Being Small and Speciality Does not Exempt from the GMPs

Specialty Process Labs LLC is a specialty API manufacturer of natural desiccated thyroid. Which is, yes, what you might think it is. And as far I can tell, mostly ships direct to compounding pharmacies and patients. This month they got a warning letter.

The warning letter highlights:

  1. Failure to validate the process
  2. Failure to test to specification
  3. Failure to exercise sufficient controls over computerized systems

All three of these observations make me rather glad my loved-ones take levothyroxine and I am deeply aware of all the difficulties in that drug supply.

Focusing more on the computer system, it is an unsurprising list of bad access controls, change controls not controlled, and failure to validate excel spreadsheets.

The last observation really stood out to me:

Manufacturing master batch records held in electronic form on your company’s shared drive do not have restrictions on user access. Your quality unit personnel stated that there are no restrictions for any personnel with login credentials to access new and obsolete master records. Our investigator observed during the inspection multiple versions of batch records were utilized for API lot production.”

This is truly a failure in document access and record management. And it is one I see a lot of places. The core requirement here is really well stated in the PIC/S Data Integrity Guidance requirement 8.4 “Expectations for the generation, distribution and control of records.” Please read the whole section, but pay close attention to the following:

  • Documents should be stored in a manner which ensures appropriate version control.
  • Master documents should contain distinctive marking so to distinguish the master from a copy, e.g. use of coloured papers or inks so as to prevent inadvertent use.
  • Master documents (in electronic form) should be prevented from unauthorised or inadvertent changes.
  • Document issuance should be controlled by written procedures that include the following controls:
    • details of who issued the copies and when they were issued; clear means of differentiating approved copies of documents, e.g. by use of a secure stamp, or paper colour code not available in the working areas or another appropriate system;
    • ensuring that only the current approved version is available for use;
    • allocating a unique identifier to each blank document issued and recording the issue of each document in a register; – numbering every distributed copy (e.g.: copy 2 of 2) and sequential numbering of issued pages in bound books;
    • where the re-issue of additional copies of the blank template is necessary, a controlled process regarding re-issue should be followed with all distributed copies maintained and a justification and approval for the need of an extra copy recorded, e.g.: “the original template record was damaged”;
    • critical GMP/GDP blank forms (e.g.: worksheets, laboratory notebooks, batch records, control records) should be reconciled following use to ensure the accuracy and completeness of records; and
    • where copies of documents other than records, (e.g. procedures), are printed for reference only, reconciliation may not be required, providing the documents are time-stamped on generation, and their short-term validity marked on the document

There are incredibly clear guidelines for these activities that the agencies have provided. Just need to use them.

PIC/S Guidance on Data Integrity is final

This week, the Pharmaceutical Inspection Co-operation Scheme (PIC/S) finally announced that its new guidance on good practices for data management and integrity for pharmaceutical manufacturers and distributors has come into effect.
 
This final version is of a draft document originally introduced in 2016 and re-issued as a draft in 2018. It’s been a long road to get final version. Final version here.

Attributable within a Process

Attributable is part of ALCOA that tells us that it should be possible to identify the individual or computerized system that performed the recorded task. The need to document who performed the task / function, is in part to demonstrate that the function was performed by trained and qualified personnel. This applies to changes made to records as well: corrections, deletions, changes, etc.

This means that records should be signed and dated using a unique identifier that is attributable to the author. Where author means the individual who created or recorded the data.

Understanding what role the individual is playing in the task is critical. There are basically six: Executor, Preparer, Checker, Verifier, Reviewer and Approver.

The Six Primary Roles

Data Integrity for Record Management

Last night speaking at the DFW Audit SIG one of the topics I wished I had gone a little deeper on were controls, and how to gauge their strength.

As I am preparing to interview candidates for a records management position, I thought I would flesh out controls specific to the storage of and access to completed or archived paper records, such as forms, as an example.

These controls are applied at the record or system level and are meant to prevent a potential data integrity issue from occurring.

Generation and Reconciliation of Documents

 Data Criticality
 HighMediumLow
Unique identifierFor each recordNoNo
Who performs controlled issuanceIndividuals authorized by quality unit from designated unit (limited, centralized)Individuals authorized by quality unit from (limited, decentralized)Anyone (unlimited, decrentalized), often user of record
ReconciliationFull reconciliation of record and pages based on unique identifierFull reconciliation of records and pages based on quantity issuedNo reconciliation
Controlled printYesYesNo
Bulk printingNoYes, by controlled processYes
Destruction of blank formsPerformed by issuing unit, quality oversight required (High level of evidence)Performed by the operating or issuing unit, quality unit oversight requiredPerformed by the individual, quality unit oversight required (periodic walk throughs, self-inspections and audits)

Storage and Access to completed and archived paper records

 Data Criticality
 HighMediumLow
Where StoredClimate-controlled roomClimate-controlled roomOffice retention location
How Removed & ReturnedLimited conditions for removal (e.g. regulatory inspections) method of recording the removal and return of the record(e.g. archive management system, logbook). Most use of documents either in controlled reading area or by scans.Method of recording the removal and return of the record(e.g., archive management system, logbook).Method (e.g. logbook) recording of documents checked-in/checked-out
Access ControlCard key access with entry and exit documented.Card key access with entry and exit documented.Limited key access
Periodic User Access ReviewAnnuallyAnnuallyEvery 2 years

There are also the need to consider controls for paper to electronic, electronic to paper and my favorite beast, the true copy.

For paper records a true copy of a picture of the original that keeps everything – a scan. The regulations state that you can get rid of the paper if you have a true copy. Many things called a true copy are probably not a true copy, to ensure an accurate true copy add two more controls.

 Data Criticality
 HighMediumLow
Review requirementsDocumented review by second person from the quality unit for legibility, accuracy, and completenessDocumented review by second person (not necessarily from the quality unit) for legibility, accuracy, and completenessDocumented verification by person performing the scan for legibility, accuracy, and completeness
Discard of original allowedYes, as defined by quality unit oversight, unless there is a seal, watermark, or other identifier that can’t be accurately reproduced electronically.Yes, performed by the operating unit, unless there is a seal, watermark, or other identifier that can’t be accurately reproduced electronically. Quality unit oversight requiredYes, individual can discard original Quality unit oversight required

Upcoming Data Integrity Virtual Presentation

I will be presenting at the February Audit SIG of the DFW Section of the ASQ on Data Integrity.  Many companies struggle with the concepts of data integrity as it involves both paper and electronic data, dealing with legacy computer systems and the organization culture. This session will lay out the core principles of data integrity:

  • Organizational culture should drive ALCOA
  • Data governance is part of the management review process
  • Data Risk Assessments with appropriate mitigations (full risk management approach)

The Audit SIG webinar is scheduled for Tuesday February 9, 2021 at 6:00 pm.  To sign up RSVP to jcapstick@gramercyinc.net by February 8 by 6:00 pm.  An email with a link to the webinar will be returned to those that RSVP.