The basics of Data Integrity in GMP
Updated: May 29, 2019
From research and development all throughout manufacturing and into the supply chain you are expected to vouch the for integrity of the data you gather on your product in our highly-regulated life science industry. Easy task? Definitely not. After all, it usually includes international networks of suppliers, manufacturers, labs and everything that follows in the supply chain. Following all of the required regulations at the different phases can be daunting but making sure your data is compliant, ultimately results in higher-quality products on the market and the public should be able to trust on this.
So, what are all the different vital elements you should be aware of to be sure you are meeting all requirements for data integrity compliance?
FDA 21CFR Part 11: Electronic Records and Signature
The FDA’s Regulations on electronic records and electronic signatures (ERES). Usually known as Part 11, it defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and can be used to replace to paper records in your process.
According to the regulations, data records need to be reliable and accurate over their entire lifecycle. And to this purpose the FDA actually refers to the well-known ALCOA principle/acronym.
FDA: Data Integrity and Compliance with cGMP
Besides the regulations in Part 11, the FDA also provides a guidance document which helps to clarify the impact of data integrity in cGMP environment. Although it is not legally binding it contains a great Q&A that answers many practical questions regarding data integrity. If you are checking your own systems and/processes for data integrity, it is a great document to start with.
GAMP Record & Data Integrity
Although GAMP is very well-known, it is not legislation, but it does present helpful guidelines. For those involved in the implementation of automated production systems, it describes principles and procedures that facilitate the production of high-quality products. It focuses on the complete manufacturing process by stipulating that ‘quality cannot be tested into a batch of product but must be built into each stage of the manufacturing process’. That being said, these are helpful guidelines for development of systems for raw materials receipt up to the training and hygiene of staff.
EU-GMP Annex 11
In the European Union we have Annex 11 is the part of the GMP Guidelines that defines the terms of reference for computerized systems, but it is not a regulation, like the FDA’s 21 CFR Part 11. These guidelines are quite similar to their US counterpart and define criteria under which electronic records and electronic signatures should be managed.
MHRA, PIC/S, WHO, and EMA.
Different organization have all drafted guidelines of their own and are all designed to facilitate compliance in their own way, whilst clarifying their own position on this subject and what they expect from manufacturers. Some of the others that are definitely important (but outside the scope of this blog) are:
PIC/S - Good practices for data management and integrity in regulated GMP/GDP environments
EMA – Data Integrity
The ALCOA principle and the Data Lifecycle
If you google data integrity there is no getting around ALCOA. Even the FDA refers to it and this acronym has proven to be a worthful tool to provide proof of compliance and operational integrity for your data.
Attributable: Who acquired the data or performed an action?
Legible: Is it possible for a regular person to read the data?
Contemporaneous: Was the data documented at the time of the activity?
Original: Written printout or observation or a certified copy thereof
Accurate: Have there been no errors or editing without documented amendments?
Besides the principles the data records are also expected to be complete, consistent, enduring (not on a napkin) and should always be available for review or inspection.
These principles apply all throughout the lifecycle of a data record for which the EMA gives a succinct overview:
Generation and recording of data
Processing into usable information
Checking the completeness and accuracy of reported data and processed information
Data (or results) are used to make a decision
Retaining and retrieval of data which protects it from loss or unauthorised amendment
Retiring or disposal of data in a controlled manner at the end of its life
Elements of Data Integrity Compliance
The different authorities may have slightly different views on some aspects of being compliant, but the following elements that should be on your checklist if you’re aiming to set up a data integrity compliant system.
1. Audit Trail
The secure, computer-generated, time-stamped electronic record that allows you (or the inspection) to reconstruct certain events that relate to the creation, modification, or deletion of an electronic record. Basically, it comes down to the chronologic order of who, what, when and perhaps why did this happen to a record. Actions that such an audit trail also needs to capture are overwriting or deleting, aborting runs, backdating, or simply altering data. When you think about it these are all necessary data to be able trust that records are correct (and have not been tampered with). It’s also recommended (FDA) to schedule routine audit trail review based on the complexity of a system and its intended use.
