LOGFILE 29 / August 2018 Maas & Peither AG – GMP Publishing
Data Integrity in the Pharmaceutical Industry
14 min
reading
time
by Gary Bird
Data integrity has become the most recent inspectional “buzz word” in the pharmaceutical
industry. Over the last 6 to 8 years, the focus on data reliability has hit an all-time high with
regulatory authorities across the globe. This has resulted in numerous regulatory actions.
The First International Conference on Data Integrity in Pharmaceuticals was hosted in London
on 2 March 2018 by PharmaConsult Global and PriceWaterhouseCoopers. Although the issues
being addressed by the conference were critical, the speakers agreed that the new focus on
data integrity was highlighting old issues in new ways, particularly with respect to personnel
issues, process execution, system controls and interactions with regulatory authorities.
The keynote
Keynote speaker David Cockburn (former European Medicines Agency (EMA) Good
Manufacturing Practice (GMP) lead reported on the status of the 2017 European Union (EU)-USA
mutual recognition agreement (MRA) and data integrity. He noted that the MRA was meeting
its established goals, which required an assessment of capability of the EU membership with a
completion of eight Member States in the originally published agreement and four more by 1
March 2018, and all Member States should be recognised by July 2019 according to the
agreement. Noting that the MRA was really in its infancy, he discussed the areas of potential
information sharing between the two international regulatory authorities (the Food and Drug
Administration (FDA) and the EMA).
• A potential, future extension to include pre-approval inspections (PAIs) and routine GMP
inspections.
• Exchange of GMP compliance information for non-compliance and quality defects.
• Issuance of GMP compliance-related certifications/documents.
Mr. Cockburn focused on the nature of the information sharing. While the EU inspector issues a
report and notes the conclusions drawn during the inspection, FDA investigators only make
observations and the conclusions are determined by FDA management. Consequently, this will
require the EU to rely more on the actual FDA observations and database information to draw
their own conclusions. The FDA will be informed by the EMA prior to uploading any GMP non-
compliance statements.
What does this mean to “data Integrity”? The FDA tends to be more proactively transparent and
data integrity is currently a “topical concern on both sides of the Atlantic”. Because the USA and
EU activities have been viewed as equivalent, the data may be discussed within the framework of
the MRA, confirming that the EU will conduct inspections on behalf of the FDA, or jointly. It is
expected that the FDA and EMA will exchange audit reports and information with each other.
Personnel issues and data integrity
The importance of properly motivated and managed personnel to prevent data integrity issues
was highlighted by Medicines and Healthcare Products Regulatory Agency (MHRA) expert,
Inspector Stephen Grayson, who noted that “personnel behaviour is a fundamental issue” for
http://www.gmp-publishing.com
© 2018 Maas & Peither AG – GMP Publishing, Schopfheim, Germany, All rights reserved Page 1
�LOGFILE 29 / August 2018 Maas & Peither AG – GMP Publishing
companies attempting to confirm the integrity of their data. He observed that “fear of failure” is
often the cause of “bad behaviour” because it drives the wrong actions in both management
and operational staff. Frequently, this fear leads to panic when mistakes are made and
disproportionate management action follows, which often results in “zero tolerance” and
inappropriate responses.
Fear for loss of job, reward and prestige within the companies often overwhelm those
individuals responsible for evaluating and remediating the very issues observed, and negatively
impact objective responses to address the issues. The opportunity for proper responses is often
missed due to unrealistic expectations for personnel actions, particularly in the midst of
significant challenges. He noted that the desire for “perfection is a barrier to progress”.
While the inordinate pressures exerted by management are often fundamental to data integrity
issues, simple mistakes are not always the root cause of actual data integrity concerns
documented by the authorities. Occasionally, Mr. Grayson explained, management engages in
actual attempts to deceive and manipulate the truth. He cited the presence of shadow facilities,
hidden but functional manufacturing areas, misrepresentation of facilities, and knowingly
providing incorrect and fraudulent responses which have been observed and documented by
regulatory authorities.
A healthy company should have a management group that
recognises that data integrity issues, regardless of the
causal agent, “can happen here” and leadership should
communicate realistic expectations, valid reporting
mechanisms and proportional investigation of errors and
data integrity failures to all personnel throughout the
company. He noted that data governance systems must be
implemented into a company’s present quality
management system. The accountability and responsibility
of GMP-relevant data (data ownership) over its entire
lifecycle must be specified in the data governance system.
