Data integrity is a prerequisite for the regulated healthcare industry. Electronic data and computerized systems have introduced new challenges to maintaining data integrity. Main criteria for data integrity are provided. Major regulatory guidelines are referenced. Key areas of focus are identified. Relevant Warning Letter and FDA-483 citations are presented. Relevant literature papers are described. Given the increased scrutiny for data integrity, companies are well advised to establish internal assessment and monitoring programs to focus on data integrity.
Data integrity is a prerequisite for the regulated healthcare industry as decisions and assumptions on product quality and compliance with the applicable regulatory requirements are made based on data. Drug and medical device manufacturers or service providers, healthcare organisations, regulators and other government organisations, and users (patients and healthcare professionals) rely on data. Breaches in data integrity can have negative consequences and may lead to patient injury, or even death.
Whereas in the past data integrity was relatively easy to prove using forensic methods analysing ink and paper, the advent of computerised systems has brought with it a different level of complexity. Identifying whether there could have been undocumented or even malicious changes to electronic data or records requires additional tools and expertise.
As it is much easier to change electronic data and records than it is to change a paper or other physical record, there is a much higher chance of such changes being effected. The regulatory authorities have put much emphasis on data integrity in recent years, not least because they uncovered serious cases of data integrity breaches. This document provides references to the applicable regulations, guidances and reports on data integrity breaches.
The main criteria for data integrity are listed below: [R.D. McDowall, Spectroscopy, Focus on Quality, December 2010]
- Accurate - no errors or editing without documented amendments
- Attributable - who acquired the data or performed an action and when
- Available - for review and audit or inspection over the lifetime of the record
- Complete - all data are present and available
- Consistent - all elements of the record, such as the sequence of events, follow on and are dated or time stamped in expected sequence
- Contemporaneous - documented at the time of the activity
- Enduring - on proven storage media (paper or electronic)
- Legible - data can be easily read
- Original / Reliable - written printout or observation or a certified copy thereof
- Trustworthy - the data and the record have not been tampered
Breaches of data integrity (BDI) are acts of "falsification, document adulteration, forgery and providing misleading information [Carmelo Rosa ISPE FDA 3rd Annual GMP conference June 2014 Baltimore MD: Current Inspectional and Compliance Issues in Data Integrity (www.ispe.org)]
Major Regulatory Guidelines
- 21 CFR Parts 11, 211, 803. http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/cfrsearch.cfm. Guidance for Industry Part 11, Electronic Records; Electronic Signatures - Scope and Application, August 2003
- Carmelo Rosa ISPE FDA 3rd Annual GMP conference June 2014 Baltimore MD: Current Inspectional and Compliance Issues in Data Integrity (www.ispe.org)
- EudraLex Vol 4 Chapter 4 and Annex 11 http://ec.europa.eu/health/documents/eudralex/vol-4/index_en.htm Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31999L0093&from=EN
- ICH Q7 [www.ich.org]
The MHRA www.mhra.gov.uk is setting an expectation that pharmaceutical manufacturers, importers and contract laboratories, as part of their self-inspection programme must review the effectiveness of their governance systems to ensure data integrity and traceability.
This aspect will be covered during inspections from the start of 2014, when reviewing the adequacy of self inspection programmes in accordance with Chapter 9 of EU GMP. It is also expected that in addition to having their own governance systems, companies outsourcing activities should verify the adequacy of comparable systems at the contract acceptor. The MHRA invites companies that identify data integrity issues to contact: [email protected]
- GMP/GDP Consultative Committee Note of Meeting; MHRA drew members' attention to the announcement on the website in relation to the Inspectorate's expectations in relation to self - inspection and data integrity http://tinyurl.com/octx665. If companies identify issues, they are invited to contact the MHRA to discuss the issues and how to move forward. MHRA are looking at how current inspection practice can be changed in order to build in data reliance checks early on in the inspection process. The result of the checks will then determine whether the remainder of the inspection process is carried out normally or if indeed a more forensic approach is taken.
