IT and Data Management Are Pharma’s Weakest Compliance Link

21 CFR Part 11 noncompliance is a whole lot less sexy than the colorful sales and marketing pecadillos the industry has seen so far this year, but it is a main theme in Mr. Olagunju's complaints against Novartis and a recurring theme in 483s and regulatory problems.   "IT is still the weak link in the chain of compliance," defense attorney Mitch Lazris said at an industry event recently, "And, in the courtroom it's the industry's Achilles Heel." (IT consultant John Avellanet, CEO of Cerulean, LLC quoted Lazris in a presentation he made in Washington this week.  He also commented on data integrity a few days ago for "On Pharma." Here is a slightly longer article, in which he offers best practices.) The essence of Part 11 is data integrity, and pharma doesn't always get it right. (In the medical devices area,  even news of Baxter's infusion pump recall involved data integrity---it appears that repair, test and inspection data had all been falsified.)  "FDA's mistake with Part 11 was focusing on the technology hows and not the required outcomes for information integrity," said George Smith, head of CDER's office of compliance, also quoted by Avellanet. Experts agree that managing data is at the root of many of the pharmaceutical industry's most pressing problems today.  When our magazine started up in 2002, "Part 11," the regulation that pharma loved to hate, was on every healthcare trade magazine headline and magazine cover (including ours).   We don't hear about the regulation all that frequently anymore But rumors of Part 11's demise have been highly exaggerated. Just because we're not hearing about it again and again doesn't mean it shouldn't be a priority. Only now, it's integrated into the overall fabric of compliance.  The following slide from Mr. Avellanet's presentation, sums up the situation nicely. cerulean.jpg  Consultant Michael Gregor, CEO of Compliance Gurus, says many pharma companies fail to:
  • follow documented standard operating procedures
  • maintain accurate and complete records.
  • deploy audit trial functionality in automated applications used for regulatory purposes
  • validate computerized systems for their intent of use
  • train employees on company SOPs and/or Policies
Mr. Gregor, who will be a guest commentator on our web site and blog, and who is developing an FDA Compliance Index" for offered the following responses to the same questions about clinical data validation we'd posed to Mr. Avellanet. Again, his answers refer only to pharma in general and have absolutely no relation to the Novartis legal case, the company of any of its affiliates. PM - What are the typical mistakes companies make when trying to manage clinical data? MG - Here are the top ones: 1. Failure to validate their computerized system used for AERs, Statistical Analysis, or Electronic Data Capture. Furthermore, companies typically lack the deviation procedures that govern the deviations from their established procedures (VERY COMMON). 2. Failure to document all changes to a database containing clinical data. Failure to document, assess, OR validate any changes to the software application used to manage clinical data (VERY COMMON). 3. Lack of procedures governing the data validation and data cleaning process. 4. Failure to abide by 21 CFR Part 11, Electronic Records and Electronic Signatures when creating, processing, archiving, or storing data. 5. Failing to create 21 CFR Part 11 requirements during their computer validation efforts for the data management application. 6. Insufficient resources available to follow company procedures or to assure quality of clinical data management.* I have typically seen company's QA resources stretched so thin they do not have the bandwidth to support the clinical data management function. *Hmmm. Makes one wonder whether AstraZeneca, in focusing its job cuts (just announced today) on Operations and IT, made a move it may soon regret. -AMS