He noted that following a 2-year consultation period, the final draft of the MHRA ‘GXP’ Data
Integrity Guidance and Definitions was published on 9 March.
Management interactions and leadership
Continuing with the theme of renewed management concern for data integrity, Dr Geoff
Williams (Executive Director, Regulatory Affairs Operations International at Merck Sharp &
Dohme) discussed senior management-driven efforts to assess the status of data protection
within the Merck Research Labs. The company’s effort resulted in a restatement of activities
related to data protection in the Division and saw a significant emphasis on high data standards.
The updated Quality Manual includes a strong emphasis on data integrity, quality governance,
and implementation of the ALCOA (attributable, legible, contemporaneous, original and
accurate) principles for documentation. The refocused emphasis includes annual training
requirements, including an online component directly connected with maintaining data
integrity.
Data integrity in computerised systems
The focus on data integrity automatically causes one to consider the impact of computer-based
systems in the pharmaceutical industry. Dr Guy Wingate, Vice President and Compliance Officer
for Global Manufacturing & Supply at GlaxoSmithKline, reflected on the most common
challenges noted by regulatory authorities in their inspections.
http://www.gmp-publishing.com
© 2018 Maas & Peither AG – GMP Publishing, Schopfheim, Germany, All rights reserved Page 2
�LOGFILE 29 / August 2018 Maas & Peither AG – GMP Publishing
• Lack of basic access control and security measures allowing
unauthorised changes.
• Shared user logins.
• Missing or disabled audit trails.
• Lack of contemporaneous recording of activities.
• Failure to investigate data discrepancies.
• Testing into compliance.
• Incomplete collection, retention and review of data for quality decisions.
• Overwriting or deletion of original data.
• Data falsification.
Referencing the recommendations in the International Society for Pharmaceutical
Engineering/Good Automated Manufacturing Practice (ISPE/GAMP) Records and Data Integrity
Guide, Dr Wingate noted that the overall process for confirming computerised systems and
processes are properly controlled should be built on a risk-based approach which requires the
following.
• Perform initial risk assessment and determine system impact.
• Identify functions with impact on patient safety, product quality and data integrity.
• Perform functional risk assessments and identify controls.
• Implement and verify appropriate controls.
• Review risks and monitor controls.
External attacks
Simon Borwick of PriceWaterhouseCoopers noted that, especially with computerised systems,
anything that can be monetised is a likely target for third-party attacks, including areas such as
supply chains and manufacturing but also areas not conventionally considered in the data
integrity discussion, including patient data, research and development, cash and supply chains.
Noting that there is an increasingly active market in health data, he focused on the many
sophisticated attacks which have rocked companies in the last few years; many of which are
coordinated cyber espionage and theft activities connected to organised crime and even
governments. Cyber sabotage and extortion through uncontrolled or unprotected connected
devices and facilities have been directed at supply chains and have resulted in substantial
company losses.
Emphasising that cyber security is not an information technology (IT) issue but a business issue,
Mr. Borwick focused on the need for companies to properly map their processes, systems, and
networks to identify potential faults and weaknesses. He encouraged companies to recognise
that each lifecycle phase can have an impact on data integrity and has its own unique
challenges. Because the use of data to drive business processes is an ever-changing environment,
Mr. Borwick encouraged companies to confirm that all business processes with data flows are
understood and that those systems supporting business processes must be identified and
assessed in terms of data integrity risks. Without doing so, companies are likely to leave
http://www.gmp-publishing.com
© 2018 Maas & Peither AG – GMP Publishing, Schopfheim, Germany, All rights reserved Page 3
�LOGFILE 29 / August 2018 Maas & Peither AG – GMP Publishing
themselves open to external attack. The potential for data associated with a product or process
to cross various boundaries and interfaces throughout the data lifecycle demands that such
transfer processes be considered and appropriate controls established to prevent loss or
modification. Mr. Borwick suggested companies go to a simple question and answer process to
create an ongoing assessment.
• What data are important to you?
• Where are your important data?
• Who has access to it?
• Is cyber risk considered in key business decisions?
• Do your suppliers treat your data like their own?
• Are you monitoring your key assets?
• Would you know if you have been attacked?
• Will your knowledge of the attack be too late?
• Are our people your first line of defence?
• Do they know how to be secure?
• Do they care?
• Have you planned how you will deal what the specific issues?
