Data integrity is achievable when data collection is complete, consistent, and accurate (1). Failure to maintain data integrity compromises a company’s ability to demonstrate the safety and efficacy of its products. Escalation of serious regulatory actions related to data integrity violations has prompted the need to assess data integrity compliance and implement systems designed to guarantee it. Comprehensive measures must be taken to ensure that data are attributable, legible, contemporaneous, original, and accurate (ALCOA) (2). Preventive measures need to be implemented to ensure that validity, accessibility, and integrity of data are maintained throughout a defined retention period. Automated system controls aimed at data integrity assurance include written procedures, system validations, change control, system security (physical and logical), electronic signatures, and audit trails, as well as data archive, backup, and retrieval. Incorporation of those basic automated measures into a quality system allows for enhanced confidence in the trustworthiness of data.
Data Integrity Violations
On-going escalation of serious regulatory actions related to data integrity violations has prompted the bioprocessing industry to take a close look at its systems (both paper-based and automated) to strengthen internal controls and oversight of data integrity. In 2016, the US Food and Drug Administration (FDA) issued a higher percentage of warning letters for data integrity violations than ever before. Of those warning letters, the agency cited unofficial testing and falsification of data more than any other category of data integrity violations (62%) (Figure 1). That category includes (but is not limited to) unofficially performing pretests, deleting data, aborting tests, adjusting acceptance criteria, and falsifying test results.
User role violations accounted for 19% of warning letters related to data integrity. Examples of such violations include using a generic user login, sharing passwords, modifying time or date stamps, and deleting audit trails. Falsification of manufacturing documentation occurred 12% of the time and often related to recording data after the fact, falsifying manufacturing data, inadequately verifying activities, and transcribing and discarding original data. Three percent of the overall data integrity violations related to manufacturers not having alternative means for tracing data generated on computer systems that did not comply with 21 CFR Part 11. Process validation violations made up 3%, occurring when manufacturers made changes to a manufacturing process without performing a revalidation. That could have led to a loss of manufacturing process control (3–19).
Ensuring Data Integrity
A common misconception is that lacking data integrity is attributed only to fraud or falsification. Many contributing factors can compromise assurance of data accuracy, truthfulness, and/or completeness. Such factors can be intentional (e.g., fraud) or unintentional (e.g., transcription errors or omissions). Risks in data integrity can occur when manufacturers do not take steps to confirm data accuracy or completeness or when they assume quality systems are robust.
A high-quality working environment begins with management. Managers should create a culture in which employees take pride in their contributions to their company. Managers must ensure that their companies provide all employees, managers, supervisors, analysts, and operators with the tools, know-how, and authority needed to detect and report data integrity breaches routinely. Management is responsible for instituting policies, procedures, and controls to prevent data integrity risks.
Selected preventative measures detailed below can be implemented throughout different key quality systems to comply with global data integrity regulations (20–29). These steps can be taken to ensure data integrity, including quality metrics, process validation, and corrective and preventative actions (CAPA).
Quality metrics are objective measures used to monitor the overall state of quality at manufacturing sites. They include measures to assess effective functioning of quality system controls as well as product performance, quality, and safety. The US Food and Drug Administration (FDA) Guidance for Industry: Request for Quality Metrics was developed to decrease surveillance inspection frequency for certain manufacturers (30).
The goal of the proposed program (which has yet to be implemented) is for companies with highly controlled manufacturing processes to be inspected less often than similar companies that have data demonstrating uncontrolled processes. The FDA is considering requesting the following data by product and manufacturer: effectiveness of the CAPA system, critical investigation rate, batch-failure rate, confirmed out-of-specification (OOS) rate, and rightthe-first-time rate. That data would be used to calculate four key metrics: lot acceptance rate, product quality complaint rate, invalidated OOS rate, and annual product review on-time rate. Incorporating those metrics into a company’s quality review can establish confidence in data accuracy and product quality.
Process Validation: All manufacturing processes should be validated using a lifecycle approach (28, 29). Modifications or changes to validated processes or computer systems should be subject to change management. Processes that are not validated and operating outside a state of control can compromise data if a manufacturer is under pressure to release its products.
One of the most important quality system elements is a CAPA system. It is used to collect and analyze information, identify and investigate quality problems, and take appropriate and effective corrective and/or preventive actions. Manufacturers must verify or validate CAPAs, communicate CAPA activities to responsible people, present CAPAs for management review, and document all such activities. A solid CAPA system is essential to dealing with product and quality problems, preventing their recurrence, and ensuring the manufacture of safe and effective products. Properly correcting issues and preventing them from reoccurring sets a foundation in which products are less likely to fail testing. Manufacturing high-quality products eliminates the pressure on employees to make data pass. Effectively, monitoring all data sources to detect and correct root cause minimizes the potential for recurrence of data integrity lapses.
