Data Integrity in a GxP-regulated Environment - Pauwels Consulting Academy

Data Integrity in a GxP-regulated environment
Dec. 6 2016
Angelo Rossi
Sr. Regulatory Compliance Consultant

22
Workshop objectives
Agenda
• Definitions and concepts of data integrity
• Change in regulatory focus
• Lesson from recent FDA warning letters
• Regulations and guidelines - highlights
• Data Integrity for Computerized System: a practical example
• How to achieve an acceptable data integrity control

33
Definition of Data Integrity
• In the context of a GxP environment, data integrity can be
defined as the act of maintaining and assuring the accuracy
and consistency of data over its entire life-cycle. Data integrity
is a critical aspect to the design, implementation and usage of
any system which stores, processes or retrieves data.
• Data integrity also refers to the protection of the original data
from accidental or intentional modification, falsification, or
deletion (McCulloch, Woodson and Long, 2014).
In a GxP environment

44
Industry & Data Integrity issues
Data Integrity Inspection statistics
• In recent years, regulatory inspections by both US and
European investigators have reported a significant increase in
the number and types of data integrity issues.
• The FDA issued 19 warning letters
(excluding those issued to
compounding pharmacies), 74% of
these regarding data integrity
associated deficiencies
• Even though the total number of
warning letters decreased during 3
years time period, the percentages
adressing data integrity increased

55
Change in Regulatory Focus
As a consequence, recently, regulatory inspections are looking
more closely at international facilities for altered and
manipulated records, and authorities…
introduced guidance to outline data integrity
expectations to support the existing regulations
increased the level of inspections and controls (with
specialized staff) focusing on systems’ data management
strengthened enforcement actions coupled with aggressive
prosecution

66
REGULATIONS AND GUIDANCE
• In March 2015, the HMA (Heads of Medicines Agencies) and
EMA (European Medicines Agency) issued a draft document
“EU Medicines Agencies Network Strategy to 2020” to plan
the strategy of the EU regulators for the upcoming 5 years.
This report also enforces controls to ensure that all suspicions
of problems with data integrity are thoroughly investigated
• In August 2016, the EMA and the Pharmaceutical Inspection
Co-operation Scheme (PIC/S) released a new draft guidance
”Good Practices for Data Management and Integrity in
Regulated GMP/GDP Environments” and a Q&A document

77
• In January 2014, the MHRA announced that the
pharmaceutical industry is expected to review data integrity
within the frame of self-inspections. In January 2015, the
MHRA published a Guideline GMP Data Integrity Definitions
and Guidance for Industry; a new draft was released in July
2016
• In April 2016, the FDA published a draft Guidance “Data
Integrity and Compliance With CGMP”
REGULATIONS AND GUIDANCE

88
Example of Warning Letters
Micro Labs Limited, 9 January 2015
• Failure to include complete test data to assure compliance
with defined specifications and standards (21 CFR 211.194(a));
not including OOS data for evaluation of batch release
• Failure to record and justify deviations from your SOPs (21
CFR 211.160(a))
• Failure to ensure authorized access control over computer or
related systems in order to prevent changes in master
production and control records, or other records (21 CFR
211.68(b)); audit trail not configured, data substitution

99
Hospira Spa, 31 March 2015
• Failure to ensure that laboratory records included complete
data derived from all tests necessary to assure compliance
with established specifications and standards (21CFR
211.194(a))
Transox Inc., 8 June 2015
• Failure to include complete Data necessary to document
conformance to final specifications for the drug product (21
CFR211.165(a))

1010
Mahendra Chemicals, 13 July 2015
• Failure to prevent unauthorized access or changes to data, and
to provide adequate controls to prevent omission of data; data
files in the recycle bin, no password functionality, no audit trail,
no CAPA plan
• Failure to record activities at the time they are performed and
destruction of original records; backdating batch production
data after batch release
• Failure to train employees on their particular operations and
related CGMP practices; destroying original production records

1111
Sun Pharmaceutical Industries Ltd, 12/17/15
• Failure to control the access to PLC levels or MMI equipment.
Missing audit-trail to ensure that individuals have not
changed, adjusted, or modified equipment operation
parameters.
• Failure to ensure, with equipment logbook, traceability to the
individual operator using a shared login

1212
Megafine Pharma Limited, 19 May 2016
• Failure to ensure that, for each batch of intermediate and API,
appropriate laboratory tests are conducted to determine
conformance to specifications; falsifying test data for stability
batch
• Failure to prevent unauthorized access or changes to data and
failure to provide adequate controls to prevent manipulation
and omission of data; deletion of unknown OOS peaks

