data integrity ii - chromatography data system (cds) in pharma

Chromatography Data System (CDS)

[email protected]

- Introduction

- Functions of CDS

- Validation of CDS

- Regulatory requirements

- Procedures required

- Areas for ensuring CDS Data Integrity

- Previous observations

- FDA Warning Letters – 2013

- FDA Warning Letters – 2014

- FDA 483’s related to CDS

- EU – Non compliance Reports

- WHO - Notice of Concern

- How to avoid observations ?

- Conclusion

[email protected]

Introduction

Chromatography data systems have been in laboratories for many years in many forms:

• integrator

• single PC

• central data system

• client/ server or networked system.

Functions of CDS

In outline the process used by most CDS consists of all or most of

the points below:

• Set up the method and analytical run information.

• Instrument control

• Acquire data from each injection, together with injection number

from the auto-sampler and any chromatographic conditions.

• Process the acquired data first into peak areas or heights and

then into analyte amounts or concentrations.

• Store the resultant data files and other information acquired

during the run for reanalysis.

• Interface with other data or information systems for import of

data relating to CDS set-up or export of data for further

processing or collation of results.

Validation Package Documentation

Document Name Outline Function in Validation

Validation plan • Documents the intent of the validation effort throughout the whole life cycle

• Defines documentation for validation package

• Defines roles and responsibilities of parties involved

Project plan • Outlines all tasks in the project

• Allocates responsibilities for tasks to individuals or functional units

• Several versions as progress is updated

User requirements

specification (URS)

• Defines the functions that the CDS will undertake

• Defines the scope, boundary and interfaces of the system

• Defines the scope of tests for system evaluation and qualification

System selection report • Outlines the systems evaluated either on paper or in-house

• Summarizes experience of evaluation testing

• Outlines criteria for selecting chosen system

Vendor audit report and

vendor quality certificates

• Defines the quality of the software from vendor’s perspective (certificates)

• Confirms that quality procedures match practice (audit report)

• Confirms overall quality of the system before purchase



Purchase order • From vendor quotation selects software and peripherals to be ordered

• Delivery note used to confirm actual delivery against purchase order

• Defines the initial configuration items of the CDS

Installation qualification (IQ) • Installation of the components of the system by the vendor

• Testing of individual components

• Documentation of the work performed

Operational qualification

(OQ)

• Testing of the installed system

• Use of a vendor’s protocol or test scripts

• Documentation of the work performed

Performance qualification

(PQ) test plan

• Defines user testing on the system against the URS functions

• Highlights features to test and those not to test

• Outlines the assumptions, exclusions and limitations of approach

PQ test scripts • Test script written to cover key functions defined in test plan

• Scripts used to collect evidence and observations as testing is performed



Written procedures • Procedures defined for users and system administrators

• Procedures written for IT related functions

• Practice must match the procedure

User training material • Initial material used to train super users and all users available

• Refresher or advanced training documented

• Training records updated accordingly

Validation summary report • Summarizes the whole life cycle of the CDS

• Discusses any deviations from validation plan and quality issues found

• Management authorization to use the system

[email protected] requirements

Regulations

Main Clauses from EU Annex 11 Applicable for Maintaining the Validation Status of an Operational CDS.

• validation covers the whole lifecycle (11.2)

• environmental conditions must be within specifications (11.3)

• system description (11.4)

• access control and user account management (11.8)

• audit trails for data quality (11.10)

• change control procedures (11.11)

• data back-up quality and security (11.13)

• data back-up (11.14)

• alternative ways of working (11.15)

• procedures for breakdown (11.16)

• problem identification and resolution (11.17).

US FDA Regulatory Requirements for Data Integrity

Reference: http://www.fda.gov/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/ucm124787.htm

US FDA Regulatory Requirements for Data Integrity

http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=11

FDA Regulatory Requirements for Computer Systems


FDA Regulatory Requirements for Data Integrity


MHRA Regulatory Requirements for Data Integrity

[email protected] required

Procedures required for computer systems

• Description of responsibilities: the roles and responsibilities of staff supporting the

computer system are defined.

