Data Integrity Theresa McCarthy ASQ Granite State 16 September 2015.

Data Integrity

Theresa McCarthy

ASQ Granite State

16 September 2015

Agenda• Welcome to ASQ Granite State• Data Integrity

– Regulatory Viewpoint– What is Data Integrity?– Industry Examples– Conscious Competence Learning matrix

Regulatory Viewpoint & Messaging

• “Data Integrity is the single Most Important Issue for the FDA, and Integrity Violations are given the Highest Priority”

Ramon Hernandez, FDA, San Juan DO

• “Management has the Responsibility (duty and power) and moral obligation to Prevent and Detect data integrity Violations”

Ramon Hernandez, FDA, San Juan DO


• Breaches of data integrity (BDI) are acts of “falsification, document adulteration, forgery and providing misleading information”

Carmelo Rosa ISPE FDA 3rd Annual GMP Conference June 2014, Baltimore MD

• MHRA Data Integrity Definitions & Guidance for Industry – Issued March 2015

• A strong proactive data integrity program is required to meet regulatory expectations


• Although data integrity issues are not new, companies are being cited more frequently for observations related to data integrity.

• There is a noticeable increase in the number of enforcement actions taken by regulators, particularly the US FDA related to data integrity.


• We are experiencing a new style of inspectional conduct

• Laboratory Data Integrity is a focal point

• There is a greater emphasis on– Trust but VERIFY– Does your DATA tell the same story as you– Investigators are learning our e-systems– No space is inaccessible (computers, drives,

trash cans)

What is Data Integrity

What is Data Integrity ?

Data integrity from IEEE*

•The degree to which a collection of data is complete, consistent, and accurate

*Institute of Electrical and Electronics Engineers

8

Data integrity from Wikipedia!

Data integrity refers to maintaining and assuring the accuracy and consistency of data over the entire data life-cycle:

•ensure data is recorded exactly as intended

•upon later retrieval, ensure the data is the same as it was when it was originally recorded

What is Data Integrity• It is not limited to electronic data

• An acronym you may be familiar with is “ALCOA”• A – Attributable to the person generating the data• L – Legible and permanent (paper or electronic)• C – Contemporaneous• O – Original record (or “true copy”)• A – Accurate

What is Data Integrity

• Systems should be able to ensure “ALCOA”.• Outsourcing should be robust and ensure DI at

the contractor. It is not limited to our in-house operations.

• Once data integrity issues are found, the firm is responsible to conduct an assessment to determine all impacted products and to inform them to the FDA home District Office.

• Quality Risk Management approaches to detect, prevent and control potential risks are essential.

Industry Examples

• Backdating stability test results to meet the required commitments

• Creating acceptable test results without performing the test

• Using test results from previous batches to substitute testing for another batch

Some Reasons for DI Issues

• A poorly performing process can create motive

• A weak system can create opportunity

• Real time detection or control is key

14

Data Integrity - issues

UNCONSCIOUS INCOMPETENCE

Unaware of the skill and your lack of proficiency

Conscious Competence Learning matrix

15

CONSCIOUS INCOMPETENCE

Aware of the skill but not yet proficient

CONSCIOUS COMPETENCE

Able to use the skill but only with effort

UNCONSCIOUS COMPETENCE

Performing the skill becomes automatic


Do not know about the issue and unaware of the

gap

Corporate Consciousness – Data Integrity

16


Aware of the gap but not yet able to deal with it


Getting a handle on the problem but only with

effort


Good practice becomes automatic



gap


17

Company not aware of the existence or relevance of the issueCompany not aware that they have a particular deficiency in the area concernedCompany might deny the relevance or usefulness of addressing the issueCompany must become conscious of their incompetence before development of a solution can beginManagement and if necessary Regulators must move the Organisation into the 'conscious competence' stage, by demonstrating the gap and identifying the benefit that addressing it will bring to the Organisation




