1. What are the records?
Records include more than the final assay results.
For example, they can include audit trails, QC results, user access control lists, and configuration settings.
- Review the manufacturers’ user and administrator manuals to identify records the instruments create, modify, maintain, or transmit.
- Ask for a guided tour of the validation / qualification records. (Try asking questions like: “The user manual describes how a user can delete assay results before they are sent to the LIMS. Please show me where you tested the instrument audit trail for this situation and how you preserve the original results.”)
2. Why isn’t paper the same as electronic?
Paper and electronic records are equivalent only if they are equivalent in content and meaning.
If the lab claims paper printouts are equivalent to the electronic records,
- Check how the procedure for producing paper printouts ensures paper is equivalent to electronic.
- Compare a sample of paper printouts to the electronic records to verify equivalence.
Aside: Check out what FDA’s thinking. While their FAQ is aimed at GMP, GLP and GCP data must be accurate and complete too!
If the paper records and electronic records turn out to be equivalent in content and meaning (just because we haven’t seen it yet doesn’t mean it can’t happen), the lab may have written SOPs saying the paper printouts of lab data are their “raw data” and they rely on the paper record to perform regulated activities.
Does the lab really rely on paper records to perform regulated activities?
Here’s what that process might look like.
- The lab tech prints all results from the instrument.
- A supervisor reviews the printouts, visually checking for panic values that should trigger notifications to the investigator and sponsor.
- When the supervisor sees panic values, they fax a copy of the printout to the appropriate people at the investigator site and sponsor.
- When the sponsor needs the lab results to include in their submission, the lab boxes up copies of paper and mails them to the sponsor.
- The sponsor double data enters the results into their clinical data management system.
That’s what your company does, right? Of course not!
Every downstream process in the lab, at the investigator site, and at the sponsor depends on the electronic records created by the instrument.
3. Are the records protected?
Know where the records are, how they are backed up, and effectiveness of access controls.
You know what the records are. Now find out where they all go so you can check access control and backups.
Access controls can be challenging with instrument systems. Manufacturers may not design their software to be compliant with GLP and GCP predicate rules. Sometimes they even configure their software with accounts that cannot be associated with an individual. Make sure to review SOPs and associated records for granting, revoking, modifying and periodically reviewing access both to the instrument system and the systems to which the instrument transmits data.
Of special importance for records that don’t make it to the LIMS system,
- Review the backup SOPs for applicable platforms.
- Check the records required by those SOPs.
Make sure audit trails are available and have been tested.
- Ask your validation / qualification records tour guide to show you where the audit trails were tested.
- Review a sample of records and their associated audit trails.
4. How does the lab review records?
In the paper world, review includes data changes. In the electronic world, it includes audit trails.
Audit trails aren’t there just for IT! Lab management is responsible for the contents of the records.
- Review the SOPs for reviewing electronic data andverify audit trails are included.
- Watch lab personnel review some of your data.
- Request documented evidence of reviews and compare it to the records (including the audit trail).
- Changes and deletions have been reviewed as required.
- Questions about them have been addressed appropriately.
5. Who has your data?
Probably more people than you want.
Nearly all central labs have web-based systems to give sponsors near real-time access to their lab data. Some labs lack processes to manage access over time. Labs that do have processes may get no response from clinical teams when the lab asks them to review access lists. If you work for Acme Pharmaceuticals and John Doe left your company for Zenith Pharmaceuticals two years ago, does your management really want him to be able to view and download your company’s lab data?
Work with the lab, your IT group, and your clinical teams to identify users who should no longer have access. If you find some, get the lab to find out how the accounts have been used since the time they should have been deactivated.