by Tamar M. June

According to Ken Miles of the Food and Drug Administration: "One of the biggest challenges facing companies today is migrating from paper-intensive systems to paperless electronic systems. The more involved companies get with their paper systems, the more they open themselves up to mistakes."

In March of 1997, the FDA published its final rule on electronic records, electronic signatures and audit trails. This rule--known as 21 CFR Part 11--establishes the criteria under which the FDA recognizes electronic records and electronic signatures as the equivalent of paper records and traditional handwritten signatures.

Electronic records are all of the quality records that you maintain, as well as other records you're required to submit to the FDA. An electronic signature is defined as "a computer data compilation of any symbol or series of symbols executed, adopted or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature." Electronic signatures must include the signer's printed name, a date-and-time stamp of signing, as well as the meaning of the signature (e.g., review, approval or acknowledgement). Companies need to ensure that their employees understand the implications of electronic signatures and that any false activity on company records could result in criminal penalties.

When electronic records are in use, 21 CFR Part 11 requires that an audit trail be maintained automatically by the system. An audit trail provides a view-only archive of all changes to the records. Users must not be allowed to circumvent it under any circumstances.

Simply entering data or information into Microsoft Word or Excel files doesn't constitute an acceptable electronic record according to the FDA's definition. Systems must comply with all of the provisions set forth in the 21 CFR Part 11 regulations, which mandate authenticity as well as security of the data. Systems must be validated to establish that they're suitable for their intended use.

Medical device companies are finding that it's not an easy task to convert from paper-based record keeping to electronic records, nor do they fully understand the final Part 11 rules issued by the FDA. The results of a 2001 survey conducted by NuGenesis Technologies Corp. show that: "Thirty-eight percent of the respondents admitted they did not fully understand the implications of Part 11 as it affected their companies. And while 75 percent of respondents claimed they had begun putting Part 11 measures in place, only 11 percent said they were fully Part 11-compliant in at least some areas."

The regulations are subject to interpretation, and FDA inspectors have been inconsistent with the enforcement of these regulations. They tend to enforce Part 11 when other problems are found during a broader inspection, rather than look for Part 11 violations directly. However, as FDA inspectors become more experienced with Part 11 requirements, they're spotting deficiencies in systems on a much more regular basis--a trend likely to continue.

Miles points out that the FDA is facing the same challenges as the organizations it regulates. "We're implementing electronic quality systems for our field people, managers and laboratories," he notes. "We're performing audits, collaborating between different groups, validating our systems--basically adhering to the same standards that we place on regulated industry."

Miles suggests that organizations convert to paperless systems sooner rather than later. "Efficiency will be improved, and the error rate will be reduced tremendously," he states. "It's a form of quality assurance and has long-range effects on better product, higher profits, and fewer mistakes and product recalls. When you have better control of your records, and can distribute and share your information in a timely manner, it can only have positive effects on quality."

In 2001, Guidant Corp. took the same view. The company was operating on a hybrid system comprising both paper and electronic records, with some of the facilities operating on paper-based systems only. The decision to combine all of these processes into a single centralized system was initiated by Myrna Santos, regulatory and compliance auditor for Guidant Puerto Rico. Santos was looking for a 21 CFR Part 11-compliant corrective and preventive action system that could provide the flexibility the company required. As a world leader in the design, development and manufacture of cardiovascular medical products, Guidant required accessibility for all of its locations around the globe.

Since the company incorporated in 1994, Guidant revenues have grown to $3.2 billion, and it employs more than 10,000 people worldwide. Corporate headquarters are in Indianapolis, with major operations in California, Minnesota, Texas, Washington, Puerto Rico and Ireland. Other locations include Canada, Europe, Japan and Latin America.

Guidant is composed of four business units:

Cardiac Rhythm Management--produces implantable cardioverter defibrillators used to treat unhealthy heart rhythms.

Cardiac Surgery--focuses on less-invasive procedures for patients requiring bypass surgery. The CS division's products enable surgeons to perform bypass surgery without stopping the heart or making a large incision in the patient's leg to harvest veins typically used in bypass surgery.

Endovascular Solutions--develops solutions for treating vascular diseases, including aortic aneurysms and neurological, carotid and peripheral diseases.

Vascular Intervention--creates advanced treatments for coronary artery disease. The VI division offers a product line of stent and stent delivery systems.

After reviewing numerous CAPA systems on the market, Guidant selected CATSWeb from AssurX Inc. The primary decision factor was the degree of compliance with 21 CFR Part 11, followed by cost and ease of use. CATSWeb is a highly flexible Web-based enterprise quality tracking system that is configurable and customizable. Guidant's initial proof-of-concept program began at three company locations: Puerto Rico, Ireland and California. The project began in April 2002 and went live by the third week of July. It included designing the workflow, performing the process and software validation, and training the users. AssurX provided the procedural templates that helped to expedite the software validation process, as well as on-site training for the administrators and users.

"Validation of the software is very important," says Miles. "FDA inspectors will often write up companies that fail to provide process validation and standard operating procedures. Failure to maintain proper corrective and preventive action procedures are cited in a high rate of Notices of Inspectional Observations (known as 483 warning letters) issued to medical device companies. The last thing the organization wants is to be fined or forced to recall its product."

"Planning and training were essential to our success," says Pat McCrumb, manager of quality operations at Guidant's Santa Clara Cardiac Surgery Unit. "We took the time to carefully map out our workflow in advance. The system has significantly increased visibility and productivity. And because the system is so flexible, we're only limited by our imagination." McCrumb plans to use CATSWeb for final product releases as well as external corrective actions with suppliers.

