Today, data integrity has become an important regulatory topic in quality management. It refers to the consistency and accuracy of stored data, and presents a major challenge to biotechnology and pharmaceutical companies that can either make or break the outcome of a specific product.
Information that is properly recorded, traceable, and reported is important to provide proof to regulatory investigators that products have indeed been produced according to the recognized protocols. Such information also helps ensure the identity, strength, quality, safety, and purity of products before they are distributed in the market.
This article describes the seven validation documents and records that should be included by all computerized data systems in order to conform to international standards and FDA regulations.
The crucial regulatory issue is turning out to be very important in a marketplace. The following list provides a viable solution on how to manage regulatory risk and thus realize a sustainable benefit in the market.
The regulatory framework of data integrity
For life science companies, data integrity is not an entirely new concept but regulatory bodies have some new expectations with regard to data quality and data trustworthiness. As such, there is a tremendous pressure to regulate data integrity owing to the industry’s growth and globalization.
In April, FDA issued a new draft guidance called “Data Integrity and Compliance with CGMP Guidance for Industry,” for the pharmaceutical sector to explain “the role of data integrity in current good manufacturing practice (cGMP) for drugs”2.
The new draft, in addition to answering frequently asked questions, defined data integrity as “the completeness, consistency, and accuracy of data. Complete, consistent, and accurate data should be attributable, legible, contemporaneously recorded, original or a true copy, and accurate (ALCOA).” The draft also emphasized several critical requirements from CFR parts 210, 211, and 212 with regard to data integrity, such as:
- 211.100 and 211.160 (requiring that certain activities be “documented at the time of performance” and that laboratory controls be “scientifically sound”)
- 212.110(b) (requiring that data be “stored to prevent deterioration or loss”)
- 211.68 (requiring that “backup data are exact and complete,” and “secure from alteration, inadvertent erasures, or loss”)
- 211.188, 211.194, and 212.60(g) (requiring “complete information,” “complete data derived from all tests,” “complete record of all data,” and “complete records of all tests performed”)
- 211.180 (requiring that records be retained as “original records,” “true copies,” or other “accurate reproductions of the original records”)
The key term “audit trail”, correspondingly detailed by the draft, is defined as “a secure, computer-generated, time-stamped electronic record that allows for reconstruction of the course of events relating to the creation, modification, or deletion of an electronic record.”
Audit trails are important for visualizing organizational activity both externally and internally and therefore, they serve as key concepts for compressive exploration.
A certain group of activity and data in various categories, such as: operational, management, technical controls, and security, are tracked by several audit trails present in each system.
By considering all the data relevant to a system and its users, audit trails collect data for system administrators to check and analyze and also offer insurance against legal evidence and system failures if protection from compliance issues are required.
Data audit reviews can be performed in periodic, real-time or as required based on the protocol and system. Audit trail data can be continually monitored and analyzed by implementing several tools (Figure 1). For instance, according to the Computer Security Division of the National Institute of Standards and Technology (NIST), this can include the addition of:
- Trends/variance-detection tools [that] look for anomalies in user or system behavior
- Preprocessors designed to reduce the volume of audit records to facilitate manual review
- Attack signature-detection tools [that] look for an attack signature, which is a specific sequence of events indicative of an unauthorized access attempt
Figure 1. Monitoring and analyzing audit trail data. © solarseven / Shutterstock.com
Recent intensification of data integrity sanctions
As FDA increased its on-site inspections of processes and systems at overseas facilities, the prevalence of cGMP infractions including document adulteration and data manipulation has also increased in international markets like China and India.
In India, concerns related to data integrity have been well-documented, but despite this fact, the FDA has cited 15 companies over the accuracy and consistency of their data since 2013. More serious violations identified companies that did not have the facility to backup and restore data, backdated lab data, and permitted lab analysts to share login IDs.
With regard to China, FDA inspection teams have come across situations where audit trails were disabled and names of the sample raw data files were changed.
Bloomberg informed that FDA inspectors recently visited a pharmaceutical factory located in the Chinese city of Taizhou and found that sometimes workers either do not record the results or delete them altogether while doing quality tests on drugs meant for U.S. export. An import ban list was later imposed on these violators, which prevented them from exporting products to the U.S.
