2005-04-26

The Growing Scope of Records Management in the Pharmaceutical Industry

Here's an bylined article I worte that was submitted last week:

Records management is hardly new to the pharmaceutical industry. But what is new is the breadth of records that must now be kept, the increasing proportion of electronic records (especially e-mail), and the impact of additional, new regulations from beyond the life sciences sphere (e.g. Sarbanes-Oxley). These changes have in turn created awareness of records management in a larger audience within companies, but a number of recent survey have found considerable confusion and uncertainty about the subject. An overview of the subject may be of use at this time.

What is a record? Very simply, a record is the final output of a business, managerial or administrative transaction. It is important to emphasize the word ‘final’ as it places records management in the context of information lifecycle. Take for example a standard operating procedure (SOP); we understand that in creation a SOP would have gone through a typical lifecycle from initial authoring, review and amendment, approval and then release. The released SOP, which is the form that is actually used in the business to guide actions, is the final form and therefore the record. Earlier draft versions are not records, and indeed in many companies procedures are established to ensure that drafts are destroyed, along with any supporting information such a comments made during review.

In the case of electronic documents, the initial lifecycle would likely have been managed by an electronic document management system that tracked different versions, the status of those versions, managed a defined workflow and controlled user access at each stage. Typically though, most document management systems were initially designed to address the needs of document creation through to approval, release and distribution, but they do not provide tools to further manage final documents as records.

So what is records management and what tools do we need to support a good records management program? Records management is a process for the systematic management of all records and the information or data that they contain. A records management program provides for the regular review and controlled retention or destruction of records, and aims to ensure that records are kept as long as necessary and then destroyed as required or allowed by regulations and statutes. In the SOP example, if it is a manufacturing record under FDA oversight then it will need to be retained in accordance with 21 CFR Part 210-211, and if it is an electronic record it must also be managed according to 21 CFR Part 11.

When records management software programs were first created, they were typically electronic tracking systems that helped to manage paper records. They enabled managers to track where a record was – typically in a specific file, in a given box, on a shelf, in a specific storage facility. They also provided disposition management, notifying a manager when it was time review a given record for possible destruction.

As electronic records grew in prominence, records management software was extended to manage both physical as well as electronic records. However, it is not always easy to determine if a given record is electronic or paper. Since typewriters are now almost extinct, practically every paper document is created using a word processor and so exist in electronic form first, before being printed. If the document requires signing before it is in final form (and therefore a record) and if the signature is applied in ink form to paper, then it is a paper record. Very often though, a paper record with ink signature is scanned into an electronic system for long term maintenance, becoming purely electronic again. It is necessary with such ‘hybrid’ systems to clearly define which form is the ‘official’ record and to confirm that its retention management meets all regulatory requirements.

Hybrid paper/electronic system are always problematic, and indeed in the history of the FDA’s 21 CFR Part 11 regulations, there were a series of guidance documents intended to bring clarity to the issue of what constitutes an electronic record – but these were subsequently withdrawn as they were seen as too onerous.

It is inevitable that eventually purely electronic systems, with no paper intermediate or final forms, will come to dominate. For this to be achieved though, there must be no business processes that require a paper form of a record, which is more difficult than it might at first seem. For example, under 21 CFR Part 11, an electronic signature applied to a document in a closed system is basically a metadata record in the system’s audit trail of a signing event. However, if it is necessary to exchange a document with another company or regulator that cannot access the system where the signature information is kept, then the electronic signature cannot be confidently validated. This fact has contributed to a delay in wide adoption of electronic signatures. Advances in joint industry-regulator efforts to develop standards for digital signatures, such as SAFE, are enabling purely electronic records to be exchanged and validated beyond a given company’s system. The important distinction is that signature information is contained within the digitally-signed document and remains with it, rather than in the system that contained in when it was signed. However, even digital signatures depend on external systems for validation, which can create problems in maintaining the verifiability of signatures in records that must be maintained for decades.

On the technology side, we have also seen a convergence of document management and records management software – most records management vendors have been acquired by document management vendors and their products integrated into software platforms that are now more often described as enterprise content management systems (ECM). ECM systems are also incorporating archiving technologies such as computer output to laser disc (COLD) or microfiche (COM), document imaging and digital asset management (DAM) for complex images and videos. This means that the full lifecycle of electronic documents, other electronic files and resulting records can now be managed in one system, which can also manage legacy paper records.

