- Introduction - Functions of CDS - Validation of CDS - Regulatory requirements - Procedures required - Areas for ensuring CDS Data Integrity - Previous observations - FDA Warning Letters – 2013 - FDA Warning Letters – 2014 - FDA 483’s related to CDS - EU – Non compliance Reports - WHO - Notice of Concern  - How to avoid observations ? - Conclusion

1. Chromatography Data System (CDS)
pharmauptoday@gmail.com

2. - Introduction
- Functions of CDS
- Validation of CDS
- Regulatory requirements
- Procedures required
- Areas for ensuring CDS Data Integrity
- Previous observations
- FDA Warning Letters – 2013
- FDA Warning Letters – 2014
- FDA 483’s related to CDS
- EU – Non compliance Reports
- WHO - Notice of Concern
- How to avoid observations ?
- Conclusion
pharmauptoday@gmail.com
Contents

3. Introduction
Chromatography data systems have been in laboratories for many years in many forms:
• integrator
• single PC
• central data system
• client/ server or networked system.

4. Functions of CDS
In outline the process used by most CDS consists of all or most of
the points below:
• Set up the method and analytical run information.
• Instrument control
• Acquire data from each injection, together with injection number
from the auto-sampler and any chromatographic conditions.
• Process the acquired data first into peak areas or heights and
then into analyte amounts or concentrations.
• Store the resultant data files and other information acquired
during the run for reanalysis.
• Interface with other data or information systems for import of
data relating to CDS set-up or export of data for further
processing or collation of results.

5. Validation Package Documentation
Document Name Outline Function in Validation
Validation plan • Documents the intent of the validation effort throughout the whole life cycle
• Defines documentation for validation package
• Defines roles and responsibilities of parties involved
Project plan • Outlines all tasks in the project
• Allocates responsibilities for tasks to individuals or functional units
• Several versions as progress is updated
User requirements
specification (URS)
• Defines the functions that the CDS will undertake
• Defines the scope, boundary and interfaces of the system
• Defines the scope of tests for system evaluation and qualification
System selection report • Outlines the systems evaluated either on paper or in-house
• Summarizes experience of evaluation testing
• Outlines criteria for selecting chosen system
Vendor audit report and
vendor quality certificates
• Defines the quality of the software from vendor’s perspective (certificates)
• Confirms that quality procedures match practice (audit report)
• Confirms overall quality of the system before purchase

6. Validation Package Documentation
Document Name Outline Function in Validation
Purchase order • From vendor quotation selects software and peripherals to be ordered
• Delivery note used to confirm actual delivery against purchase order
• Defines the initial configuration items of the CDS
Installation qualification (IQ) • Installation of the components of the system by the vendor
• Testing of individual components
• Documentation of the work performed
Operational qualification
(OQ)
• Testing of the installed system
• Use of a vendor’s protocol or test scripts
• Documentation of the work performed
Performance qualification
(PQ) test plan
• Defines user testing on the system against the URS functions
• Highlights features to test and those not to test
• Outlines the assumptions, exclusions and limitations of approach
PQ test scripts • Test script written to cover key functions defined in test plan
• Scripts used to collect evidence and observations as testing is performed

7. Validation Package Documentation
Document Name Outline Function in Validation
Written procedures • Procedures defined for users and system administrators
• Procedures written for IT related functions
• Practice must match the procedure
User training material • Initial material used to train super users and all users available
• Refresher or advanced training documented
• Training records updated accordingly
Validation summary report • Summarizes the whole life cycle of the CDS
• Discusses any deviations from validation plan and quality issues found
• Management authorization to use the system

8. pharmauptoday@gmail.com
Regulatory requirements

9. Regulations
Main Clauses from EU Annex 11 Applicable for Maintaining the Validation Status of an Operational
CDS.
• validation covers the whole lifecycle (11.2)
• environmental conditions must be within specifications (11.3)
• system description (11.4)
• access control and user account management (11.8)
• audit trails for data quality (11.10)
• change control procedures (11.11)
• data back-up quality and security (11.13)
• data back-up (11.14)
• alternative ways of working (11.15)
• procedures for breakdown (11.16)
• problem identification and resolution (11.17).

