Information Age Audits - BioPharm International


Quality audits are often very focused in their performance and in the distribution of the findings. Quality assurance, operations, and procurement departments review the results. Realistically, that information never leaves the protection of operations and rarely reaches the executive level — the very people who are on the liability firing line.

Printout and electronic record differences. As we find more processes that can be linked to electronically generated records and documentation, auditors will encounter new challenges. Electronic data are intangible, a series of magnetic or optical–magnetic impressions on durable media that require machine transposition to become readable by humans. And auditors are human, not cyborgs. Fingers, although tactile and soft-wired to a central neural ganglion, cannot plug into a machine and upload data to the brain. The logical alternative is to print hard copies and verify data points between the database and the source document. But that is not truly auditing the electronic record. A printout of an electronic record is not the actual electronic record. An electronic record has search and sort capabilities, can have algorithms, and contains metadata about the users' changes and the time and date those changes were made. These metadata are not present in the printout.

That difference is particularly problematic in audits of development processes in which many participants generate quantities of data. The complexities of product development and design control, together with the increasing reliance on computer-generated drawings, spreadsheets, reports, and test data, exacerbate the difficulties facing auditors when they wade through an organization's knowledge architecture, attempting to verify data integrity.

An Audit Solution

So how can you audit electronic data? It cannot be seen; it cannot be touched; and special devices are needed to interpret it. Very simply, you do not: You do not audit electronic data. You must audit the process and ensure that all the supporting systems are properly validated so that they generate verifiable, trustworthy data.

FDA's acceptance of data from electronic records for decision-making depends on the agency's ability to verify the quality and integrity of that data during on-site inspections and audits. To be acceptable, the data should meet certain fundamental elements of quality whether collected and recorded electronically or on paper. Data should be attributable, original, accurate, contemporaneous, and legible. Electronic data are generated using computers and computer systems. FDA has long required that all computer systems be properly validated, and the agency intends to apply the same validation concepts and standards to electronic records and signature systems as it does to computer systems.

FDA defines computer validation as providing documented evidence and assurance that computer systems that "touch" the process perform in a reliable and repeatable manner. That requires written proof that the computer system is suitable for use, is reliable and will continue to be so, functions as it purports to do in the system’s documentation, is secured and protected from unauthorized access, is maintained in a controlled manner, and is protected against uncontrolled change. In manufacturing, "Failure to comply . . . shall render the drug adulterated . . . and such drug, as well as the person who is responsible for the failure to comply, will be subject to regulatory action" (4).

The audit process, therefore, is a systems audit like any other system audit. The exception is that this audit requires specialized information technology (IT) and technical skills to evaluate the quality and the fiduciary and security requirements of the information system. Those skills are in addition to the audit skills mentioned and required for other system audits. The "ERES Checklist" box lists typical questions and tasks involved in the data system audit.

ERES Checklist
Dynamic Knowledge Architecture

Organizations must establish a knowledge architecture that acknowledges changing needs, meets compliance requirements, and engenders a new paradigm for using and managing the complex information highway. The task before management is to effectively bridge the gap between the objectives and values expressed by upper management and the processes and behavior exercised at lower levels, forming a coherent compliance risk management strategy.

A successful effort must ensure protection of the organization and its personnel from regulatory sanctions. You cannot inspect quality into a product, and you cannot audit integrity into data. You need to build in quality and integrity at the design stage — and that design process can be audited and evaluated to ensure that risk exposure is appropriate and cost-effective.

Organizations and people do not like surprises. Just as there are financial audits to reduce business risks, there need to be audits to reduce electronic and computer risks. FDA has the authority and the power to maintain the public welfare through its inspection program. Recently, the agency exercised its power and authority by assessing multimillion-dollar fines and withholding new product approvals until manufacturing and validation problems with products already on the market were resolved. Regulatory issues, therefore, have been escalated to business financial issues.

Although the 21 CFR Part 11 regulation does not appear on the surface to be that challenging, and many organizations have adopted a "wait and see" philosophy, it is a major event worthy of action to avoid unnecessary risk exposure. This is because any violation of 21 CFR Part 11 equates to a violation of FDA predicate GMP, GLP, or GCP regulations. Therefore, organizations must think about new ways of acting, or unanticipated exposure could materialize.

References

(1) Code of Federal Regulations: Food and Drugs, Title 21, Part 11, "Electronic Records; Electronic Signatures" (U.S. Government Printing Office, Washington, DC, July 1999). Also Federal Register 62(54), 13429–13466.

(2) Office of Regulatory Affairs, "ORA Field Management Directive 146: Electronic Records: Electronic Signature Certification," Inspection References: Field Management Directives (FDA, Rockville, MD, 20 August 1997).

(3) Code of Federal Regulations: Food and Drugs, Title 21, Section 210.1, "Current Good Manufacturing Practice for the Manufacture, Processing, Packing, or Holding of Drugs," (U.S. Government Printing Office, Washington, DC, June 1997).

(4) Code of Federal Regulations: Food and Drugs, Title 21, Section 820, "Quality System Regulation" (U.S. Government Printing Office, Washington, DC, revised April 2001).

For Further Reading

J.F. Noferi and D.E. Worden, "Auditing Electronic Data in Clinical Research," Applied Clinical Trials 10(5), 58–64 (2001).

J.F. Noferi and D.E. Worden, "Where Has Quality Gone?" Risk Management 48(5), 35–38 (2001).

Source: BioPharm International