2. Meta Data
Metadata is the contextual information that is necessary to understand data because values like numbers, for instance, would be useless without additional information describing what it ‘means’ (think in terms of mg, s, and m but also the time and place of electronic stamps). Besides this, meta data also facilitates the retrieval, use, or management of data. Just like the actual record, the meta data should be saved throughout the record’s legal lifetime to be able to reconstruct any CGMP activity in an audit trail, for instance.
3. Identification Control ID & Password
Just like the records themselves, the users of systems that generate electronically or digitally signed records are subject to identification rules. This might seems like an open door but experience teaches us that there are often issues with password and ID Code (unique usernames), absent password periodical changes to ensure compliance, and lack of role definition and accessibility status like operator and administrator. For obvious reasons this could possibly lead to data tampering in worst cases.
4. Difference between Static and Dynamic Records
Specifically mentioned in the FDA Guidance document it states you should keep in mind the difference between the use of “static” and “dynamic” in relation to record format:
Static: fixed data document such as a paper record or an electronic image
Dynamic: record format allows interaction between the user and the record content such as a chromatogram where the integration parameters can be modified
5. Backup Data
The backup of your data should be exactly like your original records. Defined by the FDA as a ‘True copy of the original data that is maintained securely throughout the records retention period that should include the metadata and is maintained securely throughout the record retention period’
So, keep in mind that your backup data is exact, complete, and secure and has not been altered in any way. Simply creating a temporary backup copies would be deemed insufficient by the authorities.
6. System Validation
The definition of a system in this case is quite broad and includes not only both hardware and software but also: peripheral devices, networks, anything you might have cloud based (upcoming topic). Besides these technical aspects, the system operators are also included and the user manuals/SOPs.
Within this system you should make sure to:
validate every workflow in the system
install controls to assure authorized access only
assign the administrator role to someone independent from recording content
maintain a list of authorized individuals and their access privileges
Company culture influence and employee can affect data integrity greatly. So, be sure to train personnel in detecting data integrity issues periodically as part of their training manual and also keep records of it.
Although staff at all levels should have an understanding of data integrity and their responsibilities in the process (according to their roles), process, system, and data owners should receive additional training on the consequences of integrity breaches to assure a proper mindset regarding this subject.
Data Integrity Issues
Sooner or later you will come across a data integrity issue and you’ll have to decide upon it’s criticality. The two important questions ‘Which decision does the data influence?’ and ‘What is the impact of the data to product quality or safety?’ should be your main focus in determining how critical the situation you are in actually is.
Does it have to do with:
Alteration, deletion, loss or re-creation, falsification
Inconsistent processes, open-ended
Methods of generating and processing data
Manual interfaces with IT
Or the general belief that there is “no risk” of DI failure
2. Finding weaknesses
The PIC/S guidelines actually present a very helpful checklist of areas to start if you want to prevent, detect and correct DI weaknesses in your pharmaceutical Quality Management system:
Quality Risk Management
Data review practices
Computer system validation
Storage and retrieval of completed records, including out-sourced data storage activities
Oversight of purchase of GxP critical equipment that incorporate requirements designed to meet data integrity expectations, e.g. URS
Self-inspection program to include data quality and integrity
Performance indicators (quality metrics) and reporting to senior management
3. Dealing with DI issues
In case you have found a data integrity issue that you need to deal with the agreed approach doesn’t differ from any other deviation you come across:
Root cause analysis
Take Corrective and Preventive Actions (CAPA) including the ALCOA principle
Based on sound scientific evidence
Besides these standards actions consider open and transparent communication of these issues and DI expectations, additional evaluation of vulnerability of computerized systems, and implementation of specific DI policies.
Blog by: Nick Veringmeier - Business Director NL