According to Ken Miles of the
Food and Drug Administration: "One of the biggest challenges
facing companies today is migrating from paper-intensive
systems to paperless electronic systems. The more involved
companies get with their paper systems, the more they open
themselves up to mistakes."
In March of 1997, the FDA published its final rule on
electronic records, electronic signatures and audit trails.
This rule--known as 21 CFR Part 11--establishes the criteria
under which the FDA recognizes electronic records and electronic
signatures as the equivalent of paper records and traditional
Electronic records are all of the quality records that
you maintain, as well as other records you're required to
submit to the FDA. An electronic signature is defined as
"a computer data compilation of any symbol or series
of symbols executed, adopted or authorized by an individual
to be the legally binding equivalent of the individual's
handwritten signature." Electronic signatures must
include the signer's printed name, a date-and-time stamp
of signing, as well as the meaning of the signature (e.g.,
review, approval or acknowledgement). Companies need to
ensure that their employees understand the implications
of electronic signatures and that any false activity on
company records could result in criminal penalties.
When electronic records are in use, 21 CFR Part 11 requires
that an audit trail be maintained automatically by the system.
An audit trail provides a view-only archive of all changes
to the records. Users must not be allowed to circumvent
it under any circumstances.
Simply entering data or information into Microsoft Word
or Excel files doesn't constitute an acceptable electronic
record according to the FDA's definition. Systems must comply
with all of the provisions set forth in the 21 CFR Part
11 regulations, which mandate authenticity as well as security
of the data. Systems must be validated to establish that
they're suitable for their intended use.
Medical device companies are finding that it's not an
easy task to convert from paper-based record keeping to
electronic records, nor do they fully understand the final
Part 11 rules issued by the FDA. The results of a 2001 survey
conducted by NuGenesis Technologies Corp. show that: "Thirty-eight
percent of the respondents admitted they did not fully understand
the implications of Part 11 as it affected their companies.
And while 75 percent of respondents claimed they had begun
putting Part 11 measures in place, only 11 percent said
they were fully Part 11-compliant in at least some areas."
The regulations are subject to interpretation, and FDA
inspectors have been inconsistent with the enforcement of
these regulations. They tend to enforce Part 11 when other
problems are found during a broader inspection, rather than
look for Part 11 violations directly. However, as FDA inspectors
become more experienced with Part 11 requirements, they're
spotting deficiencies in systems on a much more regular
basis--a trend likely to continue.
Miles points out that the FDA is facing the same challenges
as the organizations it regulates. "We're implementing
electronic quality systems for our field people, managers
and laboratories," he notes. "We're performing
audits, collaborating between different groups, validating
our systems--basically adhering to the same standards that
we place on regulated industry."
Miles suggests that organizations convert to paperless
systems sooner rather than later. "Efficiency will
be improved, and the error rate will be reduced tremendously,"
he states. "It's a form of quality assurance and has
long-range effects on better product, higher profits, and
fewer mistakes and product recalls. When you have better
control of your records, and can distribute and share your
information in a timely manner, it can only have positive
effects on quality."
In 2001, Guidant Corp. took the same view. The company
was operating on a hybrid system comprising both paper and
electronic records, with some of the facilities operating
on paper-based systems only. The decision to combine all
of these processes into a single centralized system was
initiated by Myrna Santos, regulatory and compliance auditor
for Guidant Puerto Rico. Santos was looking for a 21 CFR
Part 11-compliant corrective and preventive action system
that could provide the flexibility the company required.
As a world leader in the design, development and manufacture
of cardiovascular medical products, Guidant required accessibility
for all of its locations around the globe.
Since the company incorporated in 1994, Guidant revenues
have grown to $3.2 billion, and it employs more than 10,000
people worldwide. Corporate headquarters are in Indianapolis,
with major operations in California, Minnesota, Texas, Washington,
Puerto Rico and Ireland. Other locations include Canada,
Europe, Japan and Latin America.