Users were impressed with the short learning curve and ease of entering information electronically. They're now able to record all information into a single electronic system that eliminates the potential for mistakes and allows management to view real-time data to make better, faster decisions.

McCrumb uses CATSWeb for entering nonconforming material issues. These records are frequently accompanied by digital images, which are stored securely within the database, thereby being subject to the same audit trail and controls. As a result, closure rates have significantly reduced. For example, 70 percent of nonconformances are closed within five days and 60 percent are closed within 48 hours. "It used to take me two to three weeks to prepare quarterly nonconformance reports," remembers McCrumb. "Now it only takes me two days. I also publish weekly open activity reports that take me less than 30 minutes to prepare. The query functionality is key. Before, I used to do all of this by hand--on paper."

The integrated query and analysis functionality enables McCrumb to effectively identify trends in quality data and proactively react to the trends in real time. CATSWeb is used at every level of the organization, including design/engineering, incoming inspection, quality control, manufacturing, distribution and management--essentially throughout the product life cycle.

Santos adds that CATSWeb has helped her in ensuring that manufacturing-related complaints are addressed in a timely fashion. The quality assurance and compliance group enters incoming complaints and issues and assigns actions to appropriate personnel. Assigned tasks are typically due in one week. Santos established notification rules that automatically remind assignees of pending tasks two days prior to the due date, and again the following day. All of the notifications are sent via Guidant's e-mail system. Escalation rules automatically reassign the tasks to management if they're not addressed within a predetermined period of time.

During weekly cross-functional meetings, data from the system is reviewed and more effective preventive actions are put into place. Management can then query the information at any time to make more informed productivity decisions, generate progress reports, view quality indicators and set future goals. "We've cut the time required for quality indicator chart generation by more than 50 percent," Santos reveals.

Since July 2002, Guidant users have entered more than 2,000 issues into the system. About 365 people currently use the system, and that number will grow during the remainder of the roll-out phase.

What to Look for When Going Paperless

These system characteristics will provide the easiest implementation, lowest total cost of ownership, widest accessibility and best regulatory compliance:

Configurable. The system should allow easy and robust configuration of forms, fields and workflow. The system should adapt to your processes, not the other way around. If the software vendor requires you to pay for expensive preconfiguration, maintenance costs will likely be high.

Security. User access should be configurable down to the field or record level. Configurable minimum password requirements, password aging and maximum session durations are mandatory requirements. Support for secure communications (SSL) and network authentication systems is highly desirable. The system should be capable of detecting and thwarting unwanted access and notifying system administrators when such a threat is detected.

Web-based. All functionality, including administration and configuration screens, should be available via a standard Web browser. The system should support Web browsers from a variety of manufacturers running on a variety of operating systems.

Electronic signatures. The software must prompt the user for at least one unique identification component (e.g., password) each time a signature is applied, or use a biometric means of authentication. Signatures must show the printed name of the signer, the date and time the signature was applied, and the meaning of the signature.

Audit trails. The system should include a secure, time-stamped audit trail that enables authorized users to view all past versions of your electronic records. Users must have no means of bypassing or modifying the audit trail. Systems should maintain past versions of records in their entirety (i.e., record-level vs. field-level audit trails) for easiest review and analysis.

Validation templates. Prewritten procedure templates for installation qualification and operational qualification will speed the validation process. Each step of the test process should state the expected result.

Customizable. The system should offer an application programming interface that allows for advanced extensibility without requiring vendor customization.

Flexible and robust integration capabilities. The system should easily integrate with the information systems you already have, including custom applications developed in-house.

File attachments. The system should allow any type of file to be attached to a record. Changes to attachments must be maintained in the secure audit trail.

E-mail integration. Integration with your current e-mail system, regardless of its type, is critical for time-sensitive workflow processes.

Unlimited automatic notification and escalation rules. Configurable automatic notification and escalation rules provide a watchdog mechanism that keeps critical workflow processes on track.

Analysis, reporting and business intelligence tools. The system should be able to perform ad-hoc queries based on any field in your forms. Systems should allow you to use your current reporting/business intelligence tools rather than being forced to use a new tool that the software vendor provides.

Scalability. Electronic record systems should be designed to grow with your organization, to "scale up" by adding additional servers as usage increases. Systems should utilize modern, reliable and robust databases such as Microsoft's SQL Server 2000 or Oracle 9i.

Conclusion

"The FDA's primary goal is to protect the public," says Miles. "With electronic systems, medical device companies can report problems in the field and take corrective action much more quickly and efficiently than they can with paper systems, which can take months.

"Being able to capture, manage and trend information during all stages of the product life cycle in an electronic system allows quick assembly of valuable information when taking corrective action or making quality-related changes. These types of changes not only affect safety and effectiveness, but also productivity and profitability within an organization."

With the FDA increasing its focus on compliance and CAPA issues, organizations can no longer set aside their plans to convert from paper to electronic systems. Recent FDA fines of medical device companies have run into the hundreds of millions of dollars. Failure to address quality or manufacturing issues will not only result in FDA warnings or possible recalls but also class action lawsuits filed by consumers who become victims of defective medical devices. A global CAPA solution can provide information and visibility throughout the entire organization in real time and is no longer isolated to the quality assurance department. Problems can be resolved much faster--before they become a major liability.

About the author

Tamar M. June is director of marketing at AssurX Inc., a software company that provides CAPA systems to a variety of industries including medical device, pharmaceutical, semiconductor, aerospace and contact manufacturing. She has spent the past 16 years in both manufacturing and information technology. Letters to the editor regarding this article can be sent to letters@qualitydigest.com.