
Assuring E Data Integrity and Part 11 Compliance for Empower

How to Configure an Empower Enterprise

2013 Waters Corporation 1


Agenda

Electronic Record regulations, Compliance Policy Guides and Warning Letters
Raw Data in the Chromatography Laboratory
Designing your Empower process
General Security and System Policies
Access Management
Project Design and Configuration
Understanding Empower Audit Trails (brief)
Configuring for Electronic Signatures
Managing Data
Validation and Qualification
Other procedures and policies



Gathering and sharing regulatory information


What Is Compliance?

Satisfying regulatory agencies and certification organizations that a company's processes are being operated at a level of control that will ensure that their products will meet predetermined safety, efficacy, and quality specifications.


Electronic Record Regulations



Purpose of Record Policies

Ensure Data Integrity
Records should be created contemporaneously
Retained
Reliable
o Changes should be noted, reasoned and non-repudiated
Computer systems should be trustworthy
Validated to intended use
No resultant decrease in product quality, process control or quality assurance
Evidence should be available to prove the above


Chapter 21 Code of Federal Regulations

21 CFR Part 11: Electronic Records; Electronic Signatures
21 CFR Part 211 - Current Good Manufacturing Practice for Pharmaceutical Products
21 CFR Part 58 - Current Good Laboratory Practice for Pharmaceutical Products
21 CFR Part 110 - Current Good Manufacturing Practice in Manufacturing Packing or Holding of Human Food
21 CFR Part 820 Quality System Regulation for Medical Devices

As with FDA regulations, EU regulations have rules overlaid with the electronic record rule (Annex 11)


European Annex 11

GMP Chapter 4 - Documentation
Annex 11: Electronic Records;
Annex 4: Manufacturing of Investigational Drug Product
OECD Guidance for the Conduct of Test Facility Inspections and Study Audits
OECD Revised Guides for Compliance Monitoring Procedures for GLP

As with FDA regulations, EU regulations have rules overlaid with the electronic record rule (Annex 11)


21 CFR Part 11 Controls

Administrative Controls:
Set policies, assign roles and responsibilities, operator and administrator training, ITIL implementation, auditing
Procedural Controls:
SOPs and Work Instructions for operation and administration, computer system validation, calibration, network qualification, awareness training
Technical Controls:
Computerized features like audit trail, backup mechanism, user management and security, electronic signatures and/or digital signatures to assist or enforce administrative and procedural controls


Key Topics of Part 11

Secure Records
Back up, archive, records retention policy of ALL data and meta data
Easy retrieval of e-records and Human Readable copies
Controlled access with unique username and password
o limit functionality
o feeds audit trail
Secure computer generated audit trails for any changes to data
o What changed, who, when, why (and now where)
Applications that work
Validation
Training
Electronic Signatures
Non-repudiation of signature (if using)


Annex 11 to Influence Part 11?

PI 011-3

Annex 11
21 CFR Part 11



Four new key areas in Annex 11

Supplier Audits: including the requirement to share a summary of your assessment
Be sure this is agreed in your vendor NDA agreement
Qualification of IT Infrastructure
And a formal agreement with IT departments
Inclusion of Risk Management
In Regulation rather than in Guidance
Review of Audit Trails
Specifically mentioned
Printouts should indicate a change


The Lessons to Learn from FDA



Sunrise Pharmaceuticals
Jan 2010

Your firm has not exercised appropriate controls over computer or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel [21 CFR 211.68(b)].
For example, your firm lacks systems to ensure that all electronic data generated in your Quality Control laboratory is secure and remains unaltered.
All analysts have system administrator privileges that allow them to modify, overwrite, and delete original raw data files in the High Performance Liquid Chromatography (HPLC) units.

In addition, your firm's review of laboratory data does not include a review of an audit trail or revision history to determine if unapproved changes have been made.


