A February 2022 FDA Warning Letter to Accu Bio-Chem Laboratories provides a great baseline for what your audit programs should look at and what your own labs should focus on:
Throw in a good lab instrument qualification review, and supplier/raw materials management, and you have a pretty solid program.
The US FDA recently changed the Investigations Operations Manual to allow Investigators direct access to a company’s databases during a BIMO inspection (See Section 5.10.2.1)
As the conduct of clinical and non-clinical trials increasingly moves toward 100% electronic data capture, to include electronic case report forms, medical records, patient-reported outcomes, informed consent systems and other electronic study records, it has become necessary for bioresearch monitoring investigators to have access to these electronic systems and databases in order to successfully perform inspections. Overseeing the firm’s personnel while they access their system is not always practical in BIMO inspections, as this can result in the firm having to dedicate an individual to this task.
FDA Investiations Operations Manual section 5.10.2.1
Obviously, if you haven’t, you should be updating your GCP Inspections SOP, especially since they have a few interesting requirements, such as “While you may complete a form needed by the firm in order to obtain read-only access, such as an account request form, you will not sign such form as per section 5.1.2.3. You may acknowledge via email that you have completed any required training necessary for access.”
I think for many in the GCP world this change is sort of a sleeper change. We have been used to giving access to EMA inspectors for years, who often know more about your TMF than you do by the time they walk in the door.
The real interesting thing is how this spells a shift in attitude at the agency that has been a long-time coming. And how it fits into recent trends in the increase in remote inspections.
Remote inspections are here to stay. Set aside the FDA’s current view that a remote event is not an inspection. And one of the big things that stand out about remote inspections is they do not work well to find data integrity issues, as we’ve seen from the decrease in observations that is not proportionate to the overall size of inspections. I think what we are seeing here is a recognition of that, and the first shift in mindset at the agency.
I’d expect to see the FDA change their approach on the GMP side as they continue to absorb the lessons learned from remote inspections. It is a trend that I would be paying attention to as you continue your digital journey. It is always important to think “how will an inspector view this data”. Usually, we think in terms of printouts. You should also be thinking about read-only access in the near future.
The SIPOC is a great tool for understanding data and fits nicely into a larger data process mapping initiative.
By understanding where the data comes from (Suppler), what it is used for (Customer) and what is done to the data on its trip from supplier to the customer (Process), you can:
The SIPOC can be applied at many levels of detail. At a high level, for example, batch data is used to determine supply. At a detailed level, a rule for calculating a data element can result in an unexpected number because of a condition that was not anticipated.
This week, the Pharmaceutical Inspection Co-operation Scheme (PIC/S) finally announced that its new guidance on good practices for data management and integrity for pharmaceutical manufacturers and distributors has come into effect.
This final version is of a draft document originally introduced in 2016 and re-issued as a draft in 2018. It’s been a long road to get final version. Final version here.
Last night speaking at the DFW Audit SIG one of the topics I wished I had gone a little deeper on were controls, and how to gauge their strength.
As I am preparing to interview candidates for a records management position, I thought I would flesh out controls specific to the storage of and access to completed or archived paper records, such as forms, as an example.
These controls are applied at the record or system level and are meant to prevent a potential data integrity issue from occurring.
| Data Criticality | |||
| High | Medium | Low | |
| Unique identifier | For each record | No | No |
| Who performs controlled issuance | Individuals authorized by quality unit from designated unit (limited, centralized) | Individuals authorized by quality unit from (limited, decentralized) | Anyone (unlimited, decrentalized), often user of record |
| Reconciliation | Full reconciliation of record and pages based on unique identifier | Full reconciliation of records and pages based on quantity issued | No reconciliation |
| Controlled print | Yes | Yes | No |
| Bulk printing | No | Yes, by controlled process | Yes |
| Destruction of blank forms | Performed by issuing unit, quality oversight required (High level of evidence) | Performed by the operating or issuing unit, quality unit oversight required | Performed by the individual, quality unit oversight required (periodic walk throughs, self-inspections and audits) |
| Data Criticality | |||
| High | Medium | Low | |
| Where Stored | Climate-controlled room | Climate-controlled room | Office retention location |
| How Removed & Returned | Limited conditions for removal (e.g. regulatory inspections) method of recording the removal and return of the record(e.g. archive management system, logbook). Most use of documents either in controlled reading area or by scans. | Method of recording the removal and return of the record(e.g., archive management system, logbook). | Method (e.g. logbook) recording of documents checked-in/checked-out |
| Access Control | Card key access with entry and exit documented. | Card key access with entry and exit documented. | Limited key access |
| Periodic User Access Review | Annually | Annually | Every 2 years |
There are also the need to consider controls for paper to electronic, electronic to paper and my favorite beast, the true copy.
For paper records a true copy of a picture of the original that keeps everything – a scan. The regulations state that you can get rid of the paper if you have a true copy. Many things called a true copy are probably not a true copy, to ensure an accurate true copy add two more controls.
| Data Criticality | |||
| High | Medium | Low | |
| Review requirements | Documented review by second person from the quality unit for legibility, accuracy, and completeness | Documented review by second person (not necessarily from the quality unit) for legibility, accuracy, and completeness | Documented verification by person performing the scan for legibility, accuracy, and completeness |
| Discard of original allowed | Yes, as defined by quality unit oversight, unless there is a seal, watermark, or other identifier that can’t be accurately reproduced electronically. | Yes, performed by the operating unit, unless there is a seal, watermark, or other identifier that can’t be accurately reproduced electronically. Quality unit oversight required | Yes, individual can discard original Quality unit oversight required |
Investigations of a Dog 