This short video explains, in simple terminology,
what Computer System Validation is,
and how it saves your company money!


Here, you will find regularly published articles by Computer System Validation founder, noted Author, and Compliance Expert David Nettleton.

Computer Software Assurance

The FDA announced that in September 2020 it will release guidance on Computer Software Assurance (CSA). This document is intended to help industry understand the Computer System Validation (CSV) requirements of 21 CFR Part 11, Electronic Records and Signatures, which was promulgated in 1997. CSA uses the risk-based approach to identify process steps and software functions that are critical to ensuring safety and quality. Validation documentation will focus on specifications that define the configuration settings and process steps related to the specific intended use of the software by the users. The users will analyze the specifications for risks and update the specifications with software functions that mitigate that risk. The users will then focus testing on those critical software functions.

This new approach is not new at all. The 10-step Risk-Based approach does exactly what Computer Software Assurance requires. My latest book, Software as a Service (SaaS) Risk-Based Validation With Time-Saving Templates, provides an easy-to-follow set of templates to document requirements, specifications, risk assessment, and testing.

Managing the Documentation Maze: Answers to Questions You Didn't Even Know to Ask

David and Janet have written a fourth book together. Managing the Documentation Maze deals with a topic of critical importance for compliance with record-keeping regulations in pharmaceutical and medical device industries. It presents more than 750 questions and answers about documentation management, whether electronic or paper-based. It defines, through a Q&A approach, what document management actually is, and why it should be a core discipline in the industry.

This book addresses electronic system selection and validation, system security, user accountability, and audit trails, as well as standard operating procedures for supporting document systems. It also covers electronic systems, hybrid systems, and the entire scope of documentation that companies must manage. You will learn how to write and edit documents that meet regulatory compliance. You will be able to make the transition to an electronic system and understand how to validate and document the process.

Anyone responsible for managing documents in the health field will find this book to be a trusted partner, one that demystifies the meaning of binding regulations. This book will help you put an effective, lasting system in place—one that will stand up to any type of scrutiny. (Janet Gough & David Nettleton; 2010; www.wiley.com)

What is FDA 21 CFR Part 11?

21 CFR Part 11 is a law that ensures companies implement good business practices. Part 11 allows a company to implement computer systems that will greatly increase the efficiency of individuals, reduce errors by identifying risks, and increase overall productivity of the company.

The Code of Federal Regulations (CFR) contains the laws for each of the government agencies. Each title of the CFR addresses a different regulated area. Laws typically refer to records and approval signatures, which originally referred to paper documents and handwritten signatures. Part 11 allows any paper record to be replaced by an electronic record, and allows any handwritten signature to be replaced with an electronic signature.

While Part 11 is an essential and very successful law, there has been much controversy and misunderstanding about it. The law is less than three pages long and doesn't give much detail about electronic records and signatures. Don't be misled by the almost 30 pages of preamble material that is not the law. Just go to the end of the Part 11 document and flip back three pages to the beginning of the law. Adding to the confusion is the rapid evolution of computer technology that has made 21 CFR Part 11 compliance a moving target.

Computers have made people much more productive, so it is natural to use electronic records in place of paper records. Every company has electronic records, and most companies are so unsure about electronic signatures that they print out copies of electronic records and sign the paper. What these companies don't understand is that it doesn't take much effort to become FDA 21 CFR Part 11 compliant for both electronic records and signatures. Can you imagine a company with a lot less paper? With Part 11 this is not only possible, it is happening every day in companies all around the world.

As all regulated companies know, the company's Standard Operating Procedures (SOPs) describe how processes are to be performed. In the implementation of those processes, Part 11 allows any paper record to be replaced with an electronic record provided the computer system has appropriate features and is validated.

There are four primary areas of 21 CFR Part 11 compliance:

1. SOPs - There are about a dozen SOPs needed to address the IT infrastructure. They address Data Backup, Data Security, Computer System Validation, and other aspects of computer systems that support electronic records and signatures.

2. System features - There are more than 40 industry standard features that are implemented to ensure the computer system is secure, contains audit trails for data values, and ensures the integrity of electronic signatures.

3. Infrastructure qualification addresses hardware and software components, including virtualization. It is applicable to local installation and Software as a Service (SaaS) hosted platforms.

4. Computer System Validation - Every computer system must have documented evidence that the system does what is intended and that users of the system can detect when the system is not working as intended. Validation must follow the company's SOPs, and virtually all companies find the risk-based approach to computer system validation to be the most efficient and cost effective method of validation available.

The key to FDA 21 CFR Part 11 compliance is to use the law to your benefit, and not try to ignore it or circumvent it. When you buy a computer system to become more productive, doesn't it make sense to use Part 11 to maximize productivity?

