Control of Quality Records in the Pharmaceutical Industry

As in so many disciplines, the theory is much easier to accept than the practice. Before the task of maintaining document security becomes too overwhelming or shamefully neglected, it is prudent - and will save time and later frustration - to look at the number and nature of records involved. For the pharmaceutical industry (and companies embarking on ISO9000:2000 quality system development), all documents included in the processes of contract management, statutes, regulation, jurisdiction, purchasing (approved supplier records), receiving and shipping, design and development, production and administration (where applicable) are classed as "quality records" and "critical." The documents involved in the needs of any other interested parties (particularly customers) should also be considered.

The control and security of documents is more manageable if distribution is limited to those who "need to know." This means setting out the criteria for distribution at a very early stage in design and production development. Hard copy and electronic documents must be available for use where and when they are most needed. Every aspect of development and production, and the people involved in the process, must be considered carefully to ensure that everyone has the information they need, when they need it.

Creating a master document list

The main task will be to create a master document list that will record, in hard copy or electronically, all the documents involved - from contract review to final delivery of the product. The following questions must be asked at the first contract review stage:

• Is the document critical or non-critical?

• Who will control the list? (Preferably limited to one authorized individual.)

• Who will have authorized access for review, revision and amendment? (Usually the quality assurance manager, but in larger companies it could be the technical library staff or engineering staff.)

• Who should be considered when compiling the list of "authorized, responsible individuals"? Any persons responsible for review and release must be identified and their names and responsibilities circulated to other listed authorities. Keep a "signatories list" to safeguard against, and identify, the squiggles that some people use as signatures.

• Have the documents been subjected to the severest scrutiny before issue? Verification of content, a logical sequence of events with the reader in mind, grammar and spelling (particularly for international markets) should all be addressed.

• Are the documents clearly written with the reader in mind?

• Where do the documents begin to appear in the design and production process?

• Do they include user documents?

• What is the distribution? (Please, no uncontrolled copies!)

• What are the intradepartmental connections for each document and how are other agencies involved?

• Where will the documents be kept? (Secure from damage or other deterioration such as climate.)

• Who will be in charge of the documents at the point of use?

• Has documentation development been included in the quality plan and management quality objectives?

User publications are sometimes given short shrift in the development plans. Given their rightful place in the development process, questions will be asked such as: does the author need to know the product? At which stage should the author(s) be brought into the process? The answer is, the earlier the better: in fact, as soon as the design process is under way or even at the design note stage.

You may be under the impression that the above concerns are known and understood by all senior company executives, who govern themselves accordingly; unfortunately, they do not. I have seen files of critical documents stored in the most lamentable conditions, subject to the onslaught of seagulls. This is less likely to happen nowadays, with documents stored electronically. Many companies, however, simply update documents and put the latest version online at prescribed (or ad hoc) intervals, consigning previous versions to the waste basket. In some circumstances, the history and revision trail of the document can be preserved if the previous revisions have been exported to another authorized individual within the company, but this process can weaken the security of documents.

Password protection

Given the many constraints surrounding the protection of our documents, many of us place great trust in our passwords. Unfortunately, as Steve Hughes, managing director of DLP Consulting, points out: "The flaws existing in current password application could lead to serious breaches of security. You can bypass password dialogue boxes in older Windows operating systems (pre-Win2000/XP)." He observes further that: "Although safeguards are available that include software for fingerprint recognition, encoding and encrypting documents, encoding and encrypting e-mail when it constitutes a part of the quality system, many files are not password-protected at document level. Time- and date-stamping on database records (for example, financial and testing records) could protect documents from unauthorized interference."

Legal implications

In addition to the strictures expressed in the US Food and Drug Administration (FDA) standards, the legal implication of electronic data transfer has become a thorny issue. Publications such as The Legal Admissibility and Evidential Weight of Information Stored Electronically (BSI), although informative, simply add to our fears that we are becoming more and more embroiled in unmanageable requirements.

Best practice

The remedy is to follow best practice wherever possible. This does make sense when you think of the pharmaceutical industry as being (like the aerospace industry) an unforgiving environment for error and where traceability is a critical factor in design and product development. The same security procedures that are used in the financial systems controlling life assurance, pensions and banking can apply, where the recording of transaction dates and times are vital and bespoke systems are built to ensure this protection. You can also

• protect the backup tape (make sure it doesn't fall into the wrong hands)

• lock the server room

• install a firewall to stop Internet hacking

• pay attention to LAN security

• have a procedure for signing off and make sure everyone follows it

• vet staff before assigning passwords and other authorization to them

As well as all the above precautions, I would like to think that you are paying close attention to the style and content of the documents. Clarity is essential; try to stay away from "management speak" and other faddy language that can clutter the best thought-out and well-intentioned policies and procedures.

The main thing is to start the document control process in small, manageable pieces. You can create categories for the master document list from components of standards such as ISO9000:2000, which cover every aspect of a quality system. This will ensure that you have included all possible document sources.

Remember to assign the relevant authorities and responsibilities at the earliest possible stage in the project. Nothing will create more confusion than a last minute attempt to assess and categorize documents. Document control is the number one cause of failure in assessment for ISO9000:2000, and the component which, if neglected, will cause the greatest difficulties. You don't want this to happen in your company, do you?