In reality the corporate executive responsible for a regulated work process is the individual ultimately responsible to authorities for the integrity of electronic records produced by that work process and the quality of software systems being used to produce and archive those regulated work process e-records. (311)
Senior management is often removed from the daily view of regulated work processes and the computerized systems supporting production, use, and retention of electronic records from those activities. They frequently see the Chief Information Officer (CIO) as the responsible role for all things electronic. Regulators, however, see it another way. Authorities hold the senior end user manager responsible for the quality, integrity, and retention of e-records in a regulated work process whether it is in a manufacturing, laboratory or clinical work setting. Part 11 citations about e-records are reported under the relevant predicate rule – GMP, GLP, GCP – and go to the work process senior manager and not to the CIO.
As discussed in Chapter 1 of the book, Management Control is the first expectation of all regulations.
“…all regulations expect management to stay in control of the regulated work process, the computerized system, and the regulated electronic data.” (12) How does management do this? It is done with corporate policies, procedures, work instructions, forms, templates, guidelines, training, and monitoring for compliance with plans, assessments, and reports.
Policy starts at the top and every regulated company should have a corporate policy on Quality Practices for Electronic Data Handling and Computerized Systems Compliance. To be consistently followed, the policy needs a standard Risk Assessment Form to identify GXP and non-GXP systems. It also needs a business process for senior management to monitor e-record quality and systems compliance to the FDA 21 CFR Part 11, the EU GMP Annex 11, and the alignment of technology usage with business goals. In Chapter 10, one mechanism for this governance is discussed as a Business Decision Group (BDG).
The regulatory term for governance is “due diligence” and evidence of this at the corporate level is through policy, directives, plans, and reports. This can be efficiently done by having all annual business plans for regulated areas include budgets for the people, time, and other costs involved in ensuring e-records quality and compliant systems for GXP regulated activities. Then reports of performance to plan for the regulated work process would also include performance to stated e-record compliance goals.
The final product for GLP work is e-records supporting an electronic filing of an IND. Final product for all GCP clinical trials is the CRF database and electronic filing of an NDA. Final product for GMP is the pill or device PLUS electronic batch records. Corporate management is responsible to authorities for the quality of all these final e-record products and needs documented evidence for how it stays in control of compliant electronic data and computerized systems.
Next Month: Why Validate a Computerized System?
If system manuals and training materials do not reflect the installed version of the system, work process mistakes could happen with its use. If work process SOPs do not reference the work steps where the system is to be used, mistakes could happen to reduce product or data quality in the GXP work process. (30)