Data integrity and routine business practices
Novartis Technical Operations Quality Assurance Regional Data Integrity Head EU, Steven Brown,
focused his comments on challenges to data integrity arising from routine business practices.
Noting that the aim of any data integrity assessment is to ensure accurate, complete, consistent
and secure data sets upon which to base decisions, particularly release activities, Mr. Brown
asked the question “Why is data integrity so hard to get right?”.
Commenting on the complexity of numerous processes, he elaborated on performance and
business pressures which frequently lead to inappropriate decision-making activities within a
company. He noted that a lack of awareness and capability among employees is also a frequent
observation. Inadequate processes and technology may lead to inappropriate decision-making
processes for specific data activities. Novartis specifically developed a programme which relies on
four key elements to address their routine concerns.
• Education and communication.
• Detection and mitigation of risk.
• Technology and IT systems.
• Governance of data integrity.
Implemented as a component of their routine quality system, each of these items are focal points
in their complementary assessment of data integrity and related activities. By reviewing
regulatory authority issued documents, specifically FDA warning letters and European
http://www.gmp-publishing.com
© 2018 Maas & Peither AG – GMP Publishing, Schopfheim, Germany, All rights reserved Page 4
�LOGFILE 29 / August 2018 Maas & Peither AG – GMP Publishing
statements of non-compliance, Novartis has created a system that focuses on specific elements of
data intelligence. These include evaluation of audit trails, electronic security, good
documentation practices, and quality control practices.
The Novartis team noted that regulatory authorities have frequently indicated that audit trails
are not available, properly enabled, or not properly reviewed as a component of investigations
and routine activities. With respect to electronic security, internal administrative levels, data
manipulation and backups are common observations within any regulatory action.
Most frequently found within document practices are concerns related to contemporaneous data
recording, record management, and the use of unofficial records upon which companies base
decisions and determinations. Quality control practices, while frequently observed, included such
actions as making trial injections of actual samples and analysis and ignoring out-of-specification
results. Mr. Brown stated “these areas have the potential for significant challenges within
technical operation and business processes”. By creating specific work processes relating to each
of them, Novartis has been able to identify additional, frequently abused areas of data integrity
confirmation. By asking questions related to these significant areas, gaps have been identified in
current work processes that are resolved in new, improved work processes. This continuous
improvement builds upon a solid framework without having to “reinvent the wheel”.
Serialisation and data integrity
Turning the conference focus to the evolving area of data integrity in supply chains and
traceability systems with respect to the implications of the Falsified Medicines Directive, Mark
Davison, President, rfxcel, highlighted safety features on prescription medicines and tamper-
evidence features on all unit-of-sale packs. Currently, before serialisation, every pack is
effectively identical within a batch regardless of whether or not someone takes samples,
removes, checks, destroys or replaces one or more packs during or after production. However,
after serialisation, every pack is unique, that is, the batch size is effectively “one”. Consequently,
a high level of control must be developed for production, release and supply chain processes to
avoid data errors. Ultimately, every code must be readable at the pharmacy, for its entire shelf
life. If its unique identity is compromised at any point prior to dispensing to the patient, the pack
will be returned.
The systems developed for serialisation must be able to stand up to the life-cycle challenges from
distribution to patient and inspections from MHRA and EU regulators who will audit these
systems. Well-written procedures and training more staff on computer systems validation will be
critical to the successful implementation of each programme. The systems used to control the
serialisation process must be compliant with EU Guidelines to GMP Annex 11…and stay that way.
This means all the processes will have to be adequate to show regulators that you maintain
control over changes made, whether by you or anyone else.
Vendor audit programs for data integrity
The December 2013 announcement may have been missed by some members of the industry, but
the MHRA announced their intention to begin evaluating company’s self-inspection systems as
part of their inspection programme. This means that companies must review the effectiveness of
their governance systems to ensure data integrity and traceability. Data integrity was covered
during inspections from the start of 2014, when reviewing the adequacy of self-inspection
programmes in accordance with Chapter 9 of the EU Guidelines to GMP.
David Thompson of Clarity Compliance Solutions noted that, in addition to having their own
governance systems, there is an expectation that company outsourcing activities should also be
able to verify the adequacy of comparable systems prior to contracting and on an ongoing basis.
Simplifying what is a very complex activity, Mr. Thompson suggested that a series of five simple
questions likely to be asked by MHRA inspectors can help each contract giver both create its self-
inspection programme and confirm it is achieving its intended goals.
http://www.gmp-publishing.com
© 2018 Maas & Peither AG – GMP Publishing, Schopfheim, Germany, All rights reserved Page 5
�LOGFILE 29 / August 2018 Maas & Peither AG – GMP Publishing
• Do you outsource any GxP services?
