Doc Control: when is enough, enough?

While browsing recent FDA 483s within the Redica database, I came across a 483 (issued September 27, 2024) that may give us an insight regarding regulatory expectations for the management of in-process CGMP documentation that will eventually be used (e.g., uploaded to an eQMS) to support an investigation initiated under 211.192. Examples include the use of MS Word, Excel, or even printed blank paper forms to document steps taken during an incident, investigation, OOX, etc. Here is the text, which was cited under 211.68(b):

“General Format documents not controlled or reconciled. These forms can be used in part for DEV/CAPA investigations, assessment/evaluation of CAPAs, and as a form for attaching data printouts.”

In this case, there were no controls implemented for “General Format” forms, meaning they can be easily replaced without a trace. In most cases, firms use Word for such activities, which presents its own challenge! The use of any software to support an investigation (a predicate rule!) would certainly need to meet the expectations outlined in 21 CFR Part 11, just as paper forms must meet doc control expectations; however, we have so far not considered this to be relevant. So where do we currently stand with regard to software and investigations? I’m afraid this is unacknowledged risk…

Many firms use Word/etc. to document the steps taken during the investigation, including a description of the event, evaluation of scope, root cause analysis, product impact, and CAPA. All of this is done without any controls! This data, which in many cases directly impacts a patient if incorrect or inaccurate, is essentially ungoverned. In fact, most firms don’t even mention the use of Word within their investigation SOPs/work instructions!

If this were cited on an FDA 483, the investigator would need to answer the “so what” question. So here we go: I might write it as follows, cited under 211.68(b):

Appropriate controls are not exercised over computers or related systems to assure that changes in master production and control records are instituted by authorized personnel. Specifically,

Your firm uses MS Word to document CGMP original data collected during the OOX, deviation, incident, and complaint investigation processes. There are no written procedures established to describe the use of MS Word during the investigation process. Additionally, no risk assessment has been completed to identify any residual risk in the current unofficial workflow regarding the accuracy and completeness of CGMP data and/or metadata.

For example, during my review of the laptop assigned to your QA Associate, I noted at least 6 ongoing deviation investigations stored within the “Deviations” shared folder that were partially completed. No audit trail is available to evaluate the creation, modification and deletion of this data.

As a result, the accuracy and completeness of data collected during the investigations process and ultimately uploaded to your eQMS cannot be verified.

Have details collected during the initial scope evaluation been removed or altered to fit the product impact assessment? This may be done with the best of intentions; however, it may have unintended consequences. In my opinion, this is unacceptable residual risk. Even if we were operating in a largely unregulated environment, such as the manufacture of smartphones, this would be bad for business. Senior management should be hungry for the real and unfiltered metrics/state of quality, which originate at the front line but are often diluted and/or biased as they move up the chain to the monthly meeting. Why create the opportunity for bias to be introduced via revision of the investigation details without a trace? Nah. We can (and should) do better!

It is time to start a real discussion in this space.

Pete