10. US FDA Regulatory Requirements for Data Integrity
Reference: http://www.fda.gov/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/ucm124787.htm

11. US FDA Regulatory Requirements for Data Integrity
http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=11

12. FDA Regulatory Requirements for Computer Systems
Reference: http://www.fda.gov/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/ucm124787.htm

13. FDA Regulatory Requirements for Computer Systems
Reference: http://www.fda.gov/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/ucm124787.htm

14. FDA Regulatory Requirements for Computer Systems
Reference: http://www.fda.gov/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/ucm124787.htm

15. FDA Regulatory Requirements for Computer Systems
Reference: http://www.fda.gov/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/ucm124787.htm

16. FDA Regulatory Requirements for Data Integrity
Reference: http://www.fda.gov/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/ucm124787.htm

17. MHRA Regulatory Requirements for Data Integrity

18. MHRA Regulatory Requirements for Data Integrity

19. pharmauptoday@gmail.com
Procedures required

20. Procedures required for computer systems
• Description of responsibilities: the roles and responsibilities of staff supporting the
computer system are defined.
• System description of hardware and change-control procedures: describes how the
hardware components will be maintained (equivalent to the hardware configuration log)
with the procedure to be adopted when the system configuration is changed.
• Preventative maintenance: describes the procedures for preventative maintenance of the
hardware components.
• Prevention, detection and correction of errors: the measures and procedures for finding,
recording and resolving errors in the system. This can be a complex SOP covering many
different aspects of the system and may refer to sections of the technical manuals
provided with the system. This SOP includes good housekeeping such as disk
defragmentation or monitoring the space available on all disks.

21. Procedures required for computer systems
• System boot and shutdown: this is a special SOP that should contain all the specific
instructions for starting up and shutting down the system. This SOP may be required in an
emergency and, therefore, should be well written and be easily available for use.
• Control of environmental conditions: For systems that require a controlled environment,
an SOP should define the acceptable ranges of temperature, humidity and power supply.
Other environmental considerations may be what to do in the situation of electrostatic
discharges, power surges, fire, lightning strikes or the use and maintenance of an
uninterruptable power supply (UPS).
• Contingency plans and emergency operation: this is a disaster-recovery plan and uses
alternative plans until the computer system has been recovered. It is important that any
disaster recovery plan is tested and verified before any disaster occurs.
• Back-up and restore of data: describes the procedures for back-up of data and software
programs and how to restore data to disk.

22. Procedures required for computer systems
• Security: the logical (software) and physical security of the system is covered with the
procedures for setting up and maintaining security.
• Installation and update of software: procedures to be undertaken before, during and after
installing software. This should start with the complete back-up of all disks and then
installation of the software and any testing and validation that may be required.
• Development and update of system software procedures: software can be written to
control the system or help execute functions. This SOP outlines the procedures for the
creation, documentation and modification of these procedures.
• Password policy
• Peak Integration procedure

23. Comparison of FDA and EU Regulations for Audit Trails
The audit trail regulatory requirements from 21
CFR 11 and EU GMP Annex 11 are compared and
contrasted.
In general, the two requirements are similar, but
interpretation is required, as some requirements
are present either in the underlying predicate rule
(for 21 CFR 11) or in other locations (for EU
GMP). It is important when interpreting a specific
section of a regulation to remember that other
parts of the regulations may modify or interact with
it.
The problem is that audit trails in commercial
applications fail to document the second person
review adequately and should highlight when
changes have been made to records.

24. Areas for ensuring CDS Data Integrity
1. Identify each user uniquely
2. Implement adequate password controls
3. Establish different user roles / access privileges
4. Establish and maintain a list of current and historical users
5. Control changes to the system
6. Use only trained staff to operate the system
7. Understand predicate rules for laboratory records
8. Define and document e-records for the system
9. Review the audit trails for each batch set
10. Back the system up regularly

25. pharmauptoday@gmail.com
Previous observations

26. pharmauptoday@gmail.com
Warning Letters - 2013

27. Failure to maintain laboratory control records with complete data derived from all
tests conducted to ensure compliance with established specifications and
standards, including examinations and assays..
a. The inspection documented that HPLC processing methods (including integration
parameters) and re-integrations are executed without a pre-defined, scientifically valid
procedure.
Your analytical methods are not locked to ensure that the same integration parameters are
used on each analysis.
A QC operator interviewed during the inspection stated that integrations are performed and
re-performed until the chromatographic peaks are “good”, but was unable to provide an
explanation for the manner in which integration is performed.
Moreover, your firm does not have a procedure for the saving of processing methods used
for integration.
Reference : WL: 320-13-22 / Aarti Drugs Limited 7/30/13