Ohm Laboratories
21st December 2009

Your firm has not exercised appropriate controls over computer or related systems to assure that changes in control records or other records are instituted only by authorized personnel [21 CFR 211.68(b)].
For example, one user account is established for two analysts to access the laboratory instrument's software on the computer system attached to HPLC systems.
The user account provides full system administrative rights, including editing of the methods and projects.
In addition, data security protocols are not established that describe the user's roles and responsibilities in terms of privileges to access, change, modify, create, and delete projects and data.


Able Laboratories 483
May 2005



Biochem February 2012

Access Control
Your firm did not put in place requirements for appropriate usernames and
passwords to allow appropriate control over data collected by your firm's
computerized systems including UV, IR, HPLC, and GC instruments. All
employees in your firm used the same username and password
Change Control
In addition, you did not document the changes made to the software or
data stored by the instrument systems.
Raw Data
Your firm had no system in place to ensure appropriate backup of
electronic raw data and no standard procedure for naming and saving data
for retrieval at a later date



Gulf Pharmaceuticals
February 2012

Access Control
You have not implemented security control of laboratory electronic data. All laboratory analysts share the same password for the HPLCs in the QC analytical chemistry lab and Omnilog in the microbiology lab.
Raw Data
There is no system in place to ensure that all electronic raw data from the laboratory is backed up and/or retained.
Data is deleted to make space for the most recent test results. You also informed our investigators that printed copies of HPLC test results are treated as raw data.
Printed Copies
Printed copies of HPLC test results from your firm's systems do not contain all of the analytical metadata (for example: instrument conditions, integration parameters) that is considered part of the raw data.

We highly recommend that you hire a third party auditor, with experience in detecting data integrity problems, who may assist you in evaluating your overall compliance with cGMP.


Wockhardt Ltd July 2013

Delayed, denied, limited an inspection
Torn raw data records in the waste area
o Repeatedly asked to see them
o Presented 20 records, none of which were the missing records
o Later found raw data records in a different holding bag
Unlabeled and partially labeled vials
o When the investigator asked a QC Analyst to describe the contents of these vials, the QC Analyst immediately began dumping the contents of the vials into the drainage sink
Requested the QC data package and raw data testing documentation
o no less than six times on (day 1), and again multiple times on (day 2)
o Finally got data on close out meeting on day 3


Summary of Findings

No Secure Access to only authorized personnel


No password
Shared user accounts
o Set up that way
o Shared in an emergency without documentation or justification
No controls to limit access to the delete function (among others)
Either set up as administrators
Or with user type that permit deletion or data manipulation
No audit trails
Software not equipped with audit trail
User not having unique log on prevents correct audit trails
No review of audit trails by managers or QA
Trial injection data not kept or documented
Analyses being repeated without justification, then called trial injections
Delaying, denying or limiting an inspection
Hiding data or records
Raw Data in the
Chromatographic Laboratory



A day in the life of Raw Data
[Diagram labels: Change control, Quantification, Raw Data, Qualification, Reporting, Maintenance, CDS]


FDA.Gov: FAQ on Printed Chromatograms

the printed chromatograms used in drug manufacturing and testing do not satisfy the predicate rule requirements in 21 CFR Part 211.
The electronic record must be maintained and readily available for review by, for example, QC/QA personnel or the FDA investigator
Designing your Empower Process


Design your Process

First design your ideal process before creating the user requirement specification
Look at current processes
Look for bottlenecks
Look at current calculations
Eliminate non-compliant spreadsheets
Eliminate paper worksheets
Eliminate hand calculations
Ask for input about ideal process
Use outside help to design a process
Fresh pair of eyes
Vendor support using previous experience in similar industry
Employees with experience in previous employment


Empower Versatility

Automated Dissolution Calculations
Integrity of your HPLC dissolution testing
% Dissolved automatically calculated
Accounts for transfer Vol, replace media etc
Q Factors assessed
For online and offline calculations

Combined software and hardware solution OR SOFTWARE ALONE for Dissolution


The Automated Process
Chromatography to Calculations



General Security and System Policies



Empower Software Security

Windows (7 or XP) operating system software is only used to secure the database and raw data records from accidental deletion, corruption or modification
Empower Software Security is used to secure specific areas of the application.
Access Rights
o Functionality
o Data Sets (Projects)
Audit Entries
Password Security
Sign Off Privileges
This makes it the easiest CDS to run in a compliant way!!

(exception is if customer wants to use LDAP for password authentication)
Compliance Requirements: System Set Up and Policies

Workstation | Client Server
Data stored on PC in the lab | Data only stored on server in secured server room
PC hardware failures result in loss of data | RAID technology protects from failure
Expensive to licence a username for every analyst on every workstation | One user licence for every instrument in the lab
Many user names and passwords to maintain | Single set of passwords
Time Stamps from unsecured PC time | Time Stamps from the Server
Access to OS (task manager/explorer) on PC compromises security of data | Access to OS of PC does not compromise data security
SOPs need to synchronize naming conventions (files, methods, e-records) | Single data repository ensures uniqueness of IDs


System Policies



Empower System Policies

System Policies are labeled, designating Waters recommendation for policies that should be invoked for
GxP
Electronic Records
Electronic Signatures

However it is the user interpretation that is important!


System Policies: General

Application Timeout
One password unlocks all my windows
Leaves other users' windows locked
Better than screensaver
Disallow annotation tools
Consider if relying on paper report review
Date and Time Zone display


Access Management



Empower User Types

Empower User Types are used to create a unique security model for the Empower application, reflecting your designed processes
User Types are associated with each User Account
There is no limit to the number of User Types
One person may have one default user type and be demoted in other project areas
Define User Types AFTER you define the workflow processes




Empower User Accounts

Assigns username, password and user types to each User Account

Each active/disabled Empower user account requires an Empower license
Removed Empower user accounts do not use a license
Can have multiple user types for one user account

Sharing of user accounts is not permitted
By the software licensing regulation
By the FDA

Audit trails in Empower rely on identification of each user accessing the software.
Audit trails are useless if people share a common account
Equivalent to forging a signature on a GMP document


Creating User Accounts



Empower User Accounts

Access User Properties to change the information for each user
Users may change their own passwords in this way if they feel their password has been compromised

Can be altered by a Group Administrator if one is assigned
Eliminates the need for the system administrator to be involved for every change

Multiple User Types can be associated to one User Account to log in with different levels of privilege
Requires only one licence per user


System Policies: Accounts and Passwords

User accounts
No replication or deletion
User passwords
Full history
Expiry
Entry attempts
Length
Log on/off behaviour
Multiple users per Client
Default User interface rules


Limited Entry Attempts



System Policies: LDAP

Password Rules can be defined using Active Directory or LDAP
Harmonize passwords across applications
Synchronize expiry
Add complexity rules


Empower User Groups

Empower Groups provide the ability to divide chromatographic information by laboratory, section or department

30 Character limit for Group names

Users can be members of multiple Empower Groups

A Group administrator can be assigned for each user group
This person can alter the properties of ONLY the users in that group and not other users
Interface will soon include full names (FR2)




Project Design and Configuration



Project Management

Empower Projects are folders used to organise chromatographic studies
Establish Name Convention
Customer Name, Assay Name, Compound, System Name, Analyst Name
Determine how long an active Project will be available to receive new samples
Decide what to do with inactive Projects
Keep them live but prevent acquisition of new data
Keep them live but lock completely
Develop an archive schedule


Key Questions when creating project structure

What criteria are best to search for data?
Examples are analyst, system, lab, compound, batch, calculation type, project, animal, ship, customer, lab book, date.
How many projects per month/year?
How many samples would go into each project per month?
Over what time period / which projects would you need to compare data?
It is currently not possible to graphically compare data that exist in two separate Empower projects