18

Company aware of the existence and relevance of the issueCompany is therefore also aware of their deficiency in this areaCompany need to recognise that by addressing the issue their Compliance will improve (and therefore the long term sustainability of the Organisation)Ideally the Company has a measure of the extent of their deficiency in this area and a measure of where they need to be (Gap assessment / CAPA)Company makes a commitment to address the issue and to move to the 'conscious competence' stage



effort


19

Company implements the structure, processes and systems to ensure good data integrity is the minimum standardCompany will need to remain alert – concentration will be required, continued Self InspectionStaff can perform the requirements without assistance (through Procedures and Training)Staff may not reliably perform the skill unless thinking about it - the skill is not yet 'second nature' or 'automatic'Staff shall continue to operate in line with the new requirements and in time become 'unconsciously competent'




20

Good data practices become so ingrained that it enters the unconscious parts of the Organisation - it becomes 'second nature' like walking, breathing

Staff might now be able to teach others in the skill concerned, although after some time of being unconsciously competent the person might actually have difficulty in explaining exactly how they do it - the skill has become largely instinctual

This gives rise to the need for long-standing unconscious competence to be checked periodically against standards – Corporate Audits/External Auditor



gap


21





effort



Data Integrity:Overview

Meta Data “data about data”…. information generated as you use technology,

Examples include the date and time you called somebody or the location from which you last accessed your email.

The data collected generally does not contain personal or content-specific details, but rather transactional information about the user, the device and activities taking place.

In some cases you can limit the information that is collected – by turning off location services on your cell phone for instance – but many times you cannot.

23

Data Integrity Issues

2013: increased international regulatory focus on data integrity:

Global problem

Potential future change in inspection approach

EU Compilation of Procedures revision to include ‘falsification in the context of GMP/GDP’

24

International regulatory focus

2010 / 2011

US FDA Inspectors received data integrity training

2012

World Health Organisation trained

2013

MHRA with guests from throughout the EU trained

25

Causes of data integrity issues

Lack of understanding

Willingness to please

Sloppiness

Inadequate Quality Systems to –Detect, Correct and Prevent

Intentional – data fraud

26

Types of data fraud

27

‘Tidying’

• ‘Tidying’ often includes changes from original

• Undeclared duplication compromises integrity of all data presented

Data Integrity:Impact

Impact of data integrity issues

Impact on Patients

– Products may be sub standard

– Resolution of issues may impact on supply • Stock shortages

– Patients may lose confidence in the Manufacturer

30


Impact on Industry

– Recalls– Statement of Non-Compliance– Additional regulatory burdens– Costs of remediation plans– Loss of market share & reputational damage

31

Reputational Damage

• Batches of medicines on the Australian market recalled

• 219 products identified for immediate recall

• Approval to supply export products cancelled (approximately 1650)

32

Reputational Damage

On that day

•Hundreds of people lost their jobs

•$350 million was wiped off the Sydney stock exchange

•Scores of businesses, customers and service providers were very badly affected

33


Personal Impact

– Job loss– Career loss– Enforcement action

34

Personal Impact

35

Data Integrity:Self Inspection and reporting

MHRA web alert to Industry:Data governance 16 Dec 2013

• The MHRA is setting an expectation that pharmaceutical manufacturers, importers and contract laboratories, as part of their self-inspection programme must review the effectiveness of their governance systems to ensure data integrity and traceability.

• This aspect will be covered during inspections from the start of 2014, when reviewing the adequacy of self inspection programmes in accordance with Chapter 9 of EU GMP.

• It is also expected that in addition to having their own governance systems, companies outsourcing activities should verify the adequacy of comparable systems at the contract acceptor.

• The MHRA invites companies that identify data integrity issues to contact: [email protected]

37

mailto:[email protected]

Systems should be designed in a way which encourages compliance with the principles of contemporaneous record keeping.

Examples include:•Access to clocks for recording timed events

•Accessibility of batch records at locations where activities take place so that ad hoc data recording and later transcription to official records is not necessary

•Automated data capture or printers attached to equipment such as balances

•Proximity of printers

•Access to sampling points (e.g. for water systems)

38

Self Inspection – where to start?Are your systems designed to comply

Electronic systems:•Do I have all of my electronic data?•Do I review my electronic data?•Does my review of electronic data include a review of meaningful metadata (such as audit trails)?

– Is this in SOPs? Is it trained?•Is there proper Segregation of Duties in security access permissions?•Is my system validated for “intended use”?

39

Self Inspection – where to start?

What if we find issues?

