Pharmaceutical Data Integrity: Critical Considerations
www.pharmatechassociates.com
Agenda
• Introduction
• Key words defining data integrity (DI)
• Components of a DI Strategy
• DI Case Study
• Consequences of auditor finding the integrity issues
2Compliance Through Science ®
Introduction
• Data integrity is the accuracy and consistency of stored data, indicated by an absence of any alteration in data between two updates of a data record
• Data integrity is imposed within a system at its design stage through the use of standard rules and procedures, and is maintained through the use of error checking and validation routines
Is Data Integrity a New Requirement?
NO
What is driving enforcement concerns?
• Escalation of Virtual Business Models
• Increasing Globalization
• Evolving Documentation Practices
• Smart devices, IoT
FDA Expectations
• Agencies expect pharmaceutical companies to retain complete and accurate records and all raw data, and to make them available to inspectors
• The integrity of data generated by regulated pharmaceutical companies and laboratories matters most, because properly recorded information is the basis for manufacturers to assure product identity, strength, purity, and safety. Non-compliances found in the integrity of data lead to warning letters and regulatory action from the agencies
How Do We Ensure Data Integrity - Key Words
• Accurate: no errors or editing without documented amendments
• Attributable: who acquired the data or performed an action and when
• Available: for review and audit or inspection over the lifetime of the record
• Complete: all data are present and available
• Consistent: all elements of the record, such as the sequence of events, follow on and are dated or time stamped in expected sequence
• Contemporaneous: documented at the time of the activity
• Enduring: on proven storage media (paper or electronic)
• Legible: data can be easily read
• Original/Reliable: written printout or observation or a certified copy thereof
• Trustworthy: the data and the record have not been tampered with
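An added example (not part of the original slides): a minimal audit-trail review that tests entries against five of the key words above. The record layout, the shared-account names and the 30-minute entry window are assumptions made for this illustration, and the sample rows are constructed.

```python
from datetime import datetime, timedelta

# Assumed policy values for this example (not taken from the slides).
SHARED_ACCOUNTS = {"admin", "lab", "analyst"}
MAX_ENTRY_DELAY = timedelta(minutes=30)

# Constructed audit-trail rows:
# (seq, user, action, event_time, recorded_time, reason)
SAMPLE_TRAIL = [
    (1, "jsmith", "create", "2015-07-01T09:00", "2015-07-01T09:02", ""),
    (2, "jsmith", "modify", "2015-07-01T09:10", "2015-07-01T09:11", "transcription error"),
    (3, "lab",    "create", "2015-07-01T09:30", "2015-07-01T09:31", ""),
    (5, "mjones", "modify", "2015-07-01T10:00", "2015-07-01T10:01", ""),
    (6, "mjones", "create", "2015-07-01T08:00", "2015-07-03T16:00", ""),
    (7, "mjones", "create", "2015-07-01T11:00", "2015-07-01T11:05", ""),
]

def review_audit_trail(rows):
    """Return (seq, keyword, finding) tuples for entries that fail a check."""
    findings = []
    prev_seq, prev_recorded = None, None
    for seq, user, action, event_ts, recorded_ts, reason in rows:
        event = datetime.fromisoformat(event_ts)
        recorded = datetime.fromisoformat(recorded_ts)
        # Attributable: the entry must name an individual, not a group login.
        if not user or user.lower() in SHARED_ACCOUNTS:
            findings.append((seq, "Attributable", f"shared or missing account '{user}'"))
        # Accurate: no editing without a documented amendment.
        if action in ("modify", "delete") and not reason.strip():
            findings.append((seq, "Accurate", f"{action} without documented reason"))
        # Contemporaneous: documented at the time of the activity.
        if recorded - event > MAX_ENTRY_DELAY:
            findings.append((seq, "Contemporaneous", f"recorded {recorded - event} after the activity"))
        elif recorded < event:
            findings.append((seq, "Contemporaneous", "recorded before the activity took place"))
        # Complete: a gap in sequence numbers means entries are missing.
        if prev_seq is not None and seq != prev_seq + 1:
            findings.append((seq, "Complete", f"entries {prev_seq + 1}..{seq - 1} missing"))
        # Consistent: timestamps must follow on in the expected sequence.
        if prev_recorded is not None and recorded < prev_recorded:
            findings.append((seq, "Consistent", "timestamp earlier than previous entry"))
        prev_seq, prev_recorded = seq, recorded
    return findings

if __name__ == "__main__":
    for seq, keyword, finding in review_audit_trail(SAMPLE_TRAIL):
        print(f"entry {seq}: {keyword}: {finding}")
```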
Just Remember ALCOA
ALCOA Principles
Attributable
• Clearly indicates who recorded the data or performed the activity
• Signed / dated
• Who wrote it / when
Legible
• It must be possible to read or interpret the data after it is recorded
• Permanent
• No unexplained hieroglyphics
• Properly corrected if necessary
Contemporaneous
• Data must be recorded at the time it was generated
• Close proximity to occurrence
Original
• Data must be preserved in its unaltered state
• If not, why not
• Certified copies
Accurate
• Data must correctly reflect the action / observation made
• Data checked where necessary
• Modifications explained if not self-evident
Metadata
• Metadata means "data about data". It is defined as the data providing information about one or more aspects of the data. It is used to summarize basic information about data, which can make tracking and working with specific data easier. Some examples include:
– Means of creation of the data
– Purpose of the data
– Time and date of creation
– Creator or author of the data
– Location on a computer network where the data was created
– Standards used
– File size
Regulatory Guidances and References
US FDA
• 21 CFR Parts 11, 211, 803 [http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/cfrsearch.cfm]
• FDA’s Application Integrity Policy at www.fda.gov
• Guidance for Industry Part 11, Electronic Records; Electronic Signatures - Scope and Application, August 2003
• Carmelo Rosa, ISPE FDA 3rd Annual GMP conference, June 2014, Baltimore MD: Current Inspectional and Compliance Issues in Data Integrity (www.ispe.org)
• MHRA GMP Data Integrity Definitions and Guidance for Industry, published March 2015
• Eudralex-Volume 4 Good manufacturing practice (GMP) Guidelines
Regulatory Guidances and References
• G. Heddell, “Data Integrity – An EU Perspective,” ISPE/FDA Conference Baltimore, June 2014 (Director, Inspection, Enforcement and Standards, MHRA.)
• S. Wyn, “Data Integrity throughout the Computerized System Lifecycle,” ISPE/FDA Conference Baltimore, June 2014.
• GAMP® Good Practice Guide: “A Risk-based Approach to Compliant Electronic Records and Signatures”, 2005.
• GAMP® Good Practice Guide: “Electronic Data Archiving”, 2007.
• ISPE, “GAMP5: Risk Based Approach to Compliant GxP Computerized Systems”, 200
Data/Information Controls
[Figure labels: External Environment (Societal, Political, Legal); Internal Environment (QMS, IT Governance); Data Life Cycle (ALCOA); Good Documentation Practices]
Fully supporting the different steps in the lifecycle puts demands on metadata, standards, tools and people.
Managing the Data Life Cycle
• Do I have all my data?
– Design of data collection: protocol, process, method
– Data Life Cycle controls for data + metadata
• Has my data been objectively processed?
– Controls to Prevent & Detect Testing Toward Outcome
• Am I reviewing all my data?
– Printouts versus Source Electronic Records
– Review of Audit Trails
• Am I reporting all my data?
– Controls to Prevent & Detect Selective Reporting
Risks to Data Integrity
• Overseas Testing and Manufacturing Supply Chain
• Out-sourcing of Operations (e.g., QC Labs, Manufacturing)
• Economic Stressors: cutting corners
• Incomplete Quality Sensibility (Quality Maturity)
• Data Review Practices
• Increasing use of Electronic Systems without commensurate understanding and implementation of risk-based controls for Electronic Data Integrity, e.g. MES, LIMS, EBR
– Controls to Prevent Data Integrity Issues
– Controls to Detect Data Integrity Issues
Data Life Cycle (DLC)
• How do we think about “data” and how do we design our business processes?
• How do we validate systems that generate source data with direct impact on patient safety, product quality, application integrity…?
• How do we manage risks across the entire DLC?
• We must evolve our understanding of original data: printout vs. raw data/metadata
Functional Hierarchy of Information Systems ISA 95
Business vs. Data Processes
[Figure labels: Create Data, Transfer Data, Store Data, Retrieve Data, Process Data; Create Data, Review Data, Report Data; Business Process; Data Process]
Risk Management Framework
ICH Q9/Q10- Quality Risk Management Principles
Applying a Risk Based Approach to Data Review
• “Critical” Thinking Skills for Data Reviewer
– What about ERROR PATTERNS?
• Frequency
• Pattern
• Determinate or Indeterminate
• Failure Mode
• Failure Effect
Attacks Take Planning
DDoS: DDoS is a type of DoS attack in which multiple compromised systems, which are often infected with a Trojan, are used to target a single system, causing a Denial of Service (DoS).
Current Security Strategies
• Current solutions are defensive (reactive)
• Designed to defend after attack points have been identified (attack reconnaissance)
– Password Access
– Data Encryption
– Network Firewall
– Security Overhead
The Network-Data Security Elements
Data Breach Target Areas
Data Integrity - The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit. (NIST SP 800-33)
The Network-Data Security Elements
Data Breach Target Areas
• Annex 11-1, Risk Management
• Annex 11-4.4, Requirements Document
• Annex 11-12, Security
• Annex 11-13, Incident Management
• Annex 11-16, Business Continuity
• Annex 11-3, Suppliers and Service Providers.
Data in Motion
• Establishing a secure network security strategy is one critical piece of preventing data breaches
• LIMS, Clinical and ERP systems must have a solution in place to monitor and prevent unauthorized access and data corruption threats
Data in Motion
• IT Infrastructure should be qualified.
Annex 11-5, Data
• Computerized systems exchanging data electronically with other systems should include appropriate built-in checks for the correct and secure entry and processing of data, in order to minimize the risks.
Data in Motion
Annex 11-6, Accuracy Checks
• For critical data entered manually, there should be an additional check on the accuracy of the data.
• This check may be done by a second operator or by validated electronic means.
• The criticality and the potential consequences of erroneous or incorrectly entered data to a system should be covered by risk management.
Data in Use
• Built-in Checks (Annex 11-5)
• Accuracy Checks (Annex 11-6)
• Data Storage (Annex 11-7)
• Printouts (Annex 11-8)
• Audit Trails (Annex 11-9)
• Security (Annex 11-12)
• Electronic Signature (11-14)
• Archiving (Annex 11-17)
• Operational Checks (21 CFR Part 11)
Validation (Annex 11-4) + Periodic Evaluation (Annex 11-11)
Components of the DI Strategy
1. Education and Communication
2. Detection and Risk Mitigation
3. Technology and IT Systems
4. Governance and Data Integrity
Establishing the Data Integrity Mindset
• Establish a DI Culture through consistent messaging (Communication) and education
• Programs could include:
– Executive Awareness Training
– Auditors Training
– Process Owners
– Highlight Data Integrity Risks and Impact
– Change Management
– Data Integrity Checklists and Monitoring Programs
Detection and Mitigation Risks
• Assess current data repository and management systems
– Spreadsheets: Version Control, Access Control, Traceability, Part 11 Compliance
– Stand Alone Systems: Audit Trail, Data Archiving and Retrieval
– System Access: Access Control, Accountability, Traceability
Process Mapping
Map the transformation and transmittance of data in order to identify system risks which have not been addressed and optimize the process
[Process map steps: Create Electronic Data; Generate Paper Printout; Place Printout in Notebook; Review and Approve Notebook; Review Electronic Data]
Technology and IT System Roadmap
Establish formal requirements for all IT systems
Establish IT operational standards which segregate those who create data from those that can change it
Control access to systems
Governance and Data Integrity Structure
[Figure: governance structure with Global, Division and Local levels]
• Global: Define DI strategy and standards; monitor developments internally and externally
• Division: DI Subject Matter Experts provide guidance, recommend improvements
• Local: Owners of business processes and systems
Expect Issues To Rise with Awareness
Build Your Tactical Framework
[Figure: Tactical Framework, with stages labelled Characterize, Monitor, Detect, Identify]
• What is the DI Issue?
• What is the Root Cause?
• What is the Solution?
• Has the solution been effective?
Data Integrity Case Study
• A DI audit reveals an issue
• Current users aren't properly managing the raw data created as part of the IT system
• Additional GDP errors are identified: data transcription, verification
Practical Data Integrity Roadmap
What Quality Systems are Impacted?
• Data and Record Management
• Document Management & Change Control
• Quality Assurance
• Management Oversight
Data Integrity Audit Readiness (Method/Roadmap):
Workshops/Training
• How to conduct an Audit Trail Review and Group Account Review
• System Inventory
• Assessment Tool
• Audit Guides and Training
• Remediation Plan Template
• Review Findings Regularly
• Assessment of Controls Related to Data Management
• To provide an overview of the data collection systems and the level of electronic and/or management controls in place
• Used to determine follow-up items, as needed
• Applicable to all points of data collection for GMP and GLP systems in the laboratory, development and production (manufacturing) environments
• Consisted of a series of questions related to the inventory of electronic systems or processes involving data and the state of controls which are required
• The objective of the assessment is to identify controls and data integrity
Data Integrity Audit Readiness (Assessment):
• Audit trail – active and reviewed
• Part 11 Compliance – how determined
• Raw Data (Manf) – is data contained with the batch record and subject to review as part of the release process
• Raw Data (Lab) – is data contained with the analytical record and subject to review as part of the release process
• Log Book – audited or verified
• Qualification Status
Data Integrity Audit Readiness (Assessment):
User Accounts
• Passwords controlled and access rights reviewed
• Accounts personalized
• Administrator accounts - access restricted according to its business function
• Are system administrators able to generate, change or even delete data
• Training
Data Integrity Audit Readiness (Assessment):
Non-networked Stand-alone Systems
• Data management and control practices
• Is raw data in the system considered an electronic record and handled/retained accordingly?
• Can reported results be fully traced to source data whether or not it is in paper or electronic form?
• Is data availability ensured throughout defined retention period even after system retirement?
• Is data backed up and verification ensured?
Data Integrity Audit Readiness (Assessment):
QA unit relationship to production management
• QA Unit
– Describe conditions under which data can be altered, updated, changed, etc., or when equipment controls can be overridden or shut off. How is this communicated to management and documented?
• In Process Testing
– Describe how data is collected and what information is maintained with the batch record and what is maintained elsewhere.
• Availability of Procedures and General Controls
– Are the relevant SOPs in place for data handling, management, record retention and good documentation practices?
Data Integrity Audit Readiness (Assessment):
• Manufacturing/Production questions relating to Electronic Signature (ES) and Records (ER)
• eCompliance
– Is ER/ES handled and appropriately managed at the local, operational and equipment level?
• User Accounts
– Describe process for maintenance of password controls.
• Non-networked standalone systems
• Calibration Management – the process
• Incident Management – the process
• Process Validation – the process
• Change Management – the process
Data Integrity Audit Readiness (Assessment):
Lessons Learned
Controls must be in place to ensure the integrity of data
• A well prepared GxP document provides objective evidence of an “action” and the result of an “action”
• Why it is critical to ensure data is accurate and controlled
• Data must be safe from manipulation or loss, intentional or unintentional
• It is critical to educate personnel on data integrity and its overall impact on product identity, strength, purity and safety
Lessons Learned
Data Handling is key to Data Integrity
• We must consider:
– How data is collected and reported
– How data is reviewed
– How the integrity of data is protected
– How calculation errors are handled
– How alarms are managed
– Who has the authority to invalidate data
• What happens to this data? (i.e., discarded, archived with sample analysis package, etc.)
– How electronic data is protected from editing, changing, deletion?
• How are passwords assigned and protected?
Data Integrity Enforcement Activity
Common Data Integrity Failures
• Lack of controlled access to computer systems
• “Trial” HPLC injections
– Trial injections in stand alone equipment, outside a quality structure
• Deleted data
• Not recording activities contemporaneously
• Backdating
• Fabricating data
• Copying existing data as new data
• Re-running samples
Recent Warning Letters
• Completed batch production records days after operations ended. Also released lots before Quality Unit approvals – July 2015
• Failure to maintain original manufacturing data, contained in “rough notes” – July 2015
• Failure to control access to data systems – July 2015
• Lack of access controls to prevent manipulation of data – April 2015
• Lack of audit trails for lab instruments – April 2015
• Turning off audit trail – April 2015
• Altered results of identity test results – April 2015
Keys to Successful Data Integrity Assurance Program
• Management Commitment & Governance
• Quality Risk Management
• Critical Thinking Skills
• Embracing Innovation
What are your next steps? Get ready!
• Data Integrity enforcement is on the rise
• Accuracy, reliable design, consistent intended performance of record systems, both paper document systems and computerized systems
• Data Controls (both paper and electronic) to ensure authenticity, integrity, confidentiality, readily retrievable, accuracy, consistency, completeness throughout Data Life Cycle
• Signature Controls (both hand-written and electronic) to ensure legally-binding Quality Systems and Management Governance in place to assure data integrity
References used in Presentation
• Carmelo Rosa, ISPE FDA 3rd Annual GMP conference, June 2014, Baltimore MD: Current Inspectional and Compliance Issues in Data Integrity (www.ispe.org)
• Eudralex-Volume 4 Good manufacturing practice (GMP) Guidelines
• 2015 PDA/FDA Joint Regulatory Conference, Enforcement Trends, CDER Office of Compliance, Tom Cosgrove, Office of Manufacturing Quality Director, September 29, 2015, Washington, DC
• Data Integrity Training Lessons Learned & Case Studies, Monica J. Cahilly, M.S., Green Mountain Quality Assurance LLC
• Designing Data Integrity into your Practices, Orlando López, SME - GAMP Data Integrity SIG, PTEA Meeting, September 18, 2014, Overland Park Convention Center, KS
Contact Information
Bikash [email protected]
Pharmatech Associates, Inc.
22320 Foothill Blvd. #330
Hayward, California 94541
Telephone: 510-732-0177
Toll Free: 877-787-0177
Visit our website at: www.pharmatechassociates.com