Penalties in the form of a warning letter, Form 483, and import alert will be served to manufacturers who do not take appropriate corrective actions. Warning letters were served to certain companies for deficient corrections in response to observations made in the Form FDA 483. These companies include:
- BA General Devices, Ridgefield, NJ, USA4
- Sri Krishna Pharmaceuticals Ltd. - Unit II, Andhra Pradesh, India5
- Megafine Pharma Limited, Mumbai, India6
- Emcure Pharmaceuticals Ltd, Maharashtra, India7
It takes time to respond to violations, and regulatory actions equally affect the company’s revenue stream as well as the ability of a drug maker to obtain approval for novel drug applications.
Key factors in data integrity compliance
If data is properly recorded, managed, tracked, and kept in an easily accessible manner, then harmful sanctions and the resultant negative market can be prevented. Since 1997, the FDA has standardized automation of the data recordkeeping procedure using computer systems.
Recognizing all the needs within an organization and the numerous processes being used, marks the initial step for fulfilling data integrity compliance. The FDA expects all systems, whether they are computerized or software, to possess the required reliability and quality and to be operational for their intended applications, including designated applications for data integrity.
It is certainly not sufficient to just have data integrity because organizations would still need to prove that their system is secure and that their data is accurate. Organizations are expected by FDA to develop the objective evidence that they have fulfilled the data integrity needs and also have the required reliability and quality in their systems.
The FDA standards of data quality
The FDA, at its core, wants to find out how companies acquired and recorded their data and how they obtained it properly. The FDA goes on to stipulate that the source data should be legible, attributable, original, accurate, and contemporaneous when it comes to meeting the needs for the oversight, collection, and storage of electronic source data in clinical analyses. This list of criteria called ALCOA acts as a guidance for validating quality standards as a proof of data quality (Figure 2).
Figure 2. FDA standards of data quality. © bikeriderlondon / Shutterstock.com
As such, proper documentation as defined by the ALCOA standards is as follows:
- Attributable – Knowing where the data originated from and identifying the person who did the work or entered the data’s origin.
- Legible – Presenting the data in a clear, readable way. If changes are there in the data, both the new and old values can be reviewed
- Contemporaneous – Entering the data at the time or as close to possible when the activity occurred
- Original – Inclusion of the earliest record in all data which should not be obscured by following records
- Accurate – Valid representation of results from a data source and ensuring that all corrections are recorded and acceptable explanations are provided for why changes took place
From selection and collection of data through to analysis and reporting of data, there are several aspects of data integrity that contribute to compliance with the rules and international standards as well as FDA’s ALCOA standards.
Achieving data validation
When it comes to auditing computer systems for data integrity, it is important to know what to look for in validation documentation to be able to comply with the specified standards. This step is imperative because according to an established protocol, production process control software should be validated for its designated use.
Also, auditors should be able to detect and assess the documented proof of the validation process, such as documented proof of following the process and completing both the validation tasks and the validation activity results.
According to EduQuest experts in association with UL, the following are the seven software and system validation documents and records that must be included with all systems:
- Requirements documents describing the intended use(s) and user needs associated with the software and system
- Established validation protocol/plan describing the activities necessary to demonstrate that the requirements can be met
- Records of the results of the validation activities described in the validation protocol
- Records that show changes are appropriately controlled (where applicable)
- Records that show appropriate software, system, and quality requirements were established and provided to the vendor, if developed elsewhere. The vendor must be qualified, and the purchasing data and validation results should support that the requirements were met
- Records of testing and verification activities, including proper installation
- Validation report that summarizes the activities and documentation as described in the validation protocol/plan, including issues during development and testing
Building a culture of integrity
Top biotech and pharmaceutical companies are promoting a culture of integrity across their technology, processes, and people to realize a lasting organizational commitment towards integrity and validation of data.
As seen with nearly all regulatory and organizational objectives, the variation between ineffective or successful data integrity management is proportional to the organization’s culture. Harvard Business Review published a study that highlights “four factors that drive quality as a cultural value.”1 They are:
- Peer Involvement: Quality initiatives should be clearly defined by companies; companies should also develop a sense of pride by encouraging positive social pressure to create self-promoting and authentic peer engagement
- Leadership emphasis: Consistency should exist between the company’s mission and executive messaging and action. Any disconnect can impact commitment and enthusiasm which leads to lower quality work
- Message credibility: Management should be aware what drives committed and quality work and then modify messaging for staff
- Employee ownership of quality issues: After giving education and guidance to employees, they should be permitted to take actions, which enable them to apply their knowledge and skills in corrective or creative decision-making.
