Data integrity has become a hot topic in recent years in the regulated industry. Several data integrity guidance documents have been published by FDA and MHRA. These documents describe the regulatory agencies' current expectations related to data integrity.
There is a significant amount of confusion and misunderstanding about what data integrity requirements mean to the industry, including Quality Control laboratories. The confusion and misunderstanding sometimes include denial, very conservative interpretations, and the misperceptions that data integrity requirements only apply to computer systems and that data integrity is a new requirement for the industry.
Quality Control laboratories play a critical role in ensuring the safety and ability of drug products to meet their Critical Quality Attributes. The quality of incoming raw materials is another critical responsibility for the QC laboratories. The integrity of data generated in the QC laboratories is critical to ensure that products and raw materials meet their quality attributes.
Equipment qualification is intended and required by regulatory requirements to ensure that manufacturing equipment is fit for its intended use. Data integrity in the QC laboratories is critical because the lack of integrity undermines the assurance and confidence in a drug's safety, efficacy and quality.
Data integrity issues in QC also jeopardize the trust in an organization, including with regulators. This article will discuss the background, challenges and strategies for data integrity in the QC laboratories, so that you can significantly reduce compliance risk.
Data integrity is not a new challenge for the industry. It has been a concern for over 20 years since electronic systems became prevalent in the industry. Concerns related to data integrity began with paper-based records, and the use of stand-alone integrators for chromatography data in the Quality Control areas. Some of these concerns were related to the ability to integrate peaks without any audit trails of the changes. Other concerns were related to the lack of security and the ability to delete and manipulate data. Several regulatory observations and warning letters were given to major companies that were found manipulating chromatography data and lacking adequate controls related to data integrity. Regulations such as 21 CFR Part 11 Electronic Records and Signatures were issued in the late 1990s by the FDA to define the following requirements for electronic systems:
- Audit trails
- Electronic signatures
In 2011, Annex 11 was issued by the European Commission in response to the increased use of computer systems and data integrity concerns.
In recent years, the FDA and other regulatory agencies have issued regulatory guidance documents related to data integrity. Also, regulatory agencies have increased their inspection activity related to data integrity. The increased inspections related to data integrity have found issues mostly with companies located in China and India, while some issues have also been observed in Europe and the United States.
QC DATA INTEGRITY CHALLENGES
One of the main areas of concern for regulators is the Quality Control laboratories. In recent regulatory audits, inspectors have found many data integrity issues in the Quality Control laboratories.
The following data integrity challenges are typically found in the QC laboratories:
- Not recording test results contemporaneously
- Backdating test results and entries
- Falsifying test data
- Copying and processing existing test data as new data
- Re-running samples until they pass test acceptance criteria
- Lack of controls when integrating chromatography peaks and data
- Not capturing and recording raw data
- Audit trail disabled in electronic QC instruments
From January 2014 through September 2015, regulatory agencies issued 20 warning letters related to data integrity. A significant number of these warning letters related to issues found in the QC laboratories.
Some of the challenges found during these audits that resulted in warning letters included failure to maintain complete data from laboratory tests, such as the following:
- Deletion of raw data
- Changes to raw data
- Incomplete raw data
- Unofficial testing
Failure to implement adequate controls for data acquisition computer systems includes the following challenges:
- No audit trail function
- Disabled audit trail function
- Incomplete audit trail function
- No control over access to electronic test data
- QC analysts have administrator access to electronic data and system functions
- Unauthorized and uncontrolled file folders
- Shared or group passwords
Failure to record data at the time tests are performed is another area of concern for regulators. Typical findings include the following:
- Critical laboratory data documented days after testing was performed
- Belated test data entry of sample information
- Lots released prior to proper approval and release of QC test data
Many of these observations and challenges are related to the lack of understanding of QC laboratories and data integrity requirements. The lack of understanding related to data integrity is normally driven by not having a structured process and approach to assess the state of compliance with these requirements.
Normally, companies fail to perform formal and documented gap assessments that identify data integrity issues in QC electronic systems and related procedures. One key misperception is that data integrity only applies to electronic systems and not to processes executed on paper records.
