Data integrity in Pharmaceutical Quality System
Step-by-Step guide for understanding Data Integrity Requirements
Recently, excessive attention was given to Data Integrity nonconformance issues that were observed during cGMP inspections.??
This excessive attention arising from their impact on determining the credibility of any organization, as a single falsification discovery will arise many questions about how many incidents not detected yet? does this falsification intended? Does this falsification approved from management? and to what extent the data and records considered untrustworthy?
It should be terrifying that Number of FDA findings per year regarding Data integrity nonconformance are increasing that include but not limited to; deletion or manipulation of data, abortion of sample analysis without justification, invalidated OOS result without justification, destruction or loss of data, failure to document work contemporaneously and uncontrolled documentation.
We are living a real technological revolution which positively impacts pharmaceutical quality environment, accompanied to that more tools became available to achieve, improve and support data integrity of the quality system, and also detect any violations related to data integrity. implementation of these tools and technology requires investments which sometimes be obligatory to comply with the current requirements and other times it considered as improvement for the quality system and aids the organization to meet their quality standards.
Ongoing transformation from paper data and records to electronic forms will put in a necessity to use sometimes a hybrid system of both paper and electronic records, that is discouraged and not recommended and replacement of this system should be a priority to accelerate transformation towards electronic records which will minimizes human error and minimizes as a results all related risks.
Digital issue?
Some people till this moment think that Data integrity is confined to electronic records or any relevant digital forms of documents and records. This is considered one of the major misconceptions in quality environments as Data integrity should be achieved for both paper and electronic data and also if we are using hybrid system of both paper and electronic records.
It’s highly recommended to stop using hybrid systems and replacement of hybrid systems should be a priority.
ALCOA vs ALCOA+
Implementation of ALCOA requirements for data and records will achieve Data integrity in any pharmaceutical quality environments, and that will be empowered and enriched by implementation of ALCOA-PLUS which will be explained through the next words:
Attributable
Attributable: means information is captured in the record so that it is uniquely identified as having been executed by the originator of the data (e.g. a person or computer system). In order to fulfill requirements of this point (Attributable) we have to make sure of compliance with the following points:
For data recorded by person:
-?????????We should have sufficient controls that guarantee recording of data by the person or computer system originated it (strict supervision and internal auditing program).
-?????????If person who is the originator, he should record the data by himself and signs with date on it. If we have a recorded data without defining who is the originator; so, we can’t trace the recorded data of required. We can’t ensure that originator is qualified and trained to accurately capture and record the data, we can’t ensure if this person was present in place at that moment or not.
-?????????If the originator of the data can’t record the data by himself (that’s acceptable for employees with insufficient education or illiterate persons) but someone record it on behave of him, both persons (doer and recorder) should both sign on the recorded data and we should have a procedure that controls this issue and guarantee knowledge of those illiterate persons with the recorded data they sign on.
-?????????We should have a signature log/signature list as a reference for a signature and to whom employee does it belongs.
-?????????We should follow cGMP correction requirements (Single-line cross-out to record changes with name, date and reason recorded) without hiding the original data.-?????????If using personal seal to sign documents, another controls should be used for verification and control (e.g. hand written dates on the stamp). We have to define where personal seal stored and ensure presence of access limitation to that place for the specific individual who only have the right to use this personal seal. And we have to define procedure to be followed if misuse is discovered.
-?????????We should ensure that nobody uses stored digital image of his signature to sign on any records, that may lead to many misuses which may be difficult to be discovered.
For data recorded by computer system:
-?????????We should ensure that the system was validated and within scope of CSV.
-?????????We should ensure that the system acquire login for each critical step to add the electronic signature before execution of the step.
-?????????We should ensure that the system logs off after a certain period of time.
-?????????We should ensure that we have a unique username and password for each employee interfering with the system.
-?????????We should ensure presence of real segregation of roles and privilege, different access levels for users according to their training, criticality of the process and not guarantee absence of conflict of interests (e.g. the analyst not having the right to stop or turn off audit trail of Lab equipment).??
-?????????We should have a sufficient control that prevent sharing personal passwords between employees (e.g. password changed periodically, using complex passwords or using access verification system that uses fingerprint or retinal scan).
-?????????We should have a record for accounts added/deleted to have a permission for access the system and evidence for their training on the system.
-?????????If any data was edited/updated/corrected or undergone any type of intervention, Audit trail should display who performed this action and when.
Legible
Legible, traceable and permanent: The terms legible and traceable and permanent refer to the requirements that data are readable, understandable, and allow a clear picture of the sequencing of steps or events in the record so that all GXP activities conducted can be fully reconstructed by the people reviewing these records at any point during the records retention period set by the applicable GXP.
In order to fulfill requirements of this point (Legible, traceable and permanent) we have to make sure of compliance with the following points:
For paper documents, records and data:
-?????????We should have a comprehensive risk assessment study for archiving system for paper records in order to have an adequate system for archiving that guarantee preservation of data, documents and records through their entire lifecycle/retention period and eliminate any risk of deterioration or losing them or part of them for any reason including, but not limited to, natural disasters, fires, intended destruction by someone.
