Assuring E Data Integrity and Part 11 Compliance For Empower

Assuring E Data Integrity and Part 11
Compliance for Empower
How to Configure an Empower Enterprise
2013 Waters Corporation 1

Agenda
Electronic Record regulations, Compliance Policy Guides and

Warning Letters
Raw Data in the Chromatography Laboratory
Designing your Empower process
General Security and System Policies
Access Management
Project Design and Configuration
Understanding Empower Audit Trails (brief)
Configuring for Electronic Signatures
Managing Data
Validation and Qualification
Other procedures and policies

Gathering and sharing regulatory
information

What Is Compliance?
Satisfying regulatory agencies and certification

organizations that a company's processes are being operated
at a level of control that will ensure that their products will
meet predetermined safety, efficacy, and quality
specifications.

Electronic Record Regulations

Purpose of Record Policies
Ensure Data Integrity

Records should be created contemporaneously
Retained
Reliable
o Changes should be noted, reasoned and non repudiated
Computer systems should be trustworthy
Validated to intended use
No resultant decrease in product quality, process control or quality
assurance
Evidence should be available to prove the above

Chapter 21 Code of
Federal Regulations
21 CFR Part 11: Electronic Records;
21 CFR Part 211 - Current Good Manufacturing Practice

for Pharmaceutical Products
Electronic Signatures
21 CFR Part 58 - Current Good Laboratory Practice

for Pharmaceutical Products
21 CFR Part 110 - Current Good Manufacturing Practice

in Manufacturing Packing or Holding of Human Food
21 CFR Part 820 Quality System Regulation

for Medical Devices
As with FDA regulations, EU regulations have rules overlaid with

the electronic record rule (Annex 11)

European Annex 11
GMP Chapter 4- Documentation

Annex 11: Electronic Records;
Annex 4: Manufacturing of Investigational Drug Product
OECD Guidance for the Conduct of Test Facility

Inspections and Study Audits
OECD Revised Guides for Compliance Monitoring

Procedures for GLP
As with FDA regulations, EU regulations have rules overlaid with

the electronic record rule (Annex 11)

21 CFR Part 11 Controls
Administrative Controls:
Set policies, assign roles and responsibilities, operator and
administrator training, ITIL implementation, auditing
Procedural Controls:
SOPs and Work Instructions for operation and administration,
computer system validation, calibration, network qualification.
awareness training
Technical Controls:
Computerized features like audit trail, backup mechanism, user
management and security, electronic signatures and/or digital
signatures to assist or enforce administrative and procedural controls

Key Topics of Part 11
Secure Records
Back up, archive, records retention policy of ALL data and meta
data
Easy retrieval of e-records and Human Readable copies
controlled access with unique username and password
o limit functionality
o feeds audit trail
Secure computer generated audit trails for any changes to data
o What changed, who, when why (and now where)
Applications that work
Validation
Training
Non repudiation of signature (if using)

Annex 11 to Influence Part 11?
PI 011-3
Annex 11
21 CFR Part 11

Four new key areas in Annex 11
Supplier Audits: including the requirement to share a summary

of your assessment
Be sure this is agreed in your vendor NDA agreement
Qualification of IT Infrastructure
And a formal agreement with IT departments
Inclusion of Risk Management
In Regulation rather than in Guidance
Review of Audit Trails
Specifically mentioned
Printouts should indicate a change

The Lessons to Learn from FDA

Sunrise Pharmaceuticals
Jan 2010
Your firm has not exercised appropriate controls over computer or

related systems to assure that changes in master production and
control records or other records are instituted only by authorized
personnel [21 CFR 211.68(b)].
For example, your firm lacks systems to ensure that all electronic data
generated in your Quality Control laboratory is secure and remains unaltered.
All analysts have system administrator privileges that allow them to
modify, overwrite, and delete original raw data files in the High
Performance Liquid Chromatography (HPLC) units.
In addition, your firm's review of laboratory data does not include a

review of an audit trail or revision history to determine if unapproved
changes have been made.

Ohm Laboratories
21st December 2009
Your firm has not exercised appropriate controls over computer or

related systems to assure that changes in control records or other
records are instituted only by authorized personnel [21 CFR
211.68(b)].
For example, one user account is established for two analysts to access
the laboratory instrument's software on the computer system attached to
HPLC systems..
The user account provides full system administrative rights, including
editing of the methods and projects.
In addition, data security protocols are not established that describe the
user's roles and responsibilities in terms of privileges to access, change,
modify, create, and delete projects and data.

