Regulatory Open Forum

An FDA investigator wants access to the company's electronic records. What should the official escort do?

Having been through a FDA audit in December, my advice would be to be as open as possible and helpful as possible.

You can also ask for advice on how the documents could be made better as well.

Lucy

An FDA investigator wants access to the company's electronic records. What should the official escort do?

An FDA investigator wants access to the company's electronic records. What should the official escort do?

Hi Nancy

This is a rather broad question.   Which records?

Audit trails on eQMS ERP document systems and lab equipment (e.g., HPLCs, etc.)?

Training records?

HR items?- nope; Financial revords, nope.

Inform legal counsel, closely supervise if legal counsel oks, note exactly which records with what time stamps, etc. He is looking at. Do not let them drive through the system and wander.

l you can break down which records, it would be more helpful.

Thanks!

------------------------------
Ginger Cantor, MBA, RAC
Founder/Principal Consultant
Centaur Consulting LLC
River Falls, Wisconsin 54022 USA
715-307-1850
centaurconsultingllc@gmail.com

Original Message:
Sent: 19-Mar-2024 18:47
From: Nancy Singer
Subject: When an FDA investigator asks for electronic records

An FDA investigator wants access to the company's electronic records. What should the official escort do?

------------------------------
Nancy Singer JD, FRAPS, RAC
President, Compliance-Alliance
Compliance-Alliance
Newport Coast CA
United States
------------------------------

An FDA investigator wants access to the company's electronic records. What should the official escort do?

In my most recent investigation (October 2023), the FDA investigator requested that documents and records he wanted to be reviewed be presented in electronic form. We refused and only gave him paper copies to review. Our procedures require us to stamp the copies as confidential, and while possible we were not prepared to convert request to a pdf that could be marked as so. FDA accepted the paper copies.

An FDA investigator wants access to the company's electronic records. What should the official escort do?

Bruce,

Thanks for sharing your experience. It is great to see what investigators in the field are doing these days.

In my most recent investigation (October 2023), the FDA investigator requested that documents and records he wanted to be reviewed be presented in electronic form. We refused and only gave him paper copies to review. Our procedures require us to stamp the copies as confidential, and while possible we were not prepared to convert request to a pdf that could be marked as so. FDA accepted the paper copies.

An FDA investigator wants access to the company's electronic records. What should the official escort do?

A great deal can be said about what the official escort should do if an FDA investigator (a.k.a., a law enforcement officer) wants access to a regulated firm's electronic records.  In a nutshell, the firm (whether the official escort or anyone else at the firm) needs to assure that the firm's response properly attends to three key areas:

a)    General observance of what I call "Good Response Practices" (GRP)
b)    Regulatory compliance regarding electronic records and signatures
c)    Cybersecurity

I give some corresponding overviews below.

Good Response Practices (GRP) is a deep, broad, multifaceted and crucial topic about which much can be said.  Indeed, my firm gives our clients a dedicated training for this when we are helping them get ready for an upcoming inspection. For brevity, I won't detail all the details of GRP here. But in summary, the essence of GRP revolves around 1) assuring that FDA's questions and records-requests are within the limits of the FD&C Act and the U.S. Constitution, along with FDA's own internal operating procedures (such as those prohibiting the FDA investigator from personally accessing electronic records except in certain situations), and 2) assuring that the firm's responses are truthful, accurate, succinct, cooperative, aligned with the firm's legal counsel, and protective of the firm's intellectual property.  Many specific tactics can be elaborated that must be employed to ensure these goals are met. More sophisticated firms often have a corresponding SOP(s) governing these activities, or else have an outside expert assist them during the FDA inspection.

Regarding regulatory compliance for electronic records and signatures, the firm must be in compliance with FDA's 21 CFR Part 11 (as reinterpreted by FDA's enforcement discretion) for any records requirements set forth in agency regulations and for any electronic records submitted to the agency under requirements of the FD&C Act and PHS Act.  Again, much can be said about this, and my firm gives entire trainings. But in summary, Part 11 is aimed at assuring proper integrity (e.g., trustworthiness, reliability, etc.) around electronic records and signatures so as to assure that the trustworthiness and reliability of the electronic record/signature is the same as a paper version.  Ultimately, the firm must properly navigate the Part 11 fundamentals when fielding FDA requests for electronic records.  And again, much can be said in this area.  For now, I'll just quickly mention my understanding that, for records which are in fact subject to Part 11, it may be deemed by FDA to be an illegal inspection refusal if the firm refuses FDA's electronic access to such electronic records.  Thus, I recommend corresponding caution when refusing to grant FDA electronic access.

