An Introduction To Data Integrity For GxP Regulated Firms

Regulatory agencies have cited deficiencies in GMP data integrity and data management for at least the past 15 years. Yet it appears that the industry as a whole has made limited progress in recognizing and remediating these deficiencies. Regulators continue to identify the same set of shortcomings, including but not limited to: shared passwords, lack of enabled audit trails, failure to review electronic data, failure to review and investigate all failed testing results, and failure to contemporaneously record information, just to name a few. Perhaps this is due to a lack of awareness regarding requirements for electronic records, or more likely, firms may assign all computer and software system responsibilities to the IT groups without engaging a knowledgeable quality unit and other stakeholders as active partners. Failure to integrate assessments of data management and data integrity into internal GMP audit programs perpetuates inadequate practices. Waiting for regulatory authorities to identify poor practices and procedures is never a sound strategy.

In this three-part series, I will provide a structured look at the topic and include links to relevant documents, as well as an extensive list of primary references. You will learn about the regulatory enforcement background and why we’ve arrived at the point where data integrity is such a significant focus, the applicable regulations and guidance and the enforcement actions taken by global regulatory authorities in this area, and what actions you can take within your own company to begin to address the topic.

Introduction

Addressing the issue of data management and data integrity within the pharmaceutical industry can seem a daunting effort. Data management that ensures integrity of the associated data requires more than risk-based computer system validations. It requires understanding the events that precipitated this focus, understanding the intent of the governing regulations and guidance, and enforcement actions. This article series intendeds to remove some of the mystery surrounding the topic and to provide readers a broad background on data management and data integrity — as well as suggestions for how they might begin to address this issue within their company. Part 1 begins with a history of regulator focus on data integrity in GxP activities. Part 2 will proceed to identify the relevant global regulations and guidelines — including those from FDA, EMA, MHRA, WHO, and PIC/S — and highlight enforcement actions taken over the past 10+ years. Specific actions that firms can take will be identified in Part 3.

Data management and governance should be incorporated into a firms’ quality management system. The quality unit should be active in partnership with the IT functional area and provide appropriate collaboration to ensure compliant solutions are put in place and managed through their lifecycle. This should not be exclusively the responsibility of the IT department to implement and manage. Although high-level processes and oversight is essential to an effective data management program, this is an area where every employee of the company has a role to play in documentation of laboratory results, completion of batch records, and other records required by GxP rules.

Significant sections of the series will address QC laboratory functions and FDA enforcement actions for two reasons:

1. The quality control laboratory is currently the most common area in which to identify data management concerns, and
2. FDA publishes enforcement actions with greater granularity than other regulatory authorities. The reader should not, however, interpret this to mean that only FDA is applying enforcement actions.

Requirements for sound data management that ensure integrity of GxP data are recognized by major regulatory authorities, and enforcement actions have been taken by most.

I begin by providing background for this regulatory enforcement focus to provide context for understanding today’s actions.

Regulatory Enforcement Background

It is important to understand the history that gave rise to the current data management and data integrity focus by regulatory authorities. This focus represents an evolution over the past 30+ years and addresses both changes in technology and learnings from GMP inspections. Assurance of data integrity is a component of the larger category of data management and applies equally to paper records and electronic records. So, let’s begin with some history of how we reached this point.

The “generics scandal” of the 1980s raised the issue of falsified data submitted to FDA in support of drug approvals.ⁱ One outcome of this scandal was the shift in focus of the FDA pre-approval inspection (PAI) to evaluate raw laboratory data included in the marketing application and to evaluate whether the site was capable of manufacture as described in the application. This scandal also prompted implementation of the Application Integrity Policy in 1991, which “describes the Agency's approach regarding the review of applications that may be affected by wrongful acts that raise significant questions regarding data reliability”. Five firms are on the current CDER Application Integrity Policy List effective October 1, 2015.

In parallel, FDA recognized the increased reliance on computerized systems within the pharmaceutical industry. They developed and published 21 CFR Part 11, the final rule on electronic records and electronic signatures, in 1997. While the requirements for electronic signatures were reasonably well understood, confusion remained on both sides regarding the interpretation and enforcement of requirements for electronic records. In 2003, FDA published a Guidance for Industry, Part 11, Electronic Records; Electronic Signatures — Scope and Application to address enforcement priorities. FDA continues to communicate its interpretations in compliance actions such as form 483s and warning letters, podium presentations, and on the GMP Q&A page of its website.