Software as a Service (SaaS): Is Outsourcing IT a Good Idea?

For more than a decade, companies have added more and more computer systems and productivity steadily increased. Today, the state of the economy exerts pressure to reduce costs and downsize the workforce. This includes the once sacred Information Technology (IT) budget.

Outsourcing now affects every area of a company. Server rooms have become bloated with multiple servers for each system environment: production, testing and development.   Server rooms require ample physical space, a great deal of electricity, a 24/7 monitoring staff and disaster recovery safeguards.  It seems outsourcing IT would be a viable solution; but is IT outsourcing the answer?

A few years ago, software vendors tried to help their customers by employing the Application Service Provider (ASP) model.  The software vendor hosts the application and users connect remotely.  Since the software vendor needs to continually maintain and upgrade the software, IT was quick to support this model.  It seemed like a good idea and the cost estimate was about the same as having IT host the servers within the company. In many cases, what actually happened was less than ideal. These are the questions or points to be addressed:

Do software vendors excel at hosting servers and providing IT services?

Do software vendors do the best job of controlling maintenance and upgrades to software applications used in GxP and other critical applications?

Systems were constantly changing, causing breakdowns and work disruptions. The FDA and other regulatory groups audited many of the ASP systems and found compliance was poor. There are no guarantees of passing an FDA inspection with non-regulated software vendors. Many companies neglected to inspect the ASP, as they did their own internal IT departments.  A regulated company, when outsourcing, still carries 100 percent of the responsibility and liability with respect to regulatory compliance. Perhaps out of sight out of mind is the thinking.

Almost all of the ASP models failed and were stopped or evolved into a third party hosting model.  In this model, another company hosts the servers in a location separate from the software vendor. The questions and points are the same:

Are third parties the best at providing IT services and hosting servers?

Do third parties excel in controlling the software vendors who maintain and upgrade software applications used in GxP and other mission critical applications?

This ASP model definitely cost more than the two tier model, but the systems were changing and breaking less. There still were work disruptions, but they were less frequent.   When audited by the FDA and other regulatory groups, compliance was still found to be poor. The regulated companies still didn’t inspect the third party host, as they did their own internal IT departments.

Today, we have a third evolution of the hosting model called Software As A Service (SaaS). This is a three tier approach which often costs considerably more than the internal IT system. The term ASP has been re-branded to SaaS and at first look seems to have great potential. SaaS is purported to have these characteristics: vault-like data center rife with redundancy, outstanding staff monitor the servers, secure backup, immediate hardware maintenance, logical and physical security. Despite the vastly improved model, the regulated companies still do not do their due diligence and perform inspections of the host. The host company is a surrogate IT department and as such, the same regulatory requirements apply. Take a closer look at these host companies:

Do they have Standard Operating Procedures and documented training?

Do they test their disaster recovery processes?

Prospective companies are easily impressed with the SaaS marketing offering redundant servers and locations in other cities.  Many companies think the SaaS software runs in a cluster – or cloud – so that a failure of their server will be taken over by another. Often, these companies are not advised there is an additional expense for this and other features such as an automatic failover to another server to an alternate datacenter.

How does the SaaS model actually control how the software vendor maintains and updates the software?  This is relatively simple when the servers are in the local IT server room.  However, this is not the case in the ASP and SaaS models. 

The answer is SaaS really only works when users of the software control the hosting service separate from the software vendor.  It would be more difficult to control a remote host versus a local host reporting to the same management as yourself. Again, is outsourcing and SaaS really the best solution?

Where can SaaS be of benefit? When there isn’t a mature IT infrastructure and mission critical applications are in use, SaaS seems to have the potential for immediate improvement. However, the end users of the application must manage the software vendor and host properly. If the IT infrastructure is already in place, technologies like VMware can be used to eliminate most of the physical servers and provide failover redundancy at a lower cost and with more control.

There is really not much difference between outsourcing IT and any other kind of outsourcing.  The caveat – Buyer Beware applies.  Compliance is almost always more difficult when multiple non-regulated companies are involved.  If cost is the primary concern, why do these companies often invest and spend more dollars in SaaS solutions?   Why not invest in their own IT departments?  In the final analysis, it is essential for these companies to control their intellectual property, data, documents – any and all information that is the core of their business.

Throughout 2009 I worked on more than a dozen SaaS projects. I have found little regulatory compliance originating from the hosting companies.  The regulated companies purchasing these services demonstrated little compliance too.  That is, they did not perform inspections of the software implementations nor did they have system change control methods in place.  In many cases SaaS was chosen without the involvement of local IT.

