SESSION 14 Train Personnel on CSV and Data Integrity ... 14 Train Personnel on CSV and Data Integrity Compliance Chris Wubbolt –QACV Consulting Denise Botto –inVentiv Health April

SESSION 14

Train Personnel on CSV and

Data Integrity Compliance

Chris Wubbolt – QACV Consulting

Denise Botto – inVentiv Health

April 28, 2016

2

Chris Wubbolt -

Principal Consultant, QACV Consulting. Over 25 years experience

working with large, mid-sized, and small pharma and medical

device companies. Primary focus is data integrity assessments,

auditing, providing training, and quality management system

improvement and implementation.

[email protected]

3

Denise Botto

Associate Director, Computer Systems Quality at inVentiv Health.

Has been with the CRO for almost 15 years. Main area of focus is

GCP, and is responsible for conducting software related vendor

audits, as well as internal IT/CSV related audits.

[email protected]

4

Objectives

• Develop a Proactive Training Program for CSV and Data

Integrity Requirements

• Implement a Training Matrix to Provide Focused Role-based

Training to Personnel

• Monitor Effectiveness of Training Program

5

Who needs to be trained on data

integrity requirements and why it

is important?

6

What is Data Integrity?

Data integrity refers to the completeness, consistency, and accuracy of data.

7

Why train personnel on Data Integrity compliance?

Data Integrity Guidance…

Should personnel be trained in detecting data integrity issues as part of a routine CGMP training program?

Yes. Training personnel to detect data integrity issues is consistent with the personnel requirements under §§ 211.25 and 212.10, which state that personnel must have the education, training, and experience, or any combination thereof, to perform their assigned duties.

8

Why is Data Integrity Compliance important?

Data Integrity – Data integrity is critical to regulatory compliance,

and the fundamental reason for 21 CFR Part 11.

FDA uses the acronym ALCOA to define its expectations of

electronic data.

Attributable

Long-lasting (legible)

Contemporaneous

Original

Accurate

Enduring

Retrievable

9

Train Personnel on CSV and Data Integrity Compliance

Main Criteria for Data Integrity

[R.D. McDowall, Spectroscopy, Focus on Quality, December 2010]

• Accurate - No errors or editing without documented amendments

• Attributable - Who acquired the data or performed an action and when?

• Available (Retrievable) - For review and audit or inspection over the lifetime of the record

• Complete - All data is present and available

• Consistent - All elements of the record, such as the sequence of events, follow on and are dated or time stamped in expected sequence

• Contemporaneous - Documented at the time of the activity

• Enduring - On proven storage media (paper or electronic)

• Legible - Can you read the data?

• Original/Reliable - Written printout or observation or a certified copy

• Trustworthy - The data and the record have not been tampered with

10


Requirements with respect to data integrity:

• § 211.68 (requiring that “backup data are exact and complete,” and “secure from alteration, inadvertent erasures, or loss”);

• § 212.110(b) (requiring that data be “stored to prevent deterioration or loss”);

• §§ 211.100 and 211.160 (requiring that certain activities be “documented at the time of performance” and that laboratory controls be “scientifically sound”);

• § 211.180 (requiring that records be retained as “original records,” “true copies,” or other “accurate reproductions of the original records”);

• §§ 211.188, 211.194, and 212.60(g) (requiring “complete information,” “complete data derived from all tests,” “complete record of all data,” and “complete records of all tests performed”).

11


Data Integrity Warning Letters:

January 2008: “It was observed that the data stored on the computer can be deleted, removed, transferred, renamed or altered [without control].”

April 2008: “There is no audit trail or log of data changes that are made to the information in the database. Data cannot be verified against source records, since such records are not maintained.”

In such cases, data can’t be verified because the original source records (e.g., certificate of analysis) have been scanned in and then thrown away. As a result, there is no way of knowing whether or not this is the original. Anyone can go into Adobe and change the record. Thus, FDA says, you have no tracking or controls on this, so we cannot rely on it.

12


Data Integrity Warning Letters continued:

May 2010: “Your firm failed to check the accuracy of the input to and output

from the computer or related systems of formulas or other records or data

and establish the degree and frequency of input/output verifications.”

April 2010: “Your firm's laboratory analysts have the ability to access and

delete raw chromatographic data . . . Due to this unrestrictive access, there is

no assurance that laboratory records and raw data are accurate and valid.”

In the last example, FDA says there is no assurance of accuracy or validity. . .

What the Agency is driving with Part 11 is the need for data to be

trustworthy.

