Blog

Guest Author: Heather Longden

Ms. Heather Longden has thirty (30) years of experience in regulatory compliance in the pharmaceutical industry and is an expert in data integrity, data management, 21 CFR Part 11, GxPs, and computer system validation. She is a leader at the GAMP^® Americas Steering Committee and serves on the the ISPE Boston Area Chapter Board and Education Program Committee (EPC).

Reading a newly published FDA Warning letter (1)

“https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/warning-letters/nortec-quimica-sa-639894-12082022”

I was surprised and ‘not surprised’ to see ‘analytical worksheets’ mentioned in the midst of some basic electronic data integrity observations.

… the “analytical worksheet forms” used for recording testing results in the quality control (QC) laboratory are not controlled as there was no unique number, signature, or any other traceable element on the forms themselves to identify when or by whom it was issued.

It is not clear or obvious if this observation refers to paper forms or electronic forms, but in fact, it really makes no difference to the Quality Units’ responsibility to review and ‘reconcile’ forms and documents. In this specific example, the inspector was concerned about the correct assignment of ‘Attributability’ or the first A in ALCOA+. This is likely because other observations on electronic laboratory records also suggested issues with attributability.

However, the other observations include concerns about data being deleted, or a lack of review of the original data. This speaks to the 3rd C in ALCOA+, “Complete’ which is grouped under the + terms along with Consistent, Enduring and Available.

The requirement to review complete data has always been a concern of mine, especially when ‘Complete’ should include superceded versions of records, complete meta data, (which might include audit trails) and, most difficult of all, deleted, omitted, hidden or otherwise non-reported records and data. How does the reviewer ‘find’ this so called ‘orphan data?

In the old days of purely paper forms (potentially with duplicate paper automatically and contemporaneously creating multiple copies), each form in a pad was uniquely identified with a number, and the issuance of each pad was controlled and documented by the Quality Unit. The use of controlled lab notebooks or log books served the same function. Pages could not be ripped out, and lab books could not go ‘missing’.

But, with the ubiquitous use of electronic form or document creation, even a locked down template can be printed or duplicated electronically, completed in the lab or manufacturing floor, and then easily ‘lost’, either physically or electronically, without a trace that it ever existed.

While not always an indictment of falsehood or fraud, these orphan records, forms or other documents do provide the ‘opportunity’ for egregious behaviour, which therefore has to be reviewed and monitored to ensure that it does not occur. This is why inspectors and auditors are keen to question if records ‘could’ be lost, and if so, how do you know they have not?

For electronic forms, spreadsheets and documents, created and managed inside a 21 CFR Part 11 or ERES regulation-ready solution (which has been configured and validated for the appropriate data integrity expectations), ensuring that no employees can delete data is a simple first step to avoid orphan data (something that was not demonstrated in response to this FDA Warning Letter), but it is only a start. Data and records, including forms, can still be lost or not reported, even if deletion is prevented with technical controls.

In the case of paper worksheet pads or uniquely identified worksheets, there is still a need to reconcile the complete data set for missing ID numbers or even a missing notebook/ log book.

I can hear your astonishment: “Surely destruction of paper records, is something that everyone knows is a data integrity violation” while deletion with little trace is so much easier in electronic records. I’d have to disagree with you. The potential for electronic data to be deleted easily was always a danger, and so expectations were put in place to prevent and detect that action. However, ‘missing’ or otherwise unreviewed paper records was a quiet secret, until auditors started to look in trash cans, skips, or to search for document shredders.

In fact, the day before the above mentioned Warning Letter was published, the preceding letter included observations of the destruction of paper GMP records, including forms, as well as the ability to delete electronic records:

https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/warning-letters/centrient-pharmaceuticals-india-private-limited-640196-12072022

“..our investigators observed numerous logbooks, forms, and partially completed Sample Request For Analysis (Other Than SAP)” in an uncontrolled temporary storage room near your microbiology laboratory. Our investigators also observed in your document center, a document shredder labeled for “emergency use” containing shredded documents. Your document control personnel were unable to identify the documents in the shredder that were observed to contain information for relative humidity, temperature, and data recorded in writing.”

These concerning observations, which occurred during a planned and scheduled inspection, where advance notice was likely provided, are what drives the concerns about ‘what happens around here every day when the FDA is NOT on site’. And why, analytical worksheet forms need to include, not only attribution to a specific individual, but also a unique reference identifier, which can and should be used to ensure that documents, forms and other records have not been orphaned and skipped from quality review.

To continue learning how to identify, understand, and remediate concerns about paper or electronic forms, spreadsheets or documents used to record GMP data, and moving from paper to electronic forms that fully meet data integrity requirements, follow this blog series, visit www.part11solutions.com, or email CIMCON at info@cimcon.com for a discussion about easy and simple to implement technical controls to help create, issue, review, protect, reconcile and manage regulatory quality data.