The Chief Information Officer (CIO) is responsible for providing the IT infrastructure that delivers software applications to end users, but end user management is responsible to authorities for the accuracy and integrity of the electronic records produced. The selection, validation, and use of software applications appropriate to a regulated work process and retention of the e-records produced are the responsibility of the work process owners and ultimately the corporate executives to whom they report. (p.311)
In the last ten years there has been a dramatic shift to computerized systems in all phases of the healthcare business and electronic records now comprise the bulk of data produced by the research, development, and manufacture of drugs and medical devices. Yet many corporate central records departments remain paper focused and senior management looks to the CIO and thinks of IT backup media as sufficient for electronic record retention. This is a dangerous mistake.
Just as in the case of the Sarbanes-Oxley Act (2002) and financial records management, GXP regulated corporate managers must show “due diligence” for the accuracy and integrity of GXP-related electronic records. Such “due diligence” means policy, procedures, and a compliance program for e-record quality to GXP regulations, 21 CFR Part 11, and EU GMP Annex 11 standards from GXP e-record creation through to long term retention for the last batch of product sold in the last country on earth. Central paper records and routine system backups are no longer enough.
It is important that management at corporate level examines its use of computerized systems and electronic data for all GXP regulated activities and filings. The value of such e-data and systems should be identified as the corporate assets they are and not as overhead expenses. To protect these assets, corporate management needs to develop policies and standard practices with roles and responsibilities defined for the following:
- Quality of electronic data handling in GXP activities – creation through retention time
- Quality of GXP computerized systems and their validation to Part 11/Annex 11 standards
- Controlled electronic archives for management of GXP data through retention times – end user, archivist, and IT roles
- End user management responsibilities for GXP data integrity in their work areas and for its safe retention to legal terms – validated systems used, vendor systems vetted, users trained, PQ system sponsor role, BCP alternative procedures during system outage, area archive index, etc.
- End user and IT roles in computer validation of GXP systems (PQ and IQ) from install through replacement and decommission with OQ for internal custom coding
- QA Compliance Program for monitoring corporate performance to these policies and procedures with periodic report back to corporate level per GXP area
Next Month: System Sponsor Role in Computer Validation
The sponsor of a system and its validation package is the work process manager responsible for the regulated electronic data being processed. This is the manager who will meet with FDA inspectors to get their 483 report following a site inspection. (p. 35)