Establishing electronic signatures and digital audit trails that conform to EU Annex 11 and 21 CFR Part 11 will always form the main elements in effective integrity and validation of data. Life science experts will place more importance on directly incorporating data integrity into business operations and day-to-day considerations of their organization.
Adopting these criteria will set a basis for a data integrity program that fulfills FDA expectations, validation of documents and records is just one of the areas to ensure data integrity.
As a result, companies should be ready to apply effective and meaningful strategies to regulate their data integrity risks across the whole scope of their operation. These strategies include:
- Isolating web servers and database servers on individual networks
- Disabling and securing unwanted network services
- Implementing real-time security warnings
- Recognizing and eliminating known exploitations and vulnerabilities
- Instilling and enforcing access controls
- Constantly updating, monitoring, and auditing systems regularly
A quality approach to production that prevents instances of mix-ups, contamination, errors, failures, and deviations in manufacturing processes and facilities is required for securing good documentation practices and organizational data integrity and also for staying off the regulatory radar practices.
In accordance with FDA’s cGMP, this can be achieved by acquiring proper quality raw materials, establishing strong operating processes, establishing robust quality management systems, detecting and studying deviations in product quality, and sustaining consistent testing laboratories.
Even the most systemized and organized organizations have to comply with many regulations and controls. This is the reason why companies partner with UL to ensure compliance with data integrity.
UL can teach organizations about audit management systems and best practices, while UL consulting can guide organizations through the FDA inspections, auditing, and compliance mitigation protocols.
UL also allows companies to promote awareness of the issues and foster a culture of excellence and enhanced behaviors. This is a part of a new data integrity program comprising of eLearning courses written by industry leaders.
Ultimately, whether companies do it alone or seek external expertise or knowledge, it is their responsibility to apply effective oversight and controls before FDA inspections. Efforts should be made to ensure data accuracy and reliability so that consumers are protected from buying products that are dangerous to their health.
- Srinivasan, Ashwin and Kurey, Bryan. “Creating a Culture of Quality.” Harvard Business Review. April 2014.
- Data Integrity and Compliance With CGMP Guidance for Industry. U.S. Department of Health and Human Services Food and Drug Administration Center for Drug Evaluation and Research (CDER) Center for Biologics Evaluation and Research (CBER) Center for Veterinary Medicine (CVM) April 2016 Pharmaceutical Quality/Manufacturing Standards (CGMP).
- An Introduction to Computer Security: the NIST Handbook. Doi: 10.6028/NIST.SP.800.12. Chapter Summarization. October 1995.
- 86 Harriet Ave Corporation DBA General Devices. Public Health Service Food and Drug Administration Warning Letter. 6/1/16.
- Sri Krishna Pharmaceuticals Ltd. - Unit II. Public Health Service Food and Drug Administration Warning Letter. 4/1/16.
- Megafine Pharma Limited. Public Health Service Food and Drug Administration Warning Letter. 5/19/16.
- Emcure Pharmaceuticals Limited. Public Health Service Food and Drug Administration Warning Letter. 3/3/16
- Analyzing the State of Data Integrity Compliance in the Indian Pharmaceutical Industry, Ernst & Young, 2015.
- Data Integrity and Compliance With CGMP Guidance for Industry – Draft Guidance, US Food & Drug Administration, April 14, 2016.
- Facts About the Current Good Manufacturing Practices (CGMPs). http://www.fda.gov/Drugs/DevelopmentApprovalProcess/Manufacturing/ucm169105.htm
About UL Compliance to Performance
UL Compliance to Performance provides knowledge and expertise that empowers Life Sciences organizations globally to accelerate growth and move from compliance to performance.
Our solutions help companies enter new markets, manage compliance, optimize quality and elevate performance by supporting processes at every stage of a company’s evolution.
UL provides a powerful combination of advisory solutions with a strong modular SaaS backbone that features ComplianceWire®, our award-winning learning and performance platform.
UL is a premier global independent safety science company that has championed progress for 120 years. It’s more than 12,000 professionals are guided by the UL mission to promote safe working and living environments for all people.
Sponsored Content Policy: News-Medical.net publishes articles and related content that may be derived from sources where we have existing commercial relationships, provided such content adds value to the core editorial ethos of News-Medical.Net which is to educate and inform site visitors interested in medical research, science, medical devices and treatments.