In July 2022, the U.S. FDA issued a Warning Letterto the U.S. American company “Jost Chemical Co.” after having inspected its site in January 2022. The warning letter listedfour significant areas:
“Failure of your quality unit to ensure that quality-related complaints are investigated and resolved, and failure to extend investigations to other batches that may have been associated with a specific failure or deviation.”
“Failure to establish adequate written procedures for cleaning equipment and its release for use in manufacture of API.”
“Failure to ensure that all test procedures are scientifically sound and appropriate to ensure that your API conform to established standards of quality and purity, and failure to ensure laboratory data is complete and attributable.”
“Failure to exercise sufficient controls over computerized systems to prevent unauthorized access or changes to data, and failure to establish and follow written procedures for the operation and maintenance of your computerized systems.”
I offer them the above clip as a good mini-training. I recently watched the show, and my wife thought I was going to have several heart attacks.
In a serious nature, please do not short your efforts in data integrity.
Specialty Process Labs LLC is a specialty API manufacturer of natural desiccated thyroid. Which is, yes, what you might think it is. And as far I can tell, mostly ships direct to compounding pharmacies and patients. This month they got a warning letter.
The warning letter highlights:
Failure to validate the process
Failure to test to specification
Failure to exercise sufficient controls over computerized systems
All three of these observations make me rather glad my loved-ones take levothyroxine and I am deeply aware of all the difficulties in that drug supply.
Focusing more on the computer system, it is an unsurprising list of bad access controls, change controls not controlled, and failure to validate excel spreadsheets.
The last observation really stood out to me:
“Manufacturing master batch records held in electronic form on your company’s shared drive do not have restrictions on user access. Your quality unit personnel stated that there are no restrictions for any personnel with login credentials to access new and obsolete master records. Our investigator observed during the inspection multiple versions of batch records were utilized for API lot production.”
This is truly a failure in document access and record management. And it is one I see a lot of places. The core requirement here is really well stated in the PIC/S Data Integrity Guidance requirement 8.4 “Expectations for the generation, distribution and control of records.” Please read the whole section, but pay close attention to the following:
Documents should be stored in a manner which ensures appropriate version control.
Master documents should contain distinctive marking so to distinguish the master from a copy, e.g. use of coloured papers or inks so as to prevent inadvertent use.
Master documents (in electronic form) should be prevented from unauthorised or inadvertent changes.
Document issuance should be controlled by written procedures that include the following controls:
details of who issued the copies and when they were issued; clear means of differentiating approved copies of documents, e.g. by use of a secure stamp, or paper colour code not available in the working areas or another appropriate system;
ensuring that only the current approved version is available for use;
allocating a unique identifier to each blank document issued and recording the issue of each document in a register; – numbering every distributed copy (e.g.: copy 2 of 2) and sequential numbering of issued pages in bound books;
where the re-issue of additional copies of the blank template is necessary, a controlled process regarding re-issue should be followed with all distributed copies maintained and a justification and approval for the need of an extra copy recorded, e.g.: “the original template record was damaged”;
critical GMP/GDP blank forms (e.g.: worksheets, laboratory notebooks, batch records, control records) should be reconciled following use to ensure the accuracy and completeness of records; and
where copies of documents other than records, (e.g. procedures), are printed for reference only, reconciliation may not be required, providing the documents are time-stamped on generation, and their short-term validity marked on the document
There are incredibly clear guidelines for these activities that the agencies have provided. Just need to use them.
This week, the Pharmaceutical Inspection Co-operation Scheme (PIC/S) finally announced that its new guidance on good practices for data management and integrity for pharmaceutical manufacturers and distributors has come into effect.
This final version is of a draft document originally introduced in 2016 and re-issued as a draft in 2018. It’s been a long road to get final version. Final version here.
Attributable is part of ALCOA that tells us that it should be possible to identify the individual or computerized system that performed the recorded task. The need to document who performed the task / function, is in part to demonstrate that the function was performed by trained and qualified personnel. This applies to changes made to records as well: corrections, deletions, changes, etc.
This means that records should be signed and dated using a unique identifier that is attributable to the author. Where author means the individual who created or recorded the data.
Understanding what role the individual is playing in the task is critical. There are basically six: Executor, Preparer, Checker, Verifier, Reviewer and Approver.
Last night speaking at the DFW Audit SIG one of the topics I wished I had gone a little deeper on were controls, and how to gauge their strength.
As I am preparing to interview candidates for a records management position, I thought I would flesh out controls specific to the storage of and access to completed or archived paper records, such as forms, as an example.
These controls are applied at the record or system level and are meant to prevent a potential data integrity issue from occurring.
Generation and Reconciliation of Documents
For each record
Who performs controlled issuance
Individuals authorized by quality unit from designated unit (limited, centralized)
Individuals authorized by quality unit from (limited, decentralized)
Anyone (unlimited, decrentalized), often user of record
Full reconciliation of record and pages based on unique identifier
Full reconciliation of records and pages based on quantity issued
Yes, by controlled process
Destruction of blank forms
Performed by issuing unit, quality oversight required (High level of evidence)
Performed by the operating or issuing unit, quality unit oversight required
Performed by the individual, quality unit oversight required (periodic walk throughs, self-inspections and audits)
Storage and Access to completed and archived paper records
Office retention location
How Removed & Returned
Limited conditions for removal (e.g. regulatory inspections) method of recording the removal and return of the record(e.g. archive management system, logbook). Most use of documents either in controlled reading area or by scans.
Method of recording the removal and return of the record(e.g., archive management system, logbook).
Method (e.g. logbook) recording of documents checked-in/checked-out
Card key access with entry and exit documented.
Card key access with entry and exit documented.
Limited key access
Periodic User Access Review
Every 2 years
There are also the need to consider controls for paper to electronic, electronic to paper and my favorite beast, the true copy.
For paper records a true copy of a picture of the original that keeps everything – a scan. The regulations state that you can get rid of the paper if you have a true copy. Many things called a true copy are probably not a true copy, to ensure an accurate true copy add two more controls.
Documented review by second person from the quality unit for legibility, accuracy, and completeness
Documented review by second person (not necessarily from the quality unit) for legibility, accuracy, and completeness
Documented verification by person performing the scan for legibility, accuracy, and completeness
Discard of original allowed
Yes, as defined by quality unit oversight, unless there is a seal, watermark, or other identifier that can’t be accurately reproduced electronically.
Yes, performed by the operating unit, unless there is a seal, watermark, or other identifier that can’t be accurately reproduced electronically. Quality unit oversight required
Yes, individual can discard original Quality unit oversight required