This short video explains in simple terminology
what Computer System Validation is
and how it saves your company money

 


Random Testimonial

At a critical point in the validation project senior management promptly approved the contract to hire David Nettleton, one of the nation's leading consultants. Without David Nettleton, the project would have not gone live as scheduled and would not have been compliant with Part 11.

- Pharmaceutical company
Palo Alto, CA

Meet our Founder

David Nettleton
FDA Compliance Specialist, Author

Regularly published articles by Computer System Validation founder, noted Author, and Compliance Expert David Nettleton.

Managing the Documentation Maze: Answers to Questions You Didn't Even Know to Ask

David and Janet have written a fourth book together. Managing the Documentation Maze deals with a topic of critical importance for compliance with record-keeping regulations in pharmaceutical and medical device industries. It presents more than 750 questions and answers about documentation management, whether electronic or paper-based. It defines, through a Q&A approach, what document management actually is, and why it should be a core discipline in the industry.

This book addresses electronic system selection and validation, system security, user accountability, and audit trails, as well as standard operating procedures for supporting document systems. It also covers electronic systems, hybrid systems, and the entire scope of documentation that companies must manage. You will learn how to write and edit documents that meet regulatory compliance. You will be able to make the transition to an electronic system and understand how to validate and document the process.

Anyone responsible for managing documents in the health field will find this book to be a trusted partner, one that demystifies the meaning of binding regulations. This book will help you put an effective, lasting system in place—one that will stand up to any type of scrutiny. (Janet Gough & David Nettleton; 2010; www.wiley.com)

 

 
What is FDA 21 CFR Part 11?

21 CFR Part 11 is a law that ensures companies implement good business practices. Part 11 allows a company to implement computer systems that will greatly increase the efficiency of individuals, reduce errors by identifying risks, and increase overall productivity of the company.

The Code of Federal Regulations (CFR) contains the laws for each of the government agencies. Each title of the CFR addresses a different regulated area. Laws typically refer to records and approval signatures, which originally referred to paper documents and handwritten signatures. Part 11 allows any paper record to be replaced by an electronic record, and allows any handwritten signature to be replaced with an electronic signature.

While Part 11 is an essential and very successful law, there has been much controversy and misunderstanding about it. The law is less than three pages long and doesn't give much detail about electronic records and signatures. Don't be misled by the almost 30 pages of preamble material that is not the law. Just go to the end of the Part 11 document and flip back three pages to the beginning of the law. Adding to the confusion is the rapid evolution of computer technology that has made 21 CFR Part 11 compliance a moving target.

Computers have made people much more productive, so it is natural to use electronic records in place of paper records. Every company has electronic records, and most companies are so unsure about electronic signatures that they print out copies of electronic records and sign the paper. What these companies don't understand is that it doesn't take much effort to become FDA 21 CFR Part 11 compliant for both electronic records and signatures. Can you imagine a company with a lot less paper? With Part 11 this is not only possible, it is happening every day in companies all around the world.

As all regulated companies know, the company's Standard Operating Procedures (SOPs) describe how processes are to be performed. In the implementation of those processes, Part 11 allows any paper record to be replaced with an electronic record provided the computer system has appropriate features and is validated.

There are three primary areas of 21 CFR Part 11 compliance:

1. SOPs - There are about 10 SOPs needed to address the IT infrastructure. They address Data Backup, Data Security, Computer System Validation, and other aspects of computer systems that support electronic records and signatures.

2. System features - There are more than 40 industry standard features that are implemented to ensure the computer system is secure, contains audit trails for data values, and ensures the integrity of electronic signatures.

3. Computer System Validation - Every computer system must have documented evidence that the system does what is intended and that users of the system can detect when the system is not working as intended. Validation must follow the company's SOPs, and virtually all companies find the risk-based approach to computer system validation to be the most efficient and cost effective method of validation available.

The key to FDA 21 CFR Part 11 compliance is to use the law to your benefit, and not try to ignore it or circumvent it. When you buy a computer system to become more productive, doesn't it make sense to use Part 11 to maximize productivity?

 
Software As A Service (SaaS): Is outsourcing IT a good idea?

For more than a decade, companies have added more and more computer systems and productivity steadily increased. Today, the state of the economy exerts pressure to reduce costs and downsize the workforce. This includes the once sacred Information Technology (IT) budget.

