post

What is Data Trending and How To Identify, Action and Report Trends

The following is an article I placed on LinkedIn and was written as part of my Developing My Writing While Helping Others series.

Paul Yeatman is a microbiologist with over 15 years’ experience in documentation, validation and running investigations in TGA and FDA regulated environments. He has a strong interest in process improvement, documentation, training and developing others. From 9-5 Paul investigates and solves software problems.  By night he works on his science chops.  He has an arty streak, runs several blogs and enjoys communicating his experiences and knowledge in arenas such as this.

What is Data Trending and How To Identify, Action and Report Trends

USP Chapter <1116> Microbiological Evaluation of Cleanrooms and other Controlled Environments requires viable environmental data be trended and examined.  Trends allow detection of drifts away from what is considered a controlled environment and can be used to tighten existing alert and action levels/limits.

A major goal of any production facility is to maintain consistency or a state of control.  Another major goal is to ensure the final product is what it is meant to be, free from defects and contamination.  Understanding trends is an important part of achieving this goal.

Examples outside of viable environmental monitoring are included so you get a better understanding of this topic.

What is Data?

Data, for the purposes of this discussion, is anything that can be measured and recorded.  Within a microbiology monitoring program, trends are typically colony forming unit counts and Genus, species recovery levels.

What Data Can Be Trended?

Anything that can be recorded in the form of a number or that can be classified can be trended.  A small selection follows:

  • Incidence of a specific genus and species of microbe
  • Microbe counts
  • Temperatures of cleanrooms
  • Out of Specification result incidence
  • Corrective And Preventative Action not being completed in the required time frame
  • Potency of stability samples
  • Time spent on tasks

Why Trend?

By plotting data and looking at it from afar, one can see what is happening with the data.  There could be a lot of noise in the data and large spikes such as those representing an out of specification result while the overall figures are steady, rising or falling.  A good trend for Viable Environmental Microbiology Monitoring would be down.  For an income or profit trend, seeing an upward trend is preferable.  Over summer, temperatures might be seen to be higher in filling rooms than in winter.  This might or might not represent a control issue.  In any event, the opposite of what is desired represents an opportunity to identify and implement corrective actions.

The Two Types of Trends

Long term trends

  • Initially, long term trends gathered over a minimum of 12 months are used to establish your base alert and action levels (tighter or in line with what the regulations require)
  • Nothing that is observed in a long term trend should be particularly surprising to the Quality Assurance Team. Spikes will have (or they SHOULD have) been investigated, actioned and reported on at the time. An auditor examining your trends will expect this and is likely to ask for the reports.
  • Long Term Trending Example

Adverse trends

  • Short or long term trends that indicate a loss of control is near.
  • Consecutive actions, always showing area in a state of alert, unwanted microbe species detected, “too many” alert level results in a small number of consecutive samples.
  • A LIMS system could be set up to automatically identify an adverse trend. If using a paper and pen system, the data review stage should identify an issue if not already escalated by those recording the data.
  • As for long term trends, an adverse trend needs investigation, actioning and reporting on.
  • Short term trends showing an adverse trend

Long Term Trends

  • A trend is a set of data that is moving (once the noise is factored out) consistently in one direction. Over the course of 12 months, where a state of control is maintained, the overall trend would be a flat line.   A loss of control would see the trend go one way.  Improvements in the state of control could see the trends go the other way.
  • I recommend trends be reported in a graph. This saves trawling through data looking for something out of place and use of a graph allows for easy trend determination.  You should also present the data in a summary table broken down into months.  If management (or an auditor) desired to dig deeper, access to the raw data, such as that in a batch record could be arranged and tends to be expected.
  • In the Viable Environmental Monitoring Program, a downward trend could be considered good. This trend could allow for the tightening up of alert and action limits.
  • If long term trends show a potential shift towards a loss of control, things should be investigated. If corrective action can be identified, it should be implemented and the effectiveness of this determined.
  • The absence of a trend might also represent a problem. If results were always within limits or zero that is seen as a red flag to an auditor as even with the best processes, operators will make errors and there will be outlier results.  A history of a zero count in a clean room might also indicate a poorly validated recovery process so that would need to be checked.

