Specialty Process Labs LLC is a specialty API manufacturer of natural desiccated thyroid. Which is, yes, what you might think it is. And as far I can tell, mostly ships direct to compounding pharmacies and patients. This month they got a warning letter.
The warning letter highlights:
Failure to validate the process
Failure to test to specification
Failure to exercise sufficient controls over computerized systems
All three of these observations make me rather glad my loved-ones take levothyroxine and I am deeply aware of all the difficulties in that drug supply.
Focusing more on the computer system, it is an unsurprising list of bad access controls, change controls not controlled, and failure to validate excel spreadsheets.
The last observation really stood out to me:
“Manufacturing master batch records held in electronic form on your company’s shared drive do not have restrictions on user access. Your quality unit personnel stated that there are no restrictions for any personnel with login credentials to access new and obsolete master records. Our investigator observed during the inspection multiple versions of batch records were utilized for API lot production.”
This is truly a failure in document access and record management. And it is one I see a lot of places. The core requirement here is really well stated in the PIC/S Data Integrity Guidance requirement 8.4 “Expectations for the generation, distribution and control of records.” Please read the whole section, but pay close attention to the following:
Documents should be stored in a manner which ensures appropriate version control.
Master documents should contain distinctive marking so to distinguish the master from a copy, e.g. use of coloured papers or inks so as to prevent inadvertent use.
Master documents (in electronic form) should be prevented from unauthorised or inadvertent changes.
Document issuance should be controlled by written procedures that include the following controls:
details of who issued the copies and when they were issued; clear means of differentiating approved copies of documents, e.g. by use of a secure stamp, or paper colour code not available in the working areas or another appropriate system;
ensuring that only the current approved version is available for use;
allocating a unique identifier to each blank document issued and recording the issue of each document in a register; – numbering every distributed copy (e.g.: copy 2 of 2) and sequential numbering of issued pages in bound books;
where the re-issue of additional copies of the blank template is necessary, a controlled process regarding re-issue should be followed with all distributed copies maintained and a justification and approval for the need of an extra copy recorded, e.g.: “the original template record was damaged”;
critical GMP/GDP blank forms (e.g.: worksheets, laboratory notebooks, batch records, control records) should be reconciled following use to ensure the accuracy and completeness of records; and
where copies of documents other than records, (e.g. procedures), are printed for reference only, reconciliation may not be required, providing the documents are time-stamped on generation, and their short-term validity marked on the document
There are incredibly clear guidelines for these activities that the agencies have provided. Just need to use them.
Records serve the purpose of controlling and directing the organization, helping to orient personnel to a common goal or purpose. For the purpose of training these records includes a training plan (and its subparts like curricula) and evidence of training performance (e.g. attendance) and assessment
There are two main audiences for record-keeping: operational staff and various auditors/inspectors. The operational perspective is ideally proactive, while the auditor’s perspective is typically retroactive.
For the training program this breaks down as:
Operational staff are interested in the trainee’s currency in their individual training plans for purposes of work assignments. Supervisors need to be sure people are doing the tasks they are trained on. Management is also ensuring they have enough capacity of trained individuals to ensure upcoming activities can be supported.
Auditors (internal and external) are interested in whether the individual who completed a task (e.g. approved a document) was trained to the appropriate process/procedure before doing the task. In this case the training records provide evidence of the organization’s past fulfillment of its regulatory obligations. Auditors will also look at the general health of the training system.
Training records (like all records) must demonstrate that training is implemented, responsible, consistent:
Implemented means that training events can be duly recorded in the system.
A responsible system’s controlled documents (i.e. procedure for training record-keeping) are written and followed, plus the procedure clearly identifies the responsible party for each task. For example, training is completed within the specified period.
Consistent systems ensure identical activities generate identical outcomes. Therefore, we validate Learning Management Systems (LMS)
Documentation of individual training is a captured record (training is captured as it happens), a maintained record (training can be verified after it happened) and a usable record (decisions can be made).
Captured records means the record has the following:
Record Management Term
Created by an authorized person, for example a qualified trainer.
A record is created for every training event.
The created record can be linked to the particular training event
Includes all information on the training event (who participated, what was covered, who trained and when)
Maintained records means the record has the following:
Record Management Term
Any alteration or modification is traceable
Every use of the record leaves an audit trail
Training records must be subject to a retention schedule and then disposed according to procedure
Usable means the training records can be used by authorized parties to make decisions:
Record Management Term
Training records are I a form that can be searched and retrieved within a reasonable period of time and expenditure of resources
Accessible to Authorized Parties
Available to those who are authorized to access them
Training Unit as Audience for Records
The training unit is a special case as an audience of documentation that has both operational and audit similarities. Some uses include:
Level of effort being applied to training oversight
Test and verify accuracy of statements about the benefits and impact of training
Last night speaking at the DFW Audit SIG one of the topics I wished I had gone a little deeper on were controls, and how to gauge their strength.
