The Latest Regulatory Guidance for Data Integrity and Regulatory Compliance
Owing to widespread data falsification and poor data management practices, data integrity and compliance with good manufacturing practice (GMP) regulations are currently a major topic in the pharmaceutical industry. To aid understanding of data integrity concerns, regulatory authorities such as the World Health Organization (WHO),3 the Medicines and Healthcare products Regulatory Agency (MHRA)5 and the US Food and Drug Administration (FDA)7 have issued guidance documents on the topic. In July 2021, the latest guidance document was released by the Pharmaceutical Inspection Co-operation Scheme (PIC/S), entitled Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments.1 This article gives an overview of the whole guidance document and reviews its specific requirements for computerized systems. It is an important document because it is written by inspectors for inspectors.
Figure 1: Structure of the final version of the PIC/S PI 041 Data Integrity Guidance.
What is PIC/S?
A word of explanation is needed about PIC/S. The organization is essentially a GMP inspectors' club of over 50 regulatory authorities, and its aim is to harmonize GMP regulations globally. A regulatory authority applies to join PIC/S and, after an assessment by the other members, is admitted if it meets the organization's criteria. PIC/S has its own GMP regulations, which are adopted by its members, e.g., EU member states, the UK, Australia and Japan; the exception is the FDA, which still uses 21 CFR 211.
In addition, PIC/S publishes regulatory guidance documents. One of these is PI-041 on data integrity. This guidance has had a long gestation: the first draft was issued in 2016, a further draft in 2018 for public comment, and the final version was released in July 2021.1
European Compliance Academy review of the 2018 draft guidance
Following the issue of the third draft of PI-041 for public comment, the European Compliance Academy (ECA) held a meeting in February 2019 in Berlin with 25 of its members to review the draft and submit comments to the PIC/S secretariat. Two of the ECA members were Wolfgang Schumacher, formerly of Roche, and Yves Samson of Kereon AG, a consulting company.
Wolfgang’s view of the new guidance document is:
“PIC/S 041 is the most comprehensive regulatory guidance on data integrity: it has been prepared by inspectors, with comments from industry. Compared to the FDA, MHRA, WHO and the various GAMP (Good Automated Manufacturing Practice) data integrity good practice documents, it provides a detailed ‘cookbook’ for the daily business, including all inspection risks if expectations are not met.”
“There is a big focus on the organizational and technical controls to be carried out in all areas of the QMS/PQS that deal with computerized systems together with the related data.”
“I like the document for its clarity, but I am aware that the implementation will cause lots of efforts in the industry.”
Yves’s comments are:
“An earlier PIC/S guidance PI-011 on Computerized Systems in GXP Environments clearly differentiates between inspector's expectation and recommendation (see PI-011-3 section 2.8).2 In contrast, PI-041 provides a lot of advice, sometimes very prescriptive, without clearly differentiating between prescription and recommendation. PI-041-1, at section 3.7, only mentions that ‘this guide is not mandatory or enforceable under law’. However, the guide content definitively raises a lot of ‘non-mandatory’ expectations from a regulator's side during an inspection.”
PIC/S PI-041: Good Practices for Data Management and Integrity
- Data governance within a pharmaceutical quality system
- Organization issues such as staff values, quality, ethics and conduct
- Considerations for paper records including the control of blank forms and master templates
- Considerations for computerized systems including hybrid systems
- Outsourcing and data integrity
- Regulatory actions
- Remediation of data integrity failures
Figure 2: Specific data integrity considerations for computerized systems (from PIC/S PI-041).
Not mandatory or enforceable under law?
Section 3.7 of PI-041 states that this guide is not mandatory or enforceable under law. The problem is that the guidance on computerized systems in Section 9 can be traced to mandatory requirements in EU GMP Annex 11;8 some examples are:
- Validation of computerized systems; Annex 11 principle and clause 4
- Inventory of computerized systems; Annex 11 clause 4.3
- Periodic evaluation; Annex 11 clause 11
- Data transfer; Annex 11 clause 5
- Audit trail; Annex 11 clause 9
Therefore, read this guidance with the knowledge and understanding of the applicable regulations.
Data integrity and compliance starts with system purchase
To avoid perpetuating the data integrity problem, it is essential that any new analytical instruments and computerized systems have adequate technical controls in the software to protect the electronic records. Clause 9.1.4 notes that laboratories must ensure that suppliers have an adequate understanding of regulations and data integrity requirements, and 9.3 item 1 states that attention should be paid to the proposed evaluation of data integrity controls.
The purchase of inadequate instruments is still a problem, as shown by Smith and McDowall, who analyzed over 100 FDA citations for infrared instruments.4 Over 40% of the citations were due to a lack of software controls that could have been identified before the instrument was purchased, e.g., no security, conflicts of interest and no audit trail. Although there is a regulatory expectation that one should not purchase inadequate systems, laboratories focus on the instrument rather than the software, so data integrity problems will be perpetuated.
Know and manage data vulnerabilities
The guidance is very clear, along with the WHO and MHRA guidances,3,5 that laboratories must know the criticality of data generated by any computerized system as well as any vulnerabilities. Data process mapping6 is suggested as a way of identifying these vulnerabilities e.g., shared user identities or data files stored in directories that can be deleted outside of the application with no audit trail entry. The regulatory expectation is that these vulnerabilities should be fixed using technical controls; although the guidance acknowledges that legacy systems may require procedural controls to ensure data integrity before these are updated or replaced. Clause 9.2.2 makes the point that a system may be qualified, calibrated and validated but there is no guarantee that the data contained within it are adequately protected. Hence the need to identify and mitigate any data vulnerabilities.
System security and access control
Section 9.5 of the guidance sets expectations for system security. Strict segregation of duties is essential so that administrators are independent of laboratory users; this is reflected in several other regulatory guidances. However, one of the common questions that arises during training is: if a laboratory has a standalone system with only a few users, how should this be achieved? The PIC/S guidance recognizes that this is a potential problem for smaller organizations and suggests that a compliant system could have just two user roles:
- An administrator with no user functions
- A user with no administrator functions
However, if this option is selected it is critical that the audit trail records the respective activities to demonstrate no conflict of interest has occurred.
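The vulnerabilities named above (shared user identities, files deleted outside the application with no audit trail entry) and the two-role model both come down to what an audit trail review can actually detect. The following script is an added example, not code from PIC/S PI-041 or from any vendor's data system: the key=value line format, the action names and the sample entries are assumptions constructed for illustration. It reads a small audit trail and reports three things a reviewer would want flagged: an account that performed both administrator and data functions (a conflict of interest under the two-role model), an account logged in on two workstations at once (a likely shared identity) and a data file that disappeared from disk without a matching DELETE entry (deletion outside the application).

```python
"""Audit trail review checks for a laboratory computerized system.

Added example, not code from PIC/S PI-041 or from any vendor's data system.
The line format, the action names and the sample entries are assumptions
constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample audit trail (assumed key=value format, one event per line).
AUDIT_TRAIL = [
    "2021-09-01T08:02:11 user=asmith host=CDS-01 action=LOGIN",
    "2021-09-01T08:15:40 user=asmith host=CDS-01 action=INTEGRATE sample=S-1001",
    "2021-09-01T08:20:03 user=lab host=CDS-02 action=LOGIN",
    "2021-09-01T08:21:00 user=lab host=CDS-03 action=LOGIN",
    "2021-09-01T09:00:00 user=jdoe host=CDS-01 action=LOGIN",
    "2021-09-01T09:05:12 user=jdoe host=CDS-01 action=CHANGE_USER_ROLE target=asmith",
    "2021-09-01T09:30:00 user=jdoe host=CDS-01 action=REPROCESS sample=S-1001",
    "2021-09-01T10:00:00 user=asmith host=CDS-01 action=DELETE file=S-1002.raw",
]

# Constructed directory listings of the data folder before and after the review period.
FILES_BEFORE = ["S-1001.raw", "S-1002.raw", "S-1003.raw"]
FILES_AFTER = ["S-1001.raw"]

# Assumed split of actions: administrator functions versus data functions.
ADMIN_ACTIONS = {"CREATE_USER", "CHANGE_USER_ROLE", "AUDIT_TRAIL_CONFIG"}
DATA_ACTIONS = {"INTEGRATE", "REPROCESS", "APPROVE", "DELETE"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) action=(?P<action>\S+)"
    r"(?: (?P<rest>.*))?$"
)


def parse(lines):
    """Parse audit trail lines into dicts; a malformed line is an error, not skipped."""
    events = []
    for line in lines:
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable audit trail line: {line!r}")
        event = match.groupdict()
        event["rest"] = event["rest"] or ""
        events.append(event)
    return events


def segregation_violations(events):
    """Accounts that performed both administrator and data actions.

    Under the two-role model (admin with no user functions, user with no
    admin functions) no account should appear in this list.
    """
    actions_by_user = defaultdict(set)
    for event in events:
        actions_by_user[event["user"]].add(event["action"])
    return sorted(
        user for user, actions in actions_by_user.items()
        if actions & ADMIN_ACTIONS and actions & DATA_ACTIONS
    )


def shared_identity_suspects(events):
    """Accounts logged in on more than one workstation at the same time."""
    active_hosts = defaultdict(set)
    suspects = set()
    for event in events:
        if event["action"] == "LOGIN":
            active_hosts[event["user"]].add(event["host"])
            if len(active_hosts[event["user"]]) > 1:
                suspects.add(event["user"])
        elif event["action"] == "LOGOUT":
            active_hosts[event["user"]].discard(event["host"])
    return sorted(suspects)


def untracked_deletions(events, files_before, files_after):
    """Data files that vanished from disk with no DELETE entry in the audit trail."""
    logged = set()
    for event in events:
        if event["action"] == "DELETE":
            match = re.search(r"\bfile=(\S+)", event["rest"])
            if match:
                logged.add(match.group(1))
    missing = set(files_before) - set(files_after)
    return sorted(missing - logged)


if __name__ == "__main__":
    events = parse(AUDIT_TRAIL)
    print("segregation of duties violations:", segregation_violations(events))
    print("possible shared identities:", shared_identity_suspects(events))
    print("deleted outside the application:",
          untracked_deletions(events, FILES_BEFORE, FILES_AFTER))
```

On the constructed data the script flags jdoe (changed a user role and then reprocessed a sample), lab (logged in on two workstations without logging out) and S-1003.raw (gone from the directory with no DELETE entry). The third check only works if the application's audit trail records file deletions at all; where the data directory can be deleted from the operating system, the gap is exactly the vulnerability the guidance asks laboratories to identify and close with technical controls.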
There is a specific section on the control of USB devices, covering not only memory sticks and thumb drives but also cameras, smartphones, etc. The purpose is to ensure that malware is not introduced into the organization.
There are many security expectations that read as a list of system requirements that most users won’t have even considered during the selection of an instrument and its data system.
For example, can a system generate a list of users with user identification and their role? Most networked systems can generate a similar list but not many standalone systems can as this does not feature on the horizon of supplier requirements. If you use spreadsheets, forget it!
Yves Samson has further concerns about the security section, saying, “Some of the expectations are confusing – e.g., the recommendation to record log-in and log-out. Other expectations are too focused on solution instead of objectives, e.g., considering as an “objective” criterion the duration between the availability of a software patch and the time the patch is applied. Even if the intention of such an expectation is worthy, it is finally not a good idea to implicitly reduce the effectiveness of a cybersecurity strategy to the time required for deploying a security patch, ignoring that many constraints and requirements – such as qualification and validation requirements – could directly impact the needed time for applying software patches.”
The problem will be managing the expectations of an inspector who has been trained to use this guidance. To make this as smooth as possible, it is important that your approaches are justified and documented and where appropriate, risk assessed.
Don’t touch the system – it’s validated!
The traditional approach to validation of a computerized system in a regulated laboratory is that once the system is validated, no changes are made. In contrast, in the security section the PIC/S guidance takes a more rigorous approach and suggests that computerized systems should be updated in a timely manner, including security patches and new application versions. This is good in principle, but it needs a different mindset within industry to commit to and follow in practice, as well as the time and resources to perform the work.
For example, it is easier to update an application incrementally with minor revalidation rather than wait until the application goes out of support and panic as a full validation and possible data migration project may be required. However, the detail provided here appears to be more of an inspector’s checklist with little flexibility for a laboratory.
Audit trails are critical for data integrity
In contrast with the security section, the one for audit trails is shorter, which is surprising given how critical an audit trail is for ensuring traceability of actions and data integrity. The definition of audit trail in the glossary is inadequate and you should use either the FDA or MHRA definitions.5,7 The first expectation is that a laboratory purchases a system with an audit trail. However, there is an alternative option available in EU GMP Annex 11 clause 12.4 that management systems for data and for documents should be designed to record the identity of operators entering, changing, confirming, or deleting data including date and time.8 Therefore, if an application can meet 12.4 requirements, then an audit trail is not required. As Annex 11 is law it overrules PIC/S PI-041.
The PIC/S guidance reiterates that proper system selection should ensure that the software has an adequate audit trail. Users must verify the functionality of this audit trail during validation. Some applications have more than one audit trail, and it is important to know which ones matter for monitoring changes to data. Where an application has more than one audit trail, the review of any non-critical audit trails can be performed in periodic reviews at longer intervals than the data audit trails.
One problem with the guidance is that in section 5.6.2 there is confusion between system logs and audit trails – a system log or an operating system event log can never be a substitute for an audit trail.
Managing hybrid systems
For those that use hybrid systems, Section 9.10 does not make for comfortable reading: such systems are not encouraged, should be replaced as soon as possible and require additional controls due to the complexity of the record set and increased ability to manipulate data. This is essentially the same as the stance taken by the WHO guidance.3
A potentially onerous requirement is a detailed system description of the entire system that outlines all major components, how they interact, the function of each one and the controls to ensure the integrity of data. How many hybrid systems do you have in your laboratory – including spreadsheets?
This article has focused on the section of the new PIC/S PI-041 guidance on Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments dealing with computerized systems. It is a good guidance with a wide scope and a lot of detail. In places, it veers from guidance with room for interpretation to a regulatory to-do list, especially for computerized systems. This may make it difficult for some organizations to implement fully.
1. PIC/S PI-041 Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments. Pharmaceutical Inspection Convention/Pharmaceutical Inspection Co-operation Scheme. https://picscheme.org/docview/4234. Published July 2021. Accessed September 2021.
2. PIC/S Computerised Systems in GXP Environments (PI-011-3). Pharmaceutical Inspection Convention/Pharmaceutical Inspection Co-operation Scheme. https://picscheme.org/docview/3444. Published September 2007. Accessed September 2021.
3. World Health Organization. WHO Technical Report Series No.996 Annex 5 Guidance on Good Data and Records Management Practices. World Health Organization: Geneva. Published 2016.
4. Smith PA, McDowall RD. Analysis of FDA Infra-Red 483 citations – Have you a data integrity problem? Spectroscopy. 2019;34(9):22-28.
5. MHRA GXP Data Integrity Guidance and Definitions. Medicines and Healthcare products Regulatory Agency. https://www.gov.uk/government/publications/guidance-on-gxp-data-integrity. Published March 9, 2018. Accessed September 2021.
6. McDowall RD. Data integrity focus II: using data process mapping to identify integrity gaps. LCGC N.America. 2019;37(2):118-123.
7. FDA Guidance for Industry Data Integrity and Compliance With Drug CGMP Questions and Answers. US Food and Drug Administration. https://www.fda.gov/media/119267/download. Published December 2018. Accessed August 2021.
8. European Commission. EudraLex - Volume 4 Good Manufacturing Practice (GMP) Guidelines, Annex 11 Computerised Systems. European Commission: Brussels. Published June 30, 2011.