As part of my work with FDA data integrity and Part 11 compliance, I typically address dozens of unique client questions around data integrity and cost-effective Part 11 compliance. And yet, in nearly every consulting engagement, conference speech, or private data integrity corporate workshop, people naturally end up asking a handful of fairly similar questions.
Below are five frequently asked questions that I often receive around Part 11 and data integrity:
1. What are some specific trigger events that should cause us to re-evaluate - or at least take a quick review of - our progress on data integrity and Part 11 compliance?
Clearly one trigger event is when the FDA (or a sister agency such as EMA) publishes a new regulatory guidance document related to Part 11 or data integrity, even if it may not appear - at first blush - that the guidance applies to your business. A perfect example is the 2013 FDA guidance, Blood Establishment Computer System Validation in the User's Facility.
Another trigger event might be if your organization makes a major policy or process change related to record retention. For instance, if your firm moves away from a traditional "print and retain" model of keeping required records to a more electronic archiving model. This would be a point wherein you would want to review your FDA recordkeeping policies and procedures, update them as necessary, and then pair them with a review of your data integrity controls around long-term data archival. Do you have the right policies in place? A good data archival retrieval auditing and sampling process? Has the process for data archival been validated?
A third trigger event to consider is if your organization undertakes a new business partner or a new supplier that will be creating regulated data on your behalf, storing regulated data on your behalf, or otherwise manipulating and processing regulated data on your behalf. Typical examples include a new contract research organization or a new contract manufacturing organization. Getting a data integrity audit of critical suppliers is increasingly a "must-do," especially for firms dealing with clinical data.
2. If our data is completely electronic - we use no paper source data at all - is there a requirement to print out our data in order to retain it for long-term storage?
No. Organizations are allowed to retain their data in a completely digital format. You can verify this by reviewing the various US-based data integrity regulations and FDA recordkeeping regulations (this list is valid as of January 2015). In the US specifically, the Uniform Electronic Transactions Act (UETA) and the Federal Rules of Civil Procedure (FRCP) require courts and government agencies to accept original source data and original signatures that are digital as long as some level of controls have been put in place to ensure the data (and any signatures) have integrity; thus, for FDA, those controls are spelled out in 21 CFR 11 Electronic Records; Electronic Signatures.
3. If we have some records in other languages and we do internal translations - including manual verifications by native speakers of that language - do the systems on which we do the translation work need to be Part 11 compliant?
No, in part because you are doing manual verifications of the translations by individuals fluent in that language. If your translation process was completely automated - say you were using Google Translate - and really had no clue if the translation was proper, accurate, grammatically correct, etc., and this was for records required under FDA statutes or regulations, Part 11 compliance would probably be the least of your issues. Part 11 is only designed to ensure that a digital record and signature are just as trustworthy as a similar paper record and ink signature.
If you had a paper, typed record translated by someone and you had no way to know or verify that the person's translation was correct, proper, grammatically logical, etc., you'd still have the exact same issues. Since you don't know the trustworthiness of the original record in its original language, you don't know whether the translated version of the record is accurate, complete, etc. That's one of the reasons that translation services use multiple translators to double- and triple-check each translation, and provide a certificate of accuracy.
It's my opinion that leaving the translation of a regulated record up to an automated translation software - no matter how good - without some level of post-translation verification is a huge risk, especially for FDA required records and records dealing product safety, efficacy and regulatory compliance.
4. In six months, we're moving to a new electronic system that will be validated for our complaint handling and CAPA handling processes - can we just tell the FDA investigator this and not worry about showing progress toward meeting Part 11 compliance?
Technically, if this was the only system that the investigator decided needed to be validated, and you could show some level of proof of purchase, the project plan, the vendor qualification status, and so on, then you *might* not need to worry. In reality, however, it is exceedingly unlikely that the FDA investigator will only see the need to confine Part 11 compliance and data integrity controls to just your complaint and CAPA data.
If you review both Part 11 and its preamble, as well as nearly all the Part 11 guidance that FDA has published since 2000, it should be clear that FDA consistently expects all the electronic records that you rely upon to make decisions around product safety, efficacy, and regulatory compliance to have integrity. In addition to validation, other data integrity controls need to be in place (validation cannot, by itself, for instance, prevent data fraud). Thus, you will want to have a plan - such as a site master validation plan or site master data integrity compliance plan - on which you can show progress and show how you ensure data integrity across the record lifecycle, from initial data creation to long-term data archival.
Lastly, it's important to always keep in mind that an audit or inspection is simply a "snapshot in time." So not having any progress on Part 11 will still likely net you a Form FDA-483 observation, but the proof you can show of impending validation completion plus all the current additional data integrity controls you do have might be able to mitigate that 483 enough so that you do not receive a Warning Letter citing poor data integrity. When I hold data integrity workshops, one of the significant section we always discuss is around all of the various data integrity controls that you can have beyond just "validation." Ironically, it's been my experience that many organizations do have multiple data integrity controls operating, they just don't realize it - or call them out as such - and so they do not get credit from FDA.
5. Is there any guidance available from FDA for qualifying or validating Excel spreadsheets?
Yes, although it's not a "guidance for industry" per se. FDA has published it's internal policy for how it expects Excel spreadsheets used for scientific calculations, formulations, macros, etc., to be validated. So one activity my clients undertake with is to review the FDA process Development and Validation of Spreadsheets for Calculation of Data, and then craft a reasonable, pragmatic spreadsheet macro validation SOP. It's important not to go overboard when applying controls to spreadsheets and trying to validate macros. If you review that FDA process, you'll see that if it takes you more than a day or two to validate a typical spreadsheet, you're probably doing too much - and that's a clear indication that you will save money, reduce your risk, and benefit from expert help on how to streamline and simply Part 11 compliance and FDA data integrity.
Are there any questions you frequently find come up in your organization around Part 11 or digital data integrity? Comment below or contact me directly.