- In order to prepare for the process, industry can look at the way they design their systems, enabling the operators of those systems to comply. Easy checks that can be carried out during supplier audits or self-inspection include sample reconciliation and building in appropriate checks of audit trails and raw data. These are the types of things that will be initially reviewed. Additionally, a section on data falsification will be added to the Compilation of Community Procedures.
- Falsification in the context of EU GMP. Changes are being made to the definition of "Critical" deficiency in EU GMP. Any wilful misstatement, misrepresentation, manipulation, adulteration, rewriting, hiding, replacing of quality related documents, materials, activities or buildings in order to give an item the appearance of GMP compliance when this is not the case. EU Compilation of Community Procedures [Gerald W. Heddell at the ISPE/FDA conference Baltimore June 2014]
WHO Notices of Concern for Micro Labs Limited http://apps.who.int/prequal/assessment_inspect/info_inspection.htm
Warning Letter and 483 citations
Trifarma 2014 href="http://tinyurl.com/lhudyyn Your firm's lack of data control causes us to question the reliability of your data.
During the inspection, the responsible IT person was not able to answer any questions on backups, audit trail and password management href="http://tinyurl.com/pp85fl7
We observed and documented practices during the inspection that kept some samples, data and results outside of the local systems for assessing quality. This raises serious concerns regarding the integrity and reliability of the data generated at your Kalyani plant. For example,
a. Our review of the Chromeleon and Empower II software found that your firm was testing samples unofficially, and not reporting all results obtained. Specifically, "test," "trial" and "demo" injections of intermediate and final API samples were performed, prior to performing the tests that would be reported as the final QC results.
b. Out-of-specification or undesirable results were ignored and not investigated.
c. Samples were retested without a record of the reason for the retest or an investigation. Only passing results were considered valid, and were used to release batches of APIs intended for US distribution.
d. Unacceptable practices in the management of electronic data were also noted. The management of electronic data permitted unauthorized changes, as digital computer folders and files could be easily altered or deleted.
Your inability to detect and prevent poor data integrity practices raises serious concerns about the lack of quality system effectiveness. It is imperative that the data generated and used to make manufacturing and quality decisions at your firm is trustworthy and reliable. Senior management initially informed FDA investigators that they were unaware of information generated at the Kalyani plant that may have an impact on the quality of API. Your senior management, at the local and corporate levels, is responsible for assuring that strict corporate standards, procedures, resources, and communication processes are in place to detect and prevent breaches in data integrity, and that such significant issues are identified, escalated, and addressed in a timely manner. This responsibility starts with designing computerized systems with appropriate security features and data audit trails, as well as many other elements that assure proper governance of your computerized systems. This indicates that your current quality risk management approach, for identifying and controlling any potential risks to the quality of the drugs you manufacture, was not properly functioning. [Fresenius Kabi Oncology 2013 http://tinyurl.com/kv7mvxr
Your response stated that the analyst incorrectly dated the worksheet as July 29, 2011, instead of July 31, 2011, and that there was no intention to deliberately backdate the document. However, your response contradicted your analyst's backdating admittance during the inspection. In addition, your response did not explain the reviewer's signature which was also dated July 29, 2011. Backdating documents is an unacceptable practice and raises doubt about the validity of your firm's records. [RPG Life Sciences 2013 http://tinyurl.com/n6hwjtc]
Additionally, your quality control HPLC raw data files can be deleted from the hard drive using the common PC login used by all (b)(4) analysts. This deletion eliminates all records of sample injections and analyses. Your response indicates that this deletion function is only available on the software used for one of (b)(4) sets of HPLC instruments. You also indicated that you have changed the access control privileges such that laboratory analysts in a "user" role cannot delete or rename files.
We also note that on March 20, 2013, your Quality Control Analyst stated to the investigator that he had used "other samples" to complete the test methods for (b)(4) Injection, USP ((b)(4)mg/ml).