• System description of hardware and change-control procedures: describes how the

hardware components will be maintained (equivalent to the hardware configuration log)

with the procedure to be adopted when the system configuration is changed.

• Preventative maintenance: describes the procedures for preventative maintenance of the

hardware components.

• Prevention, detection and correction of errors: the measures and procedures for finding,

recording and resolving errors in the system. This can be a complex SOP covering many

different aspects of the system and may refer to sections of the technical manuals

provided with the system. This SOP includes good housekeeping such as disk

defragmentation or monitoring the space available on all disks.


• System boot and shutdown: this is a special SOP that should contain all the specific

instructions for starting up and shutting down the system. This SOP may be required in an

emergency and, therefore, should be well written and be easily available for use.

• Control of environmental conditions: For systems that require a controlled environment,

an SOP should define the acceptable ranges of temperature, humidity and power supply.

Other environmental considerations may be what to do in the situation of electrostatic

discharges, power surges, fire, lightning strikes or the use and maintenance of an

uninterruptable power supply (UPS).

• Contingency plans and emergency operation: this is a disaster-recovery plan and uses

alternative plans until the computer system has been recovered. It is important that any

disaster recovery plan is tested and verified before any disaster occurs.

• Back-up and restore of data: describes the procedures for back-up of data and software

programs and how to restore data to disk.


• Security: the logical (software) and physical security of the system is covered with the

procedures for setting up and maintaining security.

• Installation and update of software: procedures to be undertaken before, during and after

installing software. This should start with the complete back-up of all disks and then

installation of the software and any testing and validation that may be required.

• Development and update of system software procedures: software can be written to

control the system or help execute functions. This SOP outlines the procedures for the

creation, documentation and modification of these procedures.

• Password policy

• Peak Integration procedure

Comparison of FDA and EU Regulations for Audit Trails

The audit trail regulatory requirements from 21

CFR 11 and EU GMP Annex 11 are compared and

contrasted.

In general, the two requirements are similar, but

interpretation is required, as some requirements

are present either in the underlying predicate rule

(for 21 CFR 11) or in other locations (for EU

GMP). It is important when interpreting a specific

section of a regulation to remember that other

parts of the regulations may modify or interact with

it.

The problem is that audit trails in commercial

applications fail to document the second person

review adequately and should highlight when

changes have been made to records.

Areas for ensuring CDS Data Integrity

1. Identify each user uniquely

2. Implement adequate password controls

3. Establish different user roles / access privileges

4. Establish and maintain a list of current and historical users

5. Control changes to the system

6. Use only trained staff to operate the system

7. Understand predicate rules for laboratory records

8. Define and document e-records for the system

9. Review the audit trails for each batch set

10. Back the system up regularly

[email protected] observations

[email protected] Letters - 2013

Failure to maintain laboratory control records with complete data derived from alltests conducted to ensure compliance with established specifications andstandards, including examinations and assays..

a. The inspection documented that HPLC processing methods (including integration

parameters) and re-integrations are executed without a pre-defined, scientifically valid

procedure.

Your analytical methods are not locked to ensure that the same integration parameters are

used on each analysis.

A QC operator interviewed during the inspection stated that integrations are performed and

re-performed until the chromatographic peaks are “good”, but was unable to provide an

explanation for the manner in which integration is performed.

Moreover, your firm does not have a procedure for the saving of processing methods used

for integration.

Reference : WL: 320-13-22 / Aarti Drugs Limited 7/30/13


c. During the review of the chromatography data, our investigator noticed that the raw data

retained does not include the run sequence or the processing method used to perform the

peak integrations.

Your QC personnel perform peak integrations based on analysts’ experience rather than by

an approved procedure.

Moreover, the chromatography raw data does not include the processing method used to

produce the final analytical results; therefore, during the review of the analytical data, it

would not be possible to detect any modification to the processing method.

