Preparing for Successful Data Integrity Audits in the Pharmaceutical and Medical Device Industries
Mary Chris Easterly
ASQ Raleigh, QIT 2017
Overview
• General data integrity concepts
• Regulatory focus for inspections
• How to audit paper and electronic records
Data Integrity Requirements
• GMP Data Integrity Definitions and Guidance for Industry, MHRA (Medicines & Healthcare products Regulatory Agency, United Kingdom), March, 2015 https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/412735/Data_integrity_definitions_and_guidance_v2.pdf
• Draft GxP Data Integrity Definitions and Guidance for Industry, MHRA, July, 2016 https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/538871/MHRA_GxP_data_integrity_consultation.pdf
• Guidance on good data and record management practices, World Health Organization, May, 2016 http://www.who.int/medicines/publications/pharmprep/WHO_TRS_996_annex05.pdf
• Draft Data Integrity and Compliance with GMP Guidance for Industry, Food & Drug Administration, April, 2016 https://www.fda.gov/ucm/groups/fdagov-public/@fdagov-drugs-gen/documents/document/ucm495891.pdf
• Draft Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments, Pharmaceutical Inspection Convention / Pharmaceutical Inspection Co-operation Scheme (PIC/S), August, 2016
General Data Integrity Concepts
Data Integrity: The extent to which all data are complete, consistent and accurate throughout the data lifecycle
General Data Integrity Concepts
DATA: All original records, including source data, metadata, subsequent transformations and reports, generated or recorded at the time of the activity. Allows full and complete reconstruction and evaluation of the activity.
RAW DATA: Original records and documentation, retained in the format in which they were originally generated (paper or electronic)
Original record: Data as the file or format in which it was originally generated, preserving the integrity (accuracy, completeness, content and meaning) of the record
• original paper record of manual observation
• electronic raw data file from a computerized system
General Data Integrity Concepts
Data must be:
• Attributable to the person generating the data
• Legible
• Contemporaneous
• Original record
• Accurate
General Data Integrity Concepts
ALCOA, with additional emphasis on data being:
• Complete
• Consistent
• Enduring
• Available
General Data Integrity Concepts: Good Doc Practices
Attributable
• Paper: Initials/signature by person who performed activity
• Electronic: Electronic signature (username + password)
Legible
• Paper: Indelible ink; no erasure or correction fluid/tape; changes are corrected properly
• Electronic: Data is visible in fields
Contemporaneous
• Paper: Recorded at time of activity; no pre- or post-dating
• Electronic: Record is saved when data is entered; time/date stamps; synchronized time (for accuracy)
Original
• Paper: Paper form; no post-its or temporary method of recording then transcribing data
• Electronic: Data generated by computerized system; includes metadata; not able to modify original data
Accurate
• Paper: Data recorded is accurate; calculations are checked; second person verification
• Electronic: Data transfers from original data system accurately (e.g., to LIMS, archival); calculations correct; second person verification
DI is not a new expectation of regulatory bodies. Predicate rules: 21 CFR 211, ICH Q7, 21 CFR Part 11, EudraLex Annex 11
General Data Integrity Concepts
§211.68:
• Changes in records are made by authorized personnel
• Backup data are exact and complete, and secure from alteration, inadvertent erasures, or loss
§211.160 Laboratory activities are documented at the time of performance
§211.188 Documentation that significant steps were accomplished including identification of person performing and supervising the steps
§211.194 Laboratory records include all data secured in the course of each test
EudraLex Vol. 4, 4.9
Changes made to entry are signed and dated; alteration permits reading of original information
EudraLex Vol. 4, Annex 11
Audit trails (record of all GMP‐related changes and deletions) need to be available and regularly reviewed
Regulatory Focus for Inspections
Primary Considerations for CGMP Enforcement:
• Is drug adulterated?
• Most important – patient risk
• High risk: FDA takes quick action
  • Sub- or super-potent
  • Contamination
  • Sterility concerns
  • Other defects
- Paula R. Katz, CDER, India Pharmaceutical Forum
Regulatory Focus for Inspections
2016 OMQ Enforcement Actions
• 54 warning letters
• 47 import alerts
• 4 untitled letters
2016 Warning Letters: 19 - Data Integrity
• Lack of control over access to computerized systems
• Non-contemporaneous record-keeping
• Deletion, falsification, alteration, or other manipulation
- Paula R. Katz, CDER, India Pharmaceutical Forum
Regulatory Focus for Inspections
FDA concerns with data integrity:
• Shared login accounts: cannot identify a unique individual
• System administrator role: assign to personnel independent from those responsible for record content
• All electronic data generated to satisfy a CGMP requirement is a CGMP record
• Using actual samples during “system suitability” or test or equilibration runs is a means of testing into compliance
- Paula R. Katz, CDER, PDA Data Integrity Workshop
Regulatory Focus for Inspections
FDA recommends audit trails that capture changes to critical data be reviewed with each record and before final approval of the record
Regular review of audit trails should include, at a minimum, changes to:
• History of finished product test results
• Sample run sequences
• Sample identification
• Critical process parameters
- Paula R. Katz, CDER, PDA Data Integrity Workshop
Regulatory Focus for Inspections
2 kinds of data integrity problems
• Top down, pervasive, dictated by management
• Bottom up, isolated, one or a few operators or analysts
If FDA finds DI issue in one place, assume it’s everywhere unless a credible audit determines otherwise
When something doesn’t look right, take a tangent and zero in on it
- Takahashi: Look Out for These Data Integrity Issues
Regulatory Focus for Inspections
Examples of what doesn’t look right:
• Test results for one batch used to release other batches (too many tests run in the time available)
• Audit trail disabled until passing test results were obtained
• Failing and passing batches of active pharmaceutical ingredient blended to produce passing results; lab and management knew about this practice
• Created falsified training records that were requested during the inspection
- Takahashi: Look Out for These Data Integrity Issues
Regulatory Focus for Inspections
Look for data that is too good
• No complaints, deviations, or out-of-specification investigations
- Takahashi: Look Out for These Data Integrity Issues
Regulatory Focus for Inspections
26 Active Pharmaceutical Ingredient FDA warning letters
• 12 focused primarily on data integrity concerns
• 4 focused secondarily on data integrity concerns
Quality System records
• Only 2 of 17 complaints in complaint log; complete list found on warehouse floor
• Many production deviations in a GMP Anomalies folder that were not investigated or reported
- Bowman Cox, FDA GMP Warning Letters Review
Regulatory Focus for Inspections
Active Pharmaceutical Ingredient FDA warning letters
Laboratory records and computerized systems
• Unofficial test records and deleted unknown peaks in chromatograms – potential impurities
• Reference standard tested instead of 12 month stability sample
• Retested samples until in-specification results were reported
- Bowman Cox, FDA GMP Warning Letters Review
Regulatory Focus for Inspections
Active Pharmaceutical Ingredient FDA warning letters
Laboratory records and computerized systems
• Microbiologist did not record test results contemporaneously
• QC worksheet completed after FDA investigators asked for it
• Gas chromatograph clock set back to make it appear stability test was done months earlier; failing tests deleted
• HPLC system configured to automatically delete aborted tests, and turn back clock for passing results
- Bowman Cox, FDA GMP Warning Letters Review
Regulatory Focus for Inspections
2 Drug Product FDA warning letters focused on data integrity concerns
Laboratory records and computerized systems
• Trial HPLC injections; data stored separately from reported test results
• Administrator privileges given to analysts, who changed time and date settings then overwrote and deleted HPLC test data
• Unreported gas chromatography results, including out of specification test results for a raw material
- Bowman Cox, FDA GMP Warning Letters Review
Regulatory Focus for Inspections
2 Drug Product FDA warning letters focused on data integrity concerns
Other records
• Batch record pages destroyed and replaced with backdated revised pages
• Workers in production failed to record activities contemporaneously
• Workers incinerated GMP documentation
- Bowman Cox, FDA GMP Warning Letters Review
How to Audit Paper and Electronic Records
• Every quality audit is a data integrity audit.
• Outside auditors have the lowest probability of finding Data Integrity Issues; internal auditors have the highest probability.
How to Audit Paper and Electronic Records
Request auditee to provide at opening meeting:
• List of all GMP computerized systems
Laboratory
• LIMS (Laboratory Information Management System)
• Chromatography, including HPLC, GC
• Standalone vs. networked systems
Manufacturing
• Manufacturing Requirements Planning
• Building Automation Systems – monitor and alarm for environmental conditions
• Automated production equipment
Enterprise/Quality System
• Complaints, training, deviations, change control, document control
Data Storage
• Backups, archiving, retrieval of data after retirement
How to Audit Paper and Electronic Records
Request auditee to provide at opening meeting:
• Procedures for laboratory data generation, review, and approval; CofA generation
• Procedure for providing, changing, and removing user access to e-systems
• Procedure for investigating deviations
• Certificate of Analysis (CofA) for specific released batch – select a test that uses computerized systems: Trace from generation of data to CofA
If you have concerns about putting instructions for how to handle DI issues into an SOP, know that all companies have some type of DI occurrence. It’s part of human nature.
How to Audit Paper and Electronic Records
During opening meeting, select automated test from CofA:
For specific instrument:
• SOPs for use of equipment, data archival, system administration, user access/security levels
• Qualification of equipment showing how aspects of system use were qualified
• Flowchart of data flow for computerized system, including data backup and archival
• Who has access to modify or delete data from generation to archival?
How to Audit Paper and Electronic Records
Data Governance/Data Management:
• Procedure/Program/Plan for Data Integrity
• Computerized systems not fully compliant? Gap analysis and remediation plan
• Employee training on DI principles and their responsibilities
• Oversight of contractors and suppliers
  • Ensure contract laboratories and manufacturers have DI program and procedures
  • DI included in audits of contractors and suppliers
  • DI included in quality agreement with contractors and suppliers
• DI included in all Internal Audits
How to Audit Paper and Electronic Records
During audit walkthrough, for selected system:
• System administrator, user, second person reviewer present
• Ask for demonstration of system to generate, manipulate, and review data
• Review related paper logbooks (equipment maintenance, use)
How to Audit Paper and Electronic Records
During audit walkthrough:
• Review configuration settings for computerized system
• Password changes: change at first logon, # days to change
• Users with specific access types
  • Generic system administrator username should not be enabled
  • Number of people with system administrator access (should be minimal)
  • Which people have system admin access (personnel with responsibility for data generated?)
  • Functions that specific access types perform
How to Audit Paper and Electronic Records
During audit walkthrough:
• Users with active accounts – current employees?
  • Training and access approval records
  • Unique username/password (not shared)
  • Recorded password - under keyboard, behind monitor, in drawers
• Audit trail turned on; users cannot turn it off
• Contents of trash can
  • Data files that did not pass testing specifications?
• User ability to change computer or server time/date
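The account checks on the two walkthrough slides above can be run over a user-account export before the walkthrough starts. This is an added example, not part of the presentation; the CSV columns, role names, employee list and the administrator limit are constructed assumptions, not the export format of any particular system.

```python
import csv
import io

# Constructed sample: user-account export from a hypothetical data system.
ACCOUNTS_CSV = """username,full_name,role,enabled,generates_data
admin,,Administrator,yes,no
jsmith,Jane Smith,Analyst,yes,yes
rpatel,Ravi Patel,Administrator,yes,yes
lab1,,Analyst,yes,yes
mlee,Mina Lee,Reviewer,yes,no
tbrown,Tom Brown,Analyst,yes,yes
itops,Ian Topps,Administrator,yes,no
"""

# Constructed sample: current employees, as supplied by HR.
CURRENT_EMPLOYEES = {"Jane Smith", "Ravi Patel", "Mina Lee", "Ian Topps"}
GENERIC_NAMES = {"admin", "administrator", "root", "sysadmin"}
MAX_ADMINS = 1  # assumed site limit; the slide only says "should be minimal"


def review_accounts(csv_text, employees, max_admins=MAX_ADMINS):
    """Return (username, finding) pairs for enabled accounts."""
    findings = []
    rows = [r for r in csv.DictReader(io.StringIO(csv_text)) if r["enabled"] == "yes"]
    admins = [r for r in rows if r["role"] == "Administrator"]
    for r in rows:
        user = r["username"]
        if user.lower() in GENERIC_NAMES:
            findings.append((user, "generic administrator account is enabled"))
        elif not r["full_name"]:
            findings.append((user, "not tied to a named individual (possible shared login)"))
        elif r["full_name"] not in employees:
            findings.append((user, "active account for someone not on the employee list"))
        # Administrators should be independent of those responsible for record content.
        if r["role"] == "Administrator" and r["generates_data"] == "yes":
            findings.append((user, "administrator also responsible for record content"))
    if len(admins) > max_admins:
        findings.append(("*", f"{len(admins)} enabled administrators (limit {max_admins})"))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS_CSV, CURRENT_EMPLOYEES):
        print(f"{user}: {finding}")
```

Each finding is a question to put to the system administrator during the walkthrough, not a conclusion; training and access approval records still have to be checked by hand.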
How to Audit Paper and Electronic Records
During audit walkthrough:
• Data folders & files
  • Look at data chronologically
  • Aborted runs – reason documented in e-record or paper record
  • Sequential files with same or slightly modified name
  • Files hidden in folders separate from official test data
  • Dates and times on files
  • Tests performed match paper use logbooks for instrument
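The data-folder checks above, applied to a file listing in instrument run order. This is an added example, not part of the presentation; the folder paths, file names, run counters and logbook entries are constructed, and it assumes the instrument assigns an increasing run counter that can be exported alongside each file.

```python
import re
from collections import defaultdict
from datetime import datetime
from pathlib import PurePosixPath

OFFICIAL_DIR = "/data/hplc/official"  # assumed location of reported results

# Constructed sample listing: (instrument run counter, file path, file timestamp).
FILES = [
    (101, "/data/hplc/official/LOT4512_assay.dat", "2017-03-02 09:14"),
    (102, "/data/hplc/trial/LOT4513_assay.dat", "2017-03-02 10:05"),
    (103, "/data/hplc/official/LOT4513_assay.dat", "2017-03-02 10:52"),
    (104, "/data/hplc/official/LOT4514_assay.dat", "2017-03-02 11:40"),
    (105, "/data/hplc/official/LOT4514_assay_2.dat", "2017-03-02 12:31"),
    (106, "/data/hplc/official/LOT4515_assay.dat", "2017-01-15 08:20"),
]
# Constructed sample: run counters written in the paper instrument use logbook.
LOGBOOK_RUNS = {101, 103, 105, 106}

# Trailing markers that make a name "slightly modified" (assumed list).
SUFFIX = re.compile(r"([_\- ]?(rerun|retest|copy|new|final|\d+))+$", re.IGNORECASE)


def review_data_files(files, logbook_runs, official_dir=OFFICIAL_DIR):
    """Return (run or runs, finding) pairs for a data-folder listing."""
    findings = []
    by_stem = defaultdict(list)
    previous = None
    for run, path, stamp in sorted(files):  # instrument order, not clock order
        p = PurePosixPath(path)
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        by_stem[SUFFIX.sub("", p.stem).lower()].append(run)
        if str(p.parent) != official_dir:
            findings.append((run, "stored outside the official data folder"))
        if run not in logbook_runs:
            findings.append((run, "not recorded in the instrument use logbook"))
        # A later run with an earlier timestamp suggests the clock was changed.
        if previous is not None and when < previous:
            findings.append((run, "timestamp earlier than the preceding run"))
        previous = when
    for stem, runs in by_stem.items():
        if len(runs) > 1:
            findings.append((tuple(runs), f"same or slightly modified name: {stem}"))
    return findings


if __name__ == "__main__":
    for runs, finding in review_data_files(FILES, LOGBOOK_RUNS):
        print(runs, finding)
```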
How to Audit Paper and Electronic Records
During audit walkthrough:
• Paper records:
  • Documents posted, on counters, in trash cans, in drawers
  • Personal notebooks in production and laboratory areas
    • Do they include GMP information?
  • Controlled issuance and reconciliation of laboratory forms
  • ALCOA plus principles
How to Audit Paper and Electronic Records
Management Responsibility
• Work environment: staff encouraged to communicate failures and mistakes, including data reliability issues
• Corrective and preventive actions taken
• Ensure adequate information flow between staff at all levels
• Actively discourage management practices that might inhibit the active and complete reporting of such issues (hierarchical constraints and blame cultures)
Red Flags
• Data that is too good to be true
• Paper records from computerized systems are considered original (raw) data although they do not include metadata
• Our employees would never falsify data
• The FDA reviewed our computer systems and had no observations
• We have never had a data integrity issue
• Our computer systems are Part 11 compliant
How to Audit Paper and Electronic Records
Auditors need to determine:
• Is occurrence of a data integrity issue isolated or a pattern for an individual, operational unit, or an entire organization?
• Is occurrence a bad practice or intentional manipulation?
• What is the risk to the product quality?
Additional Sources of Information
• MHRA GMP Inspection Deficiency Data Trend 2016 https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/609030/MHRA_GMP_Inspection_Deficiency_Data_Trend_2016.pdf
• Current Expectations and Guidance, including Data Integrity and Compliance With CGMP, Sarah Barkow, PhD, Team Lead, CDER/OC/OMQ Guidance & Policy, ISPE DI Workshop, June 5, 2016 https://www.fda.gov/downloads/aboutfda/centersoffices/officeofmedicalproductsandtobacco/cder/ucm518522.pdf
• Compliance Trends, Paula R. Katz, J.D., Dir., Mfg. Quality Guidance & Policy Staff, Office of Mfg. Quality, Office of Compliance, CDER, India Pharmaceutical Forum, Mumbai, India, Feb. 24, 2017 https://www.fda.gov/downloads/AboutFDA/CentersOffices/OfficeofMedicalProductsandTobacco/CDER/UCM549445.pdf
• Regulatory Perspective: Data Integrity Guidance, PDA Data Integrity Workshop, Paula R. Katz, J.D., Dir., Mfg. Quality Guidance and Policy Staff, CDER/Compliance, Sep. 14, 2016 https://www.fda.gov/downloads/AboutFDA/CentersOffices/OfficeofMedicalProductsandTobacco/CDER/UCM539554.pdf
• Takahashi: Look Out for These Data Integrity Issues, Pink Sheet & Gold Sheet, by Bowman Cox (subscription required), Mar. 28, 2014
• FDA GMP Warning Letters Review: API Supplier Warnings Surge on Data Integrity Concerns, Pink Sheet, by Bowman Cox (subscription required), Apr. 26, 2017
• FDA GMP Warning Letters Review: Foreign Drug Product Firms Hit Hard on GMP Basics, Pink Sheet, by Bowman Cox (subscription required), Apr. 27, 2017
DI Observations - EU
• Uncontrolled documentation was noted throughout production: engineering notebooks with set up details and passwords, crib notes on the wall of the goods in area, scraps of paper containing numbers of components brought onto line.
• Printouts of particle count data from HEPA filter testing were not transferred from thermal paper to non-volatile media to ensure the integrity of the record throughout the retention period.
DI Observations - EU
• Following a software update, data was lost from an autoclave control system. The system backup was unable to recover lost data as the backup was only performed on a 3 monthly basis.
• The backup CD/DVD for the autoclave control system was not stored within a controlled environment to assure its integrity.
• Data from the integrity test was not backed up. The system was observed to overwrite previous data.
• Backups were permitted to be made on the same computer drive which failed to ensure that a separate copy was available following drive failure or corruption.
DI Observations - EU
• Access to files and the system clock on the hard drive were available to all users.
• The lock screen used a shared password. If a user had logged into the software behind the lock screen and another user opened the computer, they could perform actions under the initial user’s login.
• Users had more authorisation on the chromatography data system than was permitted according to the SOP.
• Access control systems were not considered GMP systems despite their intended purpose to control access to GMP areas.
DI Observations - EU
HPLC software in the laboratory was not configured for GMP compliance:
• Unique user passwords were not enforced
• Users were permitted to:
  • Change the default audit trail
  • Change the default “require user comments”
  • Copy non-related projects
  • Use annotation tools
DI Observations - EU
Control of dosimeter readings was deficient:
• Dosimeters could be reread and individual thicknesses be input into the system if a variation of 6% was identified for a location; this did not result in a deviation to review the validity of previous acceptable results
• New thickness readings had no second person verification to ensure accuracy of the data used