SESSION 14 Train Personnel on CSV and Data Integrity Compliance Chris Wubbolt – QACV Consulting Denise Botto – inVentiv Health April 28, 2016
SESSION 14
Train Personnel on CSV and
Data Integrity Compliance
Chris Wubbolt – QACV Consulting
Denise Botto – inVentiv Health
April 28, 2016
2
Chris Wubbolt -
Principal Consultant, QACV Consulting. Over 25 years experience
working with large, mid-sized, and small pharma and medical
device companies. Primary focus is data integrity assessments,
auditing, providing training, and quality management system
improvement and implementation.
3
Denise Botto
Associate Director, Computer Systems Quality at inVentiv Health.
Has been with the CRO for almost 15 years. Main area of focus is
GCP, and is responsible for conducting software related vendor
audits, as well as internal IT/CSV related audits.
4
Objectives
• Develop a Proactive Training Program for CSV and Data
Integrity Requirements
• Implement a Training Matrix to Provide Focused Role-based
Training to Personnel
• Monitor Effectiveness of Training Program
5
Who needs to be trained on data
integrity requirements and why it
is important?
6
What is Data Integrity?
Data integrity refers to the completeness, consistency, and accuracy of data.
7
Why train personnel on Data Integrity compliance?
Data Integrity Guidance…
Should personnel be trained in detecting data integrity issues as part of a routine CGMP training program?
Yes. Training personnel to detect data integrity issues is consistent with the personnel requirements under §§ 211.25 and 212.10, which state that personnel must have the education, training, and experience, or any combination thereof, to perform their assigned duties.
8
Why is Data Integrity Compliance important?
Data Integrity – Data integrity is critical to regulatory compliance,
and the fundamental reason for 21 CFR Part 11.
FDA uses the acronym ALCOA to define its expectations of
electronic data.
Attributable
Long-lasting (legible)
Contemporaneous
Original
Accurate
Enduring
Retrievable
9
Train Personnel on CSV and Data Integrity Compliance
Main Criteria for Data Integrity
[R.D. McDowall, Spectroscopy, Focus on Quality, December 2010]
• Accurate - No errors or editing without documented amendments
• Attributable - Who acquired the data or performed an action and when?
• Available (Retrievable) - For review and audit or inspection over the lifetime of the record
• Complete - All data is present and available
• Consistent - All elements of the record, such as the sequence of events, follow on and are dated or time stamped in expected sequence
• Contemporaneous - Documented at the time of the activity
• Enduring - On proven storage media (paper or electronic)
• Legible - Can you read the data?
• Original/Reliable - Written printout or observation or a certified copy
• Trustworthy - The data and the record have not been tampered with
10
Train Personnel on CSV and Data Integrity Compliance
Requirements with respect to data integrity:
• § 211.68 (requiring that “backup data are exact and complete,” and “secure from alteration, inadvertent erasures, or loss”);
• § 212.110(b) (requiring that data be “stored to prevent deterioration or loss”);
• §§ 211.100 and 211.160 (requiring that certain activities be “documented at the time of performance” and that laboratory controls be “scientifically sound”);
• § 211.180 (requiring that records be retained as “original records,” “true copies,” or other “accurate reproductions of the original records”);
• §§ 211.188, 211.194, and 212.60(g) (requiring “complete information,” “complete data derived from all tests,” “complete record of all data,” and “complete records of all tests performed”).
11
Train Personnel on CSV and Data Integrity Compliance
Data Integrity Warning Letters:
January 2008: “It was observed that the data stored on the computer can be deleted, removed, transferred, renamed or altered [without control].”
April 2008: “There is no audit trail or log of data changes that are made to the information in the database. Data cannot be verified against source records, since such records are not maintained.”
In such cases, data can’t be verified because the original source records (e.g., certificate of analysis) have been scanned in and then thrown away. As a result, there is no way of knowing whether or not this is the original. Anyone can go into Adobe and change the record. Thus, FDA says, you have no tracking or controls on this, so we cannot rely on it.
12
Train Personnel on CSV and Data Integrity Compliance
Data Integrity Warning Letters continued:
May 2010: “Your firm failed to check the accuracy of the input to and output
from the computer or related systems of formulas or other records or data
and establish the degree and frequency of input/output verifications.”
April 2010: “Your firm's laboratory analysts have the ability to access and
delete raw chromatographic data . . . Due to this unrestrictive access, there is
no assurance that laboratory records and raw data are accurate and valid.”
In the last example, FDA says there is no assurance of accuracy or validity. . .
What the Agency is driving with Part 11 is the need for data to be
trustworthy.
13
Train Personnel on CSV and Data Integrity Compliance
Here are some steps you should take to ensure data integrity:
• Implement a Data Integrity Policy and Plan
• Embed data integrity verification activities into internal audit
processes
• Train your internal auditors to understand what to look for when
detecting data integrity deficiencies
• Create awareness among staff so they can assist with this
endeavor, and report concerns before they become full-fledged
issues
• Seek external support to assure completely unbiased, third-party
investigations and/or to enhance your internal investigation program
14
Train Personnel on CSV and Data Integrity Compliance
Develop a Proactive Training Program for CSV and Data Integrity
Requirements
• Identify current regulatory requirements and industry standards
• List organizational responsibilities for CSV and data integrity
programs
• Review key validation processes and deliverables
• Identify electronic data integrity controls
15
Develop a Proactive Training Program for CSV and
Data Integrity Requirements
21 CFR Part 211
Subpart B – Organization and Personnel Policy A SOP 1
SOP 2
Subpart C – Buildings and Facilities Policy B SOP 3
Subpart D – Equipment Policy C SOP 4
Subpart F – Production and Process Controls Policy D SOP 5
21 CFR Part 58
Subpart B – Organization and Personnel Policy A SOP 6
Subpart C – Facilities Policy B SOP 7
Map each applicable regulatory requirement to a
policy and/or SOPs.