Example Project Schedules

Department | Sample Frequency | Scheme | Time Period | Advantages
Research | Varies in type and Number | Analyst | Monthly / Quarterly | Flexible
Research | Small number of instruments, Many analysts | Instrument | Monthly / Quarterly | Limit the instrument methods in each project
Development | Many runs but compound varies, strict methods of calculation | Calculation type | Monthly / Weekly | Fixed custom calculations in template projects
Development | Limited numbers of compounds, many types of calculation | Compound | Monthly / Yearly | Specific methods in each project


Example Project Schedules

Department | Sample Frequency | Scheme | Time Period | Advantages
Stability | Limited batches over long time period | Batch | Complete Study | Easy to compare data, Fixed methods
QC | Limited numbers of compounds with strict SOPs | Compound/Formulation/SOP | Monthly | Specific methods in each project, easy to find data
QC raw mats | Very few formulations, Weekly deliveries | Per Ship | No time period | All data for one delivery together
QC | Very few formulations, multiple production lines | Per Line | Monthly | Specific methods in each project categorizes similar data


Creating New Projects

Use the Project Wizard to create new projects
Based on a template project
Based on previous month's project
Can only be created one by one

Use the Clone project feature
copies project structure and methods
copies preferences
can create multiple projects at once
o One to many
o Many to many
Need good templates
o containing correct structure and methods
o with correct naming strategy
New Projects using the Wizard



Using Clone to Create Projects

[Diagram: Caffeine Assay cloned to Caffeine Assay March, Caffeine Assay April and Caffeine Assay May; and Caffeine Assay March, Caffeine Assay April, Caffeine Assay May shown in sequence]

Preferable to use Template: Smaller Audit trails
Using Clone to Create Projects

[Diagram: Project Template; Aspirin Assay to Aspirin Assay May, Vit C Assay to Vit C Assay May, Caffeine Assay to Caffeine Assay May]

One project, many copies Clone
Multiple projects, one copy Clone
Copies methods, custom fields, view filters and preferences
Does not copy data
Understanding Empower Audit Trails



System Policies: Projects

Determines the audit trail settings of new projects
Can never be altered
Silent is transparent to user but...
Most regulations require a reason for change
Confirm identity requires a username and password for every action
Not required by regulations
Some companies like it


Traceability - Linking Information to Records

[Diagram linking: Sample Sets, Standards used for Calibration, Calibration Curves, Original Processing Method, Unchanged Raw Data File, Unique Result, Original Instrument Method; Who Collected, Who Processed, Who Reviewed, Who Approved; When, What, Why; Product Code/Stage, E-cord information, Reagent, LC/GC System Used, LIMS ID]
Reviewing Audit Trails: A New tool in FR2

Designed to make the requirement to review Audit trails simpler
Launched from Review
Brings into one window audit records from
Project window
Manual results
Method changes
o Processing, Instrument, Sample Set (alter sample) and Method Set
o Allows multiple methods to be compared
Compares results from superseded results
Where results have been reprocessed
Compares Areas, RT, Amount etc between two results


Enhanced Data Review
New Result Audit Viewer (RAV)


Configuring for Electronic Signatures



Electronic Signatures in Empower

Applied to Reports to mimic the paper based process
Set appropriate system policies
Designed based on regulatory requirements
Designed based on customer feedback


Managing Data



Managing closed projects

Once a project is closed do you
Archive and delete the project?
Archive and leave the project live for further processing?
Archive and secure the project from further data acquisition (i.e. process only)?
Archive and lock the project from any further activity (i.e. read only)?
Leave the project live for a further month before archiving and removing?
Leave the project live (or locked) and never archive it?
Move the live project to another location?


Securing Completed Projects

Project Lock or changing Project Access



Archival

Provide a mechanism to save e-records and their metadata for future reference/access
Periodically archive data (projects) to secondary media:
Tape is not recommended for long term storage
o 4-5 year lifetime
CD or DVD used to be common
Mostly using hard drives
o Local standalone (Kit available to backup/archive workstations)
o Network drives backed up by corporate
o Cloud Drives???


