Академический Документы
Профессиональный Документы
Культура Документы
disabled. Concord Laboratories, 12 for example, would need to generate such a list as a
corrective action to the citation in the previous section.
5. Control changes to the system
Linked to the allocation of access privileges discussed earlier is the ability of a user to make
changes to methods, integration parameters and also baselines. U.S GMP. in 211.68(b)
requires that changes are only made by authorized individuals. However, when you share user
identities, as happened at Concord Laboratories, 12 unattributed changes to methods were
made as the laboratory could not identify individuals making changes to methods and, therefore,
determine if they had the appropriate combination of training, education and experience.
6. Only trained staff must operate the system
Under GMP, there is the requirement for all staff to have the combination of education, training
and experience to perform their job as stated in 211.25. This, you would think, would be a
classic no-brainer. However, some companies appear to have had a frontal lobotomy instead:
In one of the citations from the Able Laboratories 483 observation form 1 it notes failure to
provide adequate training to analytical chemists. Why was this important, you may ask? Here is
the reason: OOS results were substituted with passing results by Analysts and Supervisors.
The substitution of data was performed by cutting and pasting of chromatograms, substituting
vials, changing sample weights and changing processing methods.
So, it is an important part of a users training to ensure data integrity of the data generated and
that changes may only be made according to predefined procedures to prevent an accusation of
falsification or fraud.
7. Understand predicate rules for laboratory records
Under the U.S. GMP regulations for laboratory records, there is a specific statement in the
beginning of 211.194(a) that states: Laboratory records shall include complete data derived
from all tests necessary to assure compliance with established specifications and standards,
including examinations and assays, as follows. The key phrase in this is complete data i.e.
everything warts and all including the data you dont want your supervisor to see. This is the
key to establishing the integrity of data in a CDS. Why? Errors occur, mistakes happen,
chromatographs malfunction and columns fail to work. So, include everything.
Notable exceptions to this have been:
Able Labs 483 1 with the citation laboratory records do not include complete data derived from
all tests, examinations and assays necessary to assure compliance with established
specifications and standards.
Cambrex Profarmaco 17 where the citation reads: Your quality unit failed to maintain complete
laboratory control records for the analysis of your APIs (including graphs, charts, and spectra
from laboratory instrumentation derived from all tests conducted) to ensure compliance with
established specifications and standards.
Raw data (e.g., chromatograms, standard and sample weights, calculations, standards,
reagents, and instrument information) for the Albuterol Sulfate (June 2001) and Lorazepam
(June 2006) related substances, method validation were not available during the inspection. The
failure to have this data available during the inspection prevented the investigators from
confirming the authenticity and reliability of data submitted to support drug application.
I have included the Cambrex Profarmaco citation at length to illustrate how data integrity
problems in the laboratory can create problems for the business as a whole. The company has
applied for a license to sell a product, yet there is no data available from the CDS to support
statements in the submission to the agency lack of CDS data integrity can seriously damage
a companys wealth.
8. Define and document electronic records for the system
Since 2003, the Part 11 Scope and Application guidance 8 has recommended that companies
define the electronic records for their systems. However, on June 30, 2011, this also will be the
law in Europe for those working to GMP, as this is when the new version of Chapter 4 on
documentation becomes effective. The Principle states for Records: 10 For electronic records
regulated users should define which data are to be used as raw data. At least, all data on which
quality decisions are based should be defined as raw data.
There are two issues to look at here. First is the fact that EU GMP considers that documentation
includes a record that is the evidence of an activity; therefore, the data files created during an
analytical run are records. Second, when a CDS is used for batch release, the users must
define what the raw data are for the system. I have discussed this for a CDS in an earlier
publication. 18
However, Chapter 4 10 goes into greater scope and more detail in clause 4.1. (Note that only the
parts of this clause relevant to this discussion are presented here, and you should read the
whole clause to understand the whole picture.):
The requirements apply equally to all forms of document media types. Similar to the definition
of electronic record in 21 CFR Part 11, it does not matter that a media type has not been
invented: when it is and you use it, this regulation covers it. This is a broad-scope definition and
is not limited by any specific technology.
Many documents (instructions and/or records) may exist in hybrid forms, i.e. some elements as
electronic and others as paper based. It does not matter if a record is generated on paper,
exists as handwritten signatures following a printout of the electronic record (hybrid system) or
is maintained fully electronically, this regulation covers it.
Relationships and control measures for master documents, official copies, data handling and
records need to be stated for both hybrid and homogenous systems. This means that a
document that has been reviewed and approved, which defines relationships between the
records in the CDS and how they are controlled, including access by users, etcetera, is needed.
Appropriate controls should be in place to ensure the integrity of the record throughout the
retention period. We have to maintain the records and integrity of the data throughout the
record retention period.
Furthermore, in clause 4.10, 10 it states: It should be clearly defined which record is related to
each manufacturing activity and where this record is located. Secure controls must be in place
to ensure the integrity of the record throughout the retention period and validated where
appropriate. So, life has just gotten a lot more formal for a CDS. Laboratories must define the
raw data (records), if they have not already done so, and also state where the records are
located. Furthermore, the integrity of the records must be retained throughout the retention
period (reiterating 4.1 above) and, if electronic records are involved, validation will be involved in
any archiving or application software updates.
However, here is where the problem begins, from audits that I have conducted in many
laboratories over the years, there is still a problem of defining raw data in a CDS as anything
other than paper. Now, with the publication of the EU Chapter requirements, there is no room
for maneuver: CDS records are either hybrid or electronic. No discussion and no debate: the
argument of raw data as paper has just joined the dodo as extinct.