Note: this should be applicable for electronic documents, records and data.
-?????????We should have a record for archived records in order to facilitate ease of access to them and guarantee not missing any record out of archiving system.
-?????????We should ensure that records related to a specific process, machine, equipment or apparatus should be serialized and traceable and it should be easy to discover any missing record if checking serial.
-?????????We should ensure that the data should recorded by a permanent indelible ink that can’t be erased or fainting till disappearance.
-?????????We should ensure that any correction done according cGMP correction requirements (Single-line cross-out to record changes with name, date and reason recorded) without hiding the original data.
-?????????We should ensure that opaque correction fluid used not used to correct any mistake, and pencil not used for initial recording of any data.
-?????????We should ensure that any blank forms used (laboratory notebooks, master production and control records) printed with known count and are reconciled after completion. That’s important to guarantee withdrawal of all expired form or Non-updated form and trace missed forms.
-?????????We should ensure that the bound paginated notebooks are stamped or issued by designated person, pages should be bounded to guarantee that no pages will be lost or replaced by another one, if there is risk that it’s not well bounded; so, all pages should be verified or stamped with document control stamp prior to use to prevent any replacement of a paper from the record.
-?????????We should ensure that higher level of authorization applied for issuing blank forms to use (Two or three signatures) to ensure that it’s official and valid for use.
-?????????We should ensure that there is robust system to prevent and detect unofficial or uncontrolled notebooks or any blank form.
For electronic documents, records and data:
-?????????We should ensure that we retain a soft backup of the electronic data and records if it was generated by a computer system.
-?????????Data generated by the computer system are complying with the data recorded on the paper records (e.g. it’s not logic that production machine system displays the reject quantity is 500 bottles where 5 bottles recorded in the batch record with no justification for this difference).
-?????????We should ensure that a hard copy of the electronic data is printed and kept throughout the product life cycle (e.g. it’s not accepted that a production machine can generate a printout for batch data but this printout is not printed and attached to the batch record).
-?????????We should ensure that we obtain a backup of electronic data for standalone computer systems. And what measures and controls taken to guarantee not losing the data (e.g. during sudden breakdown or sudden electricity shutdown before auto-saving or auto-backup of the data).
-?????????If we have a printout from specific machine or apparatus (e.g. some thermal printouts), We should ensure that it sustained unchanged till the end of this document lifecycle and the printed data not faints gradually till disappearance. We should retain a photocopy of it as an evidence if there is no other choice.
-?????????We should ensure that we perform a challenge check to check the integrity, validity, quality and goodness of restored and data and records after backup.
-?????????We should ensure that we have a robust risk assessment study for these computer systems covering any supposed sudden loose of data (e.g. sudden electricity power shutdown) through using generators or UPS or any relevant solution or by presence of system to handle such non-conformances associated with such these issues.
-?????????We should ensure that audit trail does NOT permit editing, deletion or can be stopped or switched off. And audit trail giving all necessary data (e.g. who, what, when and also not overwrite the old data) for any critical transaction.
-?????????We should ensure that enhanced system access permissions NOT given to personnel outside maintenance roles to avoid conflict of interest.
领英推荐
Contemporaneous
?Contemporaneous data are data recorded at the time they are generated or observed.
In order to fulfill requirements of this point (contemporaneous) we have to make sure of compliance with the following points:
-?????????We should ensure presence of sufficient controls and follow up periodically (e.g. through Strict supervision and internal audit program) to ensure recording of the data at the same time of occurrence or same time of performing activity.
-???????We should ensure efficiency of training of the employees to ensure that the data was captured directly on the official record at the same time of occurrence, and to ensure that there is no scrap of paper used for recording data before re-record it or transfer it to the official records forms, usage of sticky notes should NOT be permitted, and backdating for any events are NOT allowed, and if there is a need to record previously obtained data; so we have to record both date of entry and date of recording.-?????????We have to ensure presence of synchronized tool for displaying time (e.g. Centrally synchronized clocks) or at least there is a follow up record to check periodically synchronization of all clocks inside the facility and clocks of standalone operating systems.
-?????????We should ensure presence of these clocks in all necessary locations inside facility, or at least, clocks are present in the range of vision if not present in the same room.
-?????????For standalone computers we have to ensure that sufficient restrictions are applied to prevent modifying time or data.
-?????????We should ensure that there is time and data stamp accompanied with each electronic signature and each significant event on computerized systems.
Original
Original data include the first or source capture of data or information and all subsequent data required to fully reconstruct the conduct of the GXP activity.
In order to fulfill requirements of this point (Original) we have to make sure of compliance with the following points:
-?????????We should ensure that all raw data are retained and achieved throughout the entire data lifecycle.
-?????????For original data that may be fainting by time (e.g. thermal printouts), a signed photocopy should be attached with it throughout the record/data lifecycle.
-?????????We have to ensure that all original records are reviewed for their completeness, and setting frequency of reviewing based on a risk assessment study according to criticality of each process. Quality of data recