Signed Delivery and Traceability— Part 10 ── An SOP for evidence-backed sign-off and audit readiness: recording who checked what, at which phase

01Why "correct" is not enough

From Part 1 through Part 9 we built a model that secures quality across three layers — regulatory compliance, scientific accuracy, and intent fulfillment, in that order — running through ten phases and four gates (A: concept/primary sources, B: regulatory map, C: QC, D: QA). This final part is about closing that whole process in a state that can later be reproduced and proven.

In outsourced production, disputes rarely turn on the error itself; they turn on the moment when you cannot explain why something was made the way it was. The client's review function asks "what is the basis for this claim," the vendor cannot answer on the spot, and the trail runs back through one person's memory. If that person has left, the trail is gone. Traceability is the mechanism that cuts this dependence on individuals and preserves judgment as an organizational asset.

02What signed delivery contains

Signed delivery attaches to the artifact a single sheet stating who guaranteed what. "Signature" here is not limited to a stamp — an approval action in the version-control system, or a delivery sheet naming the verifier, date, and scope, is enough. What matters is not the form but that the verifying party and the scope can be uniquely identified.

Separating the sign-off into three layers splits accountability by layer. You can record a state where compliance passed but a scientific citation still raises concern — and whose hold it is.

03Minimum version-control rules

Version control typically collapses when filenames accumulate dates plus "latest," "final," and "really final." This destroys the ordering of versions and makes it impossible to tell which one was delivered. At minimum, fix the following.

1. Number versions as major.minor. Raise the minor each time you submit to the client; raise the major for structural or messaging changes.
2. For the delivered version, record a file fingerprint (e.g., SHA-256) alongside the version number and copy it onto the delivery sheet. This catches the accident of same name, different content.
3. Give each version a status — drafting, in review, approved, delivered — and forbid overwriting once approved. Any fix opens a new version.
4. Attach a human-readable change list to each version. Beyond a tool diff, record in one or two lines what changed and why.

04The decision log — recording why it passed

The heart of traceability is not the record of a pass but the record of judgment. The judgments most likely to be questioned later are the gray-area calls you cleared as "this is fine." The decision log records not just the conclusion but the norm applied, the basis, and the decider.

Misattributed articles surface — and are prevented — through this log. Exaggerated advertising is Article 66; advertising before approval is Article 68; the duty-of-effort on information provision is Article 68-2. Design the log so that filling the "norm applied" column is where a misattribution gets caught. For the overall framework see Ad Regulation 01: Pharmaceutical Affairs Act, 03: Ad Standards, and 04: MSA Guidelines.

Gate B's regulatory-map design was covered in Part 3: The Regulatory Map. The decision log is the record of how each issue on that map was actually adjudicated on a specific artifact.

05A phase-by-phase traceability matrix

The traceability matrix shows on one sheet who checked what, at which phase. Rows are the four gates; columns are the verification view, the verifier, and where the record lives. Attach this single sheet at delivery and the auditor can verify the coverage of checks at a glance.

06Retention — period, form, retrievability

Records are not enough merely by existing; they must stay in a form you can pull when needed. The three elements of retention design are period, tamper resistance, and searchability.

• Period: Align with the client's internal standard (the JPMA Code, each company's GVP, or the record-retention requirements for information-provision activities). Where none is stated, set the contract to at least the end of the product's use plus several years.
• Tamper resistance: Keep the fingerprint of approved versions and forbid overwriting. Enable the version-control audit log (who changed what, when).
• Searchability: Fix naming rules and folder structure so you can search across product name, version number, and decision-log ID. "Half a day to find it" is not audit readiness.

Decide in the contract, up front, whether the client or the vendor holds the records. If the vendor holds them, settle the handover and disposal procedure at contract end as well.

07Responding to audits and inquiries

Turn into a standing procedure how you move when a regulatory inquiry, a client internal audit, or MSA-guideline monitoring asks for records. Built in a panic, the pieces lose consistency and invite suspicion.

1. Fix the scope: Confirm in writing the target product, version, period, and view. Do not over-broaden.
2. Identify the records: Locate the records for the relevant gate from the matrix; reconcile the actual file by version number and fingerprint.
3. Check consistency: Self-check that the delivery sheet, decision log, and version do not contradict each other. If they do, do not hide it — report with the context.
4. Submit and keep a copy: Record the copy submitted, the date, and the recipient (itself a record).

For MSA-guideline operation and concrete Q&A see 04: MSA Guidelines and 05: MSA Q&A; for the JPMA side see 06: JPMA Code and 07: JPMA Creation Guide.

08Rollout — retrofitting onto existing work

New engagements can be built to this model from the start, but for work already in flight a phased rollout is realistic. Trying to put everything in place at once stalls the floor.

1. Stage 1: Mandate only the delivery sheet (sign-off + version number + open items). At minimal cost, "who guaranteed it" is preserved.
2. Stage 2: Introduce the decision log only for jobs that had gray-area calls. Start from high-risk points, not every job.
3. Stage 3: Standardize version-control rules and file fingerprints. Fix naming rules across the firm.
4. Stage 4: Templatize the traceability matrix and build it into the Gate D delivery check.

Success turns less on the elegance of the forms than on whether a producer can fill them in five minutes. Heavy forms go unfilled and become dead letter. At first, even cut fields — but reach a state where they are filled every time. Returning to the quality philosophy of Part 1 (in preparation): records are kept not for the audit but for the next person who will build.