28. Failure to maintain laboratory control records with complete data derived from all
tests conducted to ensure compliance with established specifications and
standards, including examinations and assays..
c. During the review of the chromatography data, our investigator noticed that the raw data
retained does not include the run sequence or the processing method used to perform the
peak integrations.
Your QC personnel perform peak integrations based on analysts’ experience rather than by
an approved procedure.
Moreover, the chromatography raw data does not include the processing method used to
produce the final analytical results; therefore, during the review of the analytical data, it
would not be possible to detect any modification to the processing method.
Your firm’s response mentions that the QC operations are now under “direct control of
administrator”, but it does not define the roles and responsibilities of the administrator to
ensure the integrity and reliability of all QC laboratory data.
Reference : WL: 320-13-22 / Aarti Drugs Limited 7/30/13

29. Failure to maintain laboratory control records with complete data derived from all
tests conducted to ensure compliance with established specifications and
standards, including examinations and assays..
d. The audit trail function for the chromatographic systems was disabled at the time of the
inspection; therefore, there is no record for the acquisition of data or modifications to
laboratory data.
Your response to this deficiency did not discuss how you will ensure that data audit trails
will not be disrupted in the future.
Reference : WL: 320-13-22 / Aarti Drugs Limited 7/30/13

30. Failure to implement access controls and audit trails for laboratory
computer systems.
Your firm failed to have adequate procedures for the use of computerized systems used in
the QC laboratory.
At the time of the inspections, your QC laboratory personnel shared the same username
and password for the operating systems and analytical software on each workstation in the
QC laboratory.
In addition, no computer lock mechanism had been configured to prevent unauthorized
access to the operating system.
The investigator noticed that the current QC computer users are able to delete data
acquired.
In addition, the investigator found that there is no audit trail or trace in the operating system
to document deletions.
Reference : WL: 320-13-22 / Aarti Drugs Limited 7/30/13

31. Your firm failed to exercise appropriate controls over computer or related systems to assure that only
authorized personnel institute changes in master production and control records, or other records (21
CFR 211.68(b)).
Your firm’s (b)(4) “Jasco LC-Net II” HPLC instruments do not have restrictions in place to
prevent any change or deletion of analytical raw data.
Additionally, there is no audit trail in place to determine any previous deletion of raw data.
Reference : WL: 320-13-26 / Agila Specialties Private Limited 9/9/13

32. Your laboratory control records do not include data derived from all of the tests necessary to establish
compliance with standards.
For example, the inspection found multiple raw data chromatograms in digital files labeled “test” and
“demo,” that were injected prior to the sample injections that were used to conclude that batches were in
conformance with the specification. They were:
a. A “demo” chromatogram injected 3/6/12 and the official organic impurities injection on 4/6/12
for (b)(4)batch (b)(4).
b. A “demo” chromatogram injected 3/6/12 and the official organic impurities injection on 4/6/12
for (b)(4)batch (b)(4).
c. A “test” chromatogram injected 12/9/08 and the official related substances injection on 12/10/08
for (b)(4)batch (b)(4).
d. Two “test” chromatograms injected 12/4/08 and the official related substances injections on 12/5/08
for(b)(4) batch (b)(4).
e. Five “trial” chromatograms injected 7/5/11 between the official related substances injections which
occurred both before and after the “trial” injections for batch (b)(4) of (b)(4). The final injections were
made on 12/6/11 for this batch.
Reference : WL: 320-13-20 / Fresenius Kabi Oncology Ltd 7/1/13

33. Failure to protect computerized data from unauthorized access or changes.
Our inspection found that there were no restrictions to access the laboratory data residing on
the workstations attached to your standalone instrumentation: (b)(4) High Pressure Liquid
Chromatographs (HPLCs), the Fourier Transform Infrared Spectrophotometer (FTIR), the
gas chromatograph (GC) and the drives and portable media used as back-ups.
There was no protection of the data from alteration and deletion and no audit trails to detect if
such alteration or deletion had occurred.
Reference : WL: 320-13-23 / Posh Chemicals Private Limited 8/2/13

34. Your firm failed to ensure that laboratory records included complete data derived from
all tests necessary to assure compliance with established specifications and
standards (21 CFR 211.194(a)).
• For example, your firm did not retain any raw data related to sample weights and sample
solution preparations for the HPLC assays of (b)(4) tablet batches (b)(4) and (b)(4) that
you conducted on July 18, 2012.
• In addition, you did not include those results in the calculation of the final assay
values. Instead, you repeated the analysis the next day using a new set of sample
solutions, and reported the retest results on the certificates of analysis (COAs). Other
examples were also noted during the inspection.
Reference : WL: 320-13-17 / RPG Life Sciences Limited 5/28/13

35. Your firm failed to establish and exercise adequate controls over computers to prevent unauthorized
access or changes to electronic data.
• For example, the computers that control your analytical laboratory instruments, including
an HPLC, (b)(4) GCs, and an FTIR, lacked control mechanisms to prevent unauthorized
access to, changes to, or omission of data files.
a. Your analysis of (b)(4) USP batch (b)(4) exceeded the (b)(4) residual solvent limit on
February 29, 2012. Your firm did not report or investigate this OOS result, and deleted the
related electronic records. During our inspection, your analyst admitted that he also deleted
other uninvestigated failing and/or OOS electronic data from the laboratory database in
January 2013 prior to our inspection. Your QC Senior Manager also acknowledged this
laboratory-wide electronic data deletion practice.
b. During our inspection, your analysts demonstrated to our investigators that they could
delete any electronic analytical data files from the laboratory computers and external
backup hard drives.
Reference : WL: 320-13-17 / RPG Life Sciences Limited 5/28/13

36. Your firm failed to ensure that laboratory records included complete data derived from all tests
necessary to assure compliance with established specifications and standards (21 CFR 211.194(a)).
• For example, your firm’s laboratory records failed to include complete records of all stability testing
performed. The FDA investigators identified the practice of performing "trial" sample analysis for
High Performance Liquid Chromatography (HPLC) analyses prior to collecting the “official” analytical
data for stability testing. These “trials” were performed on multiple products,
including (b)(4) Tablets (b)(4)mg, (b)(4)mg/(b)(4)ml, and (b)(4)Tablets. These trial runs were not
recorded in the equipment use log, and sample preparation data associated with these analyses
was destroyed, preventing any calculation or analysis of the resulting data. Your response states
that trial runs were conducted using only one of the (b)(4) HPLC instruments located in the stability
laboratory, which happened to be the one instrument that the FDA investigators reviewed during the
inspection. Your response indicates that you have revised procedures and re-trained your staff.
• Additionally, your quality control HPLC raw data files can be deleted from the hard drive using the
common PC login used by all (b)(4) analysts. This deletion eliminates all records of sample
injections and analyses. Your response indicates that this deletion function is only available on the
software used for one of (b)(4) sets of HPLC instruments. You also indicated that you have changed
the access control privileges such that laboratory analysts in a “user” role cannot delete or rename
files.
Reference : WL: 320-13-21 / Wockhardt Limited 7/18/13

37. Your firm failed to record and justify any deviations from required laboratory control mechanisms (21
CFR 211.160(a)).
The FDA investigators identified a memo dated March 12, 2013 (a week before the inspection),
documenting a computer “crash” that occurred on the central back-up and controller PC
for (b)(4) HPLC instruments. The memo describes the loss of instrument activity logs (audit
trails). Our investigators found that several of the HPLCs had the audit trail functions disabled;
therefore, there is no assurance that the data generated using these HPLCs is accurate.
Your response indicates that your firm performed an assessment of the historical HPLC
chromatograms (raw data) generated on each individual HPLC unit prior to March 12, 2013 and
verified it against previously printed chromatograms. Based on this analysis, your firm claimed that
you had confirmed that the backup data is available for each of the analyses and no analytical data
has been lost due to the computer crash. However, your firm failed to provide a risk assessment for
the products tested using the HPLC instruments that had the audit trail functions disabled. This is
especially noteworthy given the fact that prior to the inspection, at least one QC officer had the
ability to delete data on the affected system.
Reference : WL: 320-13-21 / Wockhardt Limited 7/18/13