Your firm’s response mentions that the QC operations are now under “direct control of

administrator”, but it does not define the roles and responsibilities of the administrator to

ensure the integrity and reliability of all QC laboratory data.



d. The audit trail function for the chromatographic systems was disabled at the time of the

inspection; therefore, there is no record for the acquisition of data or modifications to

laboratory data.

Your response to this deficiency did not discuss how you will ensure that data audit trails

will not be disrupted in the future.


Failure to implement access controls and audit trails for laboratorycomputer systems.

Your firm failed to have adequate procedures for the use of computerized systems used inthe QC laboratory.

At the time of the inspections, your QC laboratory personnel shared the same usernameand password for the operating systems and analytical software on each workstation in theQC laboratory.

In addition, no computer lock mechanism had been configured to prevent unauthorizedaccess to the operating system.

The investigator noticed that the current QC computer users are able to delete dataacquired.

In addition, the investigator found that there is no audit trail or trace in the operating systemto document deletions.


Your firm failed to exercise appropriate controls over computer or related systems to assure that onlyauthorized personnel institute changes in master production and control records, or other records (21CFR 211.68(b)).

Your firm’s (b)(4) “Jasco LC-Net II” HPLC instruments do not have restrictions in place to

prevent any change or deletion of analytical raw data.

Additionally, there is no audit trail in place to determine any previous deletion of raw data.

Reference : WL: 320-13-26 / Agila Specialties Private Limited 9/9/13

Your laboratory control records do not include data derived from all of the tests necessary to establishcompliance with standards.

For example, the inspection found multiple raw data chromatograms in digital files labeled “test” and“demo,” that were injected prior to the sample injections that were used to conclude that batches were inconformance with the specification. They were:

a. A “demo” chromatogram injected 3/6/12 and the official organic impurities injection on 4/6/12for (b)(4)batch (b)(4).

b. A “demo” chromatogram injected 3/6/12 and the official organic impurities injection on 4/6/12for (b)(4)batch (b)(4).

c. A “test” chromatogram injected 12/9/08 and the official related substances injection on 12/10/08for (b)(4)batch (b)(4).

d. Two “test” chromatograms injected 12/4/08 and the official related substances injections on 12/5/08for(b)(4) batch (b)(4).

e. Five “trial” chromatograms injected 7/5/11 between the official related substances injections whichoccurred both before and after the “trial” injections for batch (b)(4) of (b)(4). The final injections weremade on 12/6/11 for this batch.

Reference : WL: 320-13-20 / Fresenius Kabi Oncology Ltd 7/1/13

Failure to protect computerized data from unauthorized access or changes.

Our inspection found that there were no restrictions to access the laboratory data residing on

the workstations attached to your standalone instrumentation: (b)(4) High Pressure Liquid

Chromatographs (HPLCs), the Fourier Transform Infrared Spectrophotometer (FTIR), the

gas chromatograph (GC) and the drives and portable media used as back-ups.

There was no protection of the data from alteration and deletion and no audit trails to detect if

such alteration or deletion had occurred.

Reference : WL: 320-13-23 / Posh Chemicals Private Limited 8/2/13

Your firm failed to ensure that laboratory records included complete data derived fromall tests necessary to assure compliance with established specifications andstandards (21 CFR 211.194(a)).

• For example, your firm did not retain any raw data related to sample weights and sample

solution preparations for the HPLC assays of (b)(4) tablet batches (b)(4) and (b)(4) that

you conducted on July 18, 2012.

• In addition, you did not include those results in the calculation of the final assay

values. Instead, you repeated the analysis the next day using a new set of sample

solutions, and reported the retest results on the certificates of analysis (COAs). Other

examples were also noted during the inspection.

Reference : WL: 320-13-17 / RPG Life Sciences Limited 5/28/13

Your firm failed to establish and exercise adequate controls over computers to prevent unauthorizedaccess or changes to electronic data.

