Ishai Nir Small Molecule Products Manager, Distek, Inc.
Abstract
Since the release of the latest FDA guidance documents on 21 CFR part 11 and data integrity, there has been much confusion regarding what is required for compliance. This is particularly true in dissolution testing. The industry itself contributed to this confusion by the ambiguous use of terms like “compliance” and “compatible”. This article will review how these guidance specifically apply to dissolution testing and what must be included to actually meet these requirements.
In 2018 the US FDA issued the final version of its guidance on Data Integrity titled “Data Integrity and Compliance With Drug CGMP Questions and Answers Guidance for Industry” as a follow up to the previous guidance on electronic records and signatures that was 21 CFR Part 11. That year alone 49% of all warning letters the FDA issued surrounded Data Integrity. Obviously, there were questions and confusion regarding the implementation of this guidance. Performance testing, and specifically dissolution testing was no exception. This was certainly not helped by confusing and inaccurate information provided within the dissolution equipment industry itself. For people who have been in the industry long enough, this is very reminiscent of the confusion and ambiguity that surrounded the original release of the 21 CFR Part 11 requirements for electronic data records in 1997 and what constituted compliance.
Having the advantage of several years’ worth of clarification, it is worth examining where the dust has settled regarding the actual requirements for meeting the data integrity guidance with respect to dissolution testing, how can they be achieved, and what does it mean to be “compliant”.
Requirements of Data Integrity
The FDA’s Data Integrity Guidance was designed to address the questions:
- Are controls in place to ensure that data is complete?
- Are activities documented at the time of performance?
- Are activities attributable to a specific individual?
- Can only authorized individuals make changes to records?
- Is there a record of changes to data?
- Are records reviewed for accuracy, completeness, and compliance with established standards?
- Are data maintained securely from data creation through disposition after the record’s retention period?
These questions have been abbreviated using the acronym ALCOA+: Attributable, Legible, Contemporaneous, Original and Accurate with the plus being Complete, Consistent, Enduring and Available.
How does the Guidance relate to dissolution testing?
Generally, a dissolution test is comprised of 3 parts: The dissolution of the dosage form into the media in a bath, sampling of the media at the appropriate time points, either manually or with some form of automation, and finally, analysis of the collected samples. From a data integrity standpoint, the first two steps fall under the category termed “static” data records, while the last is a “dynamic” data record.
A “static” data record is defined as “a fixed-data record such as a paper record or an electronic image”. This applies to records of involatile parameters that have a unique fixed value associated with a set of data. The Guidance explains: “During data acquisition, for example, pH meters and balances may create a paper printout or static record as the original record.” These are examples of invariant parameters that have a specific value at the time of measurement and are not subject to revision at a later time by some changed calculation or correction. Specifically with respect to dissolution testing, parameters such as the media volume, the speed of agitation and temperature at a given time point, the time when the corresponding sample was withdrawn, the volume collected, and the amount of sample returned or media replaced, are all examples of such invariant parameters that have a specific value at the time of sampling and should not be revised by some calculation or correction at a future time. As indicated in supplementary guidance 211.68(b) and 211.180, the data integrity requirement for these “static” parameters can be satisfied by simply recording them on paper. They are then archived or “backed up” by retaining these printouts. “In this case, the paper printout or static record, or a true copy, must be retained.” With regards to “static” records, requirements beyond the creation and retention of a printout only come into play if an electronic record such as one stored in an electronic “notebook” is going to be substituted. Then, of course, this record is additionally subject to the requirements of 21 CFR Part 11.
The data generated during the analysis of dissolution samples is an entirely different matter. Regardless of which analysis modality is to be used, such as UV or LC, these data are labelled as “dynamic” records, meaning that “the record format allows interaction between the user and the record content”. As a matter of fact, chromatography is the example of dynamic records explicitly used in the Guidance, citing that software “may allow the user to change the baseline and reprocess chromatographic data so that the resulting peaks may appear smaller or larger. It also may allow the user to modify formulas or entries in a spreadsheet used to compute test results or other information such as calculated yield.” The point is that these data and their corresponding record do not necessarily have a unique, involatile value, but are subject to alteration as the algorithm used to compute them from the raw measured data is modified or fitting parameters are changed.
Such data invoke much more stringent requirements for recording, storage, and backup. Quoting the Guidance:
“electronic records from certain types of laboratory instruments—whether stand-alone or networked—are dynamic, and a printout or a static record does not preserve the dynamic record format that is part of the complete original record. For example, the spectral file created by FT-IR (Fourier transform infrared spectroscopy) is dynamic and can be reprocessed. However, a static record or printout is fixed and would not satisfy CGMP requirements to retain original records or true copies (§ 211.180(d)). Also, if the full spectrum is not displayed in the printout, contaminants may be excluded.”