38. Your firm failed to ensure that laboratory records included complete data derived from all tests
necessary to assure compliance with established specifications and standards (21 CFR 211.194(a)).
• For example, our investigators identified your practice of performing “trial” sample analysis for high
performance liquid chromatography (HPLC) analyses prior to acquiring the “official” analytical data for
release and stability testing.
• The FDA investigators observed your practice of performing “trial” injections for HPLC analyses used to
test content uniformity, assay, and dissolution for release and stability for at least (b)(4) different products.
• The investigator observed that for finished product (b)(4) Tablets (b)(4) mg, batches (b)(4), your firm
performed “trial” injections. The inspection documented that an HPLC run had an injection sequence
named as (b)(4) assay,(b)(4) assay (b)(4), and (b)(4) assay (b)(4) attributed to the “trial” injections. Our
investigators noticed that the injection sequence names used the (b)(4) digits of the previously
referenced batch numbers. During the inspection, your firm’s management was unable to determine
whether the “trial” injections were performed using standard solutions or actual batch samples. Based on
the HPLC data, these “trial” injections occurred on 5/7/13. Later that same day, it appears that the
“official” sample analyses were performed for batches (b)(4). The assigned names for the sequence
injections creates the perception that your QC operator named the vials using the (b)(4)digits of the batch
numbers to link the “trial” injections for the batches with the official assay analyses. We are concerned
because our investigator noticed that the “trial” injection data related to batch (b)(4) rendered an out-of-
specification (OOS) result for the (b)(4) and (b)(4) assays. Therefore, it appears that the batch (b)(4) did
not pass the “trial” analysis but met specifications when the “official” sample was tested shortly thereafter.
Reference : WL: 320-14-01 / Wockhardt Limited 11/25/13

39. Your firm failed to ensure that laboratory records included complete data derived from all tests
necessary to assure compliance with established specifications and standards (21 CFR 211.194(a)).
• In addition, our investigator discovered that some of the “trial” injection data was not kept
on the HPLC hard drives because your firm deleted it. Your firm’s management confirmed
that the files were deleted as part of an internal audit.
• Our investigators found similar instances of the use of “trial” injections stored in default
folders on the HPLC hard drive for at least four drug products. The inspections
documented that both sites have SOPs that allow the use of “trial” injections. For example,
SOP QA/GLP/08 “HPLC Analysis” mentions that standard and sample injections are
allowed to ensure system equilibration before the system suitability runs are
performed. Neither the International Conference on Harmonisation of Technical
Requirements for Registration of Pharmaceuticals for Human Use (ICH) document Q2R,
“Validation of Analytical Procedure: Text and Methodology,” nor the United States
Pharmacopoeia General Chapter <1058> , “Analytical Instrument Qualification,” includes
instructions for performing “trial” injections for a method that is validated.
Reference : WL: 320-14-01 / Wockhardt Limited 11/25/13

40. Your firm failed to exercise appropriate controls over computer or related systems to assure that only
authorized personnel institute changes in master production and control records, or other records (21
CFR 211.68(b)).
• The inspection documented that all of your QC laboratory computerized instruments ((b)(4) HPLCs)
were found to be stand-alone, and laboratory personnel demonstrated that they can delete
electronic raw data files from the local hard drive. Your firm deleted multiple HPLC data files
acquired in 2013 allegedly to clear up hard drive space without creating back-ups. Your QC
management confirmed that there is no audit trail or other traceability in the operating system to
document the deletion activity. Furthermore, your analysts do not have unique user names and
passwords for the computer and laboratory information systems; your QC analysts use a single
shared user identifier and password to access and manipulate multiple stand-alone systems.
• The (b)(4) HPLC systems in operation at the Waluj facility are also stand-alone, and during our
inspection, an employee demonstrated to the investigator that data can be deleted through the local
hard drive of the data acquisition system. As with the Chikalthana facility, all Waluj facility employees
use a shared password to access the operating system. During the inspection, your firm’s
management informed our investigator that (b)(4) back-ups of data are performed. However, we are
concerned that your system and procedures permit deletion of HPLC files and that (b)(4) backed up
data may not represent all the original data generated.
Reference : WL: 320-14-01 / Wockhardt Limited 11/25/13