Able Laboratories 483
May 2005

Biochem February 2012
Access Control
Your firm did not put in place requirements for appropriate usernames and
passwords to allow appropriate control over data collected by your firm's
computerized systems including UV, IR, HPLC, and GC instruments. All
employees in your firm used the same username and password
Change Control
In addition, you did not document the changes made to the software or
data stored by the instrument systems.
Raw Data
Your firm had no system in place to ensure appropriate backup of
electronic raw data and no standard procedure for naming and saving data
for retrieval at a later date

Gulf Pharmaceuticals
February 2012
Access Control
You have not implemented security control of laboratory electronic data. All laboratory
analysts share the same password for the HPLCs in the QC analytical chemistry lab
and Omnilog in the microbiology lab.
Raw Data
There is no system in place to ensure that all electronic raw data from the
laboratory is backed up and/or retained.
Data is deleted to make space for the most recent test results. You also informed our
investigators that printed copies of HPLC test results are treated as raw data.
Printed Copies
Printed copies of HPLC test results from your firms systems do not contain all of the
analytical metadata (for example: instrument conditions, integration parameters) that
is considered part of the raw data.
We highly recommend that you hire a third party auditor, with

experience in detecting data integrity problems, who may assist you in
evaluating your overall compliance with cGMP.

Wockhardt Ltd July 2013
Delayed, denied, limited an inspection

Torn raw data records in the waste area
o Repeatedly asked to see them
o Presented 20 records, none of which were the missing records
o Later found raw data records in a different holding bag
Unlabeled and partially labeled vials
o When the investigator asked a QC Analyst to describe the contents of these
vials, the QC Analyst immediately began dumping the contents of the
vials into the drainage sink
requested the QC data package and raw data testing documentation
o no less than six times on (day 1), and again multiple times on (day 2)
o Finally got data on close out meeting on day 3

Summary of Findings
No Secure Access to only authorized personnel

No password
Shared user accounts
o Set up that way
o Shared in an emergency without documentation or justification
No controls to limit access to the delete function (among others)
Either set up as administrators
Or with user type that permit deletion or data manipulation
No audit trails
Software not equipped with audit trail
User not having unique log on prevents correct audit trails
No review of audit trails by managers or QA
Trial injection data not kept or documented
Analyses being repeated without justification, then called trial injections
Delaying, denying or limiting an inspection
Hiding data or records
Raw Data in the
Chromatographic Laboratory

A day in the life of Raw Data
Change control
Quantification
Raw Data
Qualification and Reporting

Maintenance
CDS

FDA.Gov:
FAQ on Printed Chromatograms
the printed chromatograms used in drug

manufacturing and testing do not satisfy the
predicate rule requirements in 21 CFR Part 211.
The electronic record must be maintained and readily available for
review by, for example, QC/QA personnel or the FDA investigator
Designing your
Empower Process

Design your Process
First design your ideal process before creating the user

requirement specification
Look at current processes
Look for bottle necks
Look at current calculations
Eliminate non compliant spreadsheets
Eliminate paper worksheets
Eliminate hand calculations
Ask for input about ideal process
Use outside help to design a process
Fresh pair of eyes
Vendor support using previous experience in similar industry
Employees with experience in previous employment

Empower Versatility
Automated Dissolution Calculations

Integrity of your HPLC
dissolution testing
% Dissolved automatically
calculated
Combined Accounts forand
software
transfer
hardwareVol,solution
replace media
OR etc
Q Factors assessed
SOFTWARE ALONE for
For online and offline
calculations
Dissolution

The Automated Process
Chromatography to Calculations

General Security and System Policies

Empower Software Security
Windows (7 or XP) operating system software is only used to

secure the database and raw data records from accidental
deletion, corruption or modification
Empower Software Security is used to secure specific areas of
the application.
Access Rights
o Functionality
o Data Sets (Projects)
Audit Entries
Password Security
Sign Off Privileges
This makes it the easiest CDS to run in a compliant way!!
(exception is if customer wants to use LDAP for password authentication)

Compliance Requirements:
System Set Up and Policies
Workstation Client Server

Data stored on PC in the lab Data only stored on server in secured
PC hardware failures result in loss of server room
data RAID technology protects from
failure
Expensive to licence a username for One user licence for every
every analyst on every workstation instrument in the lab
Many user names and passwords to Single set of passwords
maintain
Time Stamps from unsecured PC Time Stamps from the Server
time
Access to OS (task Access to OS of PC does not
manager/explorer) on PC compromise data security
compromises security of data
SOPs need to synchronize naming Single data repository ensures
conventions (files, methods, e- uniqueness of IDs
records)

System Policies

Empower System Policies
System Policies are labeled,

designating Waters
recommendation for policies
that should be invoked for
GxP_
Electronic Records
However it is the user

interpretation that is
important!

