As if a slowing economy and dwindling product pipelines weren’t enough to contend with, drug companies are under mounting pressure to face a regulatory issue that many compare to the “Y2K bug” of the late 1990s: compliance with the FDA’s 21 CFR Part 11 regulation. The ruling, which governs the security of electronic records submitted to the agency, has been in place since 1997, but the FDA is only just beginning to crack down on companies who fail to meet the minimum validation requirements (see sidebar, p. 9).
The increasingly threat of an FDA audit has biopharmaceutical firms scrambling to ensure their systems are in line with the ruling well before their next FDA submission. Although the ruling applies to the security of records submitted as part of the drug approval process, there is a question as to whether this includes bioinformatics data from early drug discovery.
Much is at stake for companies pondering this issue: The validation process is not cheap. Estimates range from $100 million to $150 million for large biotechs and up to $250 million for global pharmas simply to ensure that the systems they already have in place meet the FDA’s approval. Any chance of shaving off some expenses is a welcome relief. On the other hand, the failure to prepare for future requirements could cost a company dearly down the road, in the form of a rejected — or hopelessly delayed — drug.
Even the experts are uncertain about Part 11’s potential impact on bioinformatics. Paul Motise, a consumer safety officer with the FDA, noted that because bioinformatics research “occurs before any testing is done on laboratory animals…[it] is too far upstream to come under FDA regulation, currently.” While declining to speculate on whether the FDA may become more vigilant in tracking early discovery data, Motise did note that validating bioinformatics systems makes “good business sense to ensure that the systems to be used as the basis for deciding upon further research perform properly and consistently.”
According to Victoria Lander, market development manager at NuGenesis Technologies, there is a “tremendous amount of misconception” surrounding the Part 11 ruling, largely due to confusion over when an electronic record begins: “People are putting data directly from instruments into Access and then dumping that data into a printer, and then dumping it somewhere else. They do all this stuff to their data, and the question is when is a record really a record? When is a record created and when should the audit trail start?”
Lander, who conducts Part 11 compliance workshops for NuGenesis, said that concerns about early discovery data are mounting in the industry. “Lately people are realizing that their data is ending up in submissions down the road as early discovery stuff starts getting folded into drugs, so they want to make sure that their records are Part 11 compliant … because whoever ultimately makes the drug, they’re going to apply for FDA approval once the drug is ready to go into trials or on the market.”
But the decision to make all early discovery informatics compliant is not a simple one. Aside from the excessive time and costs associated with validation, the research culture of early discovery simply doesn’t lend itself to a compliant environment, which requires log-ins for each instrument and computer, lists of passwords to remember, and other procedural hoops for researchers to jump through just to do their job. While employees at the discovery and manufacturing end of the pipeline may be used to heavily regulated environments, discovery researchers tend to expect a greater degree of freedom.
In addition, Part 11 requires that all electronic records and supporting documents remain available and reproducible for the full length of the FDA approval process — a period of up to 20 years in some cases, comprising generations of computer systems and software. It’s simply not practical to store every bit of discovery data, especially as around 90 percent of it doesn’t even make it downstream.
Finally, the open source root of many bioinformatics software programs makes the development of documentation and controls required for Part-11-enabled software nearly impossible.
Bioinformatics software vendors have been even more reluctant to jump on the Part 11 bandwagon, and for the most part are taking a wait-and-see approach to enabling their software for compliance. Indeed, without a clear directive from the FDA on the issue, vendors are loathe to take part in what has been described by some as a “fear, uncertainty, and doubt” campaign led by consultants and vendors who stand to gain from a broad — and confused — customer base.
Robert Rhorer, the founder of regulatory advisory firm Cohegun Consulting, noted that some companies use “scare tactics” to push clients into “overkill on compliance.” Another danger, according to Jack Elands, CEO of IDBS, is vendors who fail to remind customers that compliant software is only part of the picture. “If you take non-compliant data and put it into a compliant system, that doesn’t make it compliant,” he said.
Added Rhorer, “Software producers can’t say their software is validated or compliant. It’s how that software is used in place by the user.” Rhorer uses the terms “validatable” and “Part-11 capable” to describe software systems that have the technical controls in place to be used as part of a compliant environment. “That’s a very subtle difference, but very important,” he noted. The buyer is ultimately responsible for putting in place the complementary procedural and administrative controls to comprise a fully compliant system.
Part 11 Perks
Some informatics vendors are finding that Part 11 capability gives them a much-needed advantage when selling into regulated companies. Janet Smith, director of regulatory affairs at Scimagix, said that the company’s decision to make its SIMS (Scientific Image Management System) platform validatable has “influenced more sales than anything else we’re looking at right now.” Added Michael Cosgrove, SciMagix’s director of enterprise systems, “Having this capability means when we run up against companies that have other types of image handling systems…they’re not coming up with the ability to go into this area, and that certainly gives us a competitive edge.”
Agilent Technologies, which has had some experience grappling with compliance issues for its broad life science instrumentation line, opted to enable its recently launched Synapsia Informatics Workbench for Part 11 compliance. Deciding that the question wasn’t whether bioinformatics would eventually fall under the ruling, but only “when and how,” Agilent “took what we already did in quality assurance and quality control and moved it into our informatics application,” said Francois Mandeville, business manager of Agilent’s informatics solutions business.