Adverse Trends

  • Adverse, or short term trends are those that show a marked deviation (or potential deviation) from the norm. This could be three results of increasing values in a row or even four results out of six that show movement away from what is the baseline.  As these trends are short term, it is best to examine your trends on, at most every quarter as looking for adverse trends in a production facility every 12 months is a big risk. Assuming the adverse trend did not snowball into a big problem before the trends were examined, needing to investigate 12 months of batches compared to 3 is a huge difference in time, money, recalled batches (in a really bad scenario) and consumer confidence.
  • A stability sample might show that efficacy is maintained for 12 months at fridge temperatures and in the 15th month present a sharp decline. If the product has a 12 month expiry, not a problem. A 36 month registered shelf life could indicate an issue with the batch.  If a potency drop off was seen over three consecutive time points with the overall trend heading towards an ineffective (or unacceptable) level of API efficacy within the shelf life of the product then this would be an adverse tend.
  • As part of a viable environmental monitoring program, a single alert result every once in a while can be expected. Three or more in close succession (or in the same area if sampling is rotated over shirts and batches) could indicate a shift from control and a contamination problem.  The same goes for recovering the same microbe over and over again.  That might represent a clean room contamination issue, a media contamination issue, a test contamination issue or something else – it is up to you to investigate and determine the cause and take steps to fix things.
  • An adverse trend needs to be investigated and corrected.

For both long term and adverse trends and in accordance with the established schedules, I recommend you present the trends within a report. You will need to discuss the results, state whether they are acceptable or not and whether or not corrective action was implemented and if that was effective. You will need to reference the relevant reports. The trending report should be signed off by the head of quality and filed for quick retrieval. In the event that an adverse trend was identified, actions taken would be in accordance to established procedures. Relevant reports should be referenced in the trending summary.

Audit Considerations

Again, all adverse trends must be investigated, actioned and reported on. The Quality Assurance department, its internal auditors and third party auditors all expect this.

Your regular trending reports should point out any trends that are adverse or that represent a drift outside your state of control along with references to the reports that were written and the conclusions contained within.  Out of Specification results shown in the data should also be linked to their investigative reports. Not highlighting a drift away from control or an adverse trend could be seen concealment by an auditor.

If you use a computerised system to record your data or to produce your trends, you will need to demonstrate these systems are validated and potentially provide an IQ, OQ, PQ to the auditor(s).  You will also need to prove that data is unadulterated and that the figures presented are the figures originally entered into the system.

Conclusion

Anything that can be recorded can be trended.  By examining trends, long term and adverse trends can be identified and corrective action taken if necessary.  It is a regulatory requirement to trend your data and auditors will want to see the trends. Any “bad” trends must be investigated, actioned and reported on.

References

  • USP Chapter <1116> Microbiological Evaluation of Cleanrooms and other Controlled Environments
  • Title 21 CFR Part 11
  • PIC/S PE009-14 GMP Guide (Part I: Basic Requirements for Medicinal Products) 2018

 

Question regarding Bacillus subtilis recovery when testing for absence of Salmonella sp.

The Question posed on LinkedIn:

Dear experts, During microbial contamination testing for specific organisms – salmonella growing was observed. identification shows that is not Salmonella, but Bacillus subtilis. How i shoud interprated the results, pass specification or not?

Continue reading

post

Controlled Documentation. Identifying what goes into a Policy, a SOP and an OI

The following is an article I placed on LinkedIn and was written as part of my Developing My Writing While Helping Others series.

I am a microbiologist with over 15 years’ experience in the pharmaceutical realm.  I have a strong interest in regulatory compliance, documentation and developing others.  Recently I have been working closely with data security.  I have an arty streak, have developed and delivered training and have an affinity for computers.  I ride bicycles…a lot.

Controlled Documentation.  Identifying what goes into a Policy, a SOP and an OI

Introduction

Within a regulated environment, there are multiple levels of documentation.  The purpose of such documentation is to ensure work is carried out in a legal, regulatory complaint and consistent manner.  These documents must be clear, not open to interpretation and justified in their content.  There are three levels of controlled documentation.  Policies, Standard Operating Procedures (Procedures) and Operator (or work) Instructions.  Each type of document serves a specific purpose and needs to contain relevant information.  Here I discuss the three levels of documentation and identify the purpose of each and the information each should contain.