1313
Common findings
Non-
contemporaneous
recording
Back-dating
Copy of existing
data as new
information
Re-running
samples to obtain
better results
Data fabrication Data discarding

1414
• Non-contemporaneous recording: Failure to record activities
at the time when activity was performed; there is evidence
that the records were signed by company personnel when the
person was actually absent on that day
• Document back-dating: Back-dating stability test results to
meet the required commitments
• Copy of existing data as new information: Test results from
previous batches were used to substitute testing for another
batch or acceptable test results were created without
performing the test
Common findings

1515
• Re-running samples to obtain better results: Multiple analyses
of assay were done with the same sample without adequate
justification and in some cases samples were tested
unofficially or as a trial analysis until desired test results were
obtained
• Data fabrication and data discarding: Original raw data and
records were altered e.g. by using correction fluid or
manipulation of a poorly defined analytical procedure and
associated data analysis in order to obtain passing results
Common findings

1616
Common findings
Computerized System
Use of shared
accounts/shared
password/incorrect
privileges
Audit-trail not
enabled or
deactivated
System time/date
not protected or
not reliable
Unofficial testing
of samples
No back-up of
electronic data
Archived (old)
records with
unsupported
format

1717
Consequence of failure
Patient
Patient Safety
Product Efficacy
Business
Regulatory Actions
Undermine Trust
IMPACT
DATA
INTEGRITY
BREACH

1818
Importance of Data Integrity
• It is very important that the records (paper and electronic)
generated in a pharmaceutical environment meet the
necessary requirements to ensure product quality and patient
safety.
When we fail to follow these rules, it can have a
significant impact on the quality of the product being
manufactured.

1919
Reasons for Data Integrity Violations
Root Causes

2020
• Even with an appropriate governance system to ensure data
integrity in place, individuals can give rise to falsification of
records and fraudulent data:
• Falsification: creating, altering, recording, or omitting data in such a
way that the data do not represent what actually occurred
• Fraud: Wrongful or criminal deception intended to result in financial
or personal gain
• Falsification of data is a major concern for regulators and a
major driver for regulators to increase the level of concern
of data integrity
• A regulator does not distinguish between human error and
data falsifications when assessing data-integrity failure
Reasons for Data Integrity Violations
Falsification and fraud

2121
Regulations and Guidelines
• Regulations
• GxPs: Good Documentation Practices (paper)
• FDA 21CRF Part 11 (electronic)
• EU/PICS Annex 11 (electronic)
• Guidelines from agencies and industry
• FDA Data Integrity and Compliance with cGMP (paper and
electronic)
• UK MHRA GMP Data Integrity (paper and electronic)
• (EMA and) PIC/S Draft Guidance “Good Practices for Data
Management and Integrity in Regulated GMP/GDP
Environments” (paper and electronic)
• Enforcements actions
• Warning Letters and 483 inspectional observations

2222
FDA draft guidance - Highlights
• The FDA draft guidance is
complementary to the 21CFR211
regulations for current GMP (cGMP);
it enforces its interpretation toward
the integrity of data generated in
pharmaceutical manufacturing
• Unlike those from the WHO and MHRA guidance
documents, it is presented in the format of FDA draft
guidance 18 questions and answers

2323
Principles from the paper-and-ink era still apply, e.g.:
• § 211.68 requires that backup data are exact and complete, and
secure from alteration, inadvertent erasures, or loss
• § 212.110(b) requires that data be “stored to prevent deterioration
or loss”
• §§ 211.100 and 211.160 require that certain activities be
documented at the time of performance and that laboratory
controls be scientifically sound
• § 211.180 requires true copies or other accurate reproductions of
the original records
• §§ 211.188, 211.194, and 212.60(g) require complete information,
complete data derived from all tests, complete record of all data,
and complete records of all tests performed.

2424
Terms associated with ALCOA+
A Attributable
Who performed an action and when? If a record is changed, who did it
and why? Link to the source data
L Legible
Data must be legible (readable), permanent and accessible throughout
the data lifecycle
C Contemporaneous
Data are recorded at the time the work is performed; date & time
stamps are chronologically in order
O Original
Original data, sometimes referred to as source data or primary data, is
the medium in which the data point is recorded for the first time
A Accurate
Accurate data and records are free from errors, complete, truthful and
any editing is documented
+ Complete All data including repeat or reanalysis performed on the sample
+ Consistent
All elements of a study, such as the sequence of events, are dated or
time stamped in the expected sequence
+ Enduring
Data must be recorded on controlled worksheets, laboratory
notebooks or electronic media (no post-it, uncontrolled notebooks..)
+ Available Available / accessible for review / audit for the life time of the record
FDA draft guidance - ALCOA