Another benefit of emerging ECM systems is e-mail archiving. In the past e-mail was seldom considered to contain important corporate records, but this has changed significantly, both because of broadened regulatory controls as well as the changing ways in which e-mail systems are employed by company staff.

In its early days e-mail was a simple communication medium with limited text. Then it became possible to attach documents to e-mails, but usually this was just a way to exchange copies of official records. Now however, e-mail applications like Microsoft Outlook are tightly integrated with word-processing applications. As e-mail increasingly supports more phases of document lifecycle, it is quite possible that a an e-mail may contain an official record. For example, a fully reviewed document may be e-mailed to a manager for signing – the first instance of the signed document may then be in a return e-mail. Another example of an official record in e-mail form is a simple text e-mail, with no document attachment, from a manager or executive which is an authorization for a business action.

At the moment in most companies, document management and e-mail systems are only weakly coupled, so it is hard to find where an official record is. Staff often assume that a given record is in a document management system, but that is not always the case, or it may not be the official record, as we have seen. Strictly controlled procedures are generally used to address this issue, but technological approaches to identify identical documents in different repositories (e.g. document management and e-mail systems) are beginning to be deployed, and importantly, the capture of content from across different systems into a single archive, where records management can be applied, is now emerging in integrated ECM systems.

In records management systems records follow a simple lifecycle path. Records are identified as to type and state. When first tracked records are usually in a ‘current’ state – that is they are the latest, effective version of a record. At some point however, a review process will identify that a record should move to a non-current state, for example if a more recent version is created. Subsequently a second review will determine if a record is to be archived or destroyed. The review process is greatly simplified if criteria can be applied to identify the type of record, and if there are standard retention periods pre-assigned to each record type. Developing a list of all record types and the policies associated with them can be a daunting task.

Record retention periods can vary from a few months, to years or even decades, and the period is often defined by legislation or regulations. Financial records are typically required to be maintained for seven years, whereas pharmaceutical product records may have to be maintained for a period of years after the final sale of a drug which may be expected to be in the market for many decades. Since records may be required to be provided in support of activities such as legal proceedings, regulatory review or defense of intellectual property, records management systems allow ‘holds’ to be applied to records to override the normal advance of a record according to predefined lifecycle rules. Only when all holds have been removed can a record resume its normal lifecycle.

The breadth of reasons why records must be managed has increased dramatically. These include regulatory requirements for pharmaceutical products, patient privacy, health and safety, environmental protection, contractual regulations, corporate governance, data protection, defense of inventorship, patents, copyright, trademarks, etc. The range of file types that are considered records has also dramatically increased, but without doubt, the largest category is e-mail.

Pharmaceutical companies are finding they must apply a records management strategy to all of their e-mails. Traditionally companies had general policies whereby all e-mails were disposed of after a period such as 90 days, unless a staff member made a deliberate disposition decision. However, given the distribution list of many e-mails, in practice a significant portion e-mails were saved by at least one employee, often by copying them to their local computer, making a CD, floppy disk or USB stick copy, or even printing them out. Once opposing counsels in legal proceedings determined that there was a good chance that a copy of an e-mail still existed somewhere in a company, even after the defined destruction periods, they started to demand detailed searches, which of course are extremely expensive. Recently I was told by and IT staffer at a major pharmaceutical company that his company spent $10 million searching for and retrieving such e-mails in one case alone!

A few years ago companies were only concerned with backing up e-mails for disaster recovery. Then in a number of highly publicized cases it was discovered that backup tapes containing e-mails had been kept after the designated destruction period. Companies implemented procedures to destroy backup tapes, but now they are being required to recognize that a certain portion of e-mails are in fact corporate records that must be retained for defined, and often long, periods of time. Given the huge volume of e-mails, it is technically impractical to keep all e-mails. Therefore systems are being established which classify e-mails and automatically apply retention policies based on the record type. In other words records management is being applied to e-mail.

In summary, whereas records management was once a back office activity of limited visibility, it has moved up significantly on corporate agendas as companies struggle to comply with a broad range of regulatory, legislative and other requirements. Supporting technologies for records management and archiving are now integrated in an emerging class of enterprise content management applications in a manner that promises to enable the management of records in any format, wherever they are, and by whatever method they were exchanged. However, the shear volume of records, especially coming from e-mail exchange, promises to make comprehensive records management programs extremely challenging, and necessitate the application of risk-benefit analysis to optimize program efficiencies.

1 comment:

  1. I disagree with your definition of a records as the "final output". I believe that changes made along the way are a vital part of records management, at least for legal issues if nothing else.

    ReplyDelete