Data integrity is a major concern in the regulated pharmaceutical industry due to discovery of either poor record management practices or falsification of data. This has resulted in numerous FDA warning letters as well as guidance for data integrity issued by regulatory agencies such as MHRA, WHO, FDA and PIC/S [1-7], industry associations [8-10] and others [11, 12].
To find out the current data integrity issues, I asked three people - two consultants and a GMP inspector - what their three top data integrity issues were. These concerns are shown in Table 1 and as you can see they appear to be different – but how different? To understand how these apparently different answers are linked we have to start at the top, with management.
Who? | Three Top Data Integrity Issues |
Chris Burgess, Consultant | 1. Leadership – senior management who don’t learn or facilitate data integrity 2. Management who don’t support and promote data integrity in an organisation 3. People lacking technical knowledge and regulatory understanding to perform the job adequately |
Karl-Heinz Menges, GMP Inspector | 1. Blurring the line between "normal" errors and criminal activity 2. Exaggerated requirements for data reprocessing without an idea of how to "freeze" data after release in order to prevent subsequent changes 3. Establishment of an overflowing administration / bureaucracy without contributing to product quality and/or data quality
|
Yves Samson, Consultant | 1. Lack of process and product knowledge 2. Data completeness 3. Cybersecurity
|
Table 1: Key Concerns in Data Integrity
Role of Senior Management in Data IntegritySenior management are responsible and accountable for the pharmaceutical quality system in a company and the interpretation of the applicable good practice (GXP) regulations. Management lead, others follow. This is the foundation of data integrity and data governance as the requirements for data integrity are contained in the GXP regulations. To comply with the regulation requires data integrity and good documentation policies, procedures and training to be put in place coupled with an open culture where mistakes can be admitted that is reinforced by management [13]. The problem is that management often think of data integrity as an IT problem or just requiring cheap procedural controls when they should be taking a holistic approach to the problem.
Operational Impact
Without appropriate and effective data integrity training coupled with managerial backing, the following issues become apparent when we come to the operational level with the processes and computerized systems used in drug testing:
• People lacking technical knowledge and regulatory understanding to perform the job adequately (as mentioned by: Burgess)
• Lack of process and product knowledge (Samson)
Data integrity requirements only can be consistently implemented if process owners are able to understand its impact on the product at both technical and regulatory levels. This knowledge is often missing in many pharmaceutical companies. For example, how robust are the analytical procedures, are the critical process parameters known and how are they controlled? How are data acquired and how are they interpreted? What control and review oversight is there of these two critical operations?
Without this knowledge many data integrity approaches are manifested as the following topic from Table 1:
• Lack of data completeness (Samson).
Although the requirement for complete data has been in the GMP regulations since 1978 [14], paper is often regarded as the final record and electronic records have been ignored. The guidance documents and FDA warning letters have made it clear that all records generated in an analysis – even when an instrument has failed mid run – must be part of the record set. It is imperative to define for each computerized system the complete record set including the measured data and the associated metadata from the start to the end of the analysis.
Then we have the processes for controlling the generation and processing of analytical data to ensure integrity that can often result in:
• Exaggerated requirements for data reprocessing without an idea of how to "freeze" data after release in order to prevent subsequent changes (Menges)
• Establishment of an overflowing administration / bureaucracy without contributing to product quality and/or data quality (Menges)
Often companies will establish very bureaucratic processes to ensure that data are processed correctly. This mainly relies on manual procedures but either they forget to implement them consistently, or the application used does not have the function to lock records and stop any further manipulation of data. If available, this would enable subsequent audit or inspection to view what has been performed from the start of the analysis to the generation of the reportable result. It would be much better if management decided to make the process electronic to save time and effort and improve overall business efficiency in the analytical laboratory.
Cybersecurity
One area that is not usually considered for data integrity is cybersecurity. However, if batch release data are not available to support product release it could result in an expensive recall. As the pharmaceutical industry makes extensive use of information technology (IT) it can become vulnerable to malware attacks. This was the situation with Merck and the NotPetya ransomware attack in 2017 that caused extensive shutdown of systems, data loss and cost the company over $600 million to resolve.
Great care needs to be taken with ensuring IT infrastructure and cybersecurity is robust and effective to ensure that there is no data loss. This is especially important with the trends generally to outsource IT services to third parties to run internal IT operations, use of Cloud computing and move to SaaS applications. This is a large subject spanning many levels e.g. IT infrastructure design and monitoring operations, selection of system, effective auditing of IT operations and supplier. However, it is critical to ensuring data integrity.
Error or Falsification?
The last issue in Table 1, “blurring the line between "normal" errors and criminal activity” is worthy of discussion. As most of the current data integrity issues are focused in the QC laboratory there are some examples of this:
• In the late 1990s a US facility of Elan Corporation was inspected and when reviewing the 24-hour dissolution testing of extended release formulations the inspector noticed there were a number of test failures due to “air bubbles” between the dissolution apparatus and the UV spectrometer. These all occurred at about 16 hours into the experiment – further investigation revealed all tests that failed would have resulted in out of specification (OOS) results. A warning letter resulted.
• Lupin Pharmaceuticals had a 2017 inspection that found over 90% of stability testing results were invalidated without a scientifically justified reason – most were put down to analyst error with subsequent retraining [15].
Instrument failures will occur, but they must not be used as a way of hiding OOS results. It is the responsibility of senior management to ensure that the policies, procedures and training are in place but also that the culture is open and that problems are investigated.
Summary
Asking three experts in data integrity to identify three of the key issues each resulted in apparently nine different issues. However, analysis of these identifies four main areas: responsibility of senior management for data integrity, ensuring compliant operations, cybersecurity and avoiding the descent into falsification and criminal activity.
References
1. MHRA GMP Data Integrity Definitions and Guidance for Industry 1st Edition. 2015, Medicines and Healthcare products Regulatory Agency, London.
2. MHRA GMP Data Integrity Definitions and Guidance for Industry 2nd Edition. 2015, Medicines and Healthcare products Regulatory Agency: London.
3. MHRA GXP Data Integrity Guidance and Definitions. 2018, Medicines and Healthcare products Regulatory Agency: London.
4. WHO Technical Report Series No.996 Annex 5 Guidance on Good Data and Records Management Practices. 2016, World Health Organisation: Geneva.
5. PIC/S PI-041 Draft Good Practices for Data Management and Integrity in Regulated GMP / GDP Environments. 2016, Pharnaceutical Inspection Convention / Pharmaceutical Inspection Co-Operation Scheme: Geneva.
6. EMA Questions and Answers: Good Manufacturing Practice: Data Integrity. 2016; Available from: http://www.ema.europa.eu/ema/index.jsp?curl=pages/regulation/general/gmp_q_a.jsp&mid=WC0b01ac058006e06c#section9.
7. Administration, F.a.D., FDA Guidance for Industry Data Integrity and Compliance With Drug CGMP Questions and Answers 2018, Food and Drug Administration: Silver Spring, MD.
8. GAMP Guide Records and Data integrity. 2017, Tampa, FL: International Society for Pharmaceutical Engineering.
9. GAMP Good Practice Guide: Data Integrity - Key Concepts. 2018, International Society for Pharmaceutical Engineering: Tampa, FL.
10. Technical Report 80: Data Integrity Management System for Pharmaceutical Laboratories. 2018, Parenteral Drug Association (PDA): Bethesda, MD.
11. S.Schmitt, Assuring Data Integrity for Life Sciences. 2016, River Grove, IL: DHI Publishing, LLC.
12. R.D.McDowall, Data Integrity and Data Governance: Practical Implementation in Regulated Laboratories. 2019, Cambridge: Royal Society of Chemistry.
13. ISPE Cultural Excellence Report. 2017, International Society of Pharmaceutical Engineering: Tampa, FL.
14. Part 211 - Current Good Manufacturing Practice for Finished Pharmaceuticals. Federal Register, 1978. 43(190): p. 45014 - 45089.
15. FDA 483 Observations: Lupin Limited. 2017, Food and Drug Administration: Silver Spring, MD.