IT validation and compliance expert Michael Gregor wrote the following comment yesterday, which needs to be emphasized---particularly the point he makes about software vendor claims.
"...Data integrity can only be accomplished by deploying the required safeguards outlined in 21 CFR Part 11. Although many companies make a good faith effort to implement the majority of Part 11 controls, they lack the necessary procedures required to govern the implementation and maintenance of these controls. Furthermore, organizations often lack the validation documentation required to prove their said application was tested against Part 11 requirements. Therefore, resulting in noncompliance.
In addition to a lack of controls and validation documentation, many companies seem to throw technology at 21 CFR Part 11 in hopes that 21 CFR Part 11 will be satisfied. Unfortunately, it is not that easy. As I stated previously, implementing technology to address 21 CFR Part 11 must be accompanied by the required procedures and validation documentation.
On a side note, a very important point I would like to caution the industry with is the idea of many software vendors claiming 21 CFR Part 11 compliance. I have performed several audits of software vendors over the years and not once did I ever find a software vendor in compliance with 21 CFR Part 11. In fact, many will claim Part 11 compliance because they have an audit trail functionality. Well, we all know that Part 11 is much more than than an audit trail. In the name of patient safety and data authenticity, be very careful when verifying a software vendor's ability to comply with 21 CFR Part 11.
Lastly, it is important for the industry to understand that as technology evolves, so will the applicability of Part 11. Remember, if you are in doubt as to the applicability of Part 11, do not forget to ask yourself, Is my application's data used for regulatory purposes?
Michael J. Gregor
CEO, Compliance Gurus, Inc.