As I am preparing to interview candidates for a records management position, I thought I would flesh out controls specific to the storage of and access to completed or archived paper records, such as forms, as an example.
These controls are applied at the record or system level and are meant to prevent a potential data integrity issue from occurring.
Generation and Reconciliation of Documents
For each record
Who performs controlled issuance
Individuals authorized by quality unit from designated unit (limited, centralized)
Individuals authorized by quality unit from (limited, decentralized)
Anyone (unlimited, decrentalized), often user of record
Full reconciliation of record and pages based on unique identifier
Full reconciliation of records and pages based on quantity issued
Yes, by controlled process
Destruction of blank forms
Performed by issuing unit, quality oversight required (High level of evidence)
Performed by the operating or issuing unit, quality unit oversight required
Performed by the individual, quality unit oversight required (periodic walk throughs, self-inspections and audits)
Storage and Access to completed and archived paper records
Office retention location
How Removed & Returned
Limited conditions for removal (e.g. regulatory inspections) method of recording the removal and return of the record(e.g. archive management system, logbook). Most use of documents either in controlled reading area or by scans.
Method of recording the removal and return of the record(e.g., archive management system, logbook).
Method (e.g. logbook) recording of documents checked-in/checked-out
Card key access with entry and exit documented.
Card key access with entry and exit documented.
Limited key access
Periodic User Access Review
Every 2 years
There are also the need to consider controls for paper to electronic, electronic to paper and my favorite beast, the true copy.
For paper records a true copy of a picture of the original that keeps everything – a scan. The regulations state that you can get rid of the paper if you have a true copy. Many things called a true copy are probably not a true copy, to ensure an accurate true copy add two more controls.
Documented review by second person from the quality unit for legibility, accuracy, and completeness
Documented review by second person (not necessarily from the quality unit) for legibility, accuracy, and completeness
Documented verification by person performing the scan for legibility, accuracy, and completeness
Discard of original allowed
Yes, as defined by quality unit oversight, unless there is a seal, watermark, or other identifier that can’t be accurately reproduced electronically.
Yes, performed by the operating unit, unless there is a seal, watermark, or other identifier that can’t be accurately reproduced electronically. Quality unit oversight required
Yes, individual can discard original Quality unit oversight required
Transparency is something that regulatory agencies need to get better at, both in sharing more and doing it in a timely manner. The fact that the 2019 data from the MHRA was released in October of 2020 is pretty poor. As a reference, the FDA releases their data pretty reliably at the end of the calendar year for the given year.
Been evaluating the MHRA’s 2020 data on Chapter 4 Documentation, which is the 2nd largest category of observations in 2019 (and in 2018 before it).
80 different inspections cited comments against the Principles section
Good documentation constitutes an essential part of the quality assurance system and is key to operating in compliance with GMP requirements. The various types of documents and media used should be fully defined in the manufacturer’s Quality Management System.
Documentation may exist in a variety of forms, including paper-based, electronic or photographic media. The main objective of the system of documentation utilized must be to establish, control, monitor and record all activities which directly or indirectly impact on all aspects of the quality of medicinal products. The Quality Management System should include sufficient instructional detail to facilitate a common understanding of the requirements, in addition to providing for sufficient recording of the various processes and evaluation of any observations, so that ongoing application of the requirements may be demonstrated.
There are two primary types of documentation used to manage and record GMP compliance: instructions (directions, requirements) and records/reports. Appropriate good documentation practice should be applied with respect to the type of document.
Suitable controls should be implemented to ensure the accuracy, integrity, availability and legibility of documents. Instruction documents should be free from errors and available in writing. The term ‘written’ means recorded, or documented on media from which data may be rendered in a human readable form.
Principles, Chapter 4 Documentation
The Principles section then goes on to lay out the required document types.
We can learn more by drilling down in the document.
There are 87 inspections with 4.1 in section “Generation and Control of Documents”. 1 is critical and 25 are major. Here we see failures in understanding types of documents and controlling them, or maybe just having them in the first place.
The 82 against 4.2 (1 critical and 20 major) are more about having the manufacturing and testing process defined (and matching the filing).
103 inspections with observations against 4.3 (23 major) show companies that do not have appropriate approval and release controls
14 for 4.4 (6 major) means there are 14 companies out there who can’t write a good process and procedure. 4.4 has one of my favorite requirements “written in an imperative mandatory style”
60 against 4.5 (13 major) demonstrates a lack of review and keeping documents up-to-date.
12 companies (6 major) have terrible handwriting and cannot stick to ballpoints, yes in fact 4.7 states “Handwritten entries should be made in clear, legible, indelible way.”
If I stumbled across this on a gemba walk there would be coaching on proper storage techniques of documents. My only hope is some corporate communications person made it this way on purpose and the poor person in the photo was muttering under their breath the entire time.
There is an opportunity here on connecting with communications team on best ways to showcase GxP activities. I recommend writing a good policy on the subject and ensuring it is appropriately bought into.