Your response is inadequate because you failed to provide the root cause for the unacceptable practice of performing undocumented "trial" runs at your facility, failed to expand the scope of your investigations to include other instruments that use computerized electronic records both inside and outside the stability laboratory, and failed to provide risk assessments on all the drugs where samples had been tested by these instruments. Your response failed to completely address how your firm will ensure the integrity and completeness of all analytical raw data. Wockhardt 2013 http://tinyurl.com/lpkpvqm
EudraGMDP entries http://eudragmdp.ema.europa.eu/inspections/displayWelcome.do Zeta stumbles on data integrity Data integrity concerns led the UK's Medicines and Healthcare products Regulatory Agency on Jan. 31 to withdraw the European Union GMP certificate from Zeta Analytical Ltd. of Watford, UK.
The problems surfaced during an August 2013 inspection and a November 2013 re-inspection.
MHRA found issues with the testing done for certificates of analysis used for batch certification. "It could not be confirmed who had conducted the testing or when because of discrepancies in the raw data, "MHRA said". Raw data were not being recorded contemporaneously nor by the performing analyst."
Apparently, after staff failed to demonstrate competence in running a high pressure liquid chromatograph, results of the failed test runs were deleted - and replaced with results from successful runs conducted many hours later.
Upon re-inspection, MHRA determined that the laboratory had underestimated the resources that would be required to implement corrective actions while also managing the backlog and additional client requirements.
MHRA said it will issue a restricted GMP certificate for continued testing of "medically critical" products, and that national competent authorities should request marketing authorization holders to remove the laboratory from applicable authorizations, and to assess the potential risk to patients. The lab is assessing whether it needs to recall any product.
Smruthi seen manipulating data
As a result of an Oct. 16, 2013, inspection of Smruthi Organics Ltd.'s Solapur, India, facility, the French Health Products Safety Agency on Jan. 15 determined that the plant was seriously out of compliance with the European Union's GMP Guideline and withdrew its GMP certificate.
The agency observed 29 deficiencies, including two that were critical and four that were major, when inspecting the active substance manufacturer's production of amlodipine besylate, the active ingredient in Pfizer's Norvasc blood pressure medication and generic equivalents.
Critical: The agency observed manipulation and falsification of documents and data in different departments. Also critical: Some actions to correct and prevent deficiencies observed in February 2013 during the previous inspection, which also resulted in a finding of GMP non-compliance, were not satisfactorily addressed.
The major deficiencies: An analyst deemed an out-of-specification result for an in-process control to be compliant; process validation documentation practices were unacceptable; there was insufficient understanding of GMP requirements to re-qualify equipment; and there was no raw data in the QC lab to verify compendial analytical methods.
The inspection was done under the aegis of the European Directorate for the Quality of Medicines & HealthCare, or EDQM, which among other things certifies suitability of active substances. The French agency noted that EDQM on Dec. 13 withdrew all six of Smruthi's certificates of suitability, or CEPs, including the one for amlodipine besylate.
Data integrity problems continue to bedevil pharmaceutical manufacturers, if recent warning letters issued by FDA are any indication. Of the five drug GMP warning letters issued since late December, the three addressed to Ranbaxy, Sunshine Pharmaceuticals and Xian Libang Laboratories showed data integrity lapses. [Data Integrity Problems Continued to Surface in Recent Warning Letters, The Gold Sheet February 2010]
FDA inspectors using a new forensic approach to inspections in responding to a rash of data integrity problems found in pharmaceutical manufacturing facilities. Attorneys advise firms to pay careful attention to their adverse event reports and field alert reports as data integrity breaches can be found there too.