In my opinion, SaaS was being utilized to relinquish responsibility, which is completely contrary to regulatory requirements. A company cannot transfer liability to a hired third party. Outsourcing IT is not a fad that will quickly fade. My experience is: regulated companies who get into big trouble and don’t pass audits, finally put processes in place to ensure the third party is delivering the equivalent of what they would have from their own internal IT departments. Time will tell if it really was worth outsourcing IT at all.

2009 was also the year that VMware implementations grew dramatically. The costs savings, local control, and continued regulatory compliance suggest it beats SaaS for most regulated applications. Now that Microsoft has a virtualization product, I think the race is on. I’m excited to be working on both sides and learning something new about these solutions every day.

FDA Regulation of Tobacco Industry

Regardless of how FDA ultimately regulates tobacco, whether as a drug or a nutraceutical or anything in between, FDA Compliance also requires compliance with 21 CFR Part 11 - Compliance for Electronic Records and Signatures (similar to Alcohol and Tobacco Title 27 Part 73 Electronic Signatures), if such systems are used in production or the clinic. Every computerized system that is regulated by the Good X Practices (GxP) - manufacturing, laboratory, clinical, etc. - needs to be validated. 

Computer System Validation’s principal David Nettleton provides a highly interactive course that explains what computerized system validation and Part 11 means for companies involved with tobacco products, so they can ensure compliance and avoid drug-like Form 483 citations and warning letters. 

The three primary areas of Part 11 drug compliance are explored: SOPs, software product features, and validation documentation. The three-hour course details the required characteristics of software for security, data transfer, audit trails, electronic signatures, validation, training, and supporting SOP infrastructure. David Nettleton, an FDA expert with considerable success at ensuring quality computer systems for FDA compliance, says the course will detail the following: 

  • Understand what Part 11 means, not just what it says in the regulation.
  • Electronic signatures and biometric signatures
  • Learn the product features to look for when purchasing COTS software
  • Learn what software developers must do to create regulated applications
  • Understand the SOPs required to support computer systems
  • Reduce validation resources by using fill-in-the-blank validation documents: requirements, specifications, hazard analysis, testing, release.

Computer System Validation-Increase Productivity and Reduce Costs

This two-day course provides proven techniques for reducing costs associated with implementing, using, and maintaining computer systems. Nearly every computerized system utilized in laboratory, clinical, manufacturing and the quality process has to be validated. Finding efficiencies without weakening the quality position is essential in order to be competitive. This course benefits people that use computer systems to perform their job functions and is ideal for regulatory, clinical, and IT professionals working in the health care, clinical trial, biopharmaceutical, and medical device markets. Participants should have good computer skills and some experience in a GxP environment.

* Decrease software implementation times and lower costs using the proven risk-based computer system validation approach. It consists of 10-steps that use easy to understand fill-in-the-blank templates.

* Validation documentation templates are provided so you will have what the FDA expects for compliant software.

* Use resources effectively to perform effective validation while avoiding doing too much.

* Many companies are downsizing which makes more work for the remaining staff. Learn how to "right size" and minimize the validation documentation to reduce costs without increasing regulatory or business risk.

* Learn how to quickly cross train workers.

* Take advantage of temporary workers and outsourcing to promote growth and reduce costs.

* Understand software vendor claims and the deficiencies of their validation packages.

* Step by step instructions for performing and documenting a risk assessment, and how to use the results to reduce validation requirements.

* Ensure data integrity and protect intellectual property by using computer system industry standards for data security, data transfer, and audit trails.

* The instructor uses real-world examples and in-class exercises to illustrate the 21 CFR Part 11 regulation for electronic records and electronic signatures in FDA-regulated activities, including clinical trials and pharmaceutical manufacturing. Included are the HIPAA electronic security regulations for patient medical records.

* Learn how to implement a computer system to gain maximum productivity.

* Review recent FDA inspection trends and validation errors; avoid 483s and Warning Letters.

* Reduce testing by writing test cases that trace to elements of risk management.

* "Right size" change control methods that allow quick and safe system evolution while maintaining systems in a validated state.

* Streamline SOP authoring, revision, review, and approval. 

* Participants learn valuable skills that make them more efficient users of any type of computer system.

David's Books

One of the nation's foremost experts on CSV for 21 CFR Part 11, David Nettleton has written several books with Janet Gough, including:

Software as a Service - Risk-Based Validation with Time-Saving Templates


NEW for 2020!

Managing the Documentation Maze

Electronic Record Keeping: Achieving and Maintaining Compliance with 21 CFR Part 11 and 45 CFR Parts 160, 162, and 164

See the Books page for more information and to order.