What is Document Controls?

The Document Control process involves the management of documents in terms of creation, review, approval, distribution, and archiving that result in maintaining accuracy and compliance in the documentation. Document Controls are important because without effective Document Controls you have:

• High Probability of Errors: An error in even one document that goes unnoticed can quickly proliferate throughout an organization and lead to poor decision making
• Security Weaknesses: Documents can contain highly sensitive information that can be easily leaked or hacked and this can cause major reputational and regulatory damages
• Operational Efficiency: Even with a document controls process in place, the amount of documents to monitor can grow very quickly and it can be cumbersome to manage this process without the proper tools
• Regulatory Risk: Regulations like CFR Part 11 outlines specific requirements for document controls which if not followed can lead to major fines and other penalties

What is the Regulatory Landscape around Document Controls?

Due to their importance, Document Controls are subject to various regulatory requirements. Some of the key regulations surrounding Document Controls include:

• 21 CFR Part 11: This regulation from the FDA outlines that documents must have proper controls, be secure, and electronic signatures that are trustworthy
• EU Annex 11: This regulation also provides guidance on the use of electronic systems, but primarily in Europe and outlines recommendations for Validation, Audit Trails, Data Integrity, etc
• NIH Harmonized GMP Requirements: The NIH from the United States has released this guidance on Documents and Records that outlines how to effectively conduct audits and maintain quality when creating documents
• ISO 9001: This international standard for quality management also emphasizes the importance of Document Controls across all industries

How to implement Document Controls?

So, how do you actually implement effective Document Controls, avoid regulatory penalties, as well as mitigate the other risks that come from poor Document Controls? Not to worry: there are several Best Practices that can help you manage your documents effectively:

• Document Approval Workflow: Having a well defined approval workflow creates accountability for the quality of documentation and helps distribute responsibility effectively, making maintaining high standards for quality possible. Automating and monitoring this approval process through roles, permissions, and alerts can make these approval workflows a lot easier to implement and sustain.
• Assess Control & Audit Trail: Only the right people should have access to the right documents. Assess Control helps make sure that this is the case with added security and Audit Trails that track who is making what changes to a document can help understand where errors or data leaks are coming from and mitigate these problems.
• Protect Documents with Sensitive Information: Securely locking files that contain sensitive patient data or information about new pharmaceutical drugs is critical as these documents have a particularly high risk of resulting in reputational and regulatory penalties if leaked.
• Configurable Electronic Signatures: Trustworth electronic signatures are a requirement specifically called out by many regulations. This improves transparency and provides the proper legal framework to document when proper procedures are being followed.
• Password Management: Even with password protected security measures in place, poor or aging passwords still provide a high security risk of failing to mitigate bad actors from engaging in malicious activities.

CIMCON Software

CIMCON Software has been helping hundreds of clients with compliance of pharmaceutical regulations like CFR Part 11 for over 25 years. Through our experience, we have perfected controls that provide the functionality we recommend above to keep your documents secure and mitigate the risks discussed in this article. That is why we count 8 out of the Top 10 life science companies as our customers. With offices in the US, UK and Asia-Pacific, 500 customers in 30 countries, 24/7 support, and partnerships with multiple Cloud and technology vendors as well as Value-Added Resellers across the globe, CIMCON can support your implementation at a single site or across the enterprise.

The Power of Documented Controls

Overall, Document Controls can be hard, tedious, and difficult to maintain without errors. However, doing so is incredibly important as without proper document controls, firms can face major operational burdens, high levels of security vulnerability, poor business decision making, and strict regulatory penalties. But there are time tested strategies and tools that can help mitigate these risks without breaking the bank or having all team members work overtime and these can help propel your organizations digital transformation.

Guest Author: Heather Longden

Ms. Heather Longden has thirty (30) years of experience in regulatory compliance in the pharmaceutical industry and is an expert in data integrity, data management, 21 CFR Part 11, GxPs, and computer system validation. She is a leader at the GAMP^® Americas Steering Committee and serves on the the ISPE Boston Area Chapter Board and Education Program Committee (EPC).