System Polices: General
Application Timeout
One password unlocks all my
windows
Leaves other users windows
locked
Better than screensaver
Disallow annotation tools
Consider if relying on paper
report review
Date and Time Zone display

Access Management

Empower User Types
Empower User Types are used to create unique security

model for the Empower application, reflecting your designed
processes
User Types are associated with each User Account
There is no limit to the number of User Types
One person may have one default user type and be demoted in
other project areas
Define User Types AFTER you define the workflow processes

Empower User Types

Empower User Accounts
Assigns username, password and user types to each User

Account
Each active/disabled Empower user account requires an

Empower license
removed Empower user accounts do not use a license
Can have multiple user type for one user account
Sharing of user accounts is not permitted

By the software licensing regulation
By the FDA
Audit trails in Empower rely on identification of each user

accessing the software.
Audit trails are useless if people share a common account
Equivalent to forging a signature on a GMP document

Creating User Accounts

Empower User Accounts
Access User Properties to change the information for each

user
Users may change their own passwords in this way if they feel
their password has been compromised
Can be altered by a Group Administrator if one is assigned

Eliminates the need for the system administrator to be involved
for every change
Multiple User Types can be associated to one User Account to

log in with different levels of privilege
Requires only one licence per user

System Policies: Accounts and
Passwords
User accounts
No replication or deletion
User passwords
Full history
Expiry
Entry attempts
Length
Log on/off behaviour
Multiple users per Client
Default User interface rules

Limited Entry Attempts



System Policies: LDAP
Password Rules can be defined using

Active Directory or LDAP
Harmonize passwords across applications
Synchronize expiry
Add complexity rules

Empower User Groups
Empower Groups provide the ability to divide

chromatographic information by laboratory, section or
department
30 Character limit for Group names
Users can be members of multiple Empower Groups
A Group administrator can be assigned for each user group

This person can alter the properties of ONLY the users in that group and
not other users
Interface will soon include full names (FR2)

Empower User Groups

Project Design and Configuration

Project Management
Empower Projects are folders used to organise

chromatographic studies
Establish Name Convention
Customer Name, Assay Name, Compound, System Name,
Analyst Name
Determine how long an active Project will be available to
receive new samples
Decide what to do with inactive Projects
Keep them live but prevent acquisition of new data
Keep them live but lock completely
Develop an archive schedule

Key Questions when creating
project structure
What criteria is best to search for data?

Examples are analyst, system, lab, compound, batch,
calculation type, project, animal, ship, customer, lab book,
date.
How many projects per month/year?
How many samples would go into each project per month?
Over what time period / which projects would you need to
compare data?
It is currently not possible to graphically compare data that exist
in two separate Empower projects

Example Project Schedules
Department Sample Scheme Time Period Advantages
Frequency
Research Varies in type Analyst Monthly / Flexible
and Number Quarterly
Research Small number Instrument Monthly / Limit the
of instruments Quarterly instrument
Many analysts methods in
each project
Development Many runs but Calculation Monthly / Fixed custom
compound type Weekly calculations in
varies strict template
methods of projects
calculation
Development Limited Compound Monthly / Specific
numbers of Yearly methods in
compounds each project
many types of
calculation

Example Project Schedules
Department Sample Scheme Time Period Advantages

Frequency
Stability Limited batches Batch Complete Easy to
over long time Study compare data,
period Fixed methods
QC Limited numbers Compound/ Monthly Specific
of compounds Formulation methods in each
with strict SOPs /SOP project easy to
find data
QC raw mats Very few Per Ship No time All data for one
formulations period delivery together
Weekly deliveries
QC Very few Per Line Monthly Specific
formulations methods in each
multiple project
production lines categorizes
similar data

Creating New Projects
Use the Project Wizard to create new projects

Based on a template project
Based on previous months project
Can only be created one by one
Use the Clone project feature

copies project structure and methods
copies preferences
can create multiple projects at once
o One to many
o Many to many
Need good templates
o containing correct structure and methods
o with correct naming strategy
New Projects using the Wizard

Using Clone to Create Projects
Caffeine Assay March
Caffeine Assay Caffeine Assay April
Caffeine Assay May
Caffeine Assay March Caffeine Assay April Caffeine Assay May
Preferable to use Template : Smaller Audit trails