Guidant is composed of four business units:
Cardiac Rhythm Management--produces implantable cardioverter
defibrillators used to treat unhealthy heart rhythms.
Cardiac Surgery--focuses on less-invasive procedures for
patients requiring bypass surgery. The CS division's products
enable surgeons to perform bypass surgery without stopping
the heart or making a large incision in the patient's leg
to harvest veins typically used in bypass surgery.
Endovascular Solutions--develops solutions for treating
vascular diseases, including aortic aneurysms and neurological,
carotid and peripheral diseases.
Vascular Intervention--creates advanced treatments for coronary
artery disease. The VI division offers a product line of
stent and stent delivery systems.
After reviewing numerous CAPA systems on the market, Guidant
selected CATSWeb from AssurX Inc. The primary decision factor
was the degree of compliance with 21 CFR Part 11, followed
by cost and ease of use. CATSWeb is a highly flexible Web-based
enterprise quality tracking system that is configurable
and customizable. Guidant's initial proof-of-concept program
began at three company locations: Puerto Rico, Ireland and
California. The project began in April 2002 and went live
by the third week of July. It included designing the workflow,
performing the process and software validation, and training
the users. AssurX provided the procedural templates that
helped to expedite the software validation process, as well
as on-site training for the administrators and users.
"Validation of the software is very important,"
says Miles. "FDA inspectors will often write up companies
that fail to provide process validation and standard operating
procedures. Failure to maintain proper corrective and preventive
action procedures are cited in a high rate of Notices of
Inspectional Observations (known as 483 warning letters)
issued to medical device companies. The last thing the organization
wants is to be fined or forced to recall its product."
"Planning and training were essential to our success,"
says Pat McCrumb, manager of quality operations at Guidant's
Santa Clara Cardiac Surgery Unit. "We took the time
to carefully map out our workflow in advance. The system
has significantly increased visibility and productivity.
And because the system is so flexible, we're only limited
by our imagination." McCrumb plans to use CATSWeb for
final product releases as well as external corrective actions
Users were impressed with the short learning curve and
ease of entering information electronically. They're now
able to record all information into a single electronic
system that eliminates the potential for mistakes and allows
management to view real-time data to make better, faster
McCrumb uses CATSWeb for entering nonconforming material
issues. These records are frequently accompanied by digital
images, which are stored securely within the database, thereby
being subject to the same audit trail and controls. As a
result, closure rates have significantly reduced. For example,
70 percent of nonconformances are closed within five days
and 60 percent are closed within 48 hours. "It used
to take me two to three weeks to prepare quarterly nonconformance
reports," remembers McCrumb. "Now it only takes
me two days. I also publish weekly open activity reports
that take me less than 30 minutes to prepare. The query
functionality is key. Before, I used to do all of this by
The integrated query and analysis functionality enables
McCrumb to effectively identify trends in quality data and
proactively react to the trends in real time. CATSWeb is
used at every level of the organization, including design/engineering,
incoming inspection, quality control, manufacturing, distribution
and management--essentially throughout the product life
Santos adds that CATSWeb has helped her in ensuring that
manufacturing-related complaints are addressed in a timely
fashion. The quality assurance and compliance group enters
incoming complaints and issues and assigns actions to appropriate
personnel. Assigned tasks are typically due in one week.
Santos established notification rules that automatically
remind assignees of pending tasks two days prior to the
due date, and again the following day. All of the notifications
are sent via Guidant's e-mail system. Escalation rules automatically
reassign the tasks to management if they're not addressed
within a predetermined period of time.
During weekly cross-functional meetings, data from the
system is reviewed and more effective preventive actions
are put into place. Management can then query the information
at any time to make more informed productivity decisions,
generate progress reports, view quality indicators and set
future goals. "We've cut the time required for quality
indicator chart generation by more than 50 percent,"
Since July 2002, Guidant users have entered more than
2,000 issues into the system. About 365 people currently
use the system, and that number will grow during the remainder
of the roll-out phase.
