Each year, regulatory agencies from around the world focus on critical aspects of the pharmaceutical quality management system, bringing awareness to the industry and continuing to effect positive change. In the past five years, risk assessments, electronic records, and outsourced activities have been in the spotlight. As 2015 closed out, it was clearly the year of data integrity.
In March 2015, the UK’s Medicines and Healthcare Products Regulatory Agency (MHRA) published its GMP Data Integrity Definitions and Guidance for Industry, stating, “Data integrity is fundamental in a pharmaceutical quality system, which ensures that medicines are of the required quality” (1). This fundamental concept should not be taken lightly because consequences can be severe, but it can often be a challenge for organizations to successfully implement.
Here I outline basic expectations surrounding data integrity and the strategic, multitiered approach an organization can implement to ensure that its processes achieve the required quality. The focus is on training and awareness, system design and control, and data management practices.
Breaking Down Data
It is important to establish first that data integrity is not restricted to
electronic data; the requirements apply regardless of whether data are paper-based (manual) or generated within an electronic system. The need for proper controls cannot be removed by simply reverting to paper-based systems. It is also important to establish basic terminology. Data is defined as information derived or obtained from raw data (e.g., reported analytical results). Metadata are data that describe the attributes of other information and that provide context and meaning. Typically, they describe the structure, elements, interrelationships, and other characteristics of data.
For the purposes of this article, I define organizational controls as procedures and technical controls that a computer system accesses. The data life cycle comprises all phases in the life of data, from initial generations and recording through processing, archiving, and destruction.
Digging Deeper into Data integrity Failures
When examining the requirements for integrity, good manufacturing practice (GMP) facilities must exercise discretion when implementing both organizational and technical controls. The level of controls put in place should correspond with the criticality of the data being generated. That helps a company determine whether the level of controls and quality of data affect product quality as well as the complexity of the system or process being used.
The MHRA is very clear in its expectations that data meet all of the following criteria: be attributable to the person generating the data, be legible and permanent, be contemporaneous, be the original record (or “true copy”), and be accurate. These attributes are key to establishing trustworthy data that have not been tampered with or manipulated.
Simple enough? Not quite. Another common industry misunderstanding is that deliberate acts of fraud, falsification, and/or providing incorrect information are the only causes of data integrity failures. Certainly these are the most obvious root causes, but data integrity breaches are even more difficult to identify — and equally as harmful — if they are due to an incorrect system configuration or poor system controls. Failure with respect to data integrity has resulted in a number of agency actions, including FDA warning letters, import bans from Health Canada, and revocation of GMP Certificates from the European Medicines Agency (EMA) and the Australian Therapeutic Goods Administration (TGA).
Once data integrity definitions, expectations, and consequences of failure are clearly defined, the next critical task is to understand the process steps for ensuring data integrity.
GMP-compliant facilities and analytical laboratories must ensure that a culture of quality exists with accountability at the forefront. Operational, quality, and manufacturing staff must know about and understand their responsibilities for data integrity and be comfortable and confident that they can resolve concerns before they become significant issues. A culture in which individuals are empowered to report issues and recognize opportunities for improvements must be established at the senior leadership levels of an organization. A culture of fear will lead only to potential data integrity manipulations and failures.
Training is a cornerstone of GMP activities, and when it comes to data integrity, the same holds true. Having the right level of organizational controls in place is critical, but training on related procedures is essential for ensuring that data integrity practices are appropriately followed. Internal quality auditors need to be well-versed in detecting data integrity deficiencies, and data verification activities need to be part of every audit process. Manufacturing personnel and/or technical laboratory staff must also have a complete understanding and appreciation for the procedures and policies that govern and secure data integrity when conducting their daily responsibilities. Deviations do occur, and no facility is event-free; however, if everyone is trained appropriately and data integrity procedures are reinforced throughout an organization, the likelihood of product impact can be minimized significantly.
Technical controls can significantly reduce the possibility of human error when it comes to data integrity. The manner in which data are to be generated will dictate the level of risk. Paper-based manual observations usually provide more visibility to potential data integrity risks than does a configurable complex computerbased system. Manual recordings can nevertheless present opportunities for failure; therefore, all data must be recorded in real time, directly onto the GMP record. These records also must be controlled by issuance and reconciliation procedures for workbooks, batch records, and notebooks.
Laboratory equipment and systems must be configured to data generated by employees, the original data (source data), and any changes to the data and reasons for such changes. This can be accomplished by following a few simple guidelines:
- Audit trails must be enabled on systems.
- System-administrator access must be limited to a few distinct individuals. Determining the number of administrators should take into account the size and nature of a given organization.
- Laboratory personnel must not have access to delete, overwrite, copy, alter, or in any other way manipulate data.
- Each employee must have a unique ID and accompanying password for the system.
- The software must comply with CFR Part 11 and/or the European Union’s Annex 11 (2, 3).
Protecting the Data Life Cycle
Given the increased attention to data integrity by worldwide regulatory bodies, it is imperative for GMP organizations to establish robust and sound programs to protect their data life cycle. Failure in just one area of that life cycle will compromise data integrity for all other areas. When a culture of quality and accountability is present, a robust training program is being used, and organizational and technical controls are in place, the preservation of the data life cycle will be a success.
1 Medicines and Healthcare Products Regulatory Agency. GMP Data Integrity Definitions and Guidance for Industry, March 2015; www.gov.uk/government/uploads/ system/uploads/attachment_data/file/412735/Data_integrity_definitions_and_guidance_v2.pdf.
2 US Food and Drug Administration. 21 CFR Part 11, Electronic Records; Electronic Signatures — Scope and Application; www.fda.gov/RegulatoryInformation/Guidances/ ucm125067.htm.
3 EudraLex. Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use; http://ec.europa.eu/health/files/eudralex/vol-4/2009_06_annex13.pdf.
Doug Chambers is senior director, quality, for Global Biologics at BioReliance, firstname.lastname@example.org.