The Three Types of Documentation

Within a controlled documentation system, a hierarchy of documents is advantageous.  In the companies I have worked for, there have typically been three.  Policies, Standard Operating Procedures and Operator (or work) Instructions.  Each document has a specific purpose and contains specific information.

The Policy

A high level document that generalises what goes on.   These documents contain regulator information (or references to the information), internal polices, rules and principles and why they are in place.

The Standard Operating Procedure (SOP)

This document describes overarching areas, such as Bacteriology, the Viable Environmental Monitoring Program, Site Validation, and Sterility Testing.

A SOP details a series of tasks that takes place over time with an identifiable goal.

As an example, a bacteriology SOP would bring together everything to do with this subject including plating, identification, maintaining a culture collection with the aim (perhaps) to allow staff to identify and maintain microbes.

The language in this document should be clear and not open to interpretation.

The Operator Instruction (OI)

This is the lowest level of documentation and describes a specific process that usually can fit on a page or two and has a specified outcome.  Examples based on the subjects listed in the SOP section above include for Bacteriology: Perform a Gram Stain, for the Viable Environmental Monitoring Program: Operation of the MAS100 Air Sampler, for Site Validation: Validate A New Incubator and for Sterility Testing:  Sanitise the Isolator with Hydrogen Peroxide.

Using the Perform a Gram Stain example, this would detail the step by step process for taking a colony off a plate and staining it using the Gram stain method.

What Information goes in each document

A policy explains the reasons behind a process.

A SOP provides the who, what, where when and order of something. If a process takes more than a day (generally) then a SOP is the appropriate document to write.  A SOP might be used by more than one person at a time.

An OI is more time limited than a SOP and the task the OI details is normally conducted by a single person at a time.  Steps that may be generalised in a SOP are specifically stated within a OI.  Do this.  Do that.  Do this other thing.

Document Structure

Like any well planned writing, a logical structure is important.  All documents should have a header and footer containing such information as writer, verifier and approver, approval and expiry dates, document number, title, page number and total pages.

A policy could be set out as follows:

Purpose, Background, Roles and Responsibilities, Overview, Listing of related polices, Glossary, References.

A SOP could be set out as follows:

Purpose, Who uses the policy, EHS considerations, Before you begin, Procedure, Additional information, Glossary, References.

An OI could be set out as follows:

Purpose, Who uses the OI, Before you begin, Overview, Instructions.

Other Considerations

Templates

Useful for providing consistency of format and providing examples of acceptable content. A template ensures consistent document structure and formatting of titles, headings, body and table content.

Scheduling and Planning

Used alongside document validity dates.  Enable the documentation controller and users to proactively schedule document review and update. Planning is important so the document is updated without rushing (i.e. the week before it is due to expire).

Who Writes the Documents

The subject matter expert (SME) is the best writer.  Don’t be afraid of delegation however. A technical writer can be used provided the document is written in consultation with the SME.

Who Reviews and Approves Documents

The reviewer should be a peer or someone in the management chain for the writer as they should also have knowledge of the process being documented.  The reviewer looks for content accuracy, correct grammar and correct references.  Ideally, the writer does the review and a verifier is used to confirm the work of the reviewer.  This reduces work for both the writer and the verifier as the document does not have to keep going back and forth between the two.

The Approver will ideally be the manager of the department responsible for the process being documented.

Change History

It is very important to track changes and document the reasoning behind changes.  Helps an auditor to identify and approve changes.  In my view, this section can never contain too much information.

Training

Staff need to be trained to follow SOP’s and OI’s and when a significant change to a SOP or OI is made, your staff need to be trained in the changes.

Standard Procedure for Documents

In order to produce consistent documentation with sensible content in a consistent format, procedure for doing this is helpful and within a regulated environment, a necessity.

Conclusion

You will now be familiar with the three main types of controlled documents: Polices, SOPs and OI’s, when they are suitable for use and what sort of information each type of document should contain.

 Appendix

Summary table of the types of information that goes into a SOP and an OI

Question Regarding Time Stamps

The Question posed on LinkedIn:

Hello Dear LinkedIn friends. I have few questions related to computerized system.