Using Clone to Create Projects
Aspirin Assay Aspirin Assay May
Assay Vit C Assay Vit C Assay May

Project
Template
Caffeine Assay Caffeine Assay May
One project, many copies Clone

Multiple projects, one copy Clone
Copies methods, custom fields, view filters

and preferences
Does not copy data
Understanding Empower Audit Trails

System Policies: Projects
Determines the audit trail

settings of new projects
Can never be altered
Silent is transparent to user
but..
Most regulations require a
reason for change
Confirm identity requires a
username and password for
every action
Not required by regulations
Some companies like it

Traceability -
Linking Information to Records
Sample Standards used

Sets for Calibration
Calibration
Original Curves
Processing Method
Unchanged
Raw Data
File
Unique
Result
Original
Instrument Method
Who Collected When

Who Processed What
Who Reviewed Why
Product Code/
E-cord information Who Approved
Stage Reagent
2013 Waters Corporation LC/GC System Used LIMS ID 58
Reviewing Audit Trails:
A New tool in FR2
Designed to make the requirement to

review Audit trails simpler
Launched from Review
Brings into one window audit records from
Project window
Manual results
Method changes
o Processing, Instrument, Sample Set (alter sample) and Method Set
o Allows multiple methods to be compares
Compares results from superceded results
Where results have been reprocessed
Compares Areas, RT, Amount etc between two results

Enhanced Data Review
New Result Audit Viewer(RAV)

Configuring for Electronic Signatures

Electronic Signatures in Empower
Applied to Reports to mimic the paper based process

Set appropriate system policies
Designed based on regulatory requirements
Designed based on customer feedback

Managing Data

Managing closed projects
Once a project is closed do you

Archive and delete the project?
Archive and leave the project live for further processing?
Archive and secure the project from further data acquisition
(i.e. process only)?
Archive and lock the project from any further activity (i.e.
read only)?
Leave the project live for a further month before archiving
and removing?
Leave the project live (or locked) and never archive it?
Move the live project to another location?

Securing Completed Projects
Project Lock or changing Project Access

Archival
Provide a mechanism to save e-records and their metadata

for future reference/access
Periodically archive data (projects) to secondary media:
Tape is not recommended for long term storage
o 4-5 year lifetime
CD or DVD used to be common
Mostly using hard drives
o Local standalone (Kit available to backup /archive
workstations)
o Network drives backed up by corporate
o Cloud Drives???

Use of an Archive Empower
Database
Preserves the links to all the different types of meta data
Sample sets, cal curves, QC controls, Stds, Systems,
System Suitability results
Ensures data is automatically updated to the same version of
software being used in Production
Very quickly retrieved
Preserved the original results but can be reprocessed if required
Move complete Same

projects older than version of
6 months Empower,
limited users
Database Archive
Server Server

Archiving Projects
Sample
Instruments
Raw Data Automated &

manual archiving of
Empower projects
Empower
in EDM
Data System
Raw data, processed

data and final results Reports & Results
are captured in the
project
Archive
Project archive
Project
contains all these data

Archiving Reports
Sample
Instruments
Raw Data Manual &

automated print of
reports into SDMS
Empower
Data System
Simply review and Sign off

for non Empower users Reports & Results
Enables fast integration to
alternative applications
Archive
(eg LIMS or ELN)
Project

Validation and Qualification

You Cannot Just Buy a
Compliant System
Compliance Ready Software

Software designed with compliance in mind
Full audit trail
Easy set up in system policies
Easy to retrieve/view off-line

Do you need to validate if you buy a
compliant system?
YES
Double V Model from
GAMP Good Practice Guide: Testing

Topics to Consider for URS for
Validation
Security
Including Part 11 requirements
Administration
Management tasks
Backup /recovery, archiving, legacy data
Dealing with upgrades
Instrument Control
Sample Sequences
Processing
Integration, Calibration, Quantitation, further processing
Reporting

GAMP 5
Leveraging Supplier Involvement
Maximize supplier involvement throughout the system life cycle

Leverage knowledge, experience and documentation
Subject to satisfactory supplier assessment
Supplier input may be used for the creation of
Functional specifications
System configuration
Testing
Support
Maintenance
Planning should determine how best to use supplier
documentation
Including existing test documentation
Avoid wasted effort and duplication
Assess for suitability, accuracy and
completeness
Compliance and Validation Services
Regbio Compliance Services Offerings
System Requirements
Specification
Legend
Vendor Audit
Analytical
Instrument
Qualification
Planning Analytical Systems
Extended
Software
Qualification
Specification Installation Qualifcation
Routine Compliance Core CSV

