In the last few years, there has been a constant stream of regulation in the USA and Europe on electronic record keeping. In this respect, financial and service companies are following a path first trodden in the medical devices industries.
In 1997, the FDA published its regulation 21 CFR Part 11, following an initial request from the pharmaceutical industry that it be allowed to maintain its records electronically. When the regulation was published, it laid down guidelines on electronic signatures and record keeping that constituted a definitive statement on best practice – and it caused what amounted to a panic across the affected industries. The perception was that all existing systems had to be compliant and that, to comply, companies had to keep each and every electronic record. In fact the regulation did not require this at all.
DISPELLING THE CONFUSION
Despite the initial confusion over 21 CFR Part 11, pharmaceutical and biotechnology companies saw its considerable potential and accordingly applied it to their FDA-compliant processes. Now the regulation is under review, and in the next two years it will be republished with a different emphasis.
Part 11 describes the FDA’s requirements for acceptable electronic records, but does not describe any particular implementations. Indeed the FDA clearly states that it does not want software products described as "complying with Part 11". For the FDA it is the company and its principal individuals who comply – or fail to comply – with Part 11. It is, however, acceptable when describing a software product to claim that it assists the company and its employees in complying with 21 CFR Part 11.
Most companies have focused their Part 11 compliance effort on manufacturing, trials and development because that is where the focus of FDA auditing is most often placed. One benefit that companies have discovered for themselves is that compliance with Part 11 makes it much easier for them to meet the requirements of applying for a patent. The exact records that support the filing process and can be used in cases of patent dispute are the outcome of Part 11’s insistence on effective electronic signature and record keeping.
John Murray is the software and electronic records compliance expert at the Centre for Devices and Radiological Health at the FDA. He recalls: "The number one thing 21 CFR Part 11 did was to raise awareness. Prior to regulation, nobody appeared to realise that the electronic systems in devices were already regulated. What the regulation achieved immediately was to make it clear that due care and diligence were required to ensure that systems worked. The bad thing it did was to create a crisis when people thought it applied to existing systems, which it did not.
"The reason it was required is that medical device manufacturers are heavily reliant on IT providers for software. Prior to this, there was no indication to vendors of software that their products were going into devices that are regulated. This is not the commercial market, but a regulated environment in which off-the-shelf packages may or may not be satisfactory in operation. It boils down to the basic risk model. The risk model for medical devices is based on safety as the number one factor. Commercial IT companies then didn’t know what appliance their software was being implemented in. Theirs is a business risk model, not a safety model. What we did with Part 11 was to work on getting the two models aligned.
"There are similar risk model differences in other industries. In the aerospace industry, they employ a higher specification fuse for passenger plane electrical systems than the ones the automotive industry puts in your car, for example. Off-the-shelf software is an attractive proposition for medical device manufacturers, but it needs to prove itself in the particular application."
The original purpose of the regulation was to allow FDA-regulated industries to use electronic records for compliance processes, and at the time the regulation was published there was no general guidance on electronic documentation in the legal framework of the US federal government. Now the paperwork reduction legislation encourages electronic record keeping, but, in the early days of Part 11, the medical devices industry was sailing uncharted waters.
Murray says: "We set a path and at a later date we set out to optimise the solution. The number one change we introduced was to shift people’s focus from all systems and legacy systems. We wanted people to focus instead on new systems and to engage with the IT vendors on spending next-generation dollars. It’s akin to road traffic laws. US law didn’t require the retrofitting of seat belts or airbags to old cars and we don’t expect legacy systems to be compliant with Part 11.
"The second change we are making is to narrow the scope of the types of documents required in complying with the regulation. Not every electronic record is needed to comply with Part 11: only those you need to demonstrate compliance. The third change is that we are allowing risk-based systems, and that is why we need a scope document, which is currently undergoing preparation work.
"My impression is that these changes are widely welcomed in the devices industry. Curiously, though, some people in the industry told us they wanted risk-based regulation, and when we said we were introducing it, some people asked why. And they were the same people.
"The big advantage and benefit of this regulation is that it allows manufacturers to use electronic records in their business as well as in their dealings with the FDA. That is a competitive advantage worldwide. You can have a design centre in London, a manufacturing plant in India and a logistics centre in Pennsylvania all linked together. For the user of medical devices, this means there is an efficient and speedy supply chain providing a good supply of product."
All recent electronic records regulations, including Sarbanes-Oxley, have been a lot more burdensome for companies than Part 11. Part 11 does not contain specific measurable qualities as later regulations do. It simply states that companies are required to keep electronic records, which is not a particularly onerous task for the industry. What it does stop is people buying systems that are not validated for a specific use. You cannot do that when you are manufacturing life-critical devices.
Murray says: "There are a lot of issues coming together now in relation to design and development software. In product design, people are using commercial systems that may not have been intended for use in the production of regulated products, and there is a need for validation and compliance on electronic system information. This is a particular issue because now devices that used to be stand-alone are becoming interconnected. They are internet-enabled, and security vulnerabilities mean cooperative capabilities have to be very carefully analysed to prevent problems.
"We want to keep the user experience in place because people have been using devices for years and they know how they want to work with them. It is the business models that need to converge.
"The IT manufacturer, the hospital and the independent vendors all work with different models and they need to cooperate on a common basis. Change is required, and unless the partners want a lot of help from the US Congress, they need to work it out themselves. Congress will certainly impose a solution when something bad happens. It is better if all the parties involved in the device industry stay two steps ahead and fix the problems themselves. When people find and fix an error themselves, that’s a good thing. Some people might make a big issue out of somebody else’s error, but to me it is the companies that ignore problems that are a worry. The purpose of quality programmes is to address problems and fix errors."
Murray believes compliance with Part 11 is not currently a major issue because we are in a holding pattern. The regulation is undergoing change and when the rules are rewritten – probably in about two years – compliance policy will be based on the new regulation, and compliance will be an important issue. In the meantime, keep your electronic records in accordance with existing law.