The use of the risk assessment tool Failure Mode and Effects Analysis (FEMA) in the management of the quality, compliance and business risks associated with critical function failure of laboratory instruments is described.
The processes involved are illustrated using a UV/visible spectrophotometer as an example.
1. Introduction
Modern analytical laboratories are equipped with an extensive array of analytical instruments which possess the sensitivity too accurately and precisely measure most analytes at very low levels. The use of auto-samplers provides many hours of unattended operation, permitting the analysis of hundreds of samples in a single session.
Assuring the quality, reliability and trustworthiness of the analytical results produced, are a fundamental requirement for all laboratories. This is particularly the case for laboratories which operate to one or more a number of international quality assurance schemes, such as Good Laboratory Practice [1], Good Manufacturing Practice [2] and the International Standards Organisation ISO 17025 [3], which have been established to provide a framework of principles so that the quality of data produced in one country can be readily assured and accepted in another.
Analytical instrument qualification is the quality assurance process of establishing, through documented evidence that analytical instruments perform to predetermined specifications and are capable of consistently providing high quality, reliable and trustworthy data. The actual process followed, in a particular situation, will depend on the instrument being evaluated and the requirements of the laboratory.
The general approach, however, typically follows a multi-phase process consisting of:
Assuring the reliability of a laboratory’s instruments can require considerable investment in both time and resources. In the cost conscious commercial environment it is recognised that the cost of instrument qualification increases rapidly as the extent of qualification increases.
In particular it is recognised the extent of the qualification performed, on a particular instrument, should be consummate with the potential risk of non-compliance. The challenge therefore is how to measure the risk of a laboratory instrument not complying with its established specifications, and then managing the risk of non-compliance; as an inadequately qualified instrument will leave a laboratory vulnerable to providing inaccurate, erroneous or otherwise unreliable data.
Failure Mode Effect Analysis
Failure Mode and Effects Analysis (FMEA) [4] is a inductive reasoning risk assessment tool, that considers the potential risks associated with a system failure as a product of the potential severity, probability of occurrence and probability of non-detection [5]. The general process consists of first assessing the potential risks associated with a failure of a particular function in the absence of any mitigating systems. These are assigned a risk level of high, medium or low.
Controls are then devised and applied to functions which were initially assigned a high medium level, until an acceptable level of residue risk is achieved. This process does not seek to eliminate all risk, but instead to manage the residual risk.
This article describes the application of the Failure Mode and Effects Analysis tool to managing the quality, compliance and business risks associated with laboratory instrument qualification, illustrating the process by using a UV visible spectrophotometer as an example.
2. Quality Functions of an UV/visible Spectrophotometer
UV/visible spectrophotometers are widely used in analytical laboratories to perform two principle tasks:
- Using the UV/visible spectrum to confirm the identity of compounds
- Using the absorbance measurement in combination with a standard solution of known concentration to determine the concentration of analytes
Identifying user requirements specifications (URS) is an early stage activity in the qualification of any instrument, which takes place during the DQ phase prior to selection of the make and model of the instrument to be procured. The key functions of the instrument are tested against the URS during the OQ and PQ phases of the qualification.
The functions of a laboratory instrument can be divided in to two categories:
2.1 Operating Functions
Operating functions relate to those that enable the laboratory instrument to perform its technical operations. For a UV/visible spectrophotometer the operating functions are presented in Table 1:
In addition to the above requirements, there are the requirements relating to the operating software. Essentially these are the functions that operate the spectrophotometer.
2.2 Data Quality and Integrity Functions
Quality and data integrity functions are the system of controls intended to assure the quality, security and integrity of the data produced and stored by the spectrophotometer.
These consist of:
1. Access Controls
1.1 Restricting system access to authorised persons who will have sufficient privileges to perform their assigned roles
1.2 Controlling access to the system will be via user accounts which will require input of an electronic signature
1.3 Auto-log off after a fixed period of inactivity e.g. 10 minutes
1.4 Disabling a user account when the user leaves the organisation or is transferred to a position not requiring access
1.5 Detecting unauthorised login attempts and alerting management/security
2. Control of Electronic Signatures
2.1 Electronic signature should consist of two components: a public component which will identify the user (username) and a private component (password) (which the user should keep secret|)
2.2 Electronic signature should be specific to an individual user and should be considered legally equivalent to a traditional hand written signature
2.3 The electronic signature shall be permanently linked to the respective record
3. Password Controls
3.1 Passwords should conform to specified characteristics designed to make guessing difficult, such as not be shorter than a minimum length
3.2 Users should be able to change their password at any time. For example if compromise is suspected
3.3 To protect against password aging, passwords should expire after a fixed period of time
3.4 Users should not be able to reuse the same password
4. Audit Trail Control
4.1 Shall be capable of providing an audit trail to log all changes to method, report, raw and processed data files.
4.2 Shall be capable of recording the times changes were made, who made the changes and the reason for making the changes
5. Data Security Controls
5.1 Users should not be able to delete, overwrite, move or rename data files
5.2 Data files should be saved to a specific location
5.3 Data files should be backed up daily
5.4 Data files should be able to be archived
5.5 Archived data files should be able to be restored
6. Time Stamps
6. 1 The application software should be capable of time stamping all records, raw and processed data, method, and report files created
6. 2 Time stamps should be referenced to a document standard clock/time server
6. 3 Time stamps should indicate the time zone
Part 2 of this article will be released next week when we dive deeper into Failure Mode Effect Analysis (FMEA) and the process around it.