Original GxP Record, The O in ALCOA+

Pandemic tracing as an example of data integrity
 
 

 Understanding what constitutes an original record and applying data management controls needs to be right up there with a clear understanding of your data and record criticality.

There are numerous regulations that refer to complete data and original records. If we take laboratory records as an example and consider cGMP violations over the last 12 months compliance with FDA regulation continues to be an issue.

 For example, 211.180 (d) 'requiring that records be retained as “original records, or as true copies or other 'accurate reproductions of the original records' and 211.188, 211.194, and 212.60(g) 'requiring 'complete information' complete data derived from all tests' and 'complete record of all data' and 'complete records'

 The number#1 query ERA Sciences deals with during data flow mapping is

 ' Are instrument printouts the original record'

 and the answer always requires us to look at the instrument capability and functionality to see if storing the records electronically within the instrument can be done whilst ensuring these records remain ALCOA+ compliant with assured data integrity throughout the required retention period.

The number #2 query is always

'If I print out a result report from my computerised system can this be considered the original record or a true copy if it contains the audit trail associated with the record.'

This query always requires more discussion. The term original record can be applied to both paper and electronic records and whether your original record is static or dynamic in nature must be understood to answer this query.

Data may be static (e.g. a ‘fixed’ record such as paper , pdf, photo) or dynamic (e.g. an electronic record which the user / reviewer /approver can interact with, re-interpret or trend in a different manner)

So we need to understand where the original data and record resides and whether our records are static or dynamic in nature. Otherwise we cannot have assurance that our data is complete, reliable and trustworthy and has all of the necessary controls in place for the full lifecycle of the data.

Knowing what and where these records are, is fundamental to the trustworthy nature of our data. I want to give an additional mention here to readability.

In the 2020 GAMP RDI GPG Data Integrity by Design Guide GAMP RDI Good Practice Guide: Data Integrity by Design (ispe.org) Section 3.2.1 clearly called out this need to consider readability

'Data should remain readable during the complete data lifecycle' so we should be able to read it and interact with it (if and when required and the nature of the original record allows us to do this). 

What is the Impact of Original Record Mismanagement

Unfortunately it's easy to misunderstand and potentially mismanage original records. Impacts associated with poor original records management can be substantial including:

  • patient left with no medicine

  • product(s) removal from the market

  • extensive remediation to fix broken data management processes including staff re-training

  • possible delay of ANDA/NDAs (cost unknown)

  • reputational damage

  • loss of future sales

  • product considered adulterated

Example of Issues associated with Original Records

In 2014 and again in 2016 Sri Krishna Pharmaceuticals was cited for Data Integrity Issues by the FDA. One specific section of the FDA Warning Letter in 2016 described concerns over the company’s handling of data derived from compliance and specification tests.

The warning letter noted that 'laboratory tests did not include all of the raw data generated during testing of finished products, rendering that data unreliable' and the analyst 'deleted the first set of injection data but submitted the second set'

Whether intentional or accidental the understanding of what constituted an original record and management controls at Krishna Pharma appears flawed. It resulted in repeat warning letters, import delays and bans, costly downstream impact to numerous clients for whom Krishna also acted as a CMO. This overall loss of trust associated with poor data practices takes a considerable time to rebuild for regulators and clients alike.

Not knowing where or having access to original records can cause significant delays to an organisation. Records are used and relied upon to make authoritative decisions about products and quality and also need to be readily available to regulatory bodies on request.

If we consider a far more personal record ‘our proof of Covid Vaccination certs’ which many of us have now received. Consider the impact of delays when first receiving these records eg travel plans disrupted, inability to work and even ability to safely socialise.

National authorities are in charge of issuing these covid vaccine certificates. Each issuing body (e.g. a hospital, a test centre, a health authority) has its own digital signature key. All of these are stored in a secure database in each country. Only the issuing body can re-issue the cert. So we don't actually have the original record on our phones/ pcs etc. Essentially we have a copy.

If we lose/ mislay/delete the copy we need to contact the issuing body (in Ireland it's the HSE directly) as only they have access to the original data set. This re-issue process may have associated delays but at least we know where the originals reside. For us access to original records has a time impact certainly but we are at least sure what and where the record is!

Harmonise Organisational Understanding

It’s important to ensure a harmonised understanding and Management of Original Records across your organisation. Let’s look at the regulatory and guidance definitions of what can constitute an Original Record

What the MHRA says:

'Original record: Data as the file or format in which it was originally generated, preserving the integrity (accuracy, completeness, content and meaning) of the record, e.g. original paper record of manual observation, or electronic raw data file from a computerized system.'

What the WHO says:

'raw data (source data)' - 'The original record (data) which can be described as the first-capture of information, whether recorded on paper or electronically'

What PIC/S says:

'The original record can be described as the first-capture of information, whether recorded on paper (static) or electronically (usually dynamic, depending on the complexity of the system)'

An original record or source record is the first capture of the who performed the activity person or system. Includes what happened or was performed at the time of the activity and shows the chronological sequence of events. The record may also capture signature approval(s) if they were required at the first capture point.

Record source is the location where the data was first captured or generated that allows it to be maintained with integrity throughout the required retention time.

 The record source may change if for example records and data are archived either electronically or physically in the case of paper records. There may be other reasons why original data and records are moved from an original source location. Validation and documentation associated with original record movement need to be assessed and an approach may be defined in an overall risk management framework. 

Laboratory Instruments and Original Records

If the data source is a simple instrument, for example pH meter or balance and contains first capture records but has limited capacity, then it is unlikely to be able to maintain the record(s) for the required retention time with the required data integrity controls. A decision must be made by the business process owner and system owner if a paper printout may be used to constitute the original record.

A second option for instruments with limited record capacity and limited data integrity controls could be the automatic generation of a pdf by the instrument including all required metadata.

We need to be careful and not introduce more data risks when utilising pdf functionality. If users can decide when and if records require a pdf to be generated rather than automatic generation by the instrument some data and records may be intentionally excluded from the pdf generation process. This would impact downstream oversight as records could be missing and data sets potentially incomplete. Worse still original data/records would then be overwritten once instrument capacity is reached.

A third option increasingly being considered and implemented is a solution to centrally manage data in a computerised system for these simple instruments.

 Management of original records whether paper, pdf or within a central database will need to be clearly defined in procedures with necessary oversight controls.

A decision to maintain print outs as original records will first require assessment of the long term capability and data integrity controls of that instrument. The outcome of the assessment should be formally managed. Here are a few management options that may work for your organisation.

  • Include how original records are managed in instrument specific SOPs

  • Include in your Policy on Data Integrity and Management (for GxP Instruments and Systems)

  • Add a Dropdown item to your System Risk Register to define Original Records Source

  • Generate Instrument Specific GxP Risk Assessment Reports

 

Where do other Challenges lie?

Regulatory and guidance document definitions seem straightforward, but often when we start to use or process data the lines seem to blur again on what constitutes an original record.

For example take an FTIR system where a record is generated on an instrument and directly captured in a fit for purpose computerised system (within a DB or as a flat file). Now what happens when you interpret this data, process it in some way! Is this result record also an original record? It doesn't exist anywhere else - what do you think?

If a result record is generated only on the computerised system as in this example then it is also an original record - how this result data is associated with the original data may also categorise it as metadata.

Now if we print out the FTIR result in full from the computerised system with all available audit trail and metadata can this/does paper printout now constitute an original record or true copy. Well the guidance from the FDA in 2018 on this is very clear.

Guidance for Industry (fda.gov)

'a printout or a static record does not preserve the dynamic record format that is part of the complete original record' For example, the spectral file created by FTIR (Fourier transform infrared spectroscopy) is dynamic and can be reprocessed. However, a static record or printout is fixed and would not satisfy CGMP requirements to retain original records or true copies (211.180(d))'

Information and data that is originally captured in a dynamic state should remain available in that state and a risk based approach applied with a documented risk justification when a decision is made to maintain a record in a static rather than it's original dynamic state

Conclusion

Some of the confusion associated with original records understanding definitely comes from the first capture term - data coming from an instrument or other source’.

 We need to understand the capability of these source systems, and then document whether the source has the required data integrity capabilities required for the lifetime of the data.

Again I would reference GAMP RDI Good Practice Guide: Data Integrity by Design (ispe.org) when it talks about System Lifecycle considerations it refers specifically to ' a computerised system involved in the creation or first capture of data' and it clearly calls out the transparency associated with records ' store multiple or repeated readings with no overwriting and full audit trail on all values'

Also consider whether a computer or network system is a better solution to centrally manage data and records rather than lots of individual paper or electronic record silos from individual instruments.

Harmonisation and socialisation of terms will lead to better data integrity controls and record management outcomes. 

  • Ensure to Include in organisational glossaries and socialise an understanding of what constitutes an original record with examples.

  • Describe what is a static or dynamic record with examples within particular areas such as manufacturing, supply chain, calibration teams and the laboratory.

 For those unfamiliar with the term True Copy used earlier - A certified true copy can take the place of an original record if the organisation has a documented and/or validated electronic process to generate true copies. You can see our recent conversation on True Copies here: "true copies" | Search | LinkedIn

 
 
 
Dr Eva Kelly

Dr Eva Kelly

Eva holds a degree in Analytical Science and a PhD in Chemistry from Dublin City University, bringing over 25 years of experience in site solutions and learning management across various sectors, including pharmaceuticals, medical devices, and FMCG. She has specialized as a Data Integrity SME, with expertise in 21 CFR Part 11 and Annex 11 compliance, and has led Data Integrity and QA IT roles within pharma and biotech companies, focusing on GxP SAAS, hosted, and on-premise solutions. Eva is passionate about fostering a culture of Data Integrity (DI) excellence, working directly with clients to implement DI governance strategies that prioritize people, processes, and technology. Over the past decade, she has honed her skills in stakeholder presentations, quality risk management, and the implementation of systems such as SABA Cloud, EtQ Reliance, VEEVA Vault, and Axway Track and Trace, among others. With a deep understanding of DI's evolving role, Eva is dedicated to helping clients achieve thorough GxP record compliance and successful DI initiatives.

Comments

Related posts