Regarding cybersecurity, the firm should ask the FDA to explain how the agency will protect the firm's electronic records against cybersecurity threats once the electronic records are in FDA's hands.  FDA has internal operating procedures to protect itself and the firm against such threats.  It doesn't hurt to make the FDA investigator refresh everyone about those cybersecurity procedures, as the firm and FDA often work together to achieve the cybersecurity as the electronic records are prepared for transfer.

------------------------------
Kevin Randall, ASQ CQA, RAC (U.S., Europe, Canada)
Principal Consultant
Ridgway, CO
United States
© Copyright by ComplianceAcuity, Inc. All rights reserved.

Original Message:
Sent: 20-Mar-2024 17:13
From: Nancy Singer
Subject: When an FDA investigator asks for electronic records

Bruce,

Thanks for sharing your experience. It is great to see what investigators in the field are doing these days.

------------------------------
Nancy Singer JD, FRAPS, RAC
President, Compliance-Alliance
Compliance-Alliance
Newport Coast CA
United States

Original Message:
Sent: 20-Mar-2024 12:40
From: Bruce Platt
Subject: When an FDA investigator asks for electronic records

In my most recent investigation (October 2023), the FDA investigator requested that documents and records he wanted to be reviewed be presented in electronic form. We refused and only gave him paper copies to review. Our procedures require us to stamp the copies as confidential, and while possible we were not prepared to convert request to a pdf that could be marked as so. FDA accepted the paper copies.

------------------------------
Bruce Platt
Director Quality Assurance
Ocular Therapeutix, Inc.
Bedford MA
United States

Original Message:
Sent: 19-Mar-2024 18:47
From: Nancy Singer
Subject: When an FDA investigator asks for electronic records

An FDA investigator wants access to the company's electronic records. What should the official escort do?

------------------------------
Nancy Singer JD, FRAPS, RAC
President, Compliance-Alliance
Compliance-Alliance
Newport Coast CA
United States
------------------------------

An FDA investigator wants access to the company's electronic records. What should the official escort do?

------------------------------
Nancy Singer JD, FRAPS, RAC
President, Compliance-Alliance
Compliance-Alliance
Newport Coast CA
United States
------------------------------

We set up a folder in DropBox and invite the investigator to share that folder (only). That way we can review the documents before uploading to make sure it is the current version and record what was shared.

We have done this for several FDA inspections and also audits. We have never had a complaint. We have also done this in real time while the investigator or auditor is in on-site and they have always been impressed with our cooperation and the speed of our response.

------------------------------
John Minier, RAC
Consultant, Principal

Original Message:
Sent: 19-Mar-2024 18:47
From: Nancy Singer
Subject: When an FDA investigator asks for electronic records

An FDA investigator wants access to the company's electronic records. What should the official escort do?

------------------------------
Nancy Singer JD, FRAPS, RAC
President, Compliance-Alliance
Compliance-Alliance
Newport Coast CA
United States
------------------------------

John,

That is a great idea. Thanks for the suggestion.

We set up a folder in DropBox and invite the investigator to share that folder (only). That way we can review the documents before uploading to make sure it is the current version and record what was shared.

We have done this for several FDA inspections and also audits. We have never had a complaint. We have also done this in real time while the investigator or auditor is in on-site and they have always been impressed with our cooperation and the speed of our response.

------------------------------
John Minier, RAC
Consultant, Principal

Original Message:
Sent: 19-Mar-2024 18:47
From: Nancy Singer
Subject: When an FDA investigator asks for electronic records

An FDA investigator wants access to the company's electronic records. What should the official escort do?

------------------------------
Nancy Singer JD, FRAPS, RAC
President, Compliance-Alliance
Compliance-Alliance
Newport Coast CA
United States
------------------------------

For the sake of FDA document security the investigator could not download the documents, but he could read them while off-site. Any documents he wanted to keep, we gave him on his flash drive. Kind of odd since I was downloading them from the DropBox folder to the flash drive. Anyway, it worked for him.

John,

That is a great idea. Thanks for the suggestion.

We set up a folder in DropBox and invite the investigator to share that folder (only). That way we can review the documents before uploading to make sure it is the current version and record what was shared.

We have done this for several FDA inspections and also audits. We have never had a complaint. We have also done this in real time while the investigator or auditor is in on-site and they have always been impressed with our cooperation and the speed of our response.

------------------------------
John Minier, RAC
Consultant, Principal

Original Message:
Sent: 19-Mar-2024 18:47
From: Nancy Singer
Subject: When an FDA investigator asks for electronic records

An FDA investigator wants access to the company's electronic records. What should the official escort do?

------------------------------
Nancy Singer JD, FRAPS, RAC
President, Compliance-Alliance
Compliance-Alliance
Newport Coast CA
United States
------------------------------