Preparing for Health Authority Inspections
Health authority inspections play an important role in ensuring the high quality of manufactured products. Authorities review process data and other data reported by biomanufacturers. Thus, data security has become an increased focus during these inspections. To prepare for an inspection, establish a list of all computer systems used. They should be identified as automated production systems, laboratory systems, or software used for calculating and reporting quality attributes of manufacturing materials or products. Clarify whether computer systems are networked or stand-alone.
For automated production systems and software, list the dates they were last qualified for their intended use and the date of the last process validation for processes supported by each automated production system and/or software. For laboratory computer systems, list the dates they were last qualified for their intended use and when the analytical methods were validated. If a computer system has had any modifications, updates, or patches, a risk assessment should be performed to determine the potential need for a requalification and/or revalidation.
A list of the names and titles of all users and administrators, including rights for all computer systems, should be readily available. Users are people performing operations or analyses. Each one must have a unique user identification (ID), and all actions performed by users on computer systems should be recorded in audit trials that cannot be altered. Administrator rights include creating and managing user roles, database amendments or system configuration changes, and data archives and backup. Administrator rights should not be assigned to individuals with direct interest in data.
For companies using electronic signatures, the procedure for obtaining them must include formal verification of the identification of a person issuing an electronic signature. When applying an electronic signature, a two-level method of security (user ID and password) is required. Passwords should be changed periodically. Methods of securing computers (log out, screen lock) should be defined procedurally to prevent unauthorized use of electronic signatures (31).
During health authority inspections, companies should be prepared to discuss what types of data are produced by their computer systems (dynamic and/or static) and the lifecycle of those data (creating, processing, reviewing, reporting, and retaining). Dynamic data allow for interactions between users and content. For computer systems that produce dynamic data, a procedure must exist for archiving (permanent retention of complete data set and metadata), backup (retention of a copy of data, metadata, and configuration settings in case of a catastrophic event), and data retrieval. Controls should be in place that prohibit the generation, processing, and deletion of data in temporary memory.
Computer systems that produce static data must be qualified and calibrated, and they must have scheduled, periodic preventative maintenance regularly performed. Static data reside in a fixed document such as a paper printout or electronic image. Static data can be in an original record (e.g., print-out from a balance or pH meter) or in a true copy (an exact verified copy of the original data). Biomanufacturers should record all associated metadata with static data. Metadata could consist of product, batch number, analysis performed, date and time, and analyst identification. Time and date stamps should be locked from user modification.
When appropriate, contemporaneous data reporting and verification are essential for the integrity of data produced during manufacturing. Data must be documented contemporaneously and should not be transcribed at a later time.
Even though facility security is an important factor in the assurance of product quality, it is often overlooked with respect to data integrity. Secured areas with limited access generate important data that should be reviewed as part of deviation investigations and system failures. Facilities should be accessed only by people with secured identifications that can be stamped with time and date and fully traceable to specific employees who are allowed access.
Training: Personnel must be trained to review electronically derived data, including how to detect data integrity issues. Training should include a process by which employees can escalate suspected data integrity issues that can affect the safety, identity, strength, or purity of drug products for quality impact. Trained personnel are responsible for the performance of routine self audits of data produced by biomanufacturers. A positive, high-quality culture incorporates employee knowledge through training and involvement in data integrity evaluations and encourages escalation of data integrity issues and concerns.
CGMP Data Systems
For all computer systems supporting good manufacturing practice (GMP) activities, procedures must to be in place that define the review of a complete data set before data approval. System audit trail reviews should be defined procedurally and performed periodically based on risk. Such procedures should detail actions to be taken if a review identifies an error or omission.
Biomanufacturers should put procedures in place that define alternative means to ensure data integrity (e.g., processes to create an audit trail) for computer systems lacking a computer-generated audit trail. This procedure could consist of using a log book to document all analyses performed on an instrument, including metadata. Each entry should be verified contemporaneously by a second person, and log books should be reviewed for data approval and reviewed periodically based on risk.
Another procedure should be established for archiving, backup, and recovery of original data, including metadata. This procedure must be validated and periodically assessed, and it must include a contingency and disaster recovery plan. Figure 2 shows the process by which data generated should be backed up and archived.
For retired computerized systems, biomanufacturers should define procedures by which to review original data and associated metadata on compatible replacement systems. If data from a retired system are incompatible with a replacement system and those data support products within expiry or submission of marketed products, then technological steps must be taken to capture the data.
The Cloud: Companies can improve their data security by moving to cloud technology. Cloud computing can be seen as a way to outsource information technology (IT) infrastructure and operations to a third party. Cloud computing can reduce IT operational costs significantly. Although operations are outsourced, responsibility and accountability for GMP compliance remain with the owner of cloud-stored data. Cloud computing systems must be validated to ensure consistent performance and confirm security of stored and managed data. Cloud suppliers must be regularly audited to confirm that services are being performed in a validated and secured way.