Additionally
“Backup data must be exact, complete, and secure from alteration, inadvertent erasures, or loss (§ 211.68(b)). The backup file should contain the data (which includes associated metadata) and should be in the original format or in a format compatible with the original format.”
The implication of this is that the calculated % dissolved data cannot be simply stored as a printout or independent electronic record, even if that record meets all the requirements of 21 CFR part 11. Instead, “Data should be maintained throughout the record’s retention period with all associated metadata required to reconstruct the CGMP activity”. Metadata is defined as “the contextual information required to understand data.” And “Among other things, metadata for a particular piece of data could include a date/time stamp documenting when the data were acquired, a user ID of the person who conducted the test or analysis that generated the data, the instrument ID used to acquire the data, material status data, the material identification number, and audit trails.”
Thus, the understanding of “static” and “dynamic” data records informs us of the requirements for recording, reporting, and archiving dissolution data. “Static” data records such as bath and sampling parameters can be simply printed and then stored as a paper copy, as long as the “report” also contains the required metadata and is then appropriately reviewed and signed. If an electronic record is used as alternative, all these functions are then also subject to 21 CFR Part 11 requirements. For “dynamic” data records such as the calculation of the % dissolved values, the larger requirements come into effect. All the data, the calculations and parameters used to generate these data, and all the subsequent review and signature validation and approval of these data must be stored and archived in accordance with both 21 CFR Part 11 and the Data Integrity guidance. These are the requirements for a dissolution system to be completely “21 CFR Part 11 and Data Integrity Compliant”.
As always, the problems come with the interpretation. One source of confusion is that some stand-alone dissolution testing equipment is confusingly presented as 21 CFR Part 11 and Data Integrity “Compatible”, or even worse, “Compliant”. Most modern dissolution instruments include the ability for user log ins, and the generation of a paper or electronic reports that include parameters like the agitation speed and temperature of the bath at the sampling times, or the times and volumes of the samples collected. When combined with a manual or PC/network software-based review and signature process, these stand-alone dissolution baths and autosamplers can be a part of a 21 CFR Part 11 and Data Integrity solution. But they cannot do so on their own.
The degree that additional steps are required to validate and archive even “static” records is misrepresented by the term “Compatible”. No stand-alone dissolution system on the market is capable of storing an unlimited number of users, methods, reports, audit trail entries, etc. for the “record retention period” required by these guidance documents. Similarly, to comply with user access limits required in the guidance and further defined by individual companies, one must have the ability to define multiple levels of privileges; two-parameter identification, including unique, never repeated passwords of determined length and complexity rules; automatic logout timeout; limit to username and password guesses; restricted access to data, method files; separation of data generators/users from administrators; and more.
Based on the above, it is even more of a misnomer to classify any of these stand-alone units as “compliant”. Compliance is binary. Something is compliant or it is not. There is no such thing as “partially compliant” or even “mostly compliant”. Buyer beware! If a true 21 CFR Part 11 and Data Integrity solution is required, one must go beyond just a stand-alone system. One needs a PC/Network/Cloud software solution. Fortunately, the dissolution market includes multiple such offerings. Some are brand specific while others integrate equipment from multiple vendors. Regardless, these external software packages are the only way to achieve compliance. Understand your needs, and then select the appropriate level of solution that will meet these requirements.
References
- “Data Integrity and Compliance With Drug CGMP Questions and Answers Guidance for Industry”, U.S. Department of Health and Human Services Food and Drug Administration, December 2018
- “Guidance for Industry Part 11, Electronic Records; Electronic Signatures — Scope and Application” U.S. Department of Health and Human Services Food and Drug Administration, August 2003
- CFR - Code of Federal Regulations Title 21 “CURRENT GOOD MANUFACTURING PRACTICE FOR FINISHED PHARMACEUTICALS” Subpart D – Equipment Sec. 211.68 Automatic, mechanical, and electronic equipment. April 1, 2011
- CFR - Code of Federal Regulations Title 21 “CURRENT GOOD MANUFACTURING PRACTICE FOR FINISHED PHARMACEUTICALS” Subpart J - Records and Reports Section 211.180 - General requirements. April 1, 2012
Subscribe to our e-Newsletters
Stay up to date with the latest news, articles, and events. Plus, get special offers
from American Pharmaceutical Review – all delivered right to your inbox! Sign up now!