Virtualization: Taking Advantage of Part 11 to Save Money

For Medical Device


MasterControl recently interviewed John Avellanet, the founder of the FDA regulatory intelligence and lean compliance program for executives and business owners, SmarterCompliance™, and the Managing Director of Cerulean Associates LLC. He is the author of more than 35 articles on lean compliance, Part 11, and quality systems, a contributing author to the book Best Practices in Biotechnology Business Development, and a frequent speaker with FDA officials.

Technology analysts have shown that companies can save between 30 to 80% of their IT budgets with virtualization.
Question: In February, you published a strategy article, "Virtualization and Validation," that argued the Food & Drug Administration's 21 Code of Federal Regulations Part 11 is on a collision course with current computing technology if the agency doesn't release its long-promised revision soon. What prompted your article?

John Avellanet: There were really two sparks that started the article. One was a question from an attendee of my seminar last year, Understanding and Implementing the Revised FDA Part 11 and EU Annex 11 [a recording of that seminar is available on Mr. Avellanet's website]. The second was a discussion I had with several subscribers to my newsletter on how to save money when it comes to IT but still be in compliance with current FDA expectations.

Question: You write in your article about the status of the agency's efforts to revise Part 11. How did you learn about this?

John Avellanet: One of the key components of my newsletter and executive advisory program is compliance intelligence - it's not really different from business intelligence. I survey a broad range of information sources: the agency's own publications and presentations, warning letters, 483s, establishment inspection reports, daily FDA news articles, other government agency publications, blog postings, private conversations with colleagues in the FDA, and so on. It takes quite a bit of time just to gather and synthesize all the information. I then analyze it, look for subtexts, trends and themes, and assess probabilities. From all this I make recommendations for my subscribers.

Question: Given what you've learned about the revised Part 11, how can companies take advantage of where the agency seems to be heading?

John Avellanet: One approach is to leverage a newer technology concept called "computer virtualization." I won't go into all the details, but essentially, there are a two types of virtualization you can think about: one is running multiple software on the same computer and having each piece of software think it has the computer to itself - your production line monitoring software thinks it's the only software on the computer; the other type of virtualization spreads your software across many different computers connected across many different locations in the world - "cloud computing." In that latter model, your production line monitoring software runs and stores data on multiple computers either in the same data center or in data centers in India, the US and Sweden. From a cost perspective, technology analysts have shown that companies can save between 30 to 80% of their IT budgets with virtualization. So the return on investment is there.

For a big company like AstraZeneca, outsourcing your systems to an IT vendor that uses virtualization is going to drive down costs. Where the revisions to Part 11 come into play is around validation. Under the old rubric of "validate everything," virtualization was impossible. But because so much of the Part 11 revisions seem centered around data integrity - as opposed to software code validation, for instance - companies can focus their compliance efforts on data controls and leave the software and hardware largely to the technology vendors.

Can you give some examples?

John Avellanet: From the big picture standpoint, you need to do three things:
  1. Do your homework first - In the "Virtualization and Validation" article, I gave several suggestions on how to find a technology virtualization provider that fits your company, and folks can walk through those on their own. The key is to make sure you do your homework and not just pick some firm that made a splash with last month's press release. Any inspector will look to understand the logic behind your decisions.
  2. Conduct risk-based due diligence - If the systems (and data) you're going to outsource are low risk in terms of your quality system or product safety and efficacy, you may be able to get away without doing a full on-site audit, and just use the so-called "paper audit." So the intensity of your due diligence needs to be based on the criticality of the records contained within the systems you plan to virtualize.

  3. Craft a quality or technical agreement with reasonable expectations and sharp teeth - Here you'd want to clearly identify your minimum level of expectations. I suggest you do some research on what typical levels are in the industry for each category of system you want to virtualize and outsource. For instance, I'm sure MasterControl can provide typical uptime statistics for any of its solutions; I'd then find out similar numbers for other technologies, then average them all together to get a median uptime expectation - say 98.4% for example. And then that percentage would be expressly written into any quality or technical agreement I signed. The teeth of the contract might be financial penalties that would be assessed if average uptime dropped below the 98.4% level for a defined period.

When we narrow down to the details, the focus has to be on controls - and verification thereof - around electronic record integrity. If nothing else, you want the ability to conduct independent verifications of the vendor's controls on your data. This is where working with someone independent can help ensure you clarify reasonable controls and thresholds (plus some "stretch" goals), and then help you push back against any vendor objections.

Whomever you involve, make sure they have both IT compliance experience and records management experience; one without the other is going to leave you vulnerable. I'll address the records management side since therein lies the most common weaknesses and gaps I uncover when I conduct audits. Electronic data is most at risk when it's sitting in storage - either on a computer or backed up on tape. Remember, your data can sit there for a long time - five, ten, even twenty years in some cases, depending on the regulation involved. What the information inspectors want to look at is not really the document you did yesterday, but the one that supports a process undertaken six months ago or a clinical trial conducted six years ago. And, if you're sued, it's all your stored information for which the litigators are going to file discovery motion so that they can get their hands on it. So making sure you understand the records management controls and implications around your electronic data integrity is crucial.

Question: When you advise clients and subscribers on saving money with virtualization and staying Part 11 compliant, what's the one thing you want them to keep in mind?

John Avellanet: If you do nothing else but identify - and execute - a strategy based on reasonable risk mitigation, focusing primarily on controlling risk to record integrity, then you'll be able to take advantage of where the FDA seems to be driving Part 11 while you take advantage of new technology to save money. Keeping the 20th-century "validate everything" Part 11 mindset while trying to leverage today's 21st-century technology is a recipe for noncompliance and budget breakdown.

As far as the expected revisions to Part 11 seem to indicate, do you see any advantages in maintaining an electronic quality management system over a paper-based system?

John Avellanet: For companies that go the virtualization route - and particularly those that choose to outsource their IT systems - an electronic quality management system would be more efficient, allow greater tie-ins and monitoring of record integrity parameters, and likely serve up more cost savings over the long run. Given the lengthy timelines of new drug, biologic and device time to market, long-term planning for compliance goes hand-in-hand with fiscal responsibility.
*[Language enclosed in brackets was added by the editor.]

John Avellanet
is the Managing Director of Cerulean Associates LLC and founder of the FDA regulatory intelligence and lean compliance advisory program for executives and business owners, SmarterCompliance™. He is the author of more than 35 articles on lean compliance and quality systems, a contributing author to the book Best Practices in Biotechnology Business Development, and a frequent speaker with FDA officials.Mr. Avellanet makes frequent public presentations on cost-effective quality system tactics, best practices for lean Part 11 compliance, and FDA records management requirements. He conducts training for private companies, and is a frequent speaker for professional associations and industry conferences. He can be directly reached through his independent advisory firm, Cerulean Associates LLC, on the web at

Read More

FDA Link

"Guidance for Industry: 21 CFR Part 11; Electronic Records; Electronic Signatures Validation"

Additional Article

Avellanet, John. "Virtualization and Validation." Accessed 3-4-09.