Tag: pic/s

The Audit Trail and Data Integrity

Requirement

Description

Attributable (Traceable)
  • Each audit trail entry must be attributable to the individual responsible for the direct data input so all changes or creation of data with the persons making those changes. When using a user’s unique ID, this must identify an individual pers on.
  • Each audit trail must be linked to the relevant record throughout the data life cycle.

Legible
  • The system should be able to print or provide an electronic copy of the audit trail.
  • The audit trail must be available in a meaningful format when. viewed in the system or as hardcopy.

Contemporaneous
  • Each audit trail entry must be date- and time-stamped according to a controlled clock which cannot be altered. The time should either be based on central server time or a local time, so long as it is clear in which time zone the entry was performed.

Original
  • The audit trail should retain the dynamic functionalities found in the computerized system, included search functionality to facilitate audit trail review activities.

Accurate
  • Audit trail functionality must be verified to ensure the data written to the audit trail equals the data entered or system generated.
  • Audit trail data must be stored in a secure manner and users cannot have the ability to amend, delete, or switch off the audit trail. Where a system administrator amends, or switches off the audit trail, a record of that action must be retained.

Complete
  • The audit trail entries must be automatically captured by the computerized system whenever an electronic record is created, modified, or deleted.
  • Audit trails, at minimum, must record all end user initiated processes related to critical data. The following parameters must be included:
    • The identity of the person performing the action.
    • In the case of a change or deletion, the detail of the change or deletion, and a record of the original entry.
    • The reason for any GxP change or deletion.
    • The time and date when the action was performed.

Consistent
  • Audit trails are used to review, detect, report, and address data integrity issues.
  • Audit trail reviewers must have appropriate training, system knowledge and knowledge of the process to perform the audit trail review. The review of the relevant audit trails must be documented.
  • Audit trail discrepancies must be addressed, investigated, and escalated to JEB management and national authorities, as necessary.

Enduring
  • The audit trail must be retained for the same duration as the associated electronic record.

Available
  • The audit trail must be available for review at any time by inspectors and auditors during the required retention period.
  • The audit trail must be accessible in a human readable format.

21CFR Part 11 Requirements

Definition: An audit trail is a secure, computer-generated, time-stamped electronic record that allows for the reconstruction of events related to the creation, modification, and deletion of an electronic record.

Requirements:

  • Availability: Audit trails must be easily accessible for review and copying by the FDA during inspections.
  • Automation: Entries must be automatically captured by the system without manual intervention.
  • Components: Each entry must include a timestamp, user ID, original and new values, and reasons for changes where applicable.
  • Security: Audit trail data must be securely stored and not accessible for editing by users

EMA Annex 11 (Eudralex Volume 4) Requirements

Definition: Audit trails are records of all GMP-relevant changes and deletions, created by the system to ensure traceability and accountability.

Requirements:

  • Risk-Based Approach: Building audit trails into the system for all GMP-relevant changes and deletions should be considered based on a risk assessment.
  • Documentation: The reasons for changes or deletions must be documented.
  • Review: Audit trails must be available, convertible into a generally readable form, and regularly reviewed.
  • Validation: The audit trail functionality must be validated to ensure it captures all necessary data accurately and securely.

Requirements from PIC/S GMP Data Integrity Guidance

Definition: Audit trails are metadata recorded about critical information such as changes or deletions of GMP/GDP relevant data to enable the reconstruction of activities.

Requirements:

  • Review: Critical audit trails related to each operation should be independently reviewed with all other records related to the operation, especially before batch release.
  • Documentation: Significant deviations found during the audit trail review must be fully investigated and documented.

Thoughts on ISPE 2022 Aseptic Conference

Just finished up the 2022 ISPE Aseptic Conference, and here are a few thoughts.

EU GMP Annex 1 expected in later half of the year

Paul Gustafson, chair of the Pharmaceutical Inspection Co-operation Scheme (PIC/S) and a senior corporate regulatory compliance and enforcement advisor with Health Canada, stated that the plan was to issue the widely anticipated Annex 1 in mid-year 2022. He repeatedly said July to September so that is interesting news and start getting your contamination control strategies going. There will be a one-year period before in force, with 2 years on some of the lyophilizer requirements.

For those keeping track, it retains the provision calling for testing filters used in the sterilization process, pre-use, post-sterilization integrity testing (PUPSIT). The PUPSIT provision “has driven a substantial amount of discussion and has resulted in a number of papers being drafted,” said Gustafson. This was a very gracious understatement, and I have to admit I really admired his Canadian humor.

