"Over the next few years, we're going to see a lot of folks providing major investments, and you really have to think proactively," Sabogal says. "It has to be, 'I invested a year ago in a certain technology, and now I have to do another investment. But it's going to have to last me three or four years, and I want to be able to address all these different compliance issues.' A lot of it will be driven by what's your landscape, what components do you have in it?"

For some larger companies that have grown through mergers, the problem is complicated by the fact that when they made acquisitions, they also acquired disparate legacy IT systems. "Where traditionally they might have had a greater degree of confidence in their compliance within their own companies, they're now responsible for compliance across this much greater landscape than they had before," says Oracle's Constantinou. "That's making them nervous."

In the long run, companies may end up shifting to enterprise-wide applications, designed to be what Oracle's Doug Souza calls "the single source of truth." But for the foreseeable future, it's likely that most companies will be stitching components together. Technology suppliers are looking more closely at issues of system architecture to see how multiple components can be made to work together better.

For many customers in the pharmaceutical industry, the most significant part of the initiative may well be what Microsoft calls its prescriptive architecture guidance for the industry, which aims to document the fine points of handling IT systems in the life sciences. "For example," says Jason Burke, industry strategist for healthcare and life science for Microsoft, "if you get SQL Server and you install it in your data center, in addition to the normal prescriptive architecture patterns that we've given you already, what are the specific things that pharmaceutical companies should be doing in terms of fine-tuning the way they install and manage and operate that server in a regulated environment? Or with a product like SharePoint, which many companies use for collaboration, we might make some specific recommendations on the way they use Active Directory with an LDAP [a common sort of electronic directory] as the authentication method to make sure that the requirements for 21 CFR Part 11 are being satisfied within that collaborative environment."

Microsoft is also looking closely at ways to facilitate the hand-off between unregulated and regulated systems. For example, a clinical trial protocol might start its lifecycle with notes on a napkin at lunch, move on to being an uncontrolled file in Microsoft Word, and undergo revision in a protected collaborative environment, such as SharePoint, before finally being moved to a content management system. "At some point," Burke says, "that document moves from an unregulated state to a regulated state, and in most organizations, the transition period is a bit undefined. They know when it finally gets to the regulated state, but it may be difficult for them to identify the exact point when it occurs. So we're looking at solutions that bridge the gap and that implement electronic policy based controls that are electronically driven, as opposed to paper, SOP–driven."