The US Food and Drug Administration has been prone throughout its history to strong policy swings that can catch drug companies off guard. A move towards more industry-friendly, good manufacturing guidelines has been well signposted over the past two years. Even though it sounds like good news, the new approach is still confusing companies trying to comply with existing regulations governing electronic records. This year should see a clearer picture emerging, but companies may have to abandon old habits and curtail the use of some popular software if they are to keep up with the changes.
It is more than 10 years since the FDA first proposed these regulations, which require that companies show that their electronic records are reliable and secure and that changes have been logged. The regulator was, however, responding to requests from the pharmaceutical industry, which believed that existing manufacturing regulations were holding up progress.
Rule 21 CFR Part 11 sets out the criteria under which the FDA will consider electronic records to be the equivalent of paper records, and electronic signatures equivalent to traditional handwritten signatures. The rule was first proposed in August 1994 and has been in place since 1997, but it is only in the past five years or so that the FDA has actively enforced the regulations.
Despite having themselves requested the regulations, drug companies have often shown a reluctance to give up their established ways of working for wholesale adoption of electronic methods. Many companies now operate a complex mixture of hard copy and electronic records, despite the fact that reducing the flow of paper would allow greater sharing of information throughout a company and improve efficiency.
The rule has spawned a whole industry to help companies comply with 21 CFR Part 11. This includes a host of software suppliers and consultants offering solutions to every regulatory problem, as well as dedicated websites put up by instrument suppliers to help customers negotiate the rules.
According to independent consultant Rob McDowall: 'Pharmaceutical companies are well on their way to compliance.' He pointed out that 'Chromatography Data Systems (CDS) and Laboratory Information Management Systems (LIMS) are technically compliant for the most part. Meanwhile second-tier systems, such as the operating software for other analytical instruments, including mass spectrometers and UV/visible spectrometers, are becoming compliant.
But there is still plenty of software that is not fully compatible with 21 CFR Part 11. One of the biggest offenders is the electronic spreadsheet and, in particular, Microsoft Excel, which is widely used to apply calculations to results produced by analytical instruments. Even though Excel (or any other spreadsheet) isn't compliant on its own, the immediate advantages to users are obvious. Time- consuming calculations can be automated, and it can exchange information easily with other members of the Microsoft Office family, so that data can be swiftly emailed between departments on the company intranet. But spreadsheets have poor security controls, and lack an audit trail. 'In my view, Excel is the biggest regulatory hole that laboratories have got,' says McDowall, who is the author of a forthcoming book, Validation of Chromatography Systems, to be published by the Royal Society of Chemistry later this year.
The problem of who made changes to a spreadsheet can be tackled by restricting access to templates, through an intranet or using a document management system. However, this places unwelcome restrictions on users. Another option is to make the software compliant, using an accompanying program or plug-in. This is a popular approach, and has spawned a number of competing software applications.
One such program is DaCS, from Wimmer Systems. DaCS is designed to work with Excel to make sure 21 CFR Part 11 is complied with, by managing file security and data integrity and producing an audit trail. Another supplier - Cimcon - makes its infotree software available as a plug-in, although it can also be employed as part of a full document-management system.
But, according to McDowall, companies should try and wean themselves from Excel altogether - in part because of its very popularity and ease of use. Its familiarity contrasts with the software used by many instruments. 'People are presented with an instrument system or LIMS with a different language-system to use and a lot more controls,' so, McDowall believes, it's no surprise that they turn to Excel to make calculations. 'Especially when management often doesn't allow enough time for users to learn new systems properly,' he says. 'The result is that people use software as point solutions.' This means that transferring information between systems is often a manual process, and hence inefficient and liable to introduce errors, he warns.
The ubiquity of Excel means that 'a single person's spreadsheet in the morning can be a department standard in the afternoon, purely and simply by email', says McDowall. And a single organisation can end up using several different versions of Excel, which causes problems with installing updates, especially when there are macros built into them.
Using additional software makes Excel compliant but gives no added benefit as it still leaves untouched the high level of manual processing involved in using a separate spreadsheet to make calculations, says McDowall. And it provides only one-third of the controls set out by 21 CFR Part 11. What add-in software does provide is technical compliance. This covers the controls that the software vendor has to put into the application - security, audit trails, and the ability to put in user-profiles. But technical compliance is not the only consideration. There are two other types of controls: the administrative controls, which cover the policy for using electronic signatures and verification of identities; and procedural controls, which are the standard operating procedures for using the system and the training of the users.