Weaknesses, if identified early, can be managed as a compliance issue

USE YOUR QUALITY SYSTEM

40


•Raise a deviation

- must be at a level where QA see it

41



•Find and document the Root Cause

•Implement Corrective Actions Preventative Actions

42


Data integrity issues

The monitoring and control system

(for computer system reviews and system ownership)

failed to detect loss of control and ensure that the computer validation review system

stayed in a compliant state

(for example through deviation trending)

43

Data Integrity - Deficiencies

•Non contemporaneous records– Batch record not actually available on the packaging lines– Kept in IPQA or travels from primary to secondary as they use the

same Batch Packaging Record

•Inaccurate recording of data– Maximum / Minimum Temperature / RH data observed over the

limit– Records show no previous evidence of Out of Specifications

44

Data integrity issues

Since identifying the overall compliance gap ongoing non adherence to procedural

requirements have not been addressed through the deviation process

The use of the deviation system for departures from procedural requirements within operational IT

areas was not routine

45

Corresponding Lab book entries for sample weights:


Excel spreadsheet used to calculate assay:

Corrective Preventative Actions

Companies need to design Systems and Culture which ensure data integrity

Systems – processes and procedures - that meet the requirements of EU GMP

Culture – No Blame….? Attitude? Approach?

47

Open (No Blame?) culture, attitude, approach:

Disparity between: •‘changing culture’ ‘encouraging reporting’ ‘supporting staff’ ‘no blame reporting’ ‘training’

and •‘staff have been told that any data integrity issues will result in dismissal’

You cannot accept staff who continually, knowingly falsify data BUT how can you encourage reporting with a threat hanging?

48

Total Quality Management

Corrective Preventative Actions

No Blame Culture….? attitude, approach………

Once the Systems are in place•Personal accountability to follow Policies and Procedures•Organisation to have a tolerance of mistakes providing that people learn from these mistakes

Don’t shoot the messenger

Consider a “Notification to senior management” system

49

Total Quality Management

Need a clearly described escalation process •Reporting•Training•Better system design

and then (if continuing), personnel action

Balanced with

“Targets” that are fully defined and appropriately resourced

Properly analysed

50

EU GMP Chapter 4 ISO 9001 Control of Quality Records

• Record/Report type:

• Records: Provide evidence of various actions taken to demonstrate compliance with instructions, e.g. activities, events, investigations, and in the case of manufactured batches a history of each batch of product, including its distribution. Records include the raw data which is used to generate other records. For electronic records regulated users should define which data are to be used as raw data. At least, all data on which quality decisions are based should be defined as raw data

• Reports: Document the conduct of particular exercises, projects or investigations, together with results, conclusions and recommendations.


The Quality Management System lacks adequate controls to ensure a common understanding of the requirements of good documentation practice

Data Integrity - DeficienciesThere was no awareness that the records for good practice compliance require either a handwritten signature and date or an equivalently controlled record generally with a date stamp within an electronic system

Examples include but are not limited to: •The Change Control process, including approvers of change proposals•Approvals of incident management events (Quality Deviations) and associated Corrective and Preventative Actions. (CAPA) •Qualification records

EU GMP Chapter 4

Good Documentation Practices

4.7 Handwritten entries should be made in clear, legible, indelible way.

4.8 Records should be made or completed at the time each action is taken and in such a way that all significant activities …………… are traceable.


At least one in process control and test results from 11:38 am have been recorded in the Batch Packing Record that could not have been performed as no blisters were finished on the packing line between 11 am and 11.43 am

Full and accurate documentation of events on the line is essential for both the review of the batch packing record and the subsequent complaint investigations

55

EU GMP Chapter 4

Good Documentation Practices

4.9 Any alteration made to the entry on a document should be signed and dated; the alteration should permit the reading of the original information. Where appropriate, the reason for the alteration should be recorded.


There are records where alterations made to the entries on the documents are not signed and dated

The alterations do not ensure that the original information may be read and they lack explanations for the alterations

Obliteration (including Liquid correction fluid, tape (or stickers) and overwriting) had been used to amend original entries

EU GMP Chapter 4

Retention of Documents

•4.10 It should be clearly defined which record is related to each manufacturing activity and where this record is located. Secure controls must be in place to ensure the integrity of the record throughout the retention period and validated where appropriate.