1. In a country where there is a change in time due to day light saving. How does audit trails and reports are managed in software? ( Here software is operated in multiple time zones) Example: if someone logs in at 9:55 AM and start activity which lasts for 15 mins (means completion at 10:10). What if, in between there is day light saving happened at 10 AM and time goes 1 hr back. It will show that personnel logged in at 9:55 and activity was completed at 9:10. How shall we handle impact of day light savings in such case for reports and audit trails?

2. Do we require Audit trails for each activity. ? E.g. If software is prepared to manage documents. And we have some activities like News and Events on dash board for employees which is not critical step or basic requirement of application.

So do we require audit trail for such activities which are not critical for intended use of software. And if yes, do we require reason for each step?

Continue reading

post

Ten GMP Self Inspection or Internal Audit Considerations

Posted as a LinkedIn article on 20190718

Preamble

I am a microbiologist with over 15 years’ experience in the pharmaceutical industry supporting the manufacture of liquids, creams, ointments and tablets. I have a strong interest sterile manufacturing, leading and developing others. Recently I have been working closely with data security. I have an arty streak, an affinity for computers and ride bicycles…a lot.

Introduction

Good Manufacturing Practice in Australia uses recommendations presented in the PIC/s Guide to GMP (PE009-13). The section on Quality Management states, “there is a procedure for self-inspection and/or quality audit, which regularly appraises the effectiveness and applicability of the Pharmaceutical Quality System”. Chapter 9 deals entirely with Self Inspection and lists 3 points – not entirely helpful. Continue reading

What are the guidelines for autoclave re-Validation?

The Question posed on LinkedIn:

Dear Experts, What are the guidelines that clarify the frequency and number of cycles required for re-Validation of equipment? For example, during re-qualification of the autoclave should each cycle be repeated 3 times (empty, minimum and maximum loads)? Or is it based on risk assessment by choosing the maximum loads only? (On initial qualification each cycle was performed 3 times consecutively). Also for depyrogenation tunnels, should the runs be repeated 3 times? Thank you

Continue reading

Question regarding classification of passthroughs and laminar flow hoods

The Question posed on LinkedIn:

Can we provide the grades of pass box and lafs in on critical area with respect to material movement ? For example if a pass box installed between grade c and grade d environment can be designated as grade b? Similarly laf installed in grade c area can be designated as grade c? If yes what woukd be the viable and non viable limits to be applied?

Continue reading

post

10 Ways to Protect Your Digital and Physical Security

The following is an article I placed on LinkedIn and was written as part of my Developing My Writing While Helping Others series.

I am a microbiologist with over 15 years’ experience in the pharmaceutical industry supporting the manufacture of liquids, creams, ointments and tablets. I have a strong interest sterile manufacturing, leading and developing others. Recently I have been working closely with data security. I have an arty streak, an affinity for computers and ride bicycles…a lot.
Before I began working in IT security, my only thoughts to security were install an anti-virus, never share your password and to lock your doors and not to travel to dangerous parts of the world. These days, I have a more nuanced understanding of how to protect your physical and digital property.
Today your data is everywhere online. You can potentially lose your savings, access to various account and even your identity. With or without access to your online data, thieves can access your property and make off with your stuff.
In no particular order, here are my top 10 tips to protect your digital and physical self.

1. Restrict access

Without physical access to your property, it cannot be stolen. Physical access to a computer system makes theft easier. Hard drives can be removed and inserted into other systems. Routers can be reset. USB drives can be used to auto load malicious payloads.
Use user accounts for general use and save administrator accounts for system administration such as software installation or configuration. Systems that are not secure or are breached allow access to your data. Blocking ports on your devices that are no needed reduces your attack surface. Don’t give your grandkiddies access to your computer unless they have their own restricted access account. I periodically remind my parent of this.
When creating an account or installing a new device, change the default password immediately.

2. Use complex unique passwords

Use one key for your screen door, another for your front door, another for your server rack and another for your study. This may be inconvenient. Losing your property is more so.
For data, make sure your passwords are unique for each resource you access. Password managers are handy here. NEVER use passwords such as “12345” or “guessme”. NEVER recycle passwords by adding numbers or letters to the end of an existing password when prompted to update one. If using a password manager, give it a long and complex password.