Identify organizational roles responsible for activities,
including review and approval.
16
Develop a Proactive Training Program for CSV and Data
Integrity Requirements
Organizational responsibilities for CSV and data integrity programs
• End Users
− Use of system as intended in compliant manner
• System Owner (Business)
− Owns the business process
− Responsible for GxP data generated from business process (Data
Governance)
− Review/approval of change requests
• IT
− Technical accuracy, viability and compatibility of a technology solution.
− Data backup
− Security
− Review/approval of change requests
17
Develop a Proactive Training Program for CSV and Data
Integrity Requirements
Organizational responsibilities for CSV and data integrity programs
• QA
− Perform audits to verify that use of system and all validation activities and
documents comply with applicable regulations and internal procedures.
− Review and approve validation documents.
− Review/approval of change requests.
• Compliance
− Assure that systems used are in compliance with applicable regulations.
• Validation
− Overseeing validation program and activities.
− Development of validation documentation.
• Other
18
Calibration
Calibration
IT Controls
Record Management
IT Controls
- User access
Record Retention
& Archival
IT Controls
Validation
Develop a Proactive Training Program for CSV and Data
Integrity Requirements
19
Develop a Proactive Training Program for CSV and Data
Integrity Requirements
What do these individuals need to know about CSV and Data
Integrity?
• End Users
• System Owner
• IT
• QA
• Compliance
• Validation
20
Develop a Proactive Training Program for CSV and Data
Integrity Requirements
Key validation processes and deliverables
• Based Data Integrity Policy and Related SOPs
• Planning –Validation Plan Include data integrity and risk assessments as part of the validation program
• Requirements – URS Include data integrity requirements
• Design - Functional, Design, and Configuration Specification
− Include data integrity controls
• Development – Coding Standards (as applicable)
• Testing – Test Plan, UAT, Test Report
• Release – Validation Summary Report, Release Statement
• Operation and Maintenance
− Change Control
− Backup and Restore
− Disaster Recovery
21
Develop a Proactive Training Program for CSV and Data
Integrity Requirements
Key validation procedures
• SDLC (as applicable)
• Data Integrity/Risk Assessment
• Validation Plan
• Requirements
• Design
• IQ/OQ/PQ
• Validation Summary Report
• Exception Resolution
• Change Control
• System Administration and Maintenance
22
Develop a Proactive Training Program for CSV and Data
Integrity Requirements
Who owns the data?
• Originate
• Review
• Approval
• Report
• Backup
• Restore
• Archive
• Destroy
23
Develop a Proactive Training Program for CSV and Data
Integrity Requirements
Electronic data integrity controls
Archivist
• One of the most important things to understand is that we need to take a lifecycle approach to data integrity. Remember that adverse events records will have to be stored for 10 years, and batch records for seven or eight years. The key is to focus on the record.
• Documents and e-data spend more than 80% of their lifespan in an archived (e.g., stored) state
• It’s important to recognize that the records we’ve created and used are going to spend most of their lifetimes sitting in storage, with nobody looking at them. This is absolutely critical to understand, because if you don’t build in controls to spot check those archived records, you may find that they’re gone.
*ARMA [Authority on Managing Records and Information].
24
Develop a Proactive Training Program for CSV and Data
Integrity Requirements
Electronic data integrity controls
• Backup and Restore
• Disaster Recovery
• Replication
25
Develop a Proactive Training Program for CSV and Data
Integrity Requirements
Electronic data integrity controls
Backup and Restore
Replication
Disaster Recovery
• Data Loss
• Recovery Time
• Testing
• Co-location facilities
26
Train Personnel on CSV and Data Integrity Compliance
Implement a Training Matrix to Provide
Focused Role-based Training to Personnel
• Identify key tasks necessary for each role
within the CSV and data integrity program
• Create a role-based training program to
focus training activities
• Develop training exams to ensure
comprehension of training
27
Implement a Training Matrix to Provide Focused Role-
based Training to Personnel
Key tasks necessary for each role within the CSV and data integrity program
• End Users
• IT
• QA
• Compliance
• Validation Manager
• Other?
28
Implement a Training Matrix to Provide Focused Role-
based Training to Personnel
RACI model is a tool used for identifying roles and responsibilities during.
R – Responsible A – Accountable C – Consulted I - Informed
29
Implement a Training Matrix to Provide Focused Role-
based Training to Personnel
Create a role-based training program to focus training activities
• End Users
• IT
• QA
• Compliance
• Validation Manager
• Other?
30
Implement a Training Matrix to Provide Focused Role-
based Training to Personnel
SOPs/Policies related to the key tasks
Record Integrity Policy
Good Documentation Practices
Raw Data Definition
Operational Procedures
Handling of data
Roles and Responsibilities
Review and approval of data
31
Implement a Training Matrix to Provide Focused Role-
based Training to Personnel
SOPs/Policies related to the key tasks
Validation
Security and Administration
Record Retention
Backup and Restore
Disaster Recovery
Monitoring Data Integrity Program
Audits
Reviews
32
33
Implement a Training Matrix to Provide Focused Role-
based Training to Personnel
Develop training exams to ensure
comprehension of training
34
Train Personnel on CSV and Data Integrity Compliance
Monitor Training Program
• Review investigations, CAPAs and other quality systems to
determine if re-training is necessary
• Update training materials as new information is obtained
• Periodic refresher training
• Audit the training program
35
Break Out Session
• Provide an Outline for a Data Integrity Plan
© 2016 All Rights Reserved | CONFIDENTIAL36
Questions