Data integrity is currently one of the hottest topics in GMP compliance and regulatory inspectors are committed to ensure pharmaceutical companies comply with regulatory requirements (as seen in Figure 1). Furthermore and most importantly, data integrity compliance is for the sake of the patients. Data integrity compliance and thereby trustworthy, accurate and complete data are necessary for assuring the safety, efficacy and quality of medicines and medical devices. In the pharmaceutical industry, a lot of emphasis has been put into control strategies within multiple areas: process validation, equipment qualification, production process control, and analytical strategies often applying a wide array of analytical methods. The concept is not widely applied for data integrity controls, but is a valuable tool that forces you to address focal points of data integrity compliance.
Figure 1 – Number of warning letters (FDA) and non-compliance reports (EMA) between 2010 and 2016. This graphic demonstratesthe regulatory authorities’ increasing focus on data integrity
What is a Data Integrity Control Strategy?
A Control Strategy is an overview of key attributes within a certain domain area. Within the scope of this article, the focus is on data integrity. The main objective of a data integrity control strategy is to outline the level of controls (and the measures utilized in order to ensure control) for key data integrity requirements: Attributable, Legible, Contemporaneous, Original and Accurate (ALCOA).
Furthermore in this context, in order to create a value-added data integrity control strategy, the following key elements have been identified:
- Defining (limiting) scope
- Ensuring management oversight
- Evaluating current training level
- Map data flows
- Assess current data flows and systems
- Future initiatives
Defining (limiting) Scope
Defining what must be in scope for the strategy is one of the most important elements to get right to ensure a) time and effort is invested correctly by your organization, and b) a quality, consistent approach to all data integrity controls are in place. The scope can be defined by identifying which systems – and within which areas – are subject to both 21 CFR Part 11 requirements, and also EU GMP Annex 11 requirements. This can be done via the aid of a decision-tree as the one shown in Figure 2.
What’s equally important is being clear about what should not be in scope to avoid any ambiguity. One must look at their respective data generating processes (both laboratory and production) and avoid being distracted by administrative IT systems. This is essential as the focus must be on critical systems handling product quality or patient safety relevant GMP-data.
Figure 2 – System evaluation decision tree
Ensure Management Oversight
According to Annex 5, Section 4.6 of the World Health Organization’s (WHO) Guidance on Good Data and Record Management Practices, the document states, "To establish a robust and sustainable good data management system it is important that senior management ensure that appropriate data management governance programmes are in place" (1).
Elements which consist of effective management governance include, but are not limited to:
- Application of modern Quality Risk Management(QRM) principles and good data management principles that assure the validity, completeness and reliability of data
- Allocation of adequate human and technical resources such that the workload, work hours and pressures on those responsible for data generation and record keeping do not increase errors
- Ensure staff is aware of the importance of their role in ensuring data integrity and the relationship of these activities to assuring product quality and protecting patient safety
Evaluating Current Training Level
In general it is highly advantageous to automate processes as much as possible through technical controls to ensure that data integrity compliance gaps are not created and that manual verifications are not needed. Not all systems can be automated and even if they could beit is still highly important to create a data integrity 'mind-set' within your organization for personnel working under GMP requirements. The data integrity control strategy should identify if there is a gap with the current level of training provided and also state a clear plan for ensuring personnel are trained and refreshed.
Specific training should be given to critical personnel (GMP auditors performing internal and external audits) to help them identify data integrity issues also in alignment with current guidance documents from WHO, FDA, PICS and EMA (2 – 5).
Mapping and Assessment of Data Flows and Systems – An Assessment of the Current Level of Control
The core ofthe data integrity control strategy is the assessment of the current level of control(s) for each system in scope. A good approach is to take a dialogue in a workshop setting with the right personnel involved. This could be the system owner, process owner, QA representative, and data integrity expert.
- Begin by drawing a simple data flow of the equipment (as seen by Figure 3). This allows anyone at a glance to quickly grasp at a high level the system and its high level components. This data flow can also be expanded to include additional supplementary information as deemed useful to the understanding of the flow, such as the equipment PC operating system version. The database type and version, and so on.
Figure 3 – Simple data flow
- The next step is to carry out an assessment against the ALCOA requirements. What this means in practice is that you take each requirement and discuss if there are any data integrity gaps and then discuss potential control measures, which can be put in place and also to evaluate if the current control measures in place is sufficient. Table 1 below shows a sample assessment
|Data Integrity Requirement||Requirement Description||Data Integrity Control||References|
|Attributable||The data is attributable to the person who created/edited it||
PQ – Application software makes use of an access control list that documents all users, revocation dates and assigned privileges
OQ – Audit trail ensures all data generated is attributable to individuals
|OQ & PQ Documentation|
|Legible||All data will be readable throughout its long-term retention period||
PQ - Ensure a validated backup of electronic records to ensure disaster recovery
PQ – Validated archival of electronic records in secure and controlled electronic archives
|PQ and associated plan(s) documented|
|Contemporaneous||The data was created at the time it was observed||
OQ – Secure system time/date stamps that cannot be altered by personnel
Availability of the system to the user at the time of activity
|Original||The data is the original data or a verified true copy hereof||
OQ – Raw data is write-protected for standard users
OQ – All actions are recorded by audit trail
|Accurate||All data accurately represents what was observed||
PQ – Data generation according to validated methods.
Review of data and audit trail described in analytical procedures
|PQ and associated review documentation|
Table 1 – ALCOA assessment and Data Integrity controls
A strategy by definition is about reaching a 'desired future,' and a good way is to be explicit in what a desired future looks like. This should include a plan of what your organization must focus within the short term (1-3) years as well as the long term (5+ years).
Such examples could be that within the short term manual controls will be replaced with technical controls that can be validated and automated. Long term initiatives could reflect infrastructure changes, simplification and consolidation activities to go above and beyond todays current minimum requirements.
The term cGMP relates to current GMP. The term should also be applied when dealing with data integrity in that we should strive to be best in class and adapt to our technological changes for the benefit of our patients.
Aryan Adam Tabaie
Philip Væring Petersen