Use of an Archive Empower Database

Preserves the links to all the different types of meta data
Sample sets, cal curves, QC controls, Stds, Systems, System Suitability results
Ensures data is automatically updated to the same version of software being used in Production
Very quickly retrieved
Preserves the original results but can be reprocessed if required

[Diagram: Database Server to Archive Server. Move complete projects older than 6 months; same version of Empower, limited users]


Archiving Projects

Automated & manual archiving of Empower projects in EDM
Raw data, processed data and final results are captured in the project
Project archive contains all these data

[Diagram labels: Sample, Instruments, Raw Data, Empower Data System, Reports & Results, Archive Project]


Archiving Reports

Manual & automated print of reports into SDMS
Simply review and Sign off for non Empower users
Enables fast integration to alternative applications (eg LIMS or ELN)

[Diagram labels: Sample, Instruments, Raw Data, Empower Data System, Reports & Results, Archive Project]


Validation and Qualification



You Cannot Just Buy a Compliant System

Compliance Ready Software
Software designed with compliance in mind
Full audit trail
Easy set up in system policies
Easy to retrieve/view off-line


Do you need to validate if you buy a compliant system?

YES
Double V Model from
GAMP Good Practice Guide: Testing



Topics to Consider for URS for Validation

Security
Including Part 11 requirements
Administration
Management tasks
Backup /recovery, archiving, legacy data
Dealing with upgrades
Instrument Control
Sample Sequences
Processing
Integration, Calibration, Quantitation, further processing
Reporting



GAMP 5
Leveraging Supplier Involvement

Maximize supplier involvement throughout the system life cycle
Leverage knowledge, experience and documentation
Subject to satisfactory supplier assessment
Supplier input may be used for the creation of
Functional specifications
System configuration
Testing
Support
Maintenance
Planning should determine how best to use supplier documentation
Including existing test documentation
Avoid wasted effort and duplication
Assess for suitability, accuracy and completeness
Compliance and Validation Services
Regbio Compliance Services Offerings

[Diagram labels: System Requirements Specification, Vendor Audit, Planning, Specification, Installation/Qualification, Reporting/Release, Installation Qualification, Routine OQ/PQ, Routine Compliance Services, Core CSV Service, Extended Qualification, Extended CSV Service. Legend: Analytical Instrument Qualification, Analytical Systems Extended Software Qualification]


Compliance around the Application:
Other Policies and Procedures



Training Procedures

Document that all users have received appropriate training
Should include
Lab users (scientists)
Managers
QA Reviewers
IT / Network Support Engineers
Instrument Engineers
Validation Specialists
Consultants
If applicable training should include knowledge of 21 CFR Part 11 and the legal implication of Electronic Signatures


Change Control SOP

Changes to system
Risk assessment of the change
Performance tests
Actual impact of changes
How documentation should be updated
Training updated

Consider how to deal with different categories of change:
Configuration Changes (Policies / User Types / SOP updates)
Microsoft or Empower Hotfix
New instrument driver
Empower Service Release
New Version of Empower


Disaster Recovery SOP

Plan for data integrity in case of:
Power Interruption/Spike
Flood
Fire
Major Storm
Protest/sabotage
Plan data storage areas on/off site
Results of annual disaster recovery drill

Consider use of
High Availability solutions
o RAC, DataGuard, Oracle FailSafe
Emergency Workgroup or Personal Systems


Backup

Define and test a strategy to recover in the event of a disaster
Tape is one mechanism
o Tapes will wear out
o Test backups
Now often to hard disk storage or Cloud?
Validating and Testing this is key
Oracle Hot and Cold Back up
Archive Log files
Ensure you talk to Waters to Set this up correctly


Empower 3 Compliance for an FDA audit

Inspectors want to see that you have implemented the controls that Empower provides for you
Unique Usernames for audit trails
Default strings for reasons WHY you change objects
Password expiry and history
Limited access to delete objects in the database

Outside Empower procedures are as important
Training
Daily Backup of data
Long Term Archiving

Validation of the entire system, including software to demonstrate fit for intended use based on a clear URS is a key aspect
Including a clear Change Control procedure


Thank you!