• Who to? – provide a list.
• Have you audited them for data integrity?
• What were the findings and how are you managing the actions?
• When are you going back?
As a result of asking these simple questions themselves, each company should be able to confirm
the adequacy of their own self-inspection system(s).
The basis of any good vendor audit programme is the auditor. Properly trained, knowledgeable
and focused individuals who are aware of proper interview techniques and data analysis
processes will prove invaluable in an external evaluation programme. Customised data integrity
worksheets (checklist) will provide good guidance to the appropriate assessment of
documentation, systems and personnel capabilities. Where necessary, technically trained
individuals familiar with the technology of the specific process or activity may be required.
Consider, for example, types of person needed to assess computer system interfaces,
spreadsheets and databases, network storage activities, and access systems computer networks.
A single auditor will seldom possess all skill sets necessary to evaluate both the manufacturing
and the computer systems without specialised training. Mr. Thompson noted that the report
format utilised by many companies does not lend itself to the assessment of data integrity.
Instead, he suggested that report formats be customised to include the necessary data integrity
assessment areas which would allow the auditor to specifically assess the data integrity systems.
The responsibilities of the qualified person (QP) to ensure data integrity
The role of the QP in the release of drug product in EU countries is well established. EU
Guidelines to GMP Annex 16 Certification by a Qualified Person and Batch Release establishes 21
points that QPs must evaluate to ensure the product is appropriate for release. According to
John Jolley, Managing Director of PharmaConsult Global, Ltd, Annex 16 includes certain key
changes intended to document the verification of evidence related to the integrity and identity
for different batches of drug product even when they originate from the same bulk. The QP is
now required to confirm storage and transportation of both bulk and finished product and
ensure the following.
• That the consignment has remained secure.
• There is no interference or tampering during storage or transportation.
• The correct identification of product has been clearly established.
• The samples originally tested are representative of all subsequent batches.
All of these requirements may be compromised as a result of human error, data manipulation
including selection of good or passing results or unauthorised changes, data transmission errors,
software problems, hardware problems, or changes in technology where one item becomes
replaced.
As a QP with more than 20 years of experience, Mr. Jolley suggested the only way for a company
to remain compliant and to protect itself from both wilful and accidental data integrity issues
was to develop a process specifically designed to “ferret-out” data integrity issues. He specifically
http://www.gmp-publishing.com
© 2018 Maas & Peither AG – GMP Publishing, Schopfheim, Germany, All rights reserved Page 6
�LOGFILE 29 / August 2018 Maas & Peither AG – GMP Publishing
suggested that such a system required more than a simple evaluation of the data provided in
support of a batch for release, but that the QP should also develop a practical system of checks.
• Increase the frequency of review.
• Do surprise/spot checks.
• Have a procedure and check list for review mechanism.
• Compare hand writing styles/signatures.
• Verify attendance/presence of the person.
• Verify the traceability and log book entries.
• Internal/external audits.
• Trend the observations and provide the training.
Correcting FDA-identified data integrity issues
In what forms an excellent model for conducting internal investigations, especially for data
integrity investigations, the USA FDA has developed a specific set of requirements for companies
responding to 483 observations and warning letters. Dr. Gary Bird, PharmaConsult Global, noted
that the FDA is focusing its efforts on confirming remediation activities are adequate and then
deliver the expected improvements.
The FDA is primarily focusing on comprehensive investigations related to the reasons for the
inaccuracies in the data records observed during inspections. They specifically request detailed
investigation protocols and methodologies which will involve a summary of all manufacturing
operations in the systems to be covered by the assessment. Whenever any system or area is not
included as part of the assessment, the FDA requires the justification for its exclusion be included
in the investigation protocol. A significant component of the investigation is interviews of both
current and former employees to identify the nature, scope, and root cause of data inaccuracies.
The FDA has requested that these interviews be conducted by a qualified third party.
The investigation should include an in-depth assessment to identify the extent of any data
integrity deficiencies at the facility. The extent of the investigation, while dependent upon the
nature of the observed observations, should evaluate the potential for omissions, alterations,
deletions, record destruction, non-contemporaneous record completion, and other deficiencies.