• For example, the computers that control your analytical laboratory instruments, including

an HPLC, (b)(4) GCs, and an FTIR, lacked control mechanisms to prevent unauthorized

access to, changes to, or omission of data files.

a. Your analysis of (b)(4) USP batch (b)(4) exceeded the (b)(4) residual solvent limit on

February 29, 2012. Your firm did not report or investigate this OOS result, and deleted the

related electronic records. During our inspection, your analyst admitted that he also deleted

other uninvestigated failing and/or OOS electronic data from the laboratory database in

January 2013 prior to our inspection. Your QC Senior Manager also acknowledged this

laboratory-wide electronic data deletion practice.

b. During our inspection, your analysts demonstrated to our investigators that they could

delete any electronic analytical data files from the laboratory computers and external

backup hard drives.

Reference : WL: 320-13-17 / RPG Life Sciences Limited 5/28/13

Your firm failed to ensure that laboratory records included complete data derived from all testsnecessary to assure compliance with established specifications and standards (21 CFR 211.194(a)).

• For example, your firm’s laboratory records failed to include complete records of all stability testingperformed. The FDA investigators identified the practice of performing "trial" sample analysis forHigh Performance Liquid Chromatography (HPLC) analyses prior to collecting the “official” analyticaldata for stability testing. These “trials” were performed on multiple products,including (b)(4) Tablets (b)(4)mg, (b)(4)mg/(b)(4)ml, and (b)(4)Tablets. These trial runs were notrecorded in the equipment use log, and sample preparation data associated with these analyseswas destroyed, preventing any calculation or analysis of the resulting data. Your response statesthat trial runs were conducted using only one of the (b)(4) HPLC instruments located in the stabilitylaboratory, which happened to be the one instrument that the FDA investigators reviewed during theinspection. Your response indicates that you have revised procedures and re-trained your staff.

• Additionally, your quality control HPLC raw data files can be deleted from the hard drive using thecommon PC login used by all (b)(4) analysts. This deletion eliminates all records of sampleinjections and analyses. Your response indicates that this deletion function is only available on thesoftware used for one of (b)(4) sets of HPLC instruments. You also indicated that you have changedthe access control privileges such that laboratory analysts in a “user” role cannot delete or renamefiles.

Reference : WL: 320-13-21 / Wockhardt Limited 7/18/13

Your firm failed to record and justify any deviations from required laboratory control mechanisms (21CFR 211.160(a)).

The FDA investigators identified a memo dated March 12, 2013 (a week before the inspection),

documenting a computer “crash” that occurred on the central back-up and controller PC

for (b)(4) HPLC instruments. The memo describes the loss of instrument activity logs (audit

trails). Our investigators found that several of the HPLCs had the audit trail functions disabled;

therefore, there is no assurance that the data generated using these HPLCs is accurate.

Your response indicates that your firm performed an assessment of the historical HPLC

chromatograms (raw data) generated on each individual HPLC unit prior to March 12, 2013 and

verified it against previously printed chromatograms. Based on this analysis, your firm claimed that

you had confirmed that the backup data is available for each of the analyses and no analytical data

has been lost due to the computer crash. However, your firm failed to provide a risk assessment for

the products tested using the HPLC instruments that had the audit trail functions disabled. This is

especially noteworthy given the fact that prior to the inspection, at least one QC officer had the

ability to delete data on the affected system.



• For example, our investigators identified your practice of performing “trial” sample analysis for highperformance liquid chromatography (HPLC) analyses prior to acquiring the “official” analytical data forrelease and stability testing.

• The FDA investigators observed your practice of performing “trial” injections for HPLC analyses used totest content uniformity, assay, and dissolution for release and stability for at least (b)(4) different products.

• The investigator observed that for finished product (b)(4) Tablets (b)(4) mg, batches (b)(4), your firmperformed “trial” injections. The inspection documented that an HPLC run had an injection sequencenamed as (b)(4) assay,(b)(4) assay (b)(4), and (b)(4) assay (b)(4) attributed to the “trial” injections. Ourinvestigators noticed that the injection sequence names used the (b)(4) digits of the previouslyreferenced batch numbers. During the inspection, your firm’s management was unable to determinewhether the “trial” injections were performed using standard solutions or actual batch samples. Based onthe HPLC data, these “trial” injections occurred on 5/7/13. Later that same day, it appears that the“official” sample analyses were performed for batches (b)(4). The assigned names for the sequenceinjections creates the perception that your QC operator named the vials using the (b)(4)digits of the batchnumbers to link the “trial” injections for the batches with the official assay analyses. We are concernedbecause our investigator noticed that the “trial” injection data related to batch (b)(4) rendered an out-of-specification (OOS) result for the (b)(4) and (b)(4) assays. Therefore, it appears that the batch (b)(4) didnot pass the “trial” analysis but met specifications when the “official” sample was tested shortly thereafter.



