Siri H. Segalstad authored International IT Regulations and Compliance: Quality Standards in the Pharmaceutical and Regulated Industries, a guide to understanding and complying with industry regulations.
Informatics Insight: The Necessity of Understanding and Complying with IT Regulations
For a variety of reasons the world is becoming a more regulated place, and the domain of laboratory informatics and related systems is no exception. One of the greatest difficulties in complying with these regulations is first knowing about them and secondly interpreting what they mean. Some of these regulations affect how we do things; others are there to ensure that everything is working properly. In the final analysis, the justification for the regulations usually reduces to safety, whether for the users in the laboratory or those affected by the generated results.
While many look upon regulations as an impediment to getting one's job done, when viewed appropriately, they can be seen as an aid to generating quality results. Because of this, it is valuable to review the available published regulations in your industry, whether you are required to follow them or not.
It is not uncommon to experience difficulty determining which regulations you are required to follow. For a given type of analysis, you may have to work under very different regulations, depending on whether that analysis is being performed for an organization manufacturing pharmaceuticals, analyzing drinking water, analyzing waste water, or analyzing environmental water. This is further complicated by where the analysis is being performed, as many countries have their own sets of regulations. If this wasn't enough, you may be required to follow multiple sets of regulations, depending on whether the analysis is being performed on products manufactured in one country to be sold in another. If you are lucky, the specified requirements are similar, if not identical.
If you aren't so lucky, you may find yourself performing multiple sets of compliance processes for what is basically the same work. There are currently a number of initiatives to standardize many of these regulatory requirements between countries, but, as with anything bureaucratic, it tends to be a slow process.
Just a listing of all the potential regulations and practices would take more room than is available for this article. Some of these are well known by name, such as the United States' Food and Drug Administration's (FDA) Electronic Records; Electronic Signatures; Final Rule, better known as 21 CFR Part 11, even if some vendors' compliance leaves a lot to be desired. Some of the others you may not have even heard of, depending on where you are located and the industry you work in, but they can be just as relevant. Among these are:
• Pharmaceutical Inspection Convention Scheme (PIC/S)
• Good Automated Manufacturing Practices (GAMP)
• Organization for Economic Co-operation and Development (OECD)
and of course
• all of the various International Organization for Standardization (ISO) documents.
As you might suspect,
• ASTM International (formerly the American Society for Testing and Materials or ASTM) contributes to the discussions as well.
Interpreting what you need to do can quickly become muddled as you try to figure out with which of these you need to comply. This is compounded by the fact that not all of these documents are regulations per se; some are good practices documents generated by standards organizations, such as those from the International Society for Pharmaceutical Engineering (ISPE). However, some of the government standards specify that to be in compliance with their regulations, you must also be in compliance with specific standards and practices. This can rapidly result in a spider web of rules with which you must attempt to comply. While this might be worst for the larger multinational corporations, it's not difficult for smaller specialty organizations to be ensnared by them as well.
On reflection, I think you'll find the list of regulations affecting IT systems is much broader than what you might initially suspect. There are what might be termed obvious ones, such as those requiring the validation of all your computer systems to confirm that they perform the way they are supposed to. But there are dangers in staying too focused on just your laboratory data handling operations. If you take a step back, consider that almost all building management operations are controlled by computer these days. Those systems, including building management systems (BMS), heating, ventilation, and air conditioning systems (HVAC), and supervisory control and data acquisition (SCADA) systems, also can fall under regulatory guidelines where they impact the quality of the lab's 'product' or the safety of its employees.
Potential impacts can include power management (as most modern instruments really don't like power disruptions), air handling (both for breathing and exhausting fumes), maintaining sterility/integrity of clean rooms, etc. An example of this is the FDA's 21 CFR Part 211.46 rule regarding ventilation, air filtration, air heating and cooling in relation to pharmaceutical manufacturing.