The FDA is asking that all of these assessments be related to the areas in which they were
discovered and documented. This would lead companies to evaluate how widespread the
practices are for which the observations were made. Further, a comprehensive, retrospective
evaluation of the nature of the testing of data integrity deficiencies is also required. The Agency
again requested a qualified third party with specific expertise in the area where potential
breaches were identified should conduct the evaluation in all areas in which data integrity lapses
were observed.
The FDA is requesting submission of risk assessment of the potential effects of the observed
failures on the quality of the company’s drugs. They expect the assessment to include analyses of
the risks to patients caused by the release of drugs affected by a lapse of data integrity and risks
posed by ongoing operations. The Agency is also requesting details of a management strategy
that includes the details of a company’s will and global corrective action and preventive action
plan which will include the following.
• A detailed corrective action plan.
http://www.gmp-publishing.com
© 2018 Maas & Peither AG – GMP Publishing, Schopfheim, Germany, All rights reserved Page 7
�LOGFILE 29 / August 2018 Maas & Peither AG – GMP Publishing
• A comprehensive description of the root causes of data integrity lapses.
• Interim measures describing the actions to be taken in the event that long-term actions
require an excessive amount of time to complete.
• Long-term measures describing any remediation efforts and enhancements to procedures,
processes, methods, controls, systems, management oversight, and human resources (e.g.
training, staffing improvements).
• A status report for any of the above activities already underway or completed.
Summary
It is clear that a new era in complementary and relational regulatory affairs is developing. The
new MRA was intended to provide a forum for USA and European regulatory authorities to
create a mutual basis upon which to consider a unified direction to protect their citizens. Each of
the areas related to data integrity were also related to some other area. By considering all
elements of the company’s manufacturing capabilities, including personnel, processes, and
procedures, the regulatory authorities are suggesting that our approach to quality must be
modified to adequately address the developing areas of concern. Even though the issues may be
old, it is obvious that the solutions must be innovative so that we no longer have the same
problems facing the industry from inspection to inspection and year after year. It may be called
data integrity today, but it is still “Compliance 101”.
Billed as the most significant changes to medical device legislation in decades, these new
regulations seek to increase the safety and effectiveness of medical devices available in the EU
market and address weaknesses in the regulations revealed in several high-profile incidents.
Medical device and in vitro diagnostic device manufacturers large and small who supply product
to the EU market will be impacted and need to start planning now on how to transition to the
new requirements.
Author
Dr Thomas Gary Bird is President, PharmaConsult-US, LLC, and Managing Partner,
PharmaConsult Global, Ltd., an international cooperative supplying GXP quality consulting
services.
The article was first published in gmp review Vol.17 No.1 April 2018 and is reprinted in
our LOGFILE Newsletter by courtesy of gmp review.
Excerpt from GMP Review
This article, ‘Data Integrity in the Pharmaceutical Industry’ is reproduced from a recent issue of
gmp review, a quarterly journal researched and edited by an expert team experienced in all
aspects of pharmaceutical manufacturing and control.
gmp review provides in-depth analyses of international pharmaceutical manufacturing
regulations.
gmp review keeps readers up to date on the latest Directives, Regulations and Guidelines
applicable to the pharmaceutical industry from the FDA, EU, CPMP and ICH positions. Each item
comes with analysis and comment on its effect on your company. The dry legal jargon is made
http://www.gmp-publishing.com
© 2018 Maas & Peither AG – GMP Publishing, Schopfheim, Germany, All rights reserved Page 8
�LOGFILE 29 / August 2018 Maas & Peither AG – GMP Publishing
understandable to you and your colleagues in manufacturing and quality. As such gmp review is
the perfect companion to the GMP Compliance Adviser and will help provide further useful
commentary on the new regulations.
If you are involved in any aspect of GMP then gmp review will provide much needed information
and analysis in a convenient quarterly journal format. gmp review subscribers will also receive
gmp-review news a monthly news service to keep you up-to-date on new developments in GMP
and associated regulations.
SPECIAL OFFER
All readers of this newsletter can apply for a special introductory offer of a 10% discount to GMP
Review by ordering through our webshop and quoting under “Comment”: ‘Member Extras Offer
10%’ or send an email to: service@gmp-publishing.com
For further information on the GMP Review please click on the following link:
http://www.euromedcommunications.com/publications/journals/197-gmp-review
http://www.gmp-publishing.com
© 2018 Maas & Peither AG – GMP Publishing, Schopfheim, Germany, All rights reserved Page 9