41. pharmauptoday@gmail.com
Warning Letters - 2014

42. Your firm frequently performs “unofficial testing” of samples, disregards the results, and reports results
from additional tests. For example, during stability testing, your firm tested a batch sample six times
and subsequently deleted this data
• Our investigators found your practice of performing initial “trial” sample high performance liquid
chromatography (HPLC) analyses prior to acquiring the “official” analyses. The “trial” sample results
were subsequently discarded. “Trial” HPLC analyses for (b)(4) USP ((b)(4)) were apparently run as
part of the 12-month long-term stability studies on batch #(b)(4) for related substances.
• The inspection revealed that on August 26, 2011, your employee ran an HPLC analysis sequence
with the sample names (b)(4) and subsequently deleted the raw data files. It was noted that the
assigned names for the sequence injections indicates that your quality control staff named the
samples using the last three digits of the batch numbers to link the "trial" injections for the batches
with the official assay analyses.
• Your Senior Quality Control (QC) Officer confirmed that these were analyses of batch
samples. Furthermore, we found that on August 27, 2011, this batch was analyzed for unknown
impurities and the results were reported to be within specifications. However, the chromatographic
data showed that the "trial" injection data for this batch failed the unknown impurities specification
of (b)(4)% in multiple cases.
Reference : WL: 320-14-08 / Sun Pharmaceutical Industries Limited - Karkhadi 5/7/14

43. Your firm frequently performs “unofficial testing” of samples, disregards the results, and reports results
from additional tests. For example, during stability testing, your firm tested a batch sample six times
and subsequently deleted this data
• Similar unacceptable data handling practices were observed in your laboratory’s conduct of gas
chromatography (GC) analyses. The FDA investigators reviewed what appear to be data from
“unofficial” injections for GC analyses for recovered (b)(4) raw material batch #(b)(4). On February
11, 2012, your analyst performed testing on recovered (b)(4) raw material batch #(b)(4) and the
sample was within specifications. The following day, February 12, 2012, your analyst ran a GC
analysis sequence with the sample names (b)(4) and subsequently deleted the raw data files. Your
staff performed calculations during the inspection, at our request, that showed that these samples
did not meet the (b)(4) impurity specification for this material. Therefore, it appears that out-of-
specification data for batch #(b)(4) was considered to be “unofficial,” while passing data were
reported as the "official" results for the batch.
• In addition, the inspection revealed numerous examples of deleted GC electronic raw data files on
the computer controlling the GC instruments that were replaced with identical “official”
chromatogram file names. The identically named GC data files that were deleted had been created
at different times and contained disparate data. Also, it appeared that data was not consistently
archived to the central server.
Reference : WL: 320-14-08 / Sun Pharmaceutical Industries Limited - Karkhadi 5/7/14

44. Failure to maintain complete data derived from all testing and to ensure compliance with established
specifications and standards pertaining to data retention and management.
• Your firm did not retain complete raw data from testing performed to ensure the quality of your
APIs. Specifically, your firm deleted all electronic raw data supporting your high performance liquid
chromatography (HPLC) testing of all API products released to the U.S. market.
• In addition, your firm failed to retain basic chromatographic information such as injection sequence,
instrument method or integration method for the tests. Your firm’s lack of data control causes us to
question the reliability of your data.
• In addition, your laboratory management was unaware of, and therefore did not follow, the written
procedure detailing the review of analytical data.
• Furthermore, your management confirmed that the review of analytical data did not include
evaluating the system suitability parameters to ensure proper column performance.
Reference : WL: 320-14-10 / Trifarma S.p.A. 7/7/14

45. Failure to prevent unauthorized access or changes to data and to provide adequate controls to prevent
omission of data
• Your firm did not have proper controls in place to prevent the unauthorized manipulation of your
laboratory’s raw electronic data.
• Specifically, your laboratory systems did not have access controls to prevent deletion or alteration of
raw data.
• The inspection noted that all laboratory employees were granted full privileges to the computer
systems.
• In addition, prior to January 7, 2014, HPLC and gas chromatograph (GC) computer software lacked
active audit trail functions to record changes to data, including information on original results, the
identity of the person making the change, and the date of the change.
Reference : WL: 320-14-10 / Trifarma S.p.A. 7/7/14

46. Failure to manage laboratory systems with sufficient controls to ensure conformance to established
specifications and prevent omission of data.
• Our inspection revealed serious deficiencies related to your documentation practices, including
missing raw data. It is a basic responsibility of your quality unit to ensure that your firm retains the
supporting raw data that demonstrates your APIs meet specifications that they are purported to
possess.
• For example, during the inspection, our investigator found a chromatogram related to (b)(4), API in
the trash, dated October 15, 2013, which reported an additional chromatographic peak when
compared to the standard. During the inspection, your firm stated that the analyst discarded the
chromatogram because it was present in the blank injection. However, the analyst was unable to
retrieve the blank chromatogram from the system because it was overwritten by a subsequent
injection.
Reference : WL: 320-15-04 / Novacyl Wuxi Pharmaceutical Co., Ltd. 12/19/14

