Four CDS Compliance Lessons

What you should know about recent non-compliances, current trends and changes in the FDA’s approach to pre-approval inspections

Unfortunately, there are always some organizations that end up serving as an example for others not to follow. Some typical examples of these practices can be seen by trawling through the warning letters on the U.S. Food and Drug Administration (FDA) Web site or reading some of the 483 observations given to worthy organizations. In this article, I would like to present and discuss two examples involving chromatography data systems (CDS). Then, based on four lessons that I believe that industry should learn from these two cases, I will look at how these have influenced the current trends in FDA thinking with respect to pre-approval inspections (PAI).
 

Read More: Is It Time to Replace Your Chromatography Data System?

The two companies on which I would like to focus are the Able Laboratories Form 483 observations dealing with the fraud uncovered there in 2005¹ and the Concord Laboratories warning letter issued in July 2006.²

Able Laboratories
The Able Laboratories is a major fraud case that is still having major ramifications throughout the FDA, and the effects of this will soon be felt by the pharmaceutical industry — as we shall see at the end of this article. In essence, the FDA had inspected Able Laboratories, a New Jersey generic drug manufacturer, previously. However, during an inspection that began in May 2005, major fraud was discovered. This triggered the withdrawal of at least seven abbreviated new drug applications (ANDA) and a batch recall of 3184 batches (their entire product line). The main points of the 483 from a CDS perspective are noted here, but for more information please read the more detailed paper that ran in Quality Assurance Journal.³
 

• Observation 2: Products failing specifications were not rejected or investigated
  The problems centered on the fraudulent use of a chromatography data system where data were used to reanalyze samples, or even to cut and paste results from other assays into reports. Two of the gems noted in the 483 were:
   

• Atenolol tablets — The dissolution test had a specification of not less that 85 percent, one original result was 30.9 percent, but on the Certificate of Analysis a value of 102.8 percent was reported.
   
• Propoxyphene napsylate — Tablets had a dissolution specification for the stability samples of not less than 80 percent. For one batch, the initial results were 72.8 and 73.2 percent; but were reported as 98.5 percent and 96.9 percent. This is not merely checking the positioning of baselines or the modification of integration parameters within the CDS, but something far more significant.

This last point is a hint of what is to come as you read further in the 483:
 

• Observation 5: Laboratory records do not include complete data

  The U.S. good manufacturing practice (GMP) regulations §211.194 require that laboratory records contain ‘complete data‘ in contrast to production records (§211.188) that only require ‘complete information.’ The citation in the Form 483 states

However, much more was uncovered by the Inspectors:

However, the CDS at the center of the fraud then helped the inspectors, as the information about the fraud was contained in the audit trail of the system:

• “OOS results not documented in laboratory records. Unreported OOS results were found in electronic data files.
   
• Changed chromatogram headers by cutting and pasting, so during review all sample injections would appear to be in sequence.
   
• Original sample weights not recorded in notebook. Sample weights were changed by the analyst until a passing result was obtained. Processing methods changed by analyst until the processing method resulted in a passing result. Original processing method not recorded in laboratory notebook.”

• Observation 6: Inputs and output from the computer are not checked for accuracy

  This is a GMP predicate rule citation from §211.68(b) which states

However, the 483 observation notes that audits were not conducted of the CDS used to control the chromatographs and to acquire the data during the analysis of products.

In summary, as the fraud unraveled, Able Laboratories went from a $100 million quoted company at the beginning of May 2005 to a bankrupt shell at the end of October 2005.

Concord Laboratories
Let us now move on a year to look at the next company deserving of FDA attention — Concord Laboratories. The warning letter was issued in July 2006 and has three citations on which I would like to focus:
 

• Citation 2: Failure to identify the individual responsible for testing

• Citation 3: Unattributed changes to chromatographic methods

• Citation 4: Unauthorized changes and failure to review the audit trail

In essence, sharing user identities has caused all of these citations for the company. Bearing in mind that Able and Concord are inspected from the same field office of the FDA, it is not surprising that the inspectors focused on the CDS.

CDS compliance lessons 
As a result of these two examples of non-compliances involving chromatography data systems, I want to draw out and discuss the four main lessons for us all going forward. Many of these are merely good computing practice and common sense.
 

• Lesson 1: Failure to uniquely identify individual users

  A root cause of the Concord Laboratory warning letter is that the company appears to have saved money on software licenses and users’ shared accounts. Managers logged onto the system, stayed logged in and an analyst continued to work on the same session. How can you identify who has done what in a situation like this? Quite simply — you cannot. This is a basic tenet of any quality system, either inside the pharmaceutical industry or outside of it, to be able to attribute any action to a specific individual.