• In addition, our investigator discovered that some of the “trial” injection data was not kept

on the HPLC hard drives because your firm deleted it. Your firm’s management confirmed

that the files were deleted as part of an internal audit.

• Our investigators found similar instances of the use of “trial” injections stored in default

folders on the HPLC hard drive for at least four drug products. The inspections

documented that both sites have SOPs that allow the use of “trial” injections. For example,

SOP QA/GLP/08 “HPLC Analysis” mentions that standard and sample injections are

allowed to ensure system equilibration before the system suitability runs are

performed. Neither the International Conference on Harmonisation of Technical

Requirements for Registration of Pharmaceuticals for Human Use (ICH) document Q2R,

“Validation of Analytical Procedure: Text and Methodology,” nor the United States

Pharmacopoeia General Chapter <1058> , “Analytical Instrument Qualification,” includes

instructions for performing “trial” injections for a method that is validated.


Your firm failed to exercise appropriate controls over computer or related systems to assure that onlyauthorized personnel institute changes in master production and control records, or other records (21CFR 211.68(b)).

• The inspection documented that all of your QC laboratory computerized instruments ((b)(4) HPLCs)were found to be stand-alone, and laboratory personnel demonstrated that they can deleteelectronic raw data files from the local hard drive. Your firm deleted multiple HPLC data filesacquired in 2013 allegedly to clear up hard drive space without creating back-ups. Your QCmanagement confirmed that there is no audit trail or other traceability in the operating system todocument the deletion activity. Furthermore, your analysts do not have unique user names andpasswords for the computer and laboratory information systems; your QC analysts use a singleshared user identifier and password to access and manipulate multiple stand-alone systems.

• The (b)(4) HPLC systems in operation at the Waluj facility are also stand-alone, and during ourinspection, an employee demonstrated to the investigator that data can be deleted through the localhard drive of the data acquisition system. As with the Chikalthana facility, all Waluj facility employeesuse a shared password to access the operating system. During the inspection, your firm’smanagement informed our investigator that (b)(4) back-ups of data are performed. However, we areconcerned that your system and procedures permit deletion of HPLC files and that (b)(4) backed updata may not represent all the original data generated.


[email protected] Letters - 2014

Your firm frequently performs “unofficial testing” of samples, disregards the results, and reports resultsfrom additional tests. For example, during stability testing, your firm tested a batch sample six timesand subsequently deleted this data

• Our investigators found your practice of performing initial “trial” sample high performance liquid

chromatography (HPLC) analyses prior to acquiring the “official” analyses. The “trial” sample results

were subsequently discarded. “Trial” HPLC analyses for (b)(4) USP ((b)(4)) were apparently run as

part of the 12-month long-term stability studies on batch #(b)(4) for related substances.

• The inspection revealed that on August 26, 2011, your employee ran an HPLC analysis sequence

with the sample names (b)(4) and subsequently deleted the raw data files. It was noted that the

assigned names for the sequence injections indicates that your quality control staff named the

samples using the last three digits of the batch numbers to link the "trial" injections for the batches

with the official assay analyses.

• Your Senior Quality Control (QC) Officer confirmed that these were analyses of batch

samples. Furthermore, we found that on August 27, 2011, this batch was analyzed for unknown

impurities and the results were reported to be within specifications. However, the chromatographic

data showed that the "trial" injection data for this batch failed the unknown impurities specification

of (b)(4)% in multiple cases.

