Software Validation Remains Important FDA Focus

January 31, 2006

Though it has shifted hard away from active Part 11 enforcement or even much public discussion of the rule by name, the FDA remains committed to seeing that regulated firms can demonstrate that their computer software does what it is supposed to do, experts tell PIR.

“Getting computer software validation right is 90 percent of Part 11 [and broader] compliance,” said Ron Johnson, currently executive vice president with Quintiles and former director of compliance for FDA’s Center for Devices and Radiological Health.

At its core, that means being able to demonstrate clearly throughout your entire data chain “who’s doing what to what,” agrees Marv Goldschmitt, vice president of business development at Tizor.

Past Part 11 Blunders

Experts tell PIR that the FDA probably knows it overdid its Part 11-related rules and regulations for several years after it first unveiled the rule in 1997 – and the agency in the past year or two has tried to mitigate that by significantly scaling back its Part 11 requirements.

“Part 11 was a well intended law but it was extremely difficult to implement” as originally written, Goldschmitt noted.

“I think the agency knows it overdid it and was forcing companies to do stupid things to avoid the Part 11 rule,” Johnson said. “Now they’ve made significant revisions to Part 11 and companies can apply a common-sense approach to compliance.”

That’s the good news. The bad news is that some companies are now under emphasizing Part 11-related issues because they believe the FDA has lost interest in the topic. “Industry’s assignment of importance [to Part 11 and other issues] connects directly with the FDA’s emphasis,” Johnson noted. “Part 11 is not the bugaboo it was before, and for that reason, many companies have backed off on it.”

However, the FDA has stressed that it is still focused on edata integrity. For example, a recent warning letter to Guidant never used the term Part 11, but focused on erecord integrity and other Part 11-related issues, experts have pointed out (PIR, Nov. 23, Page 1).

Stay Guided by Predicate Rule

Key to compliance (by any name) is getting a good handle on your computer system validation. “Once inside your system, you have to be able to demonstrate that it is being used and accessed by the right people in the right way,” Goldschmitt stressed. Beyond Part 11, this is also a critical component of compliance with a wide variety of regulations including privacy rules and the Sarbanes-Oxley Act, which governs financial records, he added.

When in doubt about what to cover, look to the predicate rule, experts advise. If an erecord is required by the predicate rule, it should have Part 11 controls. “Some consultants are still giving people a much too narrow interpretation of Part 11,” Johnson said. Instead of focusing on the predicate rule as a foundation, these consultants are alarming companies and pushing them to apply Part 11 and other erecord controls far too broadly, he said.

Instead, keep focus on edata integrity with computer software validation and the ability to produce clear, defensible audit trails, Goldschmitt advised. “Mistakes happen to data, and most of those are honest and/or inadvertent,” he said. A strong audit trail program will help your firm to “minimize the danger when something goes wrong,” he added. His company offers behavioral fingerprinting, for example, which can instantly tell an administrator when a user does something unusual or outside a system’s standard operating procedures. — Michael Causey