It is always wise, when dealing with regulations, to go back and read the regulations themselves, as opposed to basing your behavior on someone's synopsis of the regulations. While I am tempted to say that they are the final word on the subject, it is wise to recall that the inspectors checking for compliance with the regulations are people, and the way that a given regulation is interpreted has been known to change significantly with time. So, always remember that regulatory compliance is a dynamic process, not something you achieve and then forget. However, it is also true that you have to begin someplace to learn about the regulations, their intent, and the current interpretation of their meaning. Having spent more than a little time trying to determine which regulations a lab has to follow, I can safely say that a good place to start is with the book International IT Regulations and Compliance: Quality Standards in the Pharmaceutical and Regulated Industries by Siri H. Segalstad. This book is an outgrowth of a European Union Leonardo da Vinci project to design a curriculum for a Master's Degree in IT Validation and was designed to consolidate required information into a single volume. It provides an astute analysis of the various regulations and an assessment of their intent.
Greatly adding to its value, Segalstad addresses not only the differences between the regulations of countries, but the changes between different versions of the regulations as well, along with an analysis of their likely continued evolution. She also includes a section on the legal implications of these regulations. Going beyond this, extensive sections of this book are devoted to explaining what the terms in these regulations actually mean and how you can comply with them.
Examples of this include discussions of quality management systems (QMS), the different types of validation and qualification, as well as factors to consider when purchasing or using a LIMS or other laboratory instrument system. Whether you are experiencing your first exposure to IT regulatory requirements or are attempting to put your quality assurance experience in perspective with other requirements, I can think of no better place to start than with this book.
“21 CFR Part 11: Electronic Records; Electronic Signatures; Final Rule,” Federal Register, vol. 62, Mar. 1997, pp. 13429-13466.
PI 011-03 Good Practices for Computerized Systems in Regulated 'GxP' Environments, Geneva, Switzerland: PIC/S, 2007.
GAMP 5: A Risk-Based Approach to Compliant GxP Computerized Systems, Tampa, FL: International Society for Pharmaceutical Engineering (ISPE), 2008.
GAMP Good Practice Guide: Validation of Laboratory Computerized Systems, Tampa, FL: International Society for Pharmaceutical Engineering (ISPE), 2005.
GAMP Good Practice Guide: IT Infrastructure Control and Compliance, Tampa, FL: International Society for Pharmaceutical Engineering (ISPE), 2005.
GAMP Good Practice Guide: Electronic Data Archiving, Tampa, FL: International Society for Pharmaceutical Engineering (ISPE), 2007.
OECD Series on Principles of Good Laboratory Practice and Compliance Monitoring Number 10 GLP Consensus Document, The Application of Principles of GLP to Computerized Systems, Monograph No. 116, Paris: OECD, 1995.
ISO 9000:2000 Quality Management Systems - Fundamentals and Vocabulary, Geneva, Switzerland: International Organization for Standardization (ISO), 2005.
ISO 9001:2000 Quality Management Systems - Requirements, Geneva, Switzerland: International Organization for Standardization (ISO), 2000.
ISO 90003:2004 Software Engineering - Guidelines for the Application of ISO 9001:2004 to Computer Software, Geneva, Switzerland: International Organization for Standardization (ISO), 2004.
ISO/IEC 17025:2005 - General requirements for the competence of testing and calibration laboratories, Geneva, Switzerland: International Organization for Standardization (ISO), 2005.
ISO 17799:2005 Information Technology - Security Techniques - Code of Practice for Information Security Management, Geneva, Switzerland: International Organization for Standardization (ISO), 2005.
ASTM E1578-93 Standard Guide for Laboratory Information Management Systems (LIMS), West Conshohocken, PA: American Society for Testing and Materials (ASTM), 1999.
S.H. Segalstad, International IT Regulations and Compliance: Quality Standards in the Pharmaceutical and Regulated Industries, ISBN: 978-0470-758823, West Sussex, England: John Wiley and Sons, Ltd, 2008.