Guest Column | May 3, 2016

Tips For Identifying And Correcting Data Integrity Deficiencies In Your Organization

By Barbara Unger, Unger Consulting Inc.

barbara-unger

Having covered (in some detail) the deficiencies that global authorities have addressed in the GMP and GCP areas in Part 2 of this series, we now turn to identify what pharmaceutical companies can do to identify data management and data integrity shortcomings within their organizations and at their contract partners. (Part 1, which provided context for the current global regulatory focus on data integrity, can be found here.)

Often, the thought of addressing computer system issues and data integrity evaluations becomes overwhelming to quality personnel, and thus these responsibilities are deferred to members of the IT department. I intend to simplify this topic and share some straightforward actions that firms can take to identify and correct deficiencies in the broad area of data management. The examples provided are only meant to be suggestions that a firm might consider. This becomes the starting point to develop a consistent means of evaluating electronic records, and associated paper records, within a firm and for their contract manufacturers and contract laboratories. It is not, however, meant to address technical issues associated with computer system validation but rather to look at this from a quality unit perspective.

Integrate Data Management Into Your Quality System

Data management that ensures security and reliability of the data must be effectively incorporated into the pharmaceutical quality system. Governance should be established that ensures procedures and processes are implemented and that staff are trained appropriately. The most senior management in the firm needs to support the effort and potential cost, and lead the way to ensure the data from their firm is always correct, valid, complete, and secure.

Get To Know Part 11

Firms must recognize that Part 11 requirements apply whenever electronic records and/or electronic signatures are used in GxP processes and activities. Part 11 is a regulation, just as Parts 210 and 211 are regulations. Firms that maintain they operate primarily paper-based systems should consider that their laboratories depend largely on laboratory instrument associated computer systems. A firm cannot write an SOP that exempts itself from compliance with this regulation. It is useful to read the preamble accompanying publication of the Part 11 final rule to more fully understand the intent of the rule and its applicability.

Update Your Quality System When Computer Systems Change

Quality system processes may need to be revised to address use of computer systems and electronic records. Computer systems should be appropriately developed, qualified, tested, and periodically assessed to ensure they remain in a validated state. A risk-based lifecycle approach should be taken from initial system development through production, decommissioning, and data archiving, where appropriate. Changes made to computer systems must be adequately assessed for their impact on GMP operations they support. Changes made to GMP computer systems should be reviewed and approved by the quality unit, which should have appropriate training and expertise.

Perform Gap Analysis For GxP Computer Systems

As part of system validation / revalidation, firms should perform gap assessments for each GxP computer system against the requirements of Part 11 using the MHRA and WHO guidelines to provide additional explanation and examples of expectations. Documented evidence supporting conclusions should be provided or referenced within the gap assessment. The simple result of “complies” is not sufficient. Where necessary, remediation activities should be identified and their progress tracked through the CAPA quality process.

Include Data Integrity Assessments In Your Internal Audits

Internal GMP audit programs should always incorporate assessments of data integrity. Internal audit staff should have documented training in assessments of data integrity. As the MHRA guidance states, these audits are not anticipated to include forensic type of audits. We provide a limited list of examples in the next section that might be addressed in internal audits, all of which can be found in form 483s or in waring letters. Additional considerations should be added or modified based on newly published enforcement actions or on company-specific needs. Further, when audit functions are outsourced to a third party, the firm should confirm that auditors have appropriate training in data integrity evaluations. This is particularly important for audits of contract laboratories, contract manufacturers, and manufacturers of excipients.

Special Considerations For Quality Control (QC) Laboratories

For the QC laboratories, specifically:

  • Laboratory instrument-associated computer systems and other computer systems should be identified and assessed for their risk to the GMP area, and requirements should be defined and validated appropriately. Periodic evaluations should be performed and documented to ensure they remain in a validated state.
  • Laboratory instrument-associated computer systems and other GxP computer systems should be assessed for compliance with 21 CFR Part 11 and the MHRA guidance on data integrity. Gaps should be identified with a timeline and plan for remediation.
  • Changes to computer system software and hardware should be appropriately assessed and should not be made outside of the quality system. For example, an outsourced help desk function should not make changes to GxP systems unless the staff has the appropriate training and qualification. These changes should be documented within the quality system process, not exclusively in a help deck ticket.
  • The following limited list of activities to evaluate in the QC laboratory includes items from warning letters and form 483s made available by FDA, as well as those described in regulations and guidelines:
    • Is configuration of the instrument-associated software qualified and tested appropriately to meet predefined requirements? Where is this documented?
    • Are passwords and logins shared, or are they unique to each individual? Shared passwords prevent the ability to attribute actions to a specific individual. This includes actions such as logging into the system, collecting data, processing data, and modifying or deleting data.
    • Are access privileges assigned appropriately? Is there a listing of who has which privilege and the actions that may be taken by each?
    • Are time/date stamps fixed, or can individuals alter them?
    • Is electronic data, including audit trails, reviewed as part of laboratory result verification, lot release, or out-of-specification (OOS) investigations? In the absence of audit trails and their review, it is impossible for the reviewer to determine whether data has been altered or deleted. Of particular importance is whether data was modified or deleted because it represented OOS results.
    • Is the review of electronic data described in an SOP, and are reviewers appropriately trained in what they are to evaluate? How is the review of the electronic data documented?
    • How quickly can the audit trails be shown to an auditor? When it takes four staff member a half hour to locate the audit trail, it suggests they are not routinely evaluated.
    • Is data periodically backed up to a secure server, or is it deleted to make space on existing hard drives? Is the backup automatic or manual? If the transfer is manual, how does the firm ensure that the transfer is complete and that data is not inadvertently deleted or altered in the process? Are these backups conducted according to a predefined schedule? If using automatic backup, has the process been validated and is it routinely successful?

Don’t Overlook Manufacturing Equipment Controls

Equally important as the laboratory instrument-associated computer systems are computerized controls applied to on-the-floor in the manufacturing equipment. This area has received minimal attention from regulators to date. However, deficiency #6 in the December, 2015 warning letter to Sun Pharmaceuticals addresses such an issue.

Keep Up-To-Date On Regulatory Changes And Trends

Finally, firms should ensure they are informed regarding current regulations, guidance, and the enforcement environment. Enforcement actions evolve over time, and it is important to be aware of current trends. All of this information is publicly available. Enforcement actions can be monitored by review of available form 483s, warning letters, Eudra GMDP reports of noncompliance, and WHO’s notice of concern.

Conclusion

It does not take a complicated mathematical formula to show that severe financial consequences result from enforcement actions where data integrity is compromised. For example, Able Laboratories ceased doing business after receiving their form 483 in 2005, Cetero Research is no longer a business entity, Ranbaxy has been acquired by Sun Pharmaceuticals in India, and Wockhardt’s sales are severely diminished in the U.S. All were cited in inspection form 483s or warning letters for deficiencies in assurance of data management and data integrity.

While the quality control laboratory is the most frequent area where data integrity issues are identified, it is by no means the only area. Data management spans all functions within pharmaceutical and device firms. Companies are encouraged to address and provide consistent data management governance in all GxP areas, including enterprise planning systems, clinical/medical affairs, and research and development.

Further:

  • Data management and the assurance of data integrity should be effectively incorporated into the quality management system and should address both paper records and electronic records.
  • All GxP audits should evaluate data management and data integrity.
  • Computer system validation and lifecycle management should not be isolated within the IT function but rather should be shared with the quality unit and other stakeholder functions.
  • The quality unit staff may need additional training to provide meaningful review and approval of computer system associated processes and procedures.
  • Finally, governance should be established across all GxP areas, and management involvement and support should be highly visible.

Data is publicly available to inform companies and their staff about changes in GMP laws, regulations, guidance, inspection focus, and enforcement trends regarding data integrity. These changes can be monitored directly by reviewing regulatory agency website publications and or a variety of both free and paid newsletter publications. Enforcement actions are made available on regulatory agency websites, though the level of detail may vary among the agencies. Requirements for electronic records are not going away, and failures in this area are demonstrated to be costly to remediate. It is far better to identify any deficiencies internally and remediate without intervention by a regulatory authority.

References:

 

About The Author

Barbara Unger formed Unger Consulting, Inc. in December 2014 to provide GMP auditing and regulatory intelligence services to the pharmaceutical industry. She has extensive expertise in this area having developed, implemented, and maintained the GMP regulatory intelligence program for eight years at Amgen Inc. This included surveillance, analysis, and communication of GMP related legislation, regulations, guidance, and industry compliance enforcement trends. Barbara was the first chairperson of the Rx-360 Monitoring and Reporting work group (2009 to 2014) that summarized and published relevant GMP and supply chain related laws, regulations, and guidance. She also served as the chairperson of the Midwest Discussion Group GMP-Intelligence sub-group from 2010 to 2014.

Before Amgen, Barbara worked for the consulting firm Don Hill and Associates, providing regulatory and quality services to the pharmaceutical industry, and for Eli Lilly and Company in quality and CMC regulatory affairs positions. She began her career in the pharmaceutical / device industry with Hybritech Inc. and received a bachelor's degree in chemistry from the University of Illinois in Urbana Illinois.