Wednesday, October 16, 2002

Buzzword alert: Part 11 compliance

Over the past few years, a number of software vendors selling into the pharmaceutical and medical device industries have been claiming that their systems are "Part 11 compliant." Here's some background. In 1997 the US Food and Drug Administration (FDA) issued its final rule on the use of electronic records and electronic signatures, publishing it in the Federal Register under 21 CFR Part 11. Hence, the term "Part 11." Essentially, Part 11 provides criteria by which companies regulated by FDA can use electronic records and electronic signatures as equivalent to paper records with handwritten signatures in meeting FDA regulations. Furthermore, FDA investigators have started to inspect companies' computer systems for compliance with Part 11. In some cases, companies may find it easier to replace legacy systems than to remediate them. This has created a market opportunity for software vendors serving FDA-regulated industries.

However, some software vendors, hoping to win a piece of this business, make claims about their systems that go too far. Here are a few examples, without naming the vendors: "[Package name] is fully compliant with 21 CFR Part 11." .... "[Vendor name] has developed proprietary software utilizing 128-bit encryption technology that fully complies with 21 CFR Part 11." .... "This solution is 21 CFR Part 11 compliant and will provide an immediate solution to using electronic signatures with minimum investment and minimal impact on legacy systems." .... "[Package name] is 100% compliant with the US Food and Drug Administration (FDA) final ruling on Electronic Records and Electronic Signatures referred to as 21 CFR Part 11." And my personal favorite: "Are you concerned about Title 21 CFR Part 11 FDA regulations governing electronic records and electronic signatures? Don't be. The FDA edition of [package name] is fully compliant."

The basic problem is that these claims imply that the packages themselves are "compliant," whereas FDA regulations and guidance make it clear that it is the end users and their companies that must be compliant. One package may be easier than another to implement in a compliant fashion. But compliance is much more than buying and implementing a certain package. In a recent meeting with one software vendor (the minutes of which are public record), FDA representatives made the following simple and clear comment: "During the meeting we discussed the appropriateness of representing software as 'part 11 compliant.' We explained that the term is a misnomer because people who are subject to part 11 are responsible for compliance with the rule and because achieving compliance involves implementing a collection of administrative, procedural, and technical controls. We suggested that where software has technical features that are required by part 11, it would be appropriate to map those features to particular part 11 controls and then let prospective customers determine for themselves the potential suitability of the software in their own circumstances."