Installation/ Services
Routine OQ/PQ Service
Qualification
Extended Qualification Extended CSV

Service
Reporting/
Release

Compliance around the Application:
Other Policies and Procedures

Training Procedures
Document that all users have received appropriate training

Should include
Lab users (scientists)
Managers
QA Reviewers
IT / Network Support Engineers
Instrument Engineers
Validation Specialists
Consultants
If applicable training should include knowledge of
21 CFR Part 11 and the legal implication of

Change Control SOP
Changes to system
Risk assessment of the change
Performance tests
Actual impact of changes
How documentation should be updated
Training updated
Consider how to deal with different categories of change:

Configuration Changes (Policies / User Types / SOP updates)
Microsoft or Empower Hotfix
New instrument driver
Empower Service Release
New Version of Empower

Disaster Recovery SOP
Plan for data integrity in case of:

Power Interruption/Spike
Flood
Fire
Major Storm
Protest/sabatoge
Plan data storage areas on/off site
Results of annual disaster recovery drill
Consider use of
High Availability solutions
o RAC, DataGuard, Oracle FailSafe
Emergency Workgroup or Personal Systems

Backup
Define and test a strategy to recover in the event of a disaster

Tape is one mechanism
o Tapes will wear out
o Test backups
Now often to hard disk storage or Cloud?
Validating and Testing this is key
Oracle Hot and Cold Back up
Archive Log files
Ensure you talk to Waters to Set this up correctly

Empower 3 Compliance for an
FDA audit
Inspectors want to see that you have implemented the controls that
Empower provides for you
Unique Usernames for audit trails
Default strings for reasons WHY you change objects
Password expiry and history
Limited access to delete objects in the database
Outside Empower procedures are as important

Training
Daily Backup of data
Long Term Archiving
Validation of the entire system, including software to demonstrate fit

for intended use based on a clear URS is a key aspect
Including a clear Change Control procedure

Thank you!

Assuring E Data Integrity and Part 11 Compliance For Empower

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Assuring E Data Integrity and Part 11 Compliance For Empower

Încărcat de

Drepturi de autor:

Formate disponibile

Assuring E Data Integrity and Part 11

Compliance for Empower

How to Configure an Empower Enterprise

2013 Waters Corporation 1

Electronic Record regulations, Compliance Policy Guides and

2013 Waters Corporation 2

2013 Waters Corporation 3

Satisfying regulatory agencies and certification

2013 Waters Corporation 4

2013 Waters Corporation 5

Ensure Data Integrity

2013 Waters Corporation 6

21 CFR Part 211 - Current Good Manufacturing Practice

21 CFR Part 58 - Current Good Laboratory Practice

21 CFR Part 110 - Current Good Manufacturing Practice

21 CFR Part 820 Quality System Regulation

As with FDA regulations, EU regulations have rules overlaid with

2013 Waters Corporation 7

GMP Chapter 4- Documentation

Annex 4: Manufacturing of Investigational Drug Product

OECD Guidance for the Conduct of Test Facility

OECD Revised Guides for Compliance Monitoring

As with FDA regulations, EU regulations have rules overlaid with

2013 Waters Corporation 8

2013 Waters Corporation 9

2013 Waters Corporation 10

2013 Waters Corporation 11

Supplier Audits: including the requirement to share a summary

2013 Waters Corporation 12

2013 Waters Corporation 13

Your firm has not exercised appropriate controls over computer or

In addition, your firm's review of laboratory data does not include a

2013 Waters Corporation 14

Your firm has not exercised appropriate controls over computer or

2013 Waters Corporation 15

2013 Waters Corporation 16

2013 Waters Corporation 17

We highly recommend that you hire a third party auditor, with

2013 Waters Corporation 18

Delayed, denied, limited an inspection

2013 Waters Corporation 19

No Secure Access to only authorized personnel

2013 Waters Corporation 21

Qualification and Reporting

2013 Waters Corporation 22

the printed chromatograms used in drug

2013 Waters Corporation 24

First design your ideal process before creating the user

2013 Waters Corporation 25

Automated Dissolution Calculations

2013 Waters Corporation 26

2013 Waters Corporation 27

2013 Waters Corporation 28

Windows (7 or XP) operating system software is only used to

(exception is if customer wants to use LDAP for password authentication)

Workstation Client Server

2013 Waters Corporation 30

2013 Waters Corporation 31

System Policies are labeled,

However it is the user

2013 Waters Corporation 32

2013 Waters Corporation 33

2013 Waters Corporation 34