Ensuring Data Integrity
Preventive measures can be put into place to ensure data validity and integrity. Incorporation of the measures delineated here supports ALCOA of data throughout the lifecycle of that data. Companies must establish a strong quality culture and comprehensive oversight practices to prevent, detect, and remediate data integrity issues. Measures can be taken to ensure data integrity, thus ensuring the production of safe and effective products.
1 IEEE Standards Collection, Software Engineering, Institute of Electrical and Electronic Engineers Inc.: New York, New York, 1994.
2 Woollen SW. Data Quality and the Origin of ALCOA. Newsletter of the Southern Regional Chapter Society of Quality Assurance. Summer, 2010.
3 FDA Warning Letter: Ipca Laboratories, Mumbai, India, 29 January 2016.
4 FDA Warning Letter: Emcure Pharmaceuticals Ltd., Maharashtra, India, 3 March 2016.
5 FDA Warning Letter: Sri Krishna Pharmaceuticals Ltd., Hyderabad, India, 1 April 2016.
6 FDA Warning Letter: Polydrug Laboratories Pvt. Ltd., Mumbai, India, 14 April 2016.
7 FDA Warning Letter: Tai Heng Industry Co. Ltd., Shanghai, China, 12 May 2016.
8 FDA Warning Letter: Megafine Pharma Ltd., Nashik, India, 19 May 2016.
9 FDA Warning Letter: Shanghai Desano Chemical Pharmaceutical Co. Ltd., Shanghai, China, 16 June 2016.
10 FDA Warning Letter: Chongquing Lummy Pharmaceutical Co. Ltd., Chongqing, China, 21 June 2016.
11 FDA Warning Letter: Zhejiang Medicine Co. Ltd. Xinchang Pharmaceutical Factory, Zhejiang, China, 4 August 2016.
12 FDA Warning Letter: Pan Drugs Limited, Vandora, India, 25 August 2016.
13 FDA Warning Letter: Hebei Yuxing Bio-Engineering Cr. Ltd., Hebei, China, 6 September 2016.
14 FDA Warning Letter: Teva Pharmaceuticals Works Pvt. Ltd., Godollo, Hungary, 13 October 2016.
15 FDA Warning Letter: Interpharm Praha AS, Modrany, Czech Republic, 18 October 2016.
16 FDA Warning Letter: Beijing Taiyang Pharmaceutical Industry Co., Ltd., Beijing, China, 19 October 2016.
17 FDA Warning Letter: Srikem Laboratories Pvt. Ltd., Navi Mumbai, India, 8 November 2016.
18 FDA Warning Letter: Sekisui Medical Co., Ltd., Iwate, Japan, 8 November 2016.
19 FDA Warning Letter: Wockhardt Limited, Gujarat, India, 23 December 2016.
20 Draft Guidance for Industry: Data Integrity and Compliance with CGMP. US Food and Drug Administration: Silver Spring, MD, April 2016.
21 Draft Guidance on Good Data and Record Management. World Health Organization: Geneva, September 2015.
22 Guidance on Good Data and Record Management Practices: Technical Report Series No 996, Annex 5. World Health Organization: Geneva, Switzerland, 2016.
23 Draft GxP Data Integrity Definitions and Guidance for Industry. Medicines and Healthcare products Regulatory Agency: London, March 2018.
24 The Rules Governing Medicinal Products in the European Union, Volume 4: Good Manufacturing Practice, Medicinal for Human and Veterinary Use — Annex 11: Computerized Systems. European Commission: Brussels, 2011.
25 Draft Guidance Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments. Pharmaceutical Inspection Cooperation Scheme (PIC/S): Geneva, 2018.
26 ISPE GAMP 5 A Risk-Based Approach to Compliant GxP Computerized Systems, 2008.
27 FDA, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, January 2002.
28 FDA, Guidance for Industry, Process Validation: General Principles and Practices, January 2011.
29 The Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice, Medicinal for Human and Veterinary Use, Annex 15: Qualification and Validation. European Commision: Brussels, Belgium, 6 February 2014.
30 Draft Guidance for Industry: Submission of Quality Metrics Data. US Food and Drug Administration: Silver Spring, MD, November 2016.
31 Guidance for Industry, Part 11, Electronic Records; Electronic Signatures-Scope and Application. US Food and Drug Administration: Silver Spring, MD, August 2003.
Kimberley Buytaert-Hoefen, PhD, is principal consultant at PAREXEL International, 195 West Street, Waltham, MA 02451; 1-720-417-6091; kimberley.buytaert-hoefen@PAREXEL.com; www.PAREXEL.com.