The company implemented compliance engineering into its informatics development process “long before it was necessary” not only for the competitive advantage it offers, but also for the benefits it brings to the software design process, Mandeville said. Because developers are forced to embed design intentions and traceability links within the source code as they write it, “it’s easier for engineers to absorb each other’s code.” The result is a faster, better-documented software engineering process, according to Mandeville.
A similar argument is made for users of compliance-enabled software. Regardless of regulatory requirements, it’s simply “good business practice” to put the security and audit-trail capabilities of compliant software in place for early discovery and pre-clinical data, said Rhorer. For users making important business decisions based on their data, the goal is to “look in the mirror and say the data that I’ve reviewed is the best and as accurate as possible,” he said. In addition, compliant systems are ideal environments for securely and reliably tracking research data for patent filing and, when necessary, patent protection.
CuraGen’s Compliant Pipeline
For users still puzzling over whether, when, and how to make their bioinformatics tools and data Part 11 compliant, CuraGen’s approach may provide some insight.
With its discovery process firmly rooted in bioinformatics, the company was forced to contend with the fuzzy boundary of discovery data very early on in the regulatory process. Since it plans to submit all of its Investigational New Drug and Biologics License Applications electronically, CuraGen built a document management system it calls CuraDox to handle the “static” submission documents in a compliant manner, said Donna Morgan Murray, director of regulatory affairs and clinical development. The company then had to determine the best way to link its “dynamic” bioinformatics system, called GeneScape, to CuraDox in a flexible, yet secure manner. The solution was to keep the base GeneScape applications free from Part 11 compliance, yet archive “pivotal data” from GeneScape in CuraDox when necessary.
“CuraDox is tightly under control and validated, whereas GeneScape is open and unvalidated,” said Murray. “That’s the real advantage to us. If we had to force our scientists to work at the slow pace that’s required when you do system design, testing, and validation, it would slow down our discovery process.”
CuraGen had an advantage over its older pharma relatives in building the flexible system, since it had no legacy systems to contend with, Murray said. The company is hoping that this gives them an additional advantage when it files its first IND in the first half of 2003. “We want to get this information to the FDA in the format we know they want, and we want to get it to them quickly.” A fully compliant electronic system to manage the submission process ultimately makes life easier for the FDA reviewers, which can only help CuraGen. “From a regulatory standpoint we’re ready,” said Murray, who jokingly added, “Now the hard part is the science behind it.”
What Does 21 CFR Part 11 Compliance Mean, Anyway?
Title 21 Code of Federal Regulations (21 CFR), Part 11, “Electronic Records, Electronic Signatures,” went into effect in August 1997. The ruling was intended to create criteria for electronic record-keeping technologies, with the goal of ensuring that electronic records, electronic signatures, and handwritten signatures executed to electronic records can be considered trustworthy, reliable, and “generally equivalent” to paper records and handwritten signatures. Part 11 offers a laundry list of technical and procedural requirements for organizations that choose to maintain records electronically and use electronic signatures.
The ruling defines an electronic record as “any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.” An electronic signature is defined as “a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.”
The full text of the ruling is available at: www.fda.gov/ora/compliance_ref/part11/default.htm. Some key procedures and controls include:
· Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
· Protection of records to enable their accurate and ready retrieval throughout the records retention period.
· Limiting system access to authorized individuals.
· Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.
· Signed electronic records must clearly indicate the printed name of the signer, the date and time when the signature was executed, and the meaning (such as review, approval, responsibility, or authorship) associated with the signature.
· Each electronic signature must be unique to one individual and cannot be reused by, or reassigned to, anyone else.
When, What, How, Why? Key Points on Part 11 and Bioinformatics
· So far, bioinformatics software is not directly covered by 21 CFR Part 11. In fact, few FDA citations have been written under the regulation at all, and those that have been issued are in the area of manufacturing. However, many warn that bioinformatics and other early discovery informatics will soon be affected by the ruling, either directly or indirectly. Estimates of when this may begin to happen range from two to five years.
· Software vendors can enable their software for 21 CFR Part-11 compliance, but it is up to customers to validate it within their own systems. Beware vendors who claim that their standalone systems are validated — data from non-compliant systems that is fed into that machine will not be compliant.
· If you’re in the market for Part-11 enabled software, your vendor should permit an on-site audit. Vendors should be prepared to prove that their development, coding, testing, and other standard operating procedures are conducted in a structured, controlled, and traceable manner.
· Compliance is expensive, both for vendors and users. For vendors, additional manpower and documentation is necessary to prove that a product is Part-11 enabled, adding time and money to the development process. Users can spend anywhere from $100 million to $250 million on compliance, according to estimates.
· The “better safe than sorry” camp argues that even if Part 11 compliance does not become a requirement for bioinformatics software, the technology makes good enough business sense to put in place anyway, provided firms can bear the additional cost. Compliant systems can also track and document research data for patenting purposes or for better decision-making. On the vendor side, once standard operating procedures for compliance-friendly engineering are in place, proponents say it speeds future development and helps document “institutional knowledge” otherwise lost when employees move on.