In this moths blog, I will dive deeper into why and where paper/printed forms are still used in Pharma manufacturing and testing facilities who are purporting to meet regulatory GxP requirements.

But first, a couple of definitions and notes. In most cases, I will be referring to forms that are printed, completed in pen, and then stored as paper records. However, when those forms are then scanned and stored electronically as PDF files, I will still refer to them as paper forms, regardless of the format of the archived ‘copy’.

Forms issued, completed AND stored electronically will be discussed later, as they generally have their own compliance requirements to address.

Good documentation practice is essential for all records required by a regulatory predicate rule. Some companies still refer to this as GDP, however, since the introduction of Good Distribution Practice, which claimed the GDP acronym, documentation regulations now use the term GDocP. Continue reading “Data Integrity Compliance for Paper Forms and Electronic Data Created in Regulated Laboratories and Manufacturing – Where Forms are Used Today in Regulated GxP Environments”

Guest Author: Heather Longden

Ms. Heather Longden has thirty (30) years of experience in regulatory compliance in the pharmaceutical industry and is an expert in data integrity, data management, 21 CFR Part 11, GxPs, and computer system validation. She is a leader at the GAMP^® Americas Steering Committee and serves on the the ISPE Boston Area Chapter Board and Education Program Committee (EPC).

Reading a newly published FDA Warning letter (1)

“https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/warning-letters/nortec-quimica-sa-639894-12082022”

I was surprised and ‘not surprised’ to see ‘analytical worksheets’ mentioned in the midst of some basic electronic data integrity observations.

… the “analytical worksheet forms” used for recording testing results in the quality control (QC) laboratory are not controlled as there was no unique number, signature, or any other traceable element on the forms themselves to identify when or by whom it was issued.

It is not clear or obvious if this observation refers to paper forms or electronic forms, but in fact, it really makes no difference to the Quality Units’ responsibility to review and ‘reconcile’ forms and documents. In this specific example, the inspector was concerned about the correct assignment of ‘Attributability’ or the first A in ALCOA+. This is likely because other observations on electronic laboratory records also suggested issues with attributability. Continue reading “Data Integrity Compliance for Paper Forms and Electronic Data  Created in Regulated Laboratories and Manufacturing – A Review of Two Recent FDA Warning Letters”

Since the FDA’s Data Integrity guidance came out in April 2016, there has been a lot of interest on the topic. Indeed, the number of warning letters for drug GMPs increased by 12% in FY2017 as compared to the previous year. 65% of these warning letters cited data integrity violations.

In a world awash with data, where does one start to improve data integrity? From an IT perspective, data is generally classified as:

• Structured data, that normally resides in a relational database such as SQL or Oracle. Enterprise applications such as ERP, MES and LIMS typically store their data in such relational databases and are examples of structured data.
• Unstructured data, that refers to files residing on users’ local machines or network drives. Common examples of unstructured data include spreadsheets, Word/PDF documents, drawings, instrument lab or other raw data files in CSV or TXT format.

Data integrity assurance requires a number of components that include, but are not limited to, security, audit trails and electronic signatures. Applying a risk-based approach to data would lead to the following general conclusions: Continue reading “21 CFR Part 11 Compliance for Spreadsheets”

Companies that use spreadsheets for business process that involve GCP, GLP or GMP outcomes often look to tighten up good practice by focusing on the most immediate
problem(s) at hand. Typically that involves one or more of the following processes:

1. Validate of the spreadsheet
2. Verify that the use of the spreadsheet complies with Predicate rules and 21 CFR Part 11 requirements for security, audit trail and e-Signature sign offs
3. Validate the application providing the controls

All three processes are important and play a critical role in the proper use of spreadsheets in labs, clinical trials, research or manufacturing and in meeting requirements of 21 CFR Part 11. Continue reading “Sustainable Business Practice leading to Quality and Compliance Enhancements”