47. Failure to manage laboratory systems with sufficient controls to ensure conformance to established
specifications and prevent omission of data.
• In addition, the inspection documented that your firm made changes to integration parameters for the impurities
test without appropriate documentation or justification. Your firm relied upon hand written notes on a
chromatogram discovered in a drawer at the laboratory as the documentation for this change. Furthermore,
your firm implemented this change without an audit trail that would have captured the date of the change and
who made the change.
Other significant deficiencies noted in your laboratory system include:
a) Failure to have a written procedure for manual integration despite its prevalence.
b) Failure to use separate passwords for each analyst’s access to the laboratory systems.
c) Use of uncontrolled worksheets for raw analytical data in your laboratory.
d) Presence of many uncontrolled chromatograms, spreadsheets and notes of unknown origin found in a
drawer.
• The lack of controls on method performance and inadequate controls on the integrity of the data collected raise
questions as to the authenticity and reliability of your data and the quality of the APIs you produce.
Reference : WL: 320-15-04 / Novacyl Wuxi Pharmaceutical Co., Ltd. 12/19/14

48. pharmauptoday@gmail.com
483’s related to CDS

49. 483’s Related to CDS
Reference : Ranbaxy Laboratories Limited – Toansa – Jan-2014

50. 483’s Related to CDS
Reference : Ranbaxy Laboratories Limited – Toansa – Jan-2014

51. pharmauptoday@gmail.com
EU – Non compliance Reports

52. EU Non Compliance Reports
Firm Name Observation
Zhejiang Apeloa Kangyu
Bio-Pharmaceutical Co.
Ltd., China; Nov 2014
• The company failed to establish a procedure to identify and validate GMP-relevant
computerized systems in general.
• HPLC chromatograms had been copied from previous batches and renamed with
different batch and file names.
• Several electronically stored HPLC runs had not been entered into the equipment
log books. The nature of these data could not finally been clarified.
• Neither the individual workstation nor the central server had been adequately
protected against uncontrolled deletion or change of data.
• The transfer of data between workstations and server showed to be incomplete.
• No audit trail and no consistency checks had been implemented to prevent misuse
of data.

53. EU Non Compliance Reports
Firm Name Observation
Zeta Analytical Ltd, UK;
Jan 2014
• It could not be confirmed who had conducted the testing or when because of
discrepancies in the raw data; consequently staff competence could not be
confirmed.
• Raw data were not being recorded contemporaneously nor by the performing
analyst.
• Failed HPLC injections of QC standards in place to demonstrate the correct
operation of the HPLC were deleted, repeated many hours after the original
analysis and re-inserted into the analytical sequence without explanation
invalidating the batch data. The company provided commitments to address the
data traceability concerns.

54. EU Non Compliance Reports
Firm Name Observation
Wockhardt Limited, Nani
Daman, India Oct 2014
• Issues were identified which compromised the integrity of analytical data produced
by the QC department. Evidence was seen of data falsification.
• A significant number of product stability data results reported in the Product Quality
Reviews had been fabricated. Neither hard copy nor electronic records were
available.
• In addition issues were seen with HPLC electronic data indicating un-authorised
manipulation of data and incidents of unreported trial runs prior to reported
analytical runs.

55. pharmauptoday@gmail.com
WHO – Notice of Concern

56. WHO – NOC : Microlabs, Hosur

57. Summary of observations

58. pharmauptoday@gmail.comHow to avoid observations ?

59. Data Integrity – Rebuilding Trust
• Know the Regulations & Intensity of Data integrity related to CDS
• Perform a GAP Analysis
• Determine the scope of the problem / Detect the integrity related to CDS
• Implement a corrective action plan (global) & Prevent the Integrity related to CDS
• Remove individuals responsible for problems from CGMP positions
• Complete a satisfactory inspection

60. GAP Analysis
• Perform GAP analysis by
brainstorming with cross
functional team to identify and
prevent the issues related to
CDS.
Review
System
Identify gap
Change
control
process
Develop,
Training &
implement
ion
Implications
Recommen
dations