Now, if you think the FDA has been sleeping on the job, there is a little snippet from the
Administrations Web site19 that is available for all to see: The printed paper copy of the
chromatogram would not be considered a true copy of the entire electronic raw data used to
create that chromatogram, as required by 21 CFR 211.180(d). The printed chromatogram would
also not be considered an exact and complete copy of the electronic raw data used to create
the chromatogram, as required by 21 CFR 211.68. The chromatogram does not generally
include, for example, the injection sequence, instrument method, integration method, or the
audit trail, of which all were used to create the chromatogram or are associated with its validity.
Therefore, the printed chromatograms used in drug manufacturing and testing do not satisfy the
predicate rule requirements in 21 CFR Part 11. The electronic records created by the
computerized laboratory systems must be maintained under these requirements. I could not
write this better but I could make it more entertaining.
9. Review the audit trail entries for each batch
Part of the complete data for a CDS analytical run includes the audit trail, and there is the
requirement under US GMP 211.194(a)(8) for the initials or signature of a second person to
show that work has been done correctly and conforms to standards. This implies that the audit
trail should be checked. In contrast, in Europe under Annex 11, it will be the law to review the
audit trail for batch release from June 30, 2011.
The FDA has cited laboratories over the years for failure to review the audit trails of CDS
systems: Failure to review electronic data as part of batch release at Able Laboratories 1 Both
Concord Laboratories 12 and Ohm Laboratories 13 also were cited for failing to review audit trails
in their CDS systems e.g. Review of audit trails is not required.
The problem is that current CDS audit trails cannot demonstrate that a user has reviewed it
what a bummer!
10. Backup the system regularly
Part 11 requires record protection 15 and so does that new version of Annex 11. 9 The latter
goes further than Part 11 and its predicate rule in clause 7.2 Regular back-ups of all relevant
data should be done. Integrity and accuracy of backup data and the ability to restore the data
should be checked during validation and monitored periodically. So, interpreting this, backups
have to be done regularly. Typically, this will be daily. So, it will be the IT department doing this
task, not laboratory personnel. When the backup is performed, the backup logs must be
checked to see whether the backup worked or not and, if not, should be rescheduled to avoid
the loss of data. Moreover, backup needs to be validated, and periodic restores should be
performed to see that the tapes are still readable.
However, there is always somebody who is going to fail in a spectacular way, and our star in
this section is Ohm Laboratories: 13 Specifically, your firm does not have an adequate number
of personnel to ensure that your firms manufacturing operations are adequately conducted and
completed. For example, a. Your QCU personnel stated that no data back-up of the HPLC
Systems has been performed since May 26, 2009 due to insufficient time to perform such
activity. your quality unit personnel informed the investigators that the computer software was
upgraded and the raw data was lost during the software upgrade.
We have serious concerns about your firms implementation of changes to your computerized
systems (e.g., software upgrade). It is your responsibility to provide the means of ensuring data
protection (e.g., back-up system) for your computerized systems to prevent the permanent loss
of records. Please provide corrective actions to prevent similar recurrences.
The problem is that leaving the backups to laboratory personnel means that there is a great risk
that backups will not be performed regularly, will not be performed at all and probably will not be
verified to see if data can be recovered before a disaster happens. However, losing data during
the software upgrade is inexcusable and stupid.
The first thing anybody should do is backup the system securely, and this means verifying the
backup a check to read the data on the tape and verify it with the original data on the disk.
This takes time but is essential to check the quality of the backup. If you are worried still, take a
second backup using a tape from a different batch. Then, if there is a problem, you have a
second life line. However, the bottom line is that analysts should analyze samples, and the IT
department does the backups: right people for the right jobs. After all, you would not want the IT
department analyzing your samples would you?
Conclusions
To ensure the integrity of the data generated by a chromatography data system, we have
looked at 10 areas that, either by lack of control of the CDS or through new regulatory
requirements, are essential. Failure to have these controls and procedures in place will result in
compliance issues and also business problems that will adversely impact company
performance.
References
1. Able Laboratories 483 Inspectional Observations (July 2005)
2. R.D.McDowall, Quality Assurance Journal, 10 (2006) 15-20
3. Leiner Health Products Warning Letter (August 2007)
4. Xian Libang Pharmaceutical Company, Warning Letter (January 2010)
5. Review of Post-Inspection Responses, Federal Register, August 11, 2009, 74 (153) 40211
40212
6. R.D.McDowall, Spectroscopy, Focus on Quality, November 2009
7. FDA To Conduct Inspections Focusing on 21 CFR 11 (Part 11) requirements relating to
human drugs, http://www.fda.gov/AboutFDA/CentersOffices/CDER/ucm204012.htm, July 2010
8. FDA Guidance for Industry, Part 11 Scope and Application, 2003
9. EU GMP Annex 11 Computerised Systems:
http://ec.europa.eu/health/documents/eudralex/vol-4/index_en.htm
10. EU GMP Chapter 4 Documentation: http://ec.europa.eu/health/documents/eudralex/vol4/index_en.htm
11. R.D.McDowall, Spectroscopy, Focus on Quality, December 2010
12. Concord Laboratories Warning Letter (July 2006)
13 Ohm Laboratories, Warning Letter (December 2009)
14. Gaines Chemical Company 483 Inspectional Observations (December 1999)
15. 21 CFR 11, Electronic Records Electronic Signatures Final Rule, 1997
16. FDA Guidance for Industry, Computerized Systems in Clinical Investigations, 2007
17. Cambrex Profarmaco Warning Letter (August 2009)