Outsourcing now affects every area of a company. Server rooms have become bloated with multiple servers for each system environment: production, testing and development.   Server rooms require ample physical space, a great deal of electricity, a 24/7 monitoring staff and disaster recovery safeguards.  It seems outsourcing IT would be a viable solution; but is IT outsourcing the answer?

A few years ago, software vendors tried to help their customers by employing the Application Service Provider (ASP) model.  The software vendor hosts the application and users connect remotely.  Since the software vendor needs to continually maintain and upgrade the software, IT was quick to support this model.  It seemed like a good idea and the cost estimate was about the same as having IT host the servers within the company. In many cases, what actually happened was less than ideal. These are the questions or points to be addressed:

Do software vendors excel at hosting servers and providing IT services?

Do software vendors do the best job of controlling maintenance and upgrades to software applications used in GxP and other critical applications?

Systems were constantly changing, causing breakdowns and work disruptions. The FDA and other regulatory groups audited many of the ASP systems and found compliance was poor. There are no guarantees of passing an FDA inspection with non-regulated software vendors. Many companies neglected to inspect the ASP the way they did their own internal IT departments. A regulated company, when outsourcing, still carries 100 percent of the responsibility and liability with respect to regulatory compliance. Perhaps "out of sight, out of mind" is the thinking.

Almost all of the ASP models failed and were stopped or evolved into a third party hosting model.  In this model, another company hosts the servers in a location separate from the software vendor. The questions and points are the same:

Are third parties the best at providing IT services and hosting servers?

Do third parties excel in controlling the software vendors who maintain and upgrade software applications used in GxP and other mission critical applications?

This ASP model definitely cost more than the two tier model, but the systems were changing and breaking less. There still were work disruptions, but they were less frequent. When audited by the FDA and other regulatory groups, compliance was still found to be poor. The regulated companies still didn’t inspect the third party host the way they did their own internal IT departments.

Today, we have a third evolution of the hosting model called Software As A Service (SaaS). This is a three tier approach which often costs considerably more than the internal IT system. The term ASP has been re-branded to SaaS and at first look seems to have great potential. SaaS is purported to have these characteristics: a vault-like data center rife with redundancy, outstanding staff monitoring the servers, secure backup, immediate hardware maintenance, and logical and physical security. Despite the vastly improved model, the regulated companies still do not do their due diligence and perform inspections of the host. The host company is a surrogate IT department and as such, the same regulatory requirements apply. Take a closer look at these host companies:

Do they have Standard Operating Procedures and documented training?

Do they test their disaster recovery processes?

Prospective companies are easily impressed with the SaaS marketing offering redundant servers and locations in other cities.  Many companies think the SaaS software runs in a cluster – or cloud – so that a failure of their server will be taken over by another. Often, these companies are not advised there is an additional expense for this and other features such as an automatic failover to another server to an alternate datacenter.

How does the SaaS model actually control how the software vendor maintains and updates the software?  This is relatively simple when the servers are in the local IT server room.  However, this is not the case in the ASP and SaaS models. 

The answer is SaaS really only works when users of the software control the hosting service separate from the software vendor.  It would be more difficult to control a remote host versus a local host reporting to the same management as yourself. Again, is outsourcing and SaaS really the best solution?

Where can SaaS be of benefit? When there isn’t a mature IT infrastructure and mission critical applications are in use, SaaS seems to have the potential for immediate improvement. However, the end users of the application must manage the software vendor and host properly. If the IT infrastructure is already in place, technologies like VMware can be used to eliminate most of the physical servers and provide failover redundancy at a lower cost and with more control.

There is really not much difference between outsourcing IT and any other kind of outsourcing. The caveat "Buyer Beware" applies. Compliance is almost always more difficult when multiple non-regulated companies are involved. If cost is the primary concern, why do these companies often invest and spend more dollars in SaaS solutions? Why not invest in their own IT departments? In the final analysis, it is essential for these companies to control their intellectual property, data, documents – any and all information that is the core of their business.

Throughout 2009 I worked on more than a dozen SaaS projects. I have found little regulatory compliance originating from the hosting companies.  The regulated companies purchasing these services demonstrated little compliance too.  That is, they did not perform inspections of the software implementations nor did they have system change control methods in place.  In many cases SaaS was chosen without the involvement of local IT.

In my opinion, SaaS was being utilized to relinquish responsibility, which is completely contrary to regulatory requirements. A company cannot transfer liability to a hired third party. Outsourcing IT is not a fad that will quickly fade. My experience is: regulated companies who get into big trouble and don’t pass audits finally put processes in place to ensure the third party is delivering the equivalent of what they would have from their own internal IT departments. Time will tell if it really was worth outsourcing IT at all.