2525
Question 1d: Static versus Dynamic Data
Static data are typically discrete values
such as temperature and pH that cannot
be interpreted or as the guidance
mentions a paper printout or image
Dynamic data require human
interpretation or processing, such as with
chromatography or process trend data
files. These types of data are of major
concern to the FDA and other regulators
for manipulating data and testing to pass

2626
Questions 4 and 5: within a computerized system persons must
be uniquely identified and their actions tracked and audit trailed:
• Shared log-on accounts are not allowed
• Admin privileges must be separate from those involved
with generating, processing, and reviewing data
• A list of authorized individuals with their access privileges
should be maintained and cover both current and historical
users of a system

2727
• §211.180(d), ….paper printouts are not the
original records or true copies of the underlying
e-records
• §211.68(b), ……paper is not a complete and
exact copy of the electronic records as the
latter contain more information than printouts.
Question 10: paper printout (static format) should not be the
only record because it may only display part of the original
record (dynamic format); electronic records and not paper
should be the raw data
Print-out
Raw data

2828
Questions 12 and 2: cGMP Records and GMP Data exclusion
• “When generated to satisfy a CGMP requirement, all data
become a CGMP record. You must document, or save, the
data at the time of performance….”
• Records should be sent to long-term storage as soon as they are
generated
• Electronic data that are automatically saved into temporary memory
could be manipulated, before creating a permanent record
• Data (paper, hybrid, or electronic) if provided with scientific rationale,
can only be excluded, not deleted [§211.194(a)]

2929
• The MHRA expects a so-called "data governance system” to
be developed and run in order to give an acceptable state of
control based on the data integrity risk
• Data governance is expected to utilize the principles of ICH Q9
when applying controls
MHRA draft guidance - Highlights
• MHRA guidance supplements the GMP
expectations in Eudralex Vol. 4 and it is
applicable to both electronic and
manually recorded data

3030
• Provide system Design examples to ensure data integrity, e.g.:
• Systems clocks: need to be secured and synchronized for recording
timed events
• Data capture: Automated capture or printers attached to equipment
are preferable
• Data changes: User access rights that prevent (or audit trail)
unauthorized data amendments
• Guidance includes this statement, “... it is expected that GMP
facilities should upgrade to an audit trailed system by the end
of 2017”
MHRA draft guidance - Highlights

3131
PIC/S draft guidance - Highlights
• The document provides guidance for
inspectorates in the interpretation of
GMP/GDP requirements in relation to
data integrity and the conduct of
inspections
• An effective data governance system will demonstrate
Management’s understanding and commitment to effective
data governance practices
• The document focuses on specific DI considerations for paper-
based and computerized systems, including the potential risk
of not meeting expectations

3232
Data Review is one of the critical areas of Data Integrity
• Risk Assessment is deemed to identify the GMP/GDP relevant
electronic data generated by computerized systems; identifying
critical data and changing these (data audit-trail) should be part of the
routine data review within the approval process
• “The frequency, roles and responsibilities of audit trails review should
be based on a risk assessment … for changes of electronic data that
can have a direct impact on the quality of the medicinal products, it
would be expected to review at each and every time the data is
generated.”
PIC/S draft guidance - Highlights

3333
Context: data generated by the system are used to support GMP
processes
 The reliability of data generated by the system (DI) could be
determined with the following activities:
• Identifying the data generated by the system during critical processes
(data flow diagram)
• Defining the DI requirements (e.g. ALCOA data attributes) during the
lifecycle of data
• Identifying the risks and mitigation strategies (e.g. technical or
procedural controls) to avoid DI breaches
Computer System Validation
eRecords Integrity, a practical example

3434
• Computer System, server-client architecture
Ensuring eRecords Integrity, a practical example

3535
Audited events
Users
· Login
· Login failure
· Create users
· Password change
Application (Program)
· Launch
· Termination
· Preferences
· Site Options
Setup
· Creation
· Modification
· Download
Calibration
· Start
· Terminate
· Copy
Study
· Start
· End
· Copy
6 AUDIT
Data Location
Business Process/Data flow
Create Setup
Save Setup
Load Setup
Save calibration file (PC)
Load/Save Setup
Save Qualification Study
Load Setup
Save Calibration
Operations not managed by the application
Verify Instrument
Configuration
Verify Instrument
and Modules'
Calibration
Defining
Qualification
Activity
Calibration of TCs
Execute
Qualification activity
Calibration
Verification of TC-s
Reporting
1 SETUP
1 SETUP
1 SETUP
3 QUALS
1 SETUP
1 SETUP
2 CAL
4 REPT
2 CAL
Access
Granted?
Windows
Login
Authorization
Stop
Start
Windows
Active Directory
Application
Login
Authorization
database
response
database
query
Application network
User Database
Yes
No
Access
Granted?
Stop
Start Application
Operations
Yes
No
database
response
database
query
Application Security