Reference : WL: 320-14-08 / Sun Pharmaceutical Industries Limited - Karkhadi 5/7/14

Your firm frequently performs “unofficial testing” of samples, disregards the results, and reports resultsfrom additional tests. For example, during stability testing, your firm tested a batch sample six timesand subsequently deleted this data

• Similar unacceptable data handling practices were observed in your laboratory’s conduct of gas

chromatography (GC) analyses. The FDA investigators reviewed what appear to be data from

“unofficial” injections for GC analyses for recovered (b)(4) raw material batch #(b)(4). On February

11, 2012, your analyst performed testing on recovered (b)(4) raw material batch #(b)(4) and the

sample was within specifications. The following day, February 12, 2012, your analyst ran a GC

analysis sequence with the sample names (b)(4) and subsequently deleted the raw data files. Your

staff performed calculations during the inspection, at our request, that showed that these samples

did not meet the (b)(4) impurity specification for this material. Therefore, it appears that out-of-

specification data for batch #(b)(4) was considered to be “unofficial,” while passing data were

reported as the "official" results for the batch.

• In addition, the inspection revealed numerous examples of deleted GC electronic raw data files on

the computer controlling the GC instruments that were replaced with identical “official”

chromatogram file names. The identically named GC data files that were deleted had been created

at different times and contained disparate data. Also, it appeared that data was not consistently

archived to the central server.

Reference : WL: 320-14-08 / Sun Pharmaceutical Industries Limited - Karkhadi 5/7/14

Failure to maintain complete data derived from all testing and to ensure compliance with establishedspecifications and standards pertaining to data retention and management.

• Your firm did not retain complete raw data from testing performed to ensure the quality of your

APIs. Specifically, your firm deleted all electronic raw data supporting your high performance liquid

chromatography (HPLC) testing of all API products released to the U.S. market.

• In addition, your firm failed to retain basic chromatographic information such as injection sequence,

instrument method or integration method for the tests. Your firm’s lack of data control causes us to

question the reliability of your data.

• In addition, your laboratory management was unaware of, and therefore did not follow, the written

procedure detailing the review of analytical data.

• Furthermore, your management confirmed that the review of analytical data did not include

evaluating the system suitability parameters to ensure proper column performance.

Reference : WL: 320-14-10 / Trifarma S.p.A. 7/7/14

Failure to prevent unauthorized access or changes to data and to provide adequate controls to preventomission of data

• Your firm did not have proper controls in place to prevent the unauthorized manipulation of your

laboratory’s raw electronic data.

• Specifically, your laboratory systems did not have access controls to prevent deletion or alteration of

raw data.

• The inspection noted that all laboratory employees were granted full privileges to the computer

systems.

• In addition, prior to January 7, 2014, HPLC and gas chromatograph (GC) computer software lacked

active audit trail functions to record changes to data, including information on original results, the

identity of the person making the change, and the date of the change.

Reference : WL: 320-14-10 / Trifarma S.p.A. 7/7/14

Failure to manage laboratory systems with sufficient controls to ensure conformance to establishedspecifications and prevent omission of data.

• Our inspection revealed serious deficiencies related to your documentation practices, including

missing raw data. It is a basic responsibility of your quality unit to ensure that your firm retains the

supporting raw data that demonstrates your APIs meet specifications that they are purported to

possess.

• For example, during the inspection, our investigator found a chromatogram related to (b)(4), API in

the trash, dated October 15, 2013, which reported an additional chromatographic peak when

compared to the standard. During the inspection, your firm stated that the analyst discarded the

chromatogram because it was present in the blank injection. However, the analyst was unable to

retrieve the blank chromatogram from the system because it was overwritten by a subsequent

injection.

Reference : WL: 320-15-04 / Novacyl Wuxi Pharmaceutical Co., Ltd. 12/19/14

Failure to manage laboratory systems with sufficient controls to ensure conformance to establishedspecifications and prevent omission of data.

