Executive Summary

COMPUTERIZED NDA SYSTEM SECURITY AND INTEGRITY MEASURES should include controls to protect computer-assisted NDA sponsors' data, software, telecommunications and hardware from inconsistencies, tampering and accidental damage, FDA's "CANDA Guidance Manual" states. FDA announced the availability of the guidance in the Oct. 9 Federal Register. Explaining the need for security measures, the guidelines state that "while the [CANDA] systems provide opportunities for timeliness and efficiency improvements in the NDA process safeguards must be established to assure the security and integrity of NDA information accessible via the CANDAs." The safeguards are enumerated as a series of questions meant to guide pharmaceutical companies sponsoring CANDAs. Under "Data Security and Integrity," questions include: "Are CANDA data sets identical to those used to create the hardcopy NDA?; Were the data validated after they were placed in the CANDA database?"; and "Are the CANDA data validated periodically to assure that unauthorized changes have not been made to the data?" Software integrity and security concerns include the presence of "security functions, such as password protection and controlled data access." Other controls appear aimed at ensuring that FDAers can use the CANDA effectively. For example, the software integrity and security controls checklist includes: "What plans are in place for user training and system support/enhancement?" and "Is an adequate testing plan in place to prove that the CANDA operates correctly before the system is installed at FDA?" The telecommunications security and integrity checklist is meant to prevent "unauthorized access or inaccurate data transmission" and includes queries as to whether security features such as encryption devices, dial-back modems, password protection or leased phone lines have been considered by the CANDA sponsor. Hardware security and integrity concerns include being able to secure hardware in the reviewer's office and making sure that maintenance is available at the FDA site. The "CANDA Guidance Manual," 103 pages long with numerous appendices, contains several previously-published documents on various aspects of the CANDA process. Missing, however, is the "FDA Model CANDA," which is still in development. Center for Drug Evaluation & Research Office of Management Director Robert Bell reported in July that the guidelines would contain a "model Chevrolet" defining what information should be contained in a CANDA. Other chapters of the manual include a report by Parexel International on the CANDA experience of each of CDER's review divisions. The survey found that, of the 65 CANDAs submitted to FDA as of Nov. 30, 1991, the Cardio-Renal Drugs Division had reviewed the most, with 16 submissions and seven approvals ("The Pink Sheet" June 8, p. 7). Also included are the results of the Pharmaceutical Manufacturers Association 1990 survey of firms that have submitted CANDAs. The preface to the manual states that it is a compilation of the guidelines and information made available since a Sept. 15, 1988 Federal Register notice containing basic guidance on the factors the agency considers in evaluating CANDAs. That guidance "is still applicable today," the preface notes. The manual should be used "as a framework for future CANDA submissions," but "it is clear that a pharmaceutical company may do more or less than is outlined in the guidelines." The manual is also designed to "increase awareness concerning computerization and to encourage industry to computerize their NDA submissions so that we may achieve the goal of virtually all submissions being computerized by 1995." CDER's Bell announced that goal in May ("The Pink Sheet" May 11, p. 13). Copies of FDA's "CANDA Guidance Manual" are available from the agency's CDER Executive Secretarial Staff (HFD-8), Center for Drug Evaluation and Research, FDA, 7500 Standish Pl., Rockville, Md. 20855. Enclose two self-addressed adhesive labels.