Part 11 for Process Equipment, Audit Trail Reviewing, Requirements for Bulk Chemicals, And Cal Certs Without Pass/Fail

Paul Daniel, Vaisala
Senior GxP Regulatory Compliance Expert
Published:
Industrial Measurements
Life Science

This week we have five move post-webinar questions from the Data Integrity webinar. The questions are:

  1. Do we need to comply with Part 11 for a system attached to a process equipment if we are taking print outs and filing with our batch records?
  2. What should we focus our audit trail reviews on?
  3. Are there regulatory requirements for bulk chemical manufacturers?
  4. What if our calibration certificates don't come with a pass/fail status, only raw results?
  5. Are audit trail reviews tied to an official regulation or an extrapolation of the need to have audit trail functions?

See all the answers below... But first..

Vaisala blog

New White Paper on Data Integrity: Managing GxP Environmental Systems to Ensure Data Integrity

In this paper, we give you eight ways to ensure data integrity in your computerized systems, including:

  • Risk-based Validation
  • Auditing Audit trails
  • Ensuring accuracy and functionality
  • Change control
  • Selecting system provider

 

More Data Integrity Webinar Q&A

Do we require part 11 compliance for a computer system attached to a process equipment if we are taking print out and filing in our batch records?

You do not need to worry about compliance with Part 11 if the print-out is the raw data directly from the process equipment.  An example would be the print-out from an electronic scale.  If the process equipment creates a file or does any processing of the file before printing it out, you will need to investigate deeper. Another example would be an HPLC where the raw data is manipulated and analyzed before it is printed. In these instances, validation may be required, including verification of elements of Part 11.  

For audit trails reviews, what should we focus our attention on?

I love this question! Almost everybody accepts it must be done, but almost no-one asks how to actually do it.  The answer to this question is largely dependent on what the system is used for, how it stores data, and how detailed the audit trail is. 

In our viewLinc system, no user can actually make a record involving raw data or even change it.  So in some sense, we don't even need an audit trail…  But, since it is a hard argument to have,  we put an audit trail in anyway. The viewLinc audit trail tracks events and configuration changes. 

Since a monitoring system's secondary function, after collecting raw data, is sending alarms for any out-of-spec conditions or data, the configuration of the alarms is probably the most sensitive data that can be changed by a user.  Therefore, in a review of a monitoring system audit trail, I would be looking for administrative events that involved configuration changes.  I would be looking at the comments tied to the events to see that the changes were part of legitimate change controls. Here's what the "Events" view panel looks like in viewLinc... However, if I was dealing with a more complex system, such as a HPLC tied to a LIMS system I would see it differently. In this type of setup, the raw data files are often created by users and often need analysis and adjustment to make the data into actual and meaningful test results.  Such as system would likely be equipped with security roles to prevent people with review responsibilities from being able to change data, but if it wasn't (which would be a Part 11 compliance violation) I would look for change events by users known to have review roles.  

Otherwise, I would check the dates associated with the given projects and files. If a HPLC analysis and review of the file is typically completed and reviewed within 3 working days, I would look for instances where the changes to the data were made outside that 3-day window.  This might be indicative of people making changes after the fact. So we see that our audit trail review strategy is tied very much to the type of system we are using. We consider the system's existing data protections, and the way the it is used to process and store data.  To really understand how to review the audit trail, you must imagine the ways a person could "cheat" the data, and then design your review strategies to detect these activities.

Is there a regulatory requirement for bulk chemical manufacturers (e.g. excipients) to apply Data Integrity practices?

I have to answer your question with another question: Are there any GMP requirements for manufacturers of excipients?  Because data integrity requirements are not new, and are part of the core requirements for any GMP activity, therefore any activity that is has a regulatory requirement for GMP compliance, will also have a regulatory requirement to apply Data Integrity practices. Vaisala

I make a distinction between manufacturers of raw materials, excipients, and API's.  In my definition, an excipient is something that is not an API, but changes the action of the drug in some way, like a tablet coating. 

Excipients will differ between generic and patented formulations, even though the actual drug products will have the same API's, and likely other raw materials. The only reason I make this distinction is that I believe that it will help answer the question.  Some raw material providers are just making a raw material that could be used in many industries, and the way they are made suitable for pharmaceutical use is through testing and purification by the pharmaceutical manufacturer.  In this case, I could see a bulk raw material supplier being exempt from GMPs and therefore Data Integrity requirements.  Now a manufacturer of excipients, as I have defined them as unique drug components that are not APIs, could likely be seen as being subject to GMPs and therefore to Data Integrity requirements.