Companies should really look to take advantage of 21 CFR 11 to make improvements, says McDowall. After all, it was in the name of progress that the sector asked for the regulations in the first place. Of course, for many companies, it is too easy to stick with existing arrangements - staff and managers are usually comfortable with them and are often fearful of change. But McDowall believes the potential benefits of a greater shift towards electronic methods and signatures are too significant to be ignored. These include a more efficient exchange of information between scientific groups and a reduction in the number of software systems being used. This latter effect can significantly reduce the overall validation burden. All this results in time savings and creates a more consistent and error-free environment, McDowall believes.
To get the most benefit from these changes, companies need to redesign work processes rather than just make do with practices that have evolved - sometimes haphazardly - over time. McDowall thinks that it is essential for companies to first 'get the business process right'. In projects he has undertaken, as a consultant, to introduce electronic signatures to chromatography data systems and other applications, 'getting rid of Excel is one of the keys to success', he says.
Calculations carried out in Excel can be incorporated either in CDS or LIMS software. McDowall cites a case study from his consulting firm where 200 analytical instruments' paper-based signatures and Excel calculations were moved to electronic signatures and in-CDS calculations. The shift led to a ninefold reduction in the time taken to process 90,000 samples.
Simplifying business process and software validation could prove a wise move, because 21 CFR Part 11 compliance has been made more complicated by recent changes in emphasis by the FDA. The agency's aim has been to move towards restoring an older approach to regulation - that of establishing best practices for industry. As a first step in early 2003, the FDA withdrew part of the draft guidance for electronic records and in September published 'scope and applicability' final guidance that emphasises a more 'risk-based' approach to enforcement of the regulations.
The change in direction is another attempt to respond to industry complaints of high compliance costs, McDowall believes. At the outset, FDA stated that 21 CFR Part 11 regulation would be 'broadly cost-neutral'. However, that hasn't been the experience of pharmaceutical companies, and the biggest in the sector have estimated their compliance costs (up to 2001) at around $100m-$200m per company. 'The whole thing that's driving this [change in direction] is that healthcare costs are too high; the way the FDA was going was making that cost even higher,' he says.
'The scope and applications guidance published by the FDA in 2003 backed off on a number of things' but made it harder to work with Excel, says McDowall. 'Instead of looking at one Excel spreadsheet applicable to all of them [situations], you've got to look at each individual spreadsheet now,' he says. What does this mean for pharmaceutical companies? In a regulated environment such as quality control: 'It is in their best business interests to abandon Excel.' And it is not only controlled environments that can benefit. There is no reason that the same approach cannot be followed throughout a pharmaceutical company. 'R&D believes it is a special case,' says McDowall, but he argues that in some respects it makes good business sense to carry back the stricter controls required in manufacturing environments to the research departments.
And there are more changes to come. 'This year the FDA will produce a revised version of Part 11.' What's that going to mean? 'My suspicion is that it will change, it will do away with, open versus closed systems,' he says. 'The one thing I hope is that the FDA will produce guidance documents in a far faster way than they did with the old part 11,' says McDowall. Nevertheless, he is optimistic about the way that the FDA has changed in the past two years. 'It is a good omen for the way that things will work in the future. The FDA is becoming far more focused on listening to what the industry is saying and delivering documents to help them,' he says.
Things should be clearer before the end of the year when McDowall will give a talk at a conference in London on Validation and the Risk Management of Commercial Software in the pharmaceutical and medical device sectors. The December conference, organised by the Regulatory Compliance Workshop Group, will bring together consultants, pharmaceutical companies and software/instrument suppliers from around the world to look at the more risk-based approach to compliance and validation that the FDA is now following.
As the pharmaceutical industry accelerates its move from paper towards electronic signatures and records, McDowall gives his - tongue-in-cheek - vision of the future for compliance with Rule 21 CFR part 11. 'Wouldn't the ultimate approach of the FDA be to sit in Rockville and do a remote audit, by video conference and internet? Now that's a scary thought.'