• In addition, the inspection documented that your firm made changes to integration parameters for the impurities

test without appropriate documentation or justification. Your firm relied upon hand written notes on a

chromatogram discovered in a drawer at the laboratory as the documentation for this change. Furthermore,

your firm implemented this change without an audit trail that would have captured the date of the change and

who made the change.

Other significant deficiencies noted in your laboratory system include:

a) Failure to have a written procedure for manual integration despite its prevalence.

b) Failure to use separate passwords for each analyst’s access to the laboratory systems.

c) Use of uncontrolled worksheets for raw analytical data in your laboratory.

d) Presence of many uncontrolled chromatograms, spreadsheets and notes of unknown origin found in a

drawer.

• The lack of controls on method performance and inadequate controls on the integrity of the data collected raise

questions as to the authenticity and reliability of your data and the quality of the APIs you produce.

Reference : WL: 320-15-04 / Novacyl Wuxi Pharmaceutical Co., Ltd. 12/19/14

[email protected]’s related to CDS

483’s Related to CDS

Reference : Ranbaxy Laboratories Limited – Toansa – Jan-2014

[email protected] – Non compliance Reports

EU Non Compliance Reports

Firm Name Observation

Zhejiang Apeloa Kangyu

Bio-Pharmaceutical Co.

Ltd., China; Nov 2014

• The company failed to establish a procedure to identify and validate GMP-relevant

computerized systems in general.

• HPLC chromatograms had been copied from previous batches and renamed with

different batch and file names.

• Several electronically stored HPLC runs had not been entered into the equipment

log books. The nature of these data could not finally been clarified.

• Neither the individual workstation nor the central server had been adequately

protected against uncontrolled deletion or change of data.

• The transfer of data between workstations and server showed to be incomplete.

• No audit trail and no consistency checks had been implemented to prevent misuse

of data.



Zeta Analytical Ltd, UK;

Jan 2014• It could not be confirmed who had conducted the testing or when because of

discrepancies in the raw data; consequently staff competence could not be

confirmed.

• Raw data were not being recorded contemporaneously nor by the performing

analyst.

• Failed HPLC injections of QC standards in place to demonstrate the correct

operation of the HPLC were deleted, repeated many hours after the original

analysis and re-inserted into the analytical sequence without explanation

invalidating the batch data. The company provided commitments to address the

data traceability concerns.



Wockhardt Limited, Nani

Daman, India Oct 2014• Issues were identified which compromised the integrity of analytical data produced

by the QC department. Evidence was seen of data falsification.

• A significant number of product stability data results reported in the Product Quality

Reviews had been fabricated. Neither hard copy nor electronic records were

available.

• In addition issues were seen with HPLC electronic data indicating un-authorised

manipulation of data and incidents of unreported trial runs prior to reported

analytical runs.

[email protected] – Notice of Concern

WHO – NOC : Microlabs, Hosur

Summary of observations

[email protected] to avoid observations ?

Data Integrity – Rebuilding Trust

• Know the Regulations & Intensity of Data integrity related to CDS

• Perform a GAP Analysis

• Determine the scope of the problem / Detect the integrity related to CDS

• Implement a corrective action plan (global) & Prevent the Integrity related to CDS

• Remove individuals responsible for problems from CGMP positions

• Complete a satisfactory inspection

GAP Analysis

• Perform GAP analysis by

brainstorming with cross

functional team to identify and

prevent the issues related to

CDS.

Review System

Identify gap

Change control process

Develop, Training & implement

ion

Implications

Recommendations

Summary of Data Integrity issues

• HPLC integration parameters were changed and re-run until passing

results were obtained

• Audit trail function was disabled.

• Unofficial testing of samples with file names like test, trial, or demo

• There are no controls to prohibit unauthorized changes to electronic

data / inadequate access controls.

• Files were saved on personal computers instead of a network

• Sharing passwords / unauthorized access.

• Lack of security on electronic data systems.

• Failure to maintain back-up of electronic data.

Ele

ctr

on

ic D

ata

Detecting & Preventing CDS issues

• CDS should not be file based (easy to delete data), it should be with

an integrated database.

• Don’t use standalone workstations (easy to change date), use only

networked systems.

