, it has not been the case for regulatory compliance.
In part one of this article, I described the typical manual change control process at a med tech firm. It was just one of the many cumbersome labor-intensive processes we endured back then. The heavy documentation burden imposed by regulatory requirements compelled many companies to automate their quality and compliance processes, partly or entirely.
“In the days of old, pharmaceutical companies would literally ship truckloads of data to the FDA,” wrote Ben Rothke in an article published in ISSA Journal. “There clearly had to be a better, faster, cheaper, and easier way to move data. And indeed there was—via electronic networks.” A group of pharmaceutical companies met with the FDA in the early 1990s to find out how they could submit voluminous documents electronically. This eventually led to the development of 21 CFR Part 11.1
The watershed regulation went into effect in August 1997. It established the criteria for the use of electronic records and electronic signatures by organizations under the jurisdiction of the U.S. Food and Drug Administration (FDA).
Part 11 was controversial from the start. It took the FDA two guidances, in 2001 and 2003, to explain the regulation’s scope and application. Critics said it was too broad and confusing, while companies complained about the high cost of its implementation.
The situation changed for the better by the time the second Part 11 guidance was issued in 2003. It signaled that, at last, the FDA had embraced technology for compliance purposes. It galvanized the industry to automate quality processes and for software companies to tailor compliance solutions to Part 11. The movement toward automation of manual quality processes began in earnest at that time.
The Heart of Part 11
Part 11 applies to electronic records submitted to the FDA under the Food, Drug, and Cosmetic Act, the Public Health Service Act, and other FDA regulations. Its overarching goal is to allow the use of electronic records as much as possible and at the same time ensure public safety. The FDA’s main concern is to safeguard record integrity in order to ensure product quality.2
“The FDA felt that the risks of falsification, misinterpretation, and change without leaving evidence are higher with electronic records than paper records and therefore specific controls are required,” wrote Rothke. The journal dubbed Part 11 as both a “security” and a “trust” regulation, in the sense that Part 11 builds on security toward trust. While security controls rights and access so as to maintain confidentiality and integrity, trust aims to control the basis of denial and ensure accountability of individuals responsible for certain acts within the electronic system.3
On top of those concerns, both the FDA and the industry wanted to reduce the tremendous time and effort, plus the high cost involved in regulatory submissions and compliance.
Part 11 Enforcement
Part 11 is voluntary in the sense that it applies to an organization only if it chooses to adopt electronic systems for compliance purposes. In the 1990s, many companies still operated with paper-based processes and sent paper submissions to the FDA, so those organizations were excluded from Part 11 requirements.
However, it became clear that the huge amounts of artifacts required to prove compliance necessitated automation and drove companies to switch to electronic systems. Many organizations combined paper and electronic processes, making hybrid systems widespread and are still so today.
Although the FDA’s Part 11 guidance states that the agency’s recommendations are nonbinding, it is not a license to ignore the regulation. This became very clear when Abbott Laboratories and Schering-Plough paid hefty fines due to a host of Current Good Manufacturing Practice (CGMP) violations, including requirements related to Part 11. Over a decade ago, the two companies entered into a consent decree with the FDA, in which Abbott agreed to pay $100 million, and Schering-Plough, $500 million in fines.4
Referring to the consent decree, an FDA official told a news publication, “Manufacturers who choose to wait until FDA investigators find violations rather than policing themselves will find that they have made a very poor and costly decision.”5
Initial Reaction to Part 11
I have to admit that back when I worked in an R&D Department of a med tech company, my colleagues and I were not familiar with Part 11. The first time I heard about it, I learned we were required to validate software as part of our testing regimen. We dealt with validation all the time in manufacturing and design, but with the introduction of Part 11, there was an added requirement of software validation.
We struggled with the meaning of Part 11 and how to deal with it. Like most in the industry, we used the GAMP V model, which is about risk management. GAMP (Good Automated Manufacturing Process) does not prescribe a method, but it offers a practical framework of good practice to ensure that computer systems are compliant.
GAMP was meant to be used along with other industry guidelines, standards, and best practices to determine the best approach for validation. So, to comply with Part 11, we took those principles and applied them in software validation.
Given the laborious manual processes we’ve endured and the advent of Part 11, which we barely understood back then, it was easy to develop a negative attitude toward compliance. There were times when all I could see were the obstacles to getting my products to market. We were bombarded with demands that were tedious at best and often whimsical.
I understood the need for regulation, but often felt that I jumped through a lot of hoops just for the sake of jumping, not because those requirements made my product safer or better.
Since then, the industry and regulators have matured and our understanding of Part 11 and other quality regulations has grown with experience. More and more companies have adopted technology and automated their quality processes and quality management systems.
In addition to Part 11, there were more than a dozen initiatives and regulations that helped propel life science compliance to the electronic age. We will talk about them in part three of this series.
1“21 CFR Part 11—The Biggest Security Regulation You’ve Never Heard of” by Ben Rothke, page 16, ISSA Journal, March 2004 edition, published by the Information Systems Security Association.
2“Guidance for Industry: Part 11 Electronic Records; Signatures—Scope and Application,” from FDA website.
3Supra, note 1, “21 CFR Part 11—The Biggest Security Regulation You’ve Never Heard of.”
4“21 CFR Part 11: How and Why to Comply,” Medical Device and Diagnostic Industry, Sept. 1, 2002.
5FDA Deputy Commissioner Lester M. Crawford was quoted in an article titled, “Schering-Plough Pays Fine,” by Anne Thayer, Chemical & Engineering News, May 27, 2002.
6 MasterControl provides software and comprehensive services (quality and compliance consulting, education and training, validation, implementation and project management, technical support, and configuration) to regulated companies worldwide. The company, based in Salt Lake City, Utah, has offices in Europe and Asia, www.mastercontrol.com
7“Convergence of Compliance and Technology: How Technology Has Changed Regulatory Compliance in the Past Decade,” an enhanced e-book with illustrations and a video, was published by MasterControl in September 2016. Get a complimentary copy at, http://www.mastercontrol.com/ebook/convergence.html?source=pr-sb5