13


Here are some steps you should take to ensure data integrity:

• Implement a Data Integrity Policy and Plan

• Embed data integrity verification activities into internal audit

processes

• Train your internal auditors to understand what to look for when

detecting data integrity deficiencies

• Create awareness among staff so they can assist with this

endeavor, and report concerns before they become full-fledged

issues

• Seek external support to assure completely unbiased, third-party

investigations and/or to enhance your internal investigation program

14


Develop a Proactive Training Program for CSV and Data Integrity

Requirements

• Identify current regulatory requirements and industry standards

• List organizational responsibilities for CSV and data integrity

programs

• Review key validation processes and deliverables

• Identify electronic data integrity controls

15

Develop a Proactive Training Program for CSV and

Data Integrity Requirements

21 CFR Part 211

Subpart B – Organization and Personnel Policy A SOP 1

SOP 2

Subpart C – Buildings and Facilities Policy B SOP 3

Subpart D – Equipment Policy C SOP 4

Subpart F – Production and Process Controls Policy D SOP 5

21 CFR Part 58

Subpart B – Organization and Personnel Policy A SOP 6

Subpart C – Facilities Policy B SOP 7

Map each applicable regulatory requirement to a

policy and/or SOPs.

Identify organizational roles responsible for activities,

including review and approval.

16

Develop a Proactive Training Program for CSV and Data


Organizational responsibilities for CSV and data integrity programs

• End Users

− Use of system as intended in compliant manner

• System Owner (Business)

− Owns the business process

− Responsible for GxP data generated from business process (Data

Governance)

− Review/approval of change requests

• IT

− Technical accuracy, viability and compatibility of a technology solution.

− Data backup

− Security

− Review/approval of change requests

17



Organizational responsibilities for CSV and data integrity programs

• QA

− Perform audits to verify that use of system and all validation activities and

documents comply with applicable regulations and internal procedures.

− Review and approve validation documents.

− Review/approval of change requests.

• Compliance

− Assure that systems used are in compliance with applicable regulations.

• Validation

− Overseeing validation program and activities.

− Development of validation documentation.

• Other

18

Calibration

Calibration

IT Controls

Record Management

IT Controls

- User access

Record Retention

& Archival

IT Controls

Validation



19



What do these individuals need to know about CSV and Data

Integrity?

• End Users

• System Owner

• IT

• QA

• Compliance

• Validation

20



Key validation processes and deliverables

• Based Data Integrity Policy and Related SOPs

• Planning –Validation Plan Include data integrity and risk assessments as part of the validation program

• Requirements – URS Include data integrity requirements

• Design - Functional, Design, and Configuration Specification

− Include data integrity controls

• Development – Coding Standards (as applicable)

• Testing – Test Plan, UAT, Test Report

• Release – Validation Summary Report, Release Statement

• Operation and Maintenance

− Change Control

− Backup and Restore

− Disaster Recovery

21



Key validation procedures

• SDLC (as applicable)

• Data Integrity/Risk Assessment

• Validation Plan

• Requirements

• Design

• IQ/OQ/PQ

• Validation Summary Report

• Exception Resolution

• Change Control

• System Administration and Maintenance

22



Who owns the data?

• Originate

• Review

• Approval

• Report

• Backup

• Restore

• Archive

• Destroy

23



Electronic data integrity controls

Archivist

• One of the most important things to understand is that we need to take a lifecycle approach to data integrity. Remember that adverse events records will have to be stored for 10 years, and batch records for seven or eight years. The key is to focus on the record.

• Documents and e-data spend more than 80% of their lifespan in an archived (e.g., stored) state

• It’s important to recognize that the records we’ve created and used are going to spend most of their lifetimes sitting in storage, with nobody looking at them. This is absolutely critical to understand, because if you don’t build in controls to spot check those archived records, you may find that they’re gone.

*ARMA [Authority on Managing Records and Information].

24




• Backup and Restore

• Disaster Recovery

• Replication

25




Backup and Restore

Replication

Disaster Recovery

• Data Loss

• Recovery Time

• Testing

• Co-location facilities

26


Implement a Training Matrix to Provide

Focused Role-based Training to Personnel

• Identify key tasks necessary for each role

within the CSV and data integrity program

• Create a role-based training program to

focus training activities

• Develop training exams to ensure

comprehension of training

27

Implement a Training Matrix to Provide Focused Role-

based Training to Personnel

Key tasks necessary for each role within the CSV and data integrity program

• End Users

• IT

• QA

• Compliance

• Validation Manager

• Other?

28



RACI model is a tool used for identifying roles and responsibilities during.

R – Responsible A – Accountable C – Consulted I - Informed

29



Create a role-based training program to focus training activities

• End Users

• IT

• QA

• Compliance

• Validation Manager

• Other?

30



SOPs/Policies related to the key tasks

Record Integrity Policy

Good Documentation Practices

Raw Data Definition

Operational Procedures

Handling of data

Roles and Responsibilities

Review and approval of data

31



SOPs/Policies related to the key tasks

Validation

Security and Administration

Record Retention

Backup and Restore

Disaster Recovery

Monitoring Data Integrity Program

Audits

Reviews

32

33



Develop training exams to ensure

comprehension of training

34


Monitor Training Program

• Review investigations, CAPAs and other quality systems to

determine if re-training is necessary

• Update training materials as new information is obtained

• Periodic refresher training

• Audit the training program

35

Break Out Session

• Provide an Outline for a Data Integrity Plan

© 2016 All Rights Reserved | CONFIDENTIAL36

Questions