  Furthermore, good practice suggests that CDS users who also are system administrators should be able to log on as either a system administrator with no user privileges and vice versa. This avoids a conflict of interest and the role in which a user is logged on is clearly stated in the audit trails within the system.

  In addition, a new FDA guidance document on computerized systems in clinical investigations released in May 2007 recommends that users of computerized systems keep a list of current and historic users of any computerized system.⁴ Ideally, the CDS should be able to do this for the users but few, if any, do.
   

• Lesson 2: Failure to understand the predicate rule in relation to computer systems

  All the 483 observations and warning letter citations for the CDS systems were under the GMP predicate rule — not Part 11. As such, there was a failure by the laboratory and QA staff in both organizations to understand the regulations to which they were working. Although there are few direct references to computerized systems in the regulations, there are enough compliance policy guides and industry guidance documents to realize that the term “equipment” applies to computerized systems.
   

• Lesson 3: Failure to define electronic records and electronic working practices

  My assumption is that the laboratories were working with paper as the primary records — this is wrong and is an antiquated approach with the current generation of CDS systems. The reason is that, with a CDS, the primary records are electronic and both the predicate rule and Part 11 regulations apply — no discussion or debate.

  The world is changing, and we need to get wise quickly or there will be some very unpleasant shocks ahead for many CDS users. The FDA Guidance on Part 11 Scope and Application recommendation was to establish whether Part 11 applied and what electronic records are created by a system.⁵ Concord Laboratories did not do this or consider anything more than paper. Able Laboratories based their fraud on paper and it was the electronic system that was one of the reasons for their downfall.

  Working practices when using a CDS designed for the pharmaceutical industry should be electronic, not paper, as this will provide the laboratory staff with business benefits and the compliance should be reinforced automatically by the system. From a personal perspective, how many of those who are reading this article enjoy checking records for transcription errors? Has your laboratory ever lost or misplaced any paper records?
   

• Lesson 4: Failure to review the CDS audit trails

  An observation and a citation from both Able and Concord were failures to review the audit trails in the CDS. There is a specific requirement in the laboratory records §211.194(a)(8):

The issue is that, if you have a system that generates electronic records with an audit trail, then the audit trail should be reviewed to check the integrity of the records and the final reported results to see if there are any changes to records that merit further review. This is no different from the paper environment: if a reviewer sees entries that have been changed or altered they need to ask the question why these have occurred and to satisfy themselves that the appropriate procedures have been followed. Typically, the second-person check required by the regulation is performed by the quality control (QC) laboratory staff and there is no stated requirement for quality assurance to do anything.

In many organizations, the quality assurance (QA) staff does not wish to review electronic records. Rather, they are quite content to review the signed paper output from a computerized system. However, as we become more and more electronic, there will be an increasing requirement to review electronic records and documentation electronically. Perhaps this is a wake-up call for QA to gear-up and acquire the skills for this new direction, as they are responsible for compliance oversight in a regulated organization.

FDA is changing tack 
The ramifications of the Able Laboratories case continue to play out with the FDA, who will focus on data integrity and fraud during PAI. The August issue of the Gold Sheet contained the report of a conference held in June 2007 where Rick Friedman asserted that FDA’s new approach was prompted by recent criminal investigations, including the Department of Justice’s prosecution in March 2007 of four employees of Able Laboratories involved with falsification of records.⁶

Other examples of fraud include biased manipulation of study data, alternating weights of samples and changing weights of standardized samples. To combat this problem, FDA is “reinvigorating” specialized training of investigational staff to address data integrity, manipulation and fraud issues. Friedman recommended that manufacturers

Conclusions
In my view, reliance on paper records when using a CDS is no longer tenable or workable either from business or regulatory perspectives. Despite there being enforcement discretion for some sections of 21 CFR 11, if you are using a CDS system you should work electronically and check your electronic records including the audit trail. Ensure that users are uniquely identified and that records of their access privileges are maintained. Vendors of CDS systems must ensure that audit trails are easy-to-use and actually contain information that is useful to the users to determine the quality and integrity of data.

References
1. Able Laboratories 483 Observations, July 2005
2. Concord Laboratories Warning Letter 11 July 2006 (g5973d)
3. R.D.McDowall, Quality Assurance Journal 10 (1) pp15-20, 2006
4. FDA Guidance for Industry, Computerized Systems in Clinical Investigations, May 2007
5. FDA Guidance for Industry, Part 11 Scope and Application, September 2003
6. Gold Sheet, August 2007

R.D.McDowall is Principal, McDowall Consulting. He may be contacted at [email protected].

Acronyms
ANDA Abbreviated New Drug Application | CDS Chromatography Data System | FDA U.S. Food and Drug Administration | GMP Good Manufacturing Practice | PAI Pre-Approval Inspections | QA Quality Assurance | QC Quality Control