On February 11, 1999, DEIO issued a memorandum to the field instructing investigators to raise the awareness of potential Year 2000 (Y2K) problems to firms during FDA inspections. A follow-up e-mail and teleconference also asked the investigators, to include pertinent discussions in their Establishment Inspection Reports (EIRs) concerning these Y2K discussions with the firm’s management.

We have decided that we need to expand our Y2K activities to include asking questions regarding what the firm has done to assure themselves that their computer controlled/date sensitive products, manufacturing processes and distribution systems are Y2K compliant. Such information will also be included in the EIRs. If investigators encounter serious problems, concerns, or find the firm is not taking appropriate steps to avoid serious Y2K problems, this information must be reported and brought to the attention of appropriate District and Center personnel.

ORA has identified two individuals who can be contacted by the field in regards to Y2K questions. They are, Denise Dion, DEIO, HFC-130, at (301) 827-5645 and Donald Vasbinder, DCP, HFC-230, at (301) 827-0414.

Changes to the original memorandum are marked with an asterisk in this revision.

Background - Where We Are On Y2K, Externally and Internally

As the Year 2000 (Y2K) draws near, there is a growing concern as to how Y2K issues, which have been much discussed, could impact the industries regulated by the Agency and whether any specific inspectional or regulatory strategies should be developed and implemented at this time. It is not possible to predict with certainty the extent and severity of effects resulting from Y2K problems because of the varied manner in which such problems may be manifested. Internally, the Agency has been taking steps to ensure its own computer systems are Y2K-ready. Externally, it has been alerting the regulated industries by circulating informational letters on the issues. The same information has also been made available on the FDA's web site, http://www.fda.gov.

FDA has dealt with the Y2K problem by designating it as its top information technology priority and allocating it the resources necessary to successfully complete the effort. Our goal is for our systems to be compliant by March 31, 1999, in order to take advantage of the remaining months for monitoring and problem resolution. We are over 90% complete in reaching this goal and feel confident it will be completed on time. Indeed, all of our mission critical systems requiring repair have been renovated and are operational. Nonetheless, we are also taking the following additional measures to mitigate any risks associated with the Y2K problem:

Verification and validation of mission critical systems for Y2K compliance by an independent contractor. This effort is currently underway and is on target for completion by March 1, 1999.

Development of contingency plans for its mission critical systems and associated processes. This will ensure, that even in the event of unforeseen failure, the FDA can continue operating into and past the year 2000. That process is currently in the testing phase.

Based on our experiences, we would recommend to our regulated industries that, to ensure the Y2K problem is dealt with successfully, they have in place a Y2K compliance effort that includes the following:

Completion of any renovation in sufficient time to ensure a period of monitoring and problem resolution prior to when problems related to Y2K are expected to occur

For mission critical systems, review by an independent contractor/auditor to verify and validate the Y2K compliance status of the systems (For computerized systems regulated by the FDA, assure all changes have been validated and are in compliance with applicable GMPs)

Development of contingency plans to ensure business processes will continue unabated regardless of the impact of Y2K

The Agency feels that it must continue to raise the awareness of regulated industries to the Y2K problems during our routine field inspection activities.

Inspectional Strategy

A. Effective immediately the Office of Regulatory Affairs requests that during all routine inspections the following information regarding Y2K should be provided to the firm *and the discussion of such must be recorded in the EIR: *

1. Tell the firm of the existence of FDA’s Y2K page on the FDA web site at URL: http://www.fda.gov/cdrh/yr2000/year2000.html

2. Provide them with copies of the appropriate Center’s Y2K letter(s). (Letters may be obtained from the above identified web site. Letters from CDRH, CDER and CBER were attached to the electronic version of this memo.) To date CDRH, CDER and CBER have issued industry awareness letters. CVM has a letter in draft that should issue soon.

3. Explain that Y2K problems may affect many aspects of the firm’s operations (e.g. embedded, application and operating systems software), including some operations not regulated by FDA. It is FDA’s anticipation that they will do what is prudent to assure they are not adversely impacted by the millennial change.

4. Provide them with a copy of Compliance Policy Guide titled "Year 2000 (Y2K) Computer *Compliance*." A copy is attached for your convenience and can also be found at *http://www.fda.gov/ora/compliance_ref/cpg160-800.html. *

*5. In those establishments that have automated/date sensitive products, manufacturing or testing processes, or distribution systems, determine what activities, if any, the firm has completed or has begun to assure they will be Y2K compliant. Report your findings in the EIR. If you encounter a situation where a firm that has automated/date sensitive products, manufacturing or testing processes, or distribution systems, and they have not taken steps to assure they will be Y2K compliant, you must bring this to the attention of District management and the appropriate Center compliance staff as needed. *

B. If a Center has issued specific guidance regarding Y2K issues, either in a Compliance Program (CP) or other inspectional guidance documents, follow the Center’s guidance. To date, CBER has such guidance in its CPs for Licensed Allergenic Products and Licensed Therapeutic Products and has issued instructions to the Team Biologics investigators for other biological products.

C. In the event you learn during your inspection that a firm has made changes to its regulated computerized production or process control systems in order to achieve Y2K readiness, you may review the validation efforts to assure the change was made per the firm’s procedures and the applicable regulations.

We want to stress that investigators are NOT being asked to evaluate the adequacy of an inspected establishment’s Y2K readiness efforts. Rather, our *primary* goal is to inform the regulated industries of the Y2K issues, if they are not already aware, and provide them with the information they need to understand FDA’s current Y2K policies, procedures and concerns. *Additionally, we will be determining what steps the firm has taken, or will be taking, to assure they will be Y2K compliant. *

As emphasized above, the Y2K problems are one area where the Agency wants to work with the regulated industries and ensure communication of the information in order to make a safer transition into the new millennium.

If you have any questions regarding this interim policy, please contact Denise Dion in DEIO at (301) 827-5645 or via e-mail at ddion@ora.fda.gov.

Gary L. Pierce