• Don’t use local workstation, acquire data on networked server.

• Restrict access to networked server except via CDS application.

• Follow the backup and recovery process.

• CDS application should be configured with full audit trails, Electronic

signatures, user types with access privileges.

• Document the complete software configuration.

Co

nfi

gu

rati

on

of

CD

S


• Define a clear policy / procedure on various activities (e.g.

Password policy, Project creation & back-up)

• Have clear procedure and controls over the electronic data /

software administration.

• Cross check Privileges Vs. Job responsibilities.

• Check the adequacy of the procedures.

Po

licie

s &

Pro

ced

ure

s


• Strategic planning

• Determine the level of compliance that we are seeking

• Identify the weaknesses and strengths in our computerizedsystems

• Conduct an inventory of the systems

• Determine if the system must comply with Part 11

• Conduct the assessment using a checklist or spreadsheet

• Provide documented justification if certain system are exemptfrom Part 11

• Implement and execute a remediation plan

• Conduct the required follow-up as warranted.

Part

11 G

AP

Assessm

en

t


• Equilibrate chromatographic systems before they are ready for analysis.

• The time taken for equilibration shall be established during the method

development/validation/verification/transfer work performed in the laboratory and

this should be documented in the analytical procedure.

• Train the users and Follow good chromatographic practices and good start-up

procedures. Refer : http://www.slideshare.net/skvemula/good-chromatographic-

practices

• Follow proper change over procedures for mobile phase and modes (Normal

phase & Reverse phase).

• Inject the sample only after the system suitability criteria is met.

• Upon completion of the analysis, document the number of system evaluation

injections as part of the analytical report for the run.

Tri

al In

jecti

on

s

http://www.slideshare.net/skvemula/good-chromatographic-practices












• Roles provide administrators with straight forward method for managing userprivileges.

• Administrator can define roles based on job responsibilities.

• User types / groups should be defined based on the structure of the laboratory.

• Have independent User ids for the computer systems and CDS.

• Users should not have privilege to delete / modify / overwrite the data.

• Audit trails for access (System audit trails) shall be checked frequently.

• Data security shall be maintained.

Access C

on

tro

ls

HPLC - Peak Integration for Chromatography

Have a defined procedure on peak integration.

The presentation on “Peak Integration for Chromatography” is accessible form

the link : http://www.slideshare.net/skvemula/hplc-peak-integration-for-

chromatography-38032765

Contents:

- Introduction - Definitions

- How Peaks appear

- ApexTrack Integration

- Timed Events

- Peak Integration Events

- Peak Labels

- Manual Integration

- Warning letter Citations

http://www.slideshare.net/skvemula/hplc-peak-integration-for-chromatography-38032765











[email protected]

Conclusion

• A structured and systematic evaluation of current compliance state can go a long way to ensuring that your next CDS implementation is truly compliance-ready and maintains that compliant state.

• Lessons from past FDA warning letters

• Ensure that users are uniquely identified and that records of their access privileges are maintained.

• Have controls on re-integrations & methods.

• Understand the predicate rule in relation to computer systems

• Don’t delete / don’t give access privilege to delete raw data.

• Trial injections are not allowed.

• Stand alone systems are not allowed.

• Define electronic records and electronic working practices

• Review the CDS audit trails

• Vendors of CDS systems must ensure that audit trails are easy-to-use and actually contain information that is useful to the users to determine the quality and integrity of data.

[email protected]

Data Integrity Part I is available at:

http://www.slideshare.net/skvemula/presentation-on-data-integrity-in-pharmaceutical-industry














[email protected] You

For “Pharma Uptoday” free daily newsletter write a mail to [email protected]

for few previous posts browse our website:https://sites.google.com/site/pharmauptoday

for other Pharma Uptoday presentations & Monthly Magazines browse:http://www.slideshare.net/skvemula

mailto:[email protected]

https://sites.google.com/site/pharmauptoday

http://www.slideshare.net/skvemula

data integrity ii - chromatography data system (cds) in pharma

Healthcare