The lack of adequate gap assessments, remediation plans, and corrective actions creates a significant compliance and business risk for the industry.
DATA INTEGRITY STRATEGIES
Strategies for data integrity related to systems and processes in the QC laboratory need to include both paper-based processes and electronic systems.
In the QC laboratory, normally there is a hybrid of both paper-based processes and the use of automated electronic systems for data acquisition, processing, and reporting test results. Failing to understand the fact that data integrity also applies to paper-based processes is quite common and creates a significant compliance and business risk. Unfortunately, there is a misperception in the industry that data integrity only applies to electronic systems.
In paper-based processes, raw data and test results can be easily falsified, manipulated, changed, and deleted without any traceability or audit trail. Paper-based processes in the QC laboratory are subject to data integrity requirements and are an area that needs to be assessed to identify and remediate gaps in the process.
Electronic systems used in the QC laboratory are also subject to data integrity requirements. Data integrity requirements for QC electronic systems include both technical and procedural controls that are clearly communicated in Annex 11 and in recent FDA and MHRA guidance documents.
Although the requirements are clearly communicated, the industry continues to struggle with understanding, identifying gaps, and implementing corrective actions that will facilitate compliance with data integrity requirements.
The data integrity strategies for QC laboratories need to include the following activities:
- Gap Assessments
- Remediation Plan
- Implementation Plan
- Remediation Summary Report
The activities above provide a structured and objective approach to identifying data integrity gaps during the assessment process, and to remediating and correcting them.
A Gap Assessment tool should be created to assess systems and processes against data integrity requirements. The Gap Assessment tool needs to assess systems and processes against data integrity requirements found in Annex 11, FDA, and MHRA guidance documents.
The Gap Assessment tool provides a template that documents the following information:
- Requirement – This section of the template includes the data integrity requirements from the guidance documents above
- Response – This section of the template is intended to provide a response on whether the system or process meets the requirements
- Procedure References – This section is intended to describe the procedures that provide alignment or need revision to meet the data integrity requirements
- Gap (Yes/No) – This section is intended to document whether any gaps are identified
- Gaps Identified – This section is intended to describe the gaps found that need to be remediated
- Performed by – This section is intended to identify and document the person leading and documenting the gap
- System Owner Approval – This section is intended to document the system owner approval and agreement with the gap assessment results
- Quality Approval – This section is intended to document the quality approval and agreement with gap assessment results
It is highly recommended that regulated companies create gap assessment procedures that define the procedural controls for this process. Procedures for gap assessment ensure that each time new regulatory and guidance document requirements are issued, there is a formal process to assess for any gaps and implement corrective actions. Once the gaps are identified, a remediation plan should be created to describe the strategy for remediating all the issues found during the gap assessment.
The remediation plan is needed to identify all the gaps and activities that are needed to remediate all issues found during the assessment. The remediation plan needs to be approved by the system owner and quality team.
Once the remediation plan is approved, CAPAs should be opened to manage and control all corrective action activities. The CAPAs should provide a description of the gap and the corrective action activities needed to close all issues found during the assessment. The CAPAs should be managed, controlled and closed using an approved Quality Management System (QMS) and procedures.
The implementation plan should be created to describe the strategy to implement all remediation activities and CAPAs that will facilitate closure of all gaps identified during the assessment.
Once all remediation is done and the CAPAs and implementation plan activities are completed and closed, the Remediation Summary Report should be created. The Remediation Summary Report should summarize all the activities performed to remediate and close all the gaps.
The gap assessment process provides a structured approach that ensures consistency when assessing QC systems and processes against data integrity requirements. This process provides objectivity and assurance that all data integrity gaps are identified, remediated, and closed using a formal Quality Management System.
In order to meet data integrity requirements, regulated companies need to have formal processes to identify, remediate, and correct all gaps and issues found in the QC laboratories.
Data integrity is a critical requirement for QC laboratories, and most companies are not in complete alignment with all the requirements found in Annex 11, FDA, and MHRA guidance documents.
System owners and quality need to be engaged in the data integrity gap assessment and remediation process.