IT vendors and service providers also are being exposed to regulatory compliance pressures. FDA expects IT vendors that provide services to pharmaceutical companies from vendor sites to comply with regulations and prepare for future FDA audits. The intent is to increase the monitoring of project operations at vendor sites. Therefore, compliance is a critical requirement for vendor and service provider sites.
Vendors that develop and maintain IT systems for regulated companies from their sites must be aware of their responsibilities as prescribed in FDA's Compliance Policy Guide (CPG) on Vendor Responsibility, which makes vendors "liable, under the Food, Drug and Cosmetic (FD&C) Act, for any violation attributable to intrinsic defects in the hardware and software" (1). According to the guide, "Vendors may incur liability for validation, as well as hardware/software maintenance performed on behalf of users."
FDA regulations, as published in documents such as Computerized Systems Used in Clinical Trials or the General Principles of Software Validation, dwell largely on software applications and do not directly mention IT infrastructure.
Title 21 of the Code of Federal Regulations (CFR) Part 11 (Electronic Records and Electronic Signatures) is an umbrella regulation covering all predicate rules for good clinical practices, current good manufacturing practices, and good laboratory practices. Part 11 mentions computerized systems as well as software applications, so any computerized system in its entirety is subject to the regulation. FDA defines a computer system as: “a functional unit consisting of one or more computers and associated peripheral input and output devices, and associated software, that uses common storage for all or part of a program and also for all or part of the data necessary for the execution of the program; executes user-written or user-designated programs; performs user-designated data manipulation, including arithmetic operations and logic operations; and that can execute programs that modify themselves during their execution. A computer system may be a stand-alone unit or may consist of several interconnected units.”
A computerized system is defined as a unit that includes hardware, software, peripheral devices, personnel, and documentation such as manuals and standard operating procedures (SOPs). It is based on an infrastructure made up of data centers, servers, workstations, routers, switches, firewalls, applications, and protocols.
The 21 CFR Part 11 rule suggests that "any decision to validate computerized systems, and the extent of the validation, takes into account the impact the systems have on its ability to meet predicate rule requirements." The effect these systems may have on the accuracy, reliability, integrity, availability, and authenticity of required electronic records and signatures must be considered. Further, the rule states that "even if there is no predicate rule requirement to validate a system, in some instances it may still be important to validate the system." Although this rule does not seek to establish "legally enforceable responsibilities," the industry has witnessed a few cases in 2005 where FDA issued warnings to a regulated firm citing noncompliance with Electronic Records and Electronic Signatures (ER, ES) requirements (specifically, pointing out a lack of validation in a computer system as a grave risk).
Therefore, the entire IT infrastructure is affected by 21 CFR 11 and falls within the scope of regulatory scrutiny. Qualification of IT infrastructure thus becomes essential to the validation of computerized systems. IT infrastructure houses and sustains validated systems; therefore, the sole purpose of infrastructure qualification is to guarantee and safeguard reliability, security, and business continuity. IT infrastructure, if not maintained in a demonstrable state of control and qualification, may affect the validated status of GxP applications or electronic record systems that depend on the infrastructure.