2009 was also the year that VMware implementations grew dramatically. The cost savings, local control, and continued regulatory compliance suggest it beats SaaS for most regulated applications. Now that Microsoft has a virtualization product, I think the race is on. I’m excited to be working on both sides and learning something new about these solutions every day.

 
FDA Regulation of Tobacco Industry
Regardless of how FDA ultimately regulates tobacco, whether as a drug or a nutraceutical or anything in between, FDA Compliance also requires compliance with 21 CFR Part 11 - Compliance for Electronic Records and Signatures (similar to Alcohol and Tobacco Title 27 Part 73 Electronic Signatures), if such systems are used in production or the clinic. Every computerized system that is regulated by the Good X Practices (GxP) - manufacturing, laboratory, clinical, etc. - needs to be validated. 

Computer System Validation’s principal David Nettleton provides a highly interactive course that explains what computerized system validation and Part 11 mean for companies involved with tobacco products, so they can ensure compliance and avoid drug-like Form 483 citations and warning letters.

The three primary areas of Part 11 drug compliance are explored: SOPs, software product features, and validation documentation. The three-hour course details the required characteristics of software for security, data transfer, audit trails, electronic signatures, validation, training, and supporting SOP infrastructure. David Nettleton, an FDA expert with considerable success at ensuring quality computer systems for FDA compliance, says the course will detail the following: 
· Understand what Part 11 means, not just what it says in the regulation.
· Electronic signatures and biometric signatures
· Learn the product features to look for when purchasing COTS software
· Learn what software developers must do to create regulated applications
· Understand the SOPs required to support computer systems
· Reduce validation resources by using fill-in-the-blank validation documents: requirements, specifications, hazard analysis, testing, release.

 
Steve Cates joins the CSV team

Steve Cates has implemented more than two dozen ERP systems that include FDA-compliant validation. His background combines experience in both finance and operations so he is able to assist in the implementation and validation of accounting (Sarbanes-Oxley), manufacturing, and distribution modules.  

What can Steve do for you today?

I have been managing ERP selections, and implementations for in process and discrete manufacturing firms for over twenty years.  That allows me to readily understand your business requirements.  Most of the core business processes for companies are very similar if not the same.  With my background, I can quickly identify the processes that make your company unique and use them to review and select the best software to match your specific needs.  These are the processes that give your firm a competitive advantage in the marketplace and you need to be sure that any solution you choose addresses those needs.

How do Steve Cates and David Nettleton work together to help companies meet their objectives?

With our combined experience in computer system validation, David and I can audit the software firms for compliance and begin the process of creating the requirements documents that will be used during validation while we are still in the selection phase. 

This cuts implementation time and allows you to leverage the selection process and selection budget with the validation process. Then we will develop the process maps that can be used during selection and implementation to ensure that all of the requirements are addressed. 

With David as the trainer and reviewer and my assistance in developing the documents, we can work with the selected vendor to prepare the specifications documents during the training cycle.  This shortens the validation time and saves you time and money.

We all know that no software will fit every process you do.  Having completed over three dozen ERP implementations I have encountered multiple requirements that call for custom or third party solutions, anything from WMS systems to automated weighing processes.  This experience allows me to assist you and the vendor in understanding the issues that the software does not address.  There is a solution to every issue. Sometimes it is hardware, sometimes it is software, and sometimes it is procedural.  It is important to identify the requirements of these issues accurately so that the solution will work effectively and can be validated when implemented.

During validation, David and I will work with you to develop your SOPs, work instructions, and training documents along with the validation documents.  Once the software is validated, it is critical that the software stay in a validated state.  We will create the SOPs and software change request documents to implement software change control.  We have the background necessary to streamline your transition from the validation effort to maintaining the system.

With our background in systems selection, implementation, validation, and 21 CFR Part 11 compliance, we will achieve your goal of a speedy, cost effective implementation of your validated ERP solution.
 

David Nettleton, one of the nation's foremost experts on CSV for 21 CFR Part 11, and Janet Gough have written four books:

Risk Based Software Validation - Ten Easy Steps

Electronic Record Keeping: Achieving and Maintaining Compliance with 21 CFR Part 11 and 45 CFR Parts 160, 162, and 164

Managing the Documentation Maze

Commercial Off-the-Shelf (COTS) Software Validation for 21 CFR Part 11 Compliance

See the Books page for more information and to order.