58

EU GMP Chapter 4

Testing

•4.26 There should be written procedures for testing materials and products at different stages of manufacture, describing the methods and equipment to be used. The tests performed should be recorded.

59


Stability summary reports for Products A, B and C could not be provided to the inspector for review

Nine-month stability results for Product A were reported in the product quality review (PQR) for the period December 2010 to February 2012 however no raw data (in either hard copy or electronic format) could be located to verify the authenticity of these results

Whose responsibility?

The person/people doing the self inspection should have knowledge of both the self inspection process and of the potential Data Integrity issues

Cooperation with Personnel is vital

Any required action should be implemented in a timely manner

61

EU GMP Chapter 6

Good Quality Control Laboratory Practice

General

6.1 Adequate resources must be available to ensure that all the Quality Control arrangements are effectively and reliably carried out.

62

Consideration

Formal reconciliation process

for the samples within the Laboratory

to include test samples received, tested and destroyed (to include the routine finished product samples and stability samples)

May protect the company to “know” whether more testing has been conducted than

should have been

MHRA web alert to Industry:Data governance 16 Dec 2013

• The MHRA is setting an expectation that pharmaceutical manufacturers, importers and contract laboratories, as part of their self-inspection programme must review the effectiveness of their governance systems to ensure data integrity and traceability.

• This aspect will be covered during inspections from the start of 2014, when reviewing the adequacy of self inspection programmes in accordance with Chapter 9 of EU GMP.

• It is also expected that in addition to having their own governance systems, companies outsourcing activities should verify the adequacy of comparable systems at the contract acceptor.

• The MHRA invites companies that identify data integrity issues to contact: [email protected]

64

mailto:[email protected]

Paper vs Electronic

ALCOA Paper controls Electronic ControlsAttributable Hand signatures

Initials

Electronic sign in, log-ons

Electronic signature (where used) with associated meaning (Author, Reviewer)

Audit trails for create/modify/delete

Paper vs Electronic

ALCOA Paper controls Electronic ControlsLegible, Traceable, Permanent

Ink

No Pencil

No correction fluid

Rules on crossings out

Controls and traceability on blank forms (not free issue)

No discarding of records

Archival processes

Controls on overwriting

Audit trails

No “annotation tools” (Electronic correction fluid)

Archiving, Keeping all records

Controls on hidden fields or voided records (access controls, audit trail records)

Controls on voiding records

Paper vs Electronic

ALCOA Paper controls Electronic ControlsContemporaneous Dates on Records Time and date stamps from

system clock – Networked or standalone, operating or server clock Time and date stamps are more easily adjusted on un-networked systems.

Needs to be traceable to an atomic clock. Synchronisation of clocks between systems. Locking of clocks on PCs if data is captured locally (less of an issue if the PC is just acting as a portal).

Paper vs Electronic

ALCOA Paper controls Electronic ControlsOriginal Second Person

Verification of exact copies of original records.

or

Retention of original records.

Electronic back up, verification of the back-up should also be in place, either manually or by use of an automated tool.

Back-up logs are often maintained but have not been seen in the past as GMP records.

Paper vs Electronic

ALCOA Paper controls Electronic ControlsAccurate Direct print out

Original records

Records review confirms the accuracy, completeness, content, and meaning of the record)orDocumented verification that the printed records are representative of original electronic records (preserving all accuracy, completeness, content and meaning).

Note .pdf printouts of chromatography records are unlikely to represent a True and Complete copy, due to lack of associated Meta Data and selectivity over what can be printed

AgencyUnderstanding and Resolution

Essential: Understand that if you have issues

and have not told us

then the consequences may (potentially) be worse

Misleading your Inspector could lead to a lack of trust which is very hard to resolve

Agency is aiming to create an environment where disclosure is more advantageous than concealment

70

Summary

Quality Management SystemQuality Management System

QualityQualityManualManualQuality Quality

ProceduresProcedures

Work InstructionsWork Instructions

Records Records

Management Review

Corrective andPreventive Action

Internal Audit

Questions

• Please Email me at

• [email protected]

• 978 987 2087 cell phone

• 978 247 3260 (work)

Data Integrity Theresa McCarthy ASQ Granite State 16 September 2015.

Documents

data integrity systems

data integritywhat

collection of data

consistency of data

data integrityit

entire data lifecycle

us fda

acceptable test results