In light of these two events — the generic drug scandal and the rule on electronic records and electronic signatures — the current warning letters and form 483s that cite issues associated with data integrity should come as no surprise. As early as 2000, a warning letter issued to Schein Pharmaceuticalsⁱⁱ cited lack of control over computerized laboratory systems including lack of password control and broad ranging staff authority to change data. FDA issued a 15-page form 483 to Able Laboratories in New Jersey in 2005. Failing laboratory results were identified that were not reported, and among the observations was failure to review electronic data, including audit trails. Warning letters citing deficiencies in the broad area of data integrity were issued to Actavis Totowa LLC site in the U.S. in 2007. Ranbaxy received two warning letters regarding its Paonta Sahib site (in 2006 and 2008) and one related to its Dewas facility (2008), both located in India.

Based on these compliance actions, FDA announced a pilot program in 2010 to evaluate data integrity as part of routine GMP inspections. FDA planned to use the information gained from these inspections to determine whether revisions to Part 11 or additional guidance on the topic were necessary. FDA also committed to take appropriate enforcement actions on issues identified during the inspections. The program is described in a slide deck presented by FDA’s Robert Tollefsen at a variety of industry conferences in 2010. In the slide deck FDA stresses that it will “continue to enforce all predicate rule requirements, including requirements for records and recordkeeping.” In fact, deficiencies in Part 11 are rarely, if ever, cited in warning letters referencing data integrity deficiencies because almost all are failures to comply with the predicate rules.

FDA found the problems were widespread during this pilot evaluation, and enforcement actions in this area continue. With this background, we will move to address the regulations and guidance published in this area in Part 2.

Endnotes

i. Notre Dame Law Review, Volume 75, Issue 1, October 1, 1999, page 312.

ii. The warning letter is not available on the current FDA web site and must be requested under FOI. Following is the specific deficiency, #6 among the deficiencies listed in the warning letter:

6. Failure to maintain the integrity and adequacy of the laboratory's computer systems used by the Quality Control Unit in the analysis and processing of test data. For example:

a) There was a lack of a secure system to prevent unauthorized entry in restricted data systems. Data edit authorization rights were available to all unauthorized users, not only the system administrator.

b) The microbiology departments original reports on sterility test failures of Penicillin G Potassium for injection, lots 9804024 and 9811016 due to environmental mold, which were sent via electronic mail to the Quality Assurance Management, differed significantly from the versions included in the Quality Assurance Management's official reports.

c) The network (b) (4) module design limitations, which can only support up to four chromatographic data acquisition systems, had up to five chromatographic systems connected. There was no validation showing this configuration to be acceptable.

d) System testing was not conducted to insure that each system as configured could handle high sampling rates. Validation of the systems did not include critical system tests such as volume, stress, performance, boundary and compatibility.

About The Author

Barbara Unger formed Unger Consulting, Inc. in December 2014 to provide GMP quality consulting services to the pharmaceutical industry. She has extensive expertise in this area, having led the Amgen Inc. corporate GMP audit group that had responsibility for API and drug substance sites, quality systems, and computers. She also developed, implemented, and maintained the GMP regulatory intelligence program for eight years at Amgen. This included surveillance, analysis, and communication of GMP-related legislation, regulations, guidance, and industry compliance enforcement trends. Barbara was the first chairperson of the Rx-360 Monitoring and Reporting work group (2009 to 2014) that summarized and published relevant GMP and supply chain-related laws, regulations, and guidance. She also served as the chairperson of the Midwest Discussion Group GMP-Intelligence sub-group from 2010 to 2014.

Before Amgen, Barbara worked for the consulting firm Don Hill and Associates, providing regulatory and quality services to the pharmaceutical industry, and for Eli Lilly and Company in quality and CMC regulatory affairs positions. She began her career in the pharmaceutical / device industry with Hybritech Inc. and received a bachelor's degree in chemistry from the University of Illinois in Urbana Illinois.