Regarding showing PASSED on a calibration certificate in the U.K., UKAS certified calibrations don't come with a pass/fail status, only raw results. What's the best way to deal with these?

Ah... forgive me for playing a little fast and loose with the word "PASSED".  It's often easier to teach GxP standards using phrases that imply that something MUST meet calibration criteria by saying that the certificate must say "PASSED." 

But of course, you are correct that you don't always get the word "PASSED" on the certificate.  The best practice I was alluding to was simply that calibration should be documented, typically with a certificate, and you should be able to determine from the certificate that the instrument was successfully calibrated, and within the due dates.  Successfully calibrated (which is what we mean by "Pass") means that measurements against a standard, after adjustment if any, were within the acceptable performance parameters for accuracy for that instrument.  Ideally, the certificate will also carry some kind of indicator of what the expected performance parameters are so that one may make such a determination from the certificate itself without having to refer to additional documents.  A word of warning – when you do send an instrument out for calibration, the calibration service providers will allow you to tell them what the acceptable limits of performance are, and you do not need to simply parrot the manufacturer's performance specifications.  What is more important is your process tolerance specifications.  If your process tolerance is quite a bit wider than the instrument's performance specifications (this is typical of Vaisala loggers) you gain some additional protection against failed calibrations AND the attendant paperwork.

Are the periodic audit trail reviews tied to an official regulation, or is it an extrapolation of the need to have audit trail functions?

Since you are in the UK, I looked to the MHRA. Their expectation is that the audit trail is there to specifically provide the ability to review it, and in that review to be able to reconstruct the actions to create the data record.  So, in that context, audit trail review is the reason for the audit trail to exist, as opposed to an extrapolation in the other direction. It is suggested by some that the appropriate time to review an audit trail is at the time the data itself is reviewed, or used for a GMP decision.  This is different than simple periodic audit trail review.  However, I consider both processes to be necessary and not mutually exclusive.

Don't miss this: Upcoming Webinar on New Wireless Technology

Join us for "The Internet of Things Now Includes Wireless Technology That Rises Above Crowded Frequencies" 

Wednesday, April 19, 2017 / 11:00 AM EDT / 8:00 AM PDT

Your presenter: Paul Daniel, Senior Regulatory Compliance Expert at Vaisala

Who Should Attend:

  • Facilities managers
  • Calibration managers
  • Validation managers
  • Validation specialists
  • Regulatory officers
  • Distribution, Logistics Managers
  • Stability Scientists & Laboratory Managers

Summary

The Internet of Things has allowed the development of wireless technology that ensures reliable, long-range signal strength in sensor-equipped data loggers. This webinar will show you how recent advances in long-range wireless communication are changing the way controlled environments are monitored, especially in GxP-regulated applications. 

  • A brief history of wireless technology:
  • Key differences in current technologies and functional comparisons of each (i.e. Wi-Fi, Bluetooth and ZigBee)
  • The fundamentals of wireless monitoring networks, including frequency, modulation, LoRa®, link budgets, and network topology

 

 

Contributors

Paul Daniel, Vaisala

Senior GxP Regulatory Compliance Expert

Paul Daniel has worked in the GMP-regulated industries for over 25 years helping manufacturers apply good manufacturing practices in a wide range of qualification projects.  His specialties include mapping, monitoring, and computerized systems.  At Vaisala, Paul oversees and guides the validation program for the Vaisala viewLinc environmental monitoring system.  He serves as a customer advocate to ensure the viewLinc environmental monitoring system matches the demanding requirements of life science and regulated applications.  Paul is a graduate of University of California, Berkeley, with a bachelor’s degree in biology.

Janice Bennett-Livingston

Marketing Manager

In addition to editing the Vaisala Life Science blog, Janice Bennett-Livingston is the Global Life Science Marketing Manager for Vaisala's Industrial Measurements business area.

Pre-Vaisala writing credits include a monthly column called "Research Watch" for Canada's award-winning magazine alive, as well as articles in Canadian Living and other periodicals. Other past work: copywriting for DDB Canada, technical writing at Business Objects, and communications specialist for the British Columbia Child & Family Research Institute.

Add new comment