These system characteristics will provide the easiest implementation,
lowest total cost of ownership, widest accessibility and
best regulatory compliance:
Configurable. The system should allow easy and robust configuration
of forms, fields and workflow. The system should adapt to
your processes, not the other way around. If the software
vendor requires you to pay for expensive preconfiguration,
maintenance costs will likely be high.
Security. User access should be configurable down to the
field or record level. Configurable minimum password requirements,
password aging and maximum session durations are mandatory
requirements. Support for secure communications (SSL) and
network authentication systems is highly desirable. The
system should be capable of detecting and thwarting unwanted
access and notifying system administrators when such a threat
Web-based. All functionality, including administration and
configuration screens, should be available via a standard
Web browser. The system should support Web browsers from
a variety of manufacturers running on a variety of operating
Electronic signatures. The software must prompt the user
for at least one unique identification component (e.g.,
password) each time a signature is applied, or use a biometric
means of authentication. Signatures must show the printed
name of the signer, the date and time the signature was
applied, and the meaning of the signature.
Audit trails. The system should include a secure, time-stamped
audit trail that enables authorized users to view all past
versions of your electronic records. Users must have no
means of bypassing or modifying the audit trail. Systems
should maintain past versions of records in their entirety
(i.e., record-level vs. field-level audit trails) for easiest
review and analysis.
Validation templates. Prewritten procedure templates for
installation qualification and operational qualification
will speed the validation process. Each step of the test
process should state the expected result.
Customizable. The system should offer an application programming
interface that allows for advanced extensibility without
requiring vendor customization.
Flexible and robust integration capabilities. The system
should easily integrate with the information systems you
already have, including custom applications developed in-house.
File attachments. The system should allow any type of file
to be attached to a record. Changes to attachments must
be maintained in the secure audit trail.
E-mail integration. Integration with your current e-mail
system, regardless of its type, is critical for time-sensitive
Unlimited automatic notification and escalation rules. Configurable
automatic notification and escalation rules provide a watchdog
mechanism that keeps critical workflow processes on track.
Analysis, reporting and business intelligence tools. The
system should be able to perform ad-hoc queries based on
any field in your forms. Systems should allow you to use
your current reporting/business intelligence tools rather
than being forced to use a new tool that the software vendor
Scalability. Electronic record systems should be designed
to grow with your organization, to "scale up"
by adding additional servers as usage increases. Systems
should utilize modern, reliable and robust databases such
as Microsoft's SQL Server 2000 or Oracle 9i.
"The FDA's primary goal is to protect the public,"
says Miles. "With electronic systems, medical device
companies can report problems in the field and take corrective
action much more quickly and efficiently than they can with
paper systems, which can take months.
"Being able to capture, manage and trend information
during all stages of the product life cycle in an electronic
system allows quick assembly of valuable information when
taking corrective action or making quality-related changes.
These types of changes not only affect safety and effectiveness,
but also productivity and profitability within an organization."
With the FDA increasing its focus on compliance and CAPA
issues, organizations can no longer set aside their plans
to convert from paper to electronic systems. Recent FDA
fines of medical device companies have run into the hundreds
of millions of dollars. Failure to address quality or manufacturing
issues will not only result in FDA warnings or possible
recalls but also class action lawsuits filed by consumers
who become victims of defective medical devices. A global
CAPA solution can provide information and visibility throughout
the entire organization in real time and is no longer isolated
to the quality assurance department. Problems can be resolved
much faster--before they become a major liability.
Tamar M. June is director of marketing at AssurX Inc.,
a software company that provides CAPA systems to a variety
of industries including medical device, pharmaceutical,
semiconductor, aerospace and contact manufacturing. She
has spent the past 16 years in both manufacturing and information
technology. Letters to the editor regarding this article
can be sent to email@example.com.