Qvents

Discussion forum for Pharma Quality events, Regulatory Actions

Warning letters, 483s, Recalls, Import Alerts, Audit observations

The USFDA Warning Letter to Centrient India (Toansa, Punjab; FEI 3004497364) in December 2022 cited inadequate document control over paper and electronic records, an uncontrolled document shredder containing unidentified shredded documents, and usernames and passwords for several users' software logins handwritten in a notebook. The Warning Letter followed a USFDA inspection at the Centrient India site in June-July 2022.

Warning letter

Failure to ensure adequate document control over paper and electronic records. Observed numerous logbooks, forms, and partially completed “Sample Request For Analysis” in an uncontrolled temporary storage room. In the document center, observed a document shredder labelled for “emergency use” containing shredded documents. Unable to identify the documents in the shredder, which were observed to contain information for relative humidity, temperature, and data recorded in writing.

Failure to have adequate controls for your computerized systems. Usernames and passwords for the software logins of several users were handwritten in an uncontrolled notebook of a senior executive microbiologist. The login information was for software used to control laboratory equipment, such as incubators for the storage of product and water samples. To ensure data integrity, actions performed need to be attributable to a specific individual.

Response does not provide a detailed plan to ensure future paper and electronic record and documentation practices comply with CGMP. Response is also inadequate because it does not include a comprehensive retrospective risk assessment of the impact and scope of the inadequate document control at the facility, and it does not fully address tiered user access and controls to ensure access is appropriate to each user’s role and administrative roles are adequately controlled.

Inadequacy or absence of policies and procedures for data integrity and document control (issuance, maintenance, retrieval, archival and destruction of paper documents), or failure to implement them, leads to such observations during regulatory audits. Companies in a GxP domain should have procedures and practices for control of computerized systems and electronic data: defined and controlled user access levels; password policy and controls; data archival, retrieval and audit trails; and computer system qualification and validation (CSV).

Companies should have robust document control procedures for paper documents and implementation of the procedures and practices covering document issuance, maintenance, review, retrieval, archival and destruction. There should be accountability of all documents through issuance and retrieval logs; Quality unit (Quality Assurance department) should be the custodian of the same. Document destruction should be a controlled activity with authorization from Quality unit and logs maintained. Document shredding machines (shredders) should also be controlled with logbook and documentation of shredding activities performed. Document archival and storage locations should be well defined with access controls.

There should be a policy and procedures for control of computerized systems. Administrative controls should be defined and should rest with independent units (usually the IT function reporting to top management). Computerized systems should comply with 21 CFR Part 11 and electronic data control requirements. This will include defined procedures for password controls [individual passwords for all named users; defined expiry of passwords (usually 1 month); password complexity (minimum length and a required combination of letters, numbers and symbols); non-repetition of passwords (e.g. a password should not be the same as any of at least the last 3 passwords); password reset by users (without any need to write down passwords)], defined access privileges for users that are consistent with user roles in all systems, and procedures for activation and deactivation of users and user privileges. There should be procedures for control of electronic data: data archival, retrieval and review of audit trails. If there are legacy computerized systems where some or several features of 21 CFR Part 11 compliance are missing, an assessment should be performed with respect to the risk to data security and data traceability. Remedial measures (alternate controls or replacement of systems) should be taken up accordingly. There shall be no uncontrolled usage or sharing of passwords. There should be a defined procedure for computer system qualification and validation (CSV), and all GxP computer systems should be qualified and validated.
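The password controls listed above can be checked mechanically. The following is an added example, not part of the original post or of any system named in it: it enforces complexity and non-repetition at change time and audits an account inventory for shared logins and expired passwords. The account layout, the function names, the 12-character minimum and the use of PBKDF2 for the password history are assumptions.

```python
import hashlib, hmac, os, re
from datetime import date

MAX_AGE_DAYS = 30    # "usually 1 month" in the text
HISTORY_DEPTH = 3    # a new password must differ from the last 3
MIN_LENGTH = 12      # assumption: the text gives no minimum length

def digest(password, salt):
    # Salted, slow hash so the history never holds a plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def record(password, changed_on):
    salt = os.urandom(16)
    return {"salt": salt, "hash": digest(password, salt), "changed_on": changed_on}

def complexity_problems(password):
    checks = [(len(password) >= MIN_LENGTH, "too short"),
              (re.search(r"[A-Za-z]", password), "no letter"),
              (re.search(r"[0-9]", password), "no digit"),
              (re.search(r"[^A-Za-z0-9]", password), "no symbol")]
    return [msg for ok, msg in checks if not ok]

def change_password(account, new_password, today):
    # Self-service change; returns a list of problems (empty means accepted).
    problems = complexity_problems(new_password)
    recent = account["history"][-HISTORY_DEPTH:]
    if any(hmac.compare_digest(digest(new_password, r["salt"]), r["hash"]) for r in recent):
        problems.append("reuses one of the last 3 passwords")
    if not problems:
        account["history"].append(record(new_password, today))
    return problems

def audit(accounts, today):  # flags shared logins and expired passwords
    findings = []
    for a in accounts:
        if len(a["assigned_to"]) != 1:
            findings.append((a["username"], "not attributable to one named user"))
        if (today - a["history"][-1]["changed_on"]).days > MAX_AGE_DAYS:
            findings.append((a["username"], "password expired"))
    return findings

# Constructed sample inventory for a laboratory equipment application.
ACCOUNTS = [
    {"username": "analyst01", "assigned_to": ["A. Example"],
     "history": [record("Spring#Batch2024", date(2024, 5, 20))]},
    {"username": "micro_lab", "assigned_to": ["B. Example", "C. Example"],
     "history": [record("Incubator!7781", date(2024, 3, 1))]},
]
print(audit(ACCOUNTS, date(2024, 6, 1)))
```
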

Companies should have a well-defined data integrity policy, which includes policies for control of computerised systems and electronic data compliance. All employees of the company should be well trained in the policies and procedures. There should be active oversight and control of Quality Management System performance and data integrity by the Quality unit, and periodic review by top management (e.g. monthly management review meetings). Such review should cover data integrity incidents and actions taken, apart from review of Quality events and trends such as complaints, deviations, out-of-specification and out-of-trend results. There shall be a defined procedure for management review meetings with agenda, presentation templates, and documentation of minutes and action points.

  • Immediate implementation of a control procedure for usage of the shredder: log book, and authorization for document destruction by the Quality unit with traceability of documents destroyed.
  • Scan the entire site for any uncontrolled areas where documents are stored, document the observations, and list all the documents that are observed in such areas. Categorise and reconcile the documents so observed, and identify reasons for such documents being kept in uncontrolled room(s). Establish corrective actions for all identified reasons.
  • Take an inventory of all documents archived in all document storage areas (controlled and uncontrolled), and reconcile the documents category-wise (e.g. batch records, batch analytical records, SOPs, log books, validation reports, qualification reports, and so on). Based on the reconciliation, identify lapses and improvement measures. This shall include defined archival period, archival area, procedure for document movement, controlled access to documents and archival areas, authorization for destruction of documents, and documentation of document archival and destruction. Establish a robust document management system tool (DMS tool) for improved control of document handling.
  • Make a matrix of all critical and key documentation related to manufacture and release of products and batches (e.g. batch record, analytical record, equipment logbooks, calibration records, equipment qualification documents, training records, and so on). For all the batches manufactured and distributed (and within expiry), update the matrix for availability and authenticity of the documents. Based on this, make an assessment of any lapses in the documentation of each batch. This shall be performed with involvement of a respected and reputed independent 3rd party GMP/Quality consultant. Based on the assessment, take actions, which may include retest of selected or all batches, or product recall if the documentation and control are not able to provide assurance of the quality and integrity of products and batches.
  • Make an inventory of all computerized systems in the site, and identify the GxP systems (those which have an impact on GMP, Quality, Compliance) and non-GxP systems. Make an assessment of the 21 CFR Part 11 electronic data control requirements for all GxP systems (user access controls; electronic data controls: data storage, backup and archival, electronic data and audit trail review, data retrieval; data traceability). Based on the assessment, establish remedial measures for 21 CFR Part 11 compliance of the systems. This shall include establishment of procedures, upgrading of systems where existing systems have inadequate controls, and establishing alternative control procedures for legacy systems till they are replaced or upgraded. Assessment of computer systems and implementation of remediation measures shall be performed with involvement of a respected and reputed independent 3rd party data integrity (DI) / GMP consultant.
  • Establish a Data Integrity policy and procedures with detailed dos and don’ts, and train the personnel. Establish continuous learning programs with a mix of trainings and workshops for enhancing the GMP and data integrity culture in the organization. Establish procedures for management review with involvement of senior management and leadership. Review of Quality system performance (GxP / GMP / Data Integrity) should be part of management review meetings at the highest level, ideally every month. Management review meetings shall review Quality events and incidents, and track progress and effectiveness of remedial measures and continuous improvement programs.