3636
• DI requirements should comply with ALCOA attributes:
ALCOA - URSs
ATTRIBUTABLE: Defining Source data and who performed an action on it
req.: The source of data must be identified and traceable to data
req.: Data generated must be traceable to users
req.: Access to data must be granted to authorized people
 data are traceable to users; study data traceable to system/instrument
LEGIBLE: Permanent recording of information and Access to easy reading any time
req.: Data must be recorded permanently in a durable medium
req.: Data must be recorded in a human readable format and readily available
 data are recorded in a central database on network server (permanent record); authorized
people can always access and read data; same for archived data following restore
Ensuring data integrity, a practical example

3737
ALCOA - URSs
CONTEMPORANEOUS: Recording the date & time when work is performed
req.: Data must include the date and the time of its generation
req.: System date and time must be reliable and locked for changes
 Records are generated in contemporaneous when activity is conducted; system date and time
is sync with a reliable source and associated to records
ORIGINAL: Justifying if the information / data is a true copy
req.: Original data must be the original record or a true copy
req.: Changes to data (e.g. reprocessing) must be recorded by the system audit trail
 Data captured are true copies of data generated by instruments; modification to data is
audit trailed
Ensuring data integrity, a practical example

3838
ALCOA - URSs
ACCURATE: Is the data accurate, with no errors or editing
req.: Process and equipment must be validated
req.: Data, including audit-trails must be reviewed
req.: Accuracy of data transfer/migration to a new system must be verified
req.: Data backup and archive must be verified
req.: Data, including failed test runs shall not be deleted
 (SOPs) Audit-trail is reviewed before system release ; Back-up is periodically tested ;
data cannot be deleted and all data of a study are stored in same folder (application)
Ensuring data Integrity, a practical example

3939
Data Risk Assessment
• The hazards for each eRecord
should be assessed and, if required,
mitigation actions (procedural
and/or technical) defined
• Risk assessment has to consider all
steps of the data lifecycle
Data lifecycle Create
Process
and
Use
Report
and
Archive
Discard

4040
• Understand regulatory requirements, inspectional concerns
and approach
• Create awareness of data integrity among all personnel so
they can report concerns and contribute optimizing the
implementation processes
• Integrate Data Management Into Your Quality System
• Perform Gap Analysis for GxP Computer Systems, e.g. during
revalidation
Ensuring Data Integrity and
Successful Regulatory Inspections

4141
• Train internal auditors to understand what to look for
• Include data integrity verification activities into internal audit
• Seek external support to enhance your internal investigation
program
• Share knowledge and experiences with other companies
• If not clearly documented, create an overview document
that outlines company understanding and approach to Data
Quality Management
Ensuring Data Integrity and
Successful Regulatory Inspections

4242
Conclusion - how Data Integrity
breaches can be avoided
DATA
RELIABILITY
Procedural
Controls
Technical
Controls
Organizational
Quality Culture

4343
 Education on data integrity
requirements
 Knowledge sharing, Training
and Personnel Development
 Quality Management and Issue
Escalation
 Internal Audits/self-inspections
 Continuous Improvement
 Enforcement of Standard
Procedures for:
• Access management
• Computerized system compliance
• Minimize Operational Errors
• Minimize manual interventions
• Ensure segregation of duties
• Designate independent reviewers
of data/results
• Guide how to handle data error
• Ensure proper system Design and
Configuration
 Security Access, Audit trail, Data
storage, Back-up, Retrieval
 Integrate multiple processes (increase
use of direct interfaces)
 Build-in checks (check input entries,
use drop-down lists)
 Automate data capture
 Centralize the source of data used
across multiple systems
 Adopt and use industry standards and
processes
Organizational
Quality Culture
Procedural
Controls
Technical Controls

4444
• Implementing an effective framework of procedural controls
supported by an adequate technology should minimize
genuine human error and ultimately reduce opportunities for
deliberate falsification
• Corporate leadership instead should provide the paradigm for
the success and sustainability of data integrity

4646
Thank you
Thank You
• Angelo Rossi
• +32 484 964 908
• angelo.rossi@outlook.com
• www.pauwelsconsulting.com

Data Integrity in a GxP-regulated Environment - Pauwels Consulting Academy

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Data Integrity in a GxP-regulated Environment - Pauwels Consulting Academy (20)

Recently uploaded (20)

Data Integrity in a GxP-regulated Environment - Pauwels Consulting Academy

Editor's Notes