61. Summary of Data Integrity issues
• HPLC integration parameters were changed and re-run until passing
results were obtained
• Audit trail function was disabled.
• Unofficial testing of samples with file names like test, trial, or demo
• There are no controls to prohibit unauthorized changes to electronic
data / inadequate access controls.
• Files were saved on personal computers instead of a network
• Sharing passwords / unauthorized access.
• Lack of security on electronic data systems.
• Failure to maintain back-up of electronic data.
ElectronicData

62. Detecting & Preventing CDS issues
• CDS should not be file based (easy to delete data), it should be with
an integrated database.
• Don’t use standalone workstations (easy to change date), use only
networked systems.
• Don’t use local workstation, acquire data on networked server.
• Restrict access to networked server except via CDS application.
• Follow the backup and recovery process.
• CDS application should be configured with full audit trails, Electronic
signatures, user types with access privileges.
• Document the complete software configuration.
ConfigurationofCDS

63. Detecting & Preventing CDS issues
• Define a clear policy / procedure on various activities (e.g.
Password policy, Project creation & back-up)
• Have clear procedure and controls over the electronic data /
software administration.
• Cross check Privileges Vs. Job responsibilities.
• Check the adequacy of the procedures.
Policies&Procedures

64. Detecting & Preventing CDS issues
• Strategic planning
• Determine the level of compliance that we are seeking
• Identify the weaknesses and strengths in our computerized
systems
• Conduct an inventory of the systems
• Determine if the system must comply with Part 11
• Conduct the assessment using a checklist or spreadsheet
• Provide documented justification if certain system are exempt
from Part 11
• Implement and execute a remediation plan
• Conduct the required follow-up as warranted.
Part11GAPAssessment

65. Detecting & Preventing CDS issues
• Equilibrate chromatographic systems before they are ready for analysis.
• The time taken for equilibration shall be established during the method
development/validation/verification/transfer work performed in the laboratory and
this should be documented in the analytical procedure.
• Train the users and Follow good chromatographic practices and good start-up
procedures. Refer : http://www.slideshare.net/skvemula/good-chromatographic-
practices
• Follow proper change over procedures for mobile phase and modes (Normal
phase & Reverse phase).
• Inject the sample only after the system suitability criteria is met.
• Upon completion of the analysis, document the number of system evaluation
injections as part of the analytical report for the run.
TrialInjections

66. Detecting & Preventing CDS issues
• Roles provide administrators with straight forward method for managing user
privileges.
• Administrator can define roles based on job responsibilities.
• User types / groups should be defined based on the structure of the laboratory.
• Have independent User ids for the computer systems and CDS.
• Users should not have privilege to delete / modify / overwrite the data.
• Audit trails for access (System audit trails) shall be checked frequently.
• Data security shall be maintained.
AccessControls

67. HPLC - Peak Integration for Chromatography
Have a defined procedure on peak integration.
The presentation on “Peak Integration for Chromatography” is accessible form
the link : http://www.slideshare.net/skvemula/hplc-peak-integration-for-
chromatography-38032765
Contents:
- Introduction - Definitions
- How Peaks appear
- ApexTrack Integration
- Timed Events
- Peak Integration Events
- Peak Labels
- Manual Integration
- Warning letter Citations

68. pharmauptoday@gmail.com
Conclusion

69. Conclusion
• A structured and systematic evaluation of current compliance state can go a long way to ensuring
that your next CDS implementation is truly compliance-ready and maintains that compliant state.
• Lessons from past FDA warning letters
• Ensure that users are uniquely identified and that records of their access privileges are maintained.
• Have controls on re-integrations & methods.
• Understand the predicate rule in relation to computer systems
• Don’t delete / don’t give access privilege to delete raw data.
• Trial injections are not allowed.
• Stand alone systems are not allowed.
• Define electronic records and electronic working practices
• Review the CDS audit trails
• Vendors of CDS systems must ensure that audit trails are easy-to-use and actually contain information
that is useful to the users to determine the quality and integrity of data.

70. pharmauptoday@gmail.com
Data Integrity Part I is available at:
http://www.slideshare.net/skvemula/presentation-on-data-integrity-in-pharmaceutical-industry

71. pharmauptoday@gmail.com
Thank You
For “Pharma Uptoday” free daily newsletter write a mail to pharmauptoday@gmail.com
for few previous posts browse our website:
https://sites.google.com/site/pharmauptoday
for other Pharma Uptoday presentations & Monthly Magazines browse:
http://www.slideshare.net/skvemula