FDA continues to evaluate COVID inspection measures

Alonza Cruse, Director of the Office of Pharmaceutical Quality Operations at FDA/ORA did a thorough job going through the COVID measures of Remote Regulatory Assessments and Remote Interactive Evaluations and discussed how the agency was in the process of learning how best to do things going forward.

He also clearly state how they were continuing to get back to normal inspections and discussed new personnel in foreign offices, such as India.

Highlights from Panels

One of my favorite panels was Jo Ann Jacobs and Kara Vogt speaking on “Building Resiliency into Single-Use-Technology Systems” They laid out some good work they are doing as part of a startup to design good functional equivalency and supplier management, obviously learning from PPAP and similar measures. Quite well done. While it leans heavily into my own practice around functional equivalency it was good to see such a rock-solid implementation, and I felt like I learned a few good ideas.

I spoke on Contamination Control, Risk Management and the Quality Management System, having a blast doing so. I was followed by Christa Myers who spoke on “Contamination Control Strategy: From Annex 1 Draft Requirements to Implementation in Practice.” We made a good duo and between the two I hope participants got a real solid idea on how to do this contamination control strategy effectively.

I learned a lot about robotics and isolators.

Still a big fan of ISPE’s Women in Pharma.

PIC/S Guidance on Data Integrity is final

This week, the Pharmaceutical Inspection Co-operation Scheme (PIC/S) finally announced that its new guidance on good practices for data management and integrity for pharmaceutical manufacturers and distributors has come into effect.
 
This final version is of a draft document originally introduced in 2016 and re-issued as a draft in 2018. It’s been a long road to get final version. Final version here.

PIC/S on Inspection of biotech manufacturers

PIC/S recently updated an Aide Mémoire on inspections of biotech manufacturers in January. The aim of this AiM is to harmonize GMP inspections in biotechnological and biological facilities and to ensure their quality. There wasn’t much new in this version, the revision history says “Minor edits to update cross-references to PIC/S GMP Guide (PE 009-14),” but this is a good time to review the document.

PIC/S on Change Review and Effectiveness

Starting from the end, let’s review some of the requirements in the new draft PIC/S guidance.

Prior to change closure

RequirementImportant Points
Changes meet their intended objectives and pre-defined effectiveness criteria. Any deviations from those criteria are adequately assessed, accepted and managed/justified. Whenever possible, quantitative data are leveraged to objectively determine change effectiveness (e.g. statistical confidence and coverage).Clearly delineating what effective means as a date is critical to generate data.

CQV activities can tell you if the intended objective is met. Effectiveness reviews must be made up of:

Sufficient data points, as described in the implementation plan, gathered to a described timeline, before an assessment of the change is made.

The success criteria should be achieved. If not, reasons why they have not been achieved should be assessed along with the mitigation steps to address the reasons why, including reverting to the previous operating state where appropriate. This may require the proposal of a subsequent change or amendment of the implementation plan to ensure success.

Data and knowledge gathered from implementation of the change should be shared with the development function and other locations, as appropriate, to ensure that learning can be applied in products under development or to similar products manufactured at the same or other locations
As part of the quality risk management activities, residual risks are assessed and managed to acceptable levels, and appropriate adaptations of procedures and controls are implemented.These are action items in the change control.

As part of the closure activities, revise the risk assessment, clearly delineating risk assessment in two phases.
Any unintended consequences or risks introduced as a result of changes are evaluated, documented, accepted and handled adequately, and are subject to a pre-defined monitoring timeframe.Leverage the deviation system.

Prior to or after change closure

RequirementImportant Points
Any post-implementation actions needed (including those for deviations from pre-defined acceptance criteria and/or CAPAs) are identified and adequately completed.If you waterfall into a CAPA system, it is important to include effectiveness reviews that are to the change, and not just to the root cause.
Relevant risk assessments are updated post-effectiveness assessments. New product/process knowledge resulting from those risk assessments are captured in the appropriate Quality and Operations documents (e.g. SOPs, Reports, Product Control Strategy documents, etc.)Risk management is not a once and done for change management.
Changes are monitored via ongoing monitoring systems to ensure maintenance of a state of control, and lessons learned are captured and shared/communicated.Knowledge management is critical as part of the product management lifecycle.

Lessons learned are critical.