3. Backup, backup, backup

For property, maintaining an inventory database is useful. This ensures in the event of theft or fire, you can substantiate (to the police, to your insurer) what has been lost and replacements sourced.
For data, if it is important, back it up. Ideally a local backup for convenience and an off-site backup for disaster. In the past this involved burning data to tape, CD or DVD and storing copies off site. Today, many cloud providers allow you to back up data in real time off site. If you have gone to the trouble of backing up, you should test your backups periodically. There is no point losing data only to find your backups are corrupt. I backup my main PC to my server. I also backup online. I don’t care about the data on my laptop.

4. Hide keys to your identity

Access passes, addresses or rego numbers on keys These are ways to identify where they can be used in the event of loss. Don’t store you keys in obvious locations when not using them. When keys were stolen from my partner’s car, what they accessed could not identified. They were not keys for anything local.
You should never wear your work passes on the way to work. A malicious actor could view your name and place of work while you commute and then send a targeted email as part of a social engineering or phishing campaign. You may even be called directly or your contact details found via social engineering.
Never store passwords in human readable form. Do not place them under your keyboard or stick them to your monitor of insert them behind the photo of a loved one.

5. Don’t give away information for free

See point 4 regarding passes and other personally identifiable information.
Don’t discuss private information in public. Conversations on public transport, in a café, while walking and talking on your phone etc. are not private. Useful information about you and your movements and associations can be gleaned from these conversations.
If you value your data, keep it to yourself. Most services perceived as free are not. Your data is the payment. Examples include Facebook, Google searches, email receipts sent to your phone, competitions requiring email entry etc.
When using portable computers, use a privacy shield to reduce the ease of shoulder surfing.
Information you should never share includes social media posts about where you are. If a criminal knows where you live and knows or finds you on social media, a post about your current overseas or out of town holiday is an invite to rob you. Your fitness app profile could be used to find your social media profile and from there, your address and movements. If you must post about your holiday, do it when you get home.

6. Use Multiple layers of security

Two or more layers of security are good here. Lock your external doors. Place a lock on your study/computer room door. If your router is in a rack or another room, lock that too. Some companies use what are known as man traps. Only one person can pass through the entrance (or even exit) of a restricted area at any one time.
For data, make sure your passwords are unique. Ideally use user accounts for general use and save administrator accounts for system administration such as software installation or configuration. Consider multiple forms of authentication, such as a password and also a fact or physical attribute.

7. Never open email attachments (or click on links)

Most of your security comes down to your actions and opening an email attachment without 100% verifying the sender sent it is very unsafe. Email can be used to verify the account exists, seek information from you such as passwords, download and install ransomware, download and install CPU hijackers and more. Clicking on links could take you to websites that use known or unpatched flaws on your computer to compromise it and your data. Linked sites can also be used to elicit private information such as account numbers and passwords.
Even with the latest and greatest security program, there is a risk malicious programs or system compromise can occur. Security software relies on known malicious programs and known attack techniques. Criminals are constantly honing and improving their attacks.

8. Encrypt

In the event that access to your data was obtained, encryption can prevent it being used. Only you (assuming you used solid passwords and a modern encryption protocol) will be able to access your data. If local or online data compromise occurs, encrypted data is useless to thieves.
Lost or stolen laptop? Stolen computer? Lost phone? These are all useless (other than possibly resale value) to a criminal. Without encryption, data compromise is inevitable. With encryption, despite what you see on CSI, it will take more than 1000 years to gain access to your encrypted data.

9. Monitor your property

For your property, keeping an eye on it helps you to track it and prevent theft. This could extend to security cameras. Auto notification emails or texts can be set up on systems where motion is detected.
Systems such as intrusion detection and prevention system can be used to monitor hacking attempts. Many online services send emails when an unrecognised IP address access an account of yours. Examining user access logs and system logs allows you to determine out of place activity.

10. Provide a false impression

You can use pseudonyms when using the Internet. If you run servers, use a honey pot to mislead hackers. Use a device that emulates TV glow when you are travelling. Use timers for lights. Arrange a neighbour to empty your letterbox to give the impression someone is home if you are not.

Do you agree with this list? Do you have anything to add or your own security ideas? Share them in the comments section or message me directly.