FDA and the pharmaceutical industry are recommending a forensic approach to inspections and internal audits to combat growing data integrity problems. Digging through trash cans and drawers is not considered out of bounds in the current environment. [FDA Aggressively Looking for Data Integrity Problems in Inspections, The Gold Sheet June 2014]
Data Integrity Issues Everywhere? [Data Integrity, Pharmaceutical Technology Europe, Volume 38, Issue 7, pp. 82, July 2014 - www.pharmtech.com
Q: "Data integrity issues" have been making headlines recently, in response to foreign inspections by the Food and Drug Administration or European regulatory agencies. Based on these reports, it appears that the issues centre largely on manufacturing companies in Asia. Should we conclude that this only concerns firms already struggling to comply with basic good practices in this part of the world?
A: In general, media tend to report on the most serious violations uncovered by regulators.
Oftentimes when companies find similar issues through their own internal investigations, they remain confidential and unreported. Therefore, it would be presumptuous to assume violations reported on by the press are representative of the industry as a whole.
However, what inspections have triggered is increased attention toward potential data integrity issues lurking across the industry. Few companies would have data integrity verification activities integrated into their quality oversight programs before these examples of serious violations of healthcare regulations became public knowledge in the form of warning letters, consent decrees or reports in the European EudraGMDP database.
Conscientious companies have taken these potential data integrity issues seriously by starting internal investigations, incorporating data integrity assessments into their quality assurance oversight programs, and in some cases, establishing a special data integrity office. Companies - even those in good standing with regulators - have initiated such activities regardless of existing or anticipated compliance concerns.
The question now is, what have these internal investigations uncovered, if anything? The answer, surprisingly, is that they have uncovered a significant amount. Once you start studying analytical data, root cause analyses, logbooks and any other data source, gaps are repeatedly found in data traceability and trustworthiness. A few data-related issues include: uncertainty where the data originated from and who created it - e.g. where several analysts use the same user ID and password on a set of similar instruments; which raw information produced the reported data - e.g. where a summary table reports stability data results, but all raw data on the chromatography instrument have since been deleted, and whether these are the original data - e.g. where there is no audit trail on the analytical instrument. These issues are not necessarily the result of wilful malpractice, but are often caused by insufficiently controlled processes, poor documentation practices, suboptimal quality oversight and, often enough, professional ignorance.
Occasionally people do intentionally falsify data. This is unfortunate but, thankfully, still a rarity.
Here are some steps you should take to ensure data integrity:
- Embed data integrity verification activities into internal audit processes
- Create awareness among staff so they can assist with this endeavour, and report concerns before they become full-fledged issues
- Train your internal auditors to understand what to look for when detecting data integrity deficiencies
- Seek external support to assure completely unbiased, third-party investigations and/or to enhance your internal investigation program.
It should come as no surprise that companies already struggling to meet basic compliance standards are at a disadvantage when it comes to data integrity. However, making data integrity a key element of your compliance approach will give you a competitive advantage. It is always better to proactively prevent issues, such as data integrity failures to occur, than trying to remediate and resolve inspection findings. Compliance excellence makes good business sense.
The need to ensure data integrity through the life cycle of a clinical trial and across all the systems involved is of paramount importance as inconsistent, incorrect or corrupted data could endanger the safety of patients, adversely affect the outcome of the trial, and increase the risk of a failure during the submission procedure. Therefore, this aspect has increasingly become the focus of regulatory oversight. One of the main drivers for this has been that the industry has embraced individual or strategic outsourcing of clinical trial activities to Contract Research Organizations (CROs) and sponsors as well as CROs also adopting Software as a Service (SaaS) offerings especially in the area of Electronic Data Capture (EDC) or Interactive Voice Response Systems/Interactive Web Response Systems (IVRS/ IWRS). Often this leads to a chain of partners with an increasing risk of losing direct control for the sponsor. Even when strategically partnered with a CRO, the responsibility to address these risks resides with the Sponsor and cannot be delegated. This requires extensive and increasing efforts for oversight, which must be considered when addressing the risks with regard to data integrity. [Validation and Data Integrity in eClinical Platforms June 2014, http://blog.ispe.org/?p=1526
Given the increased scrutiny for data integrity, companies are well advised to establish internal competency, assessment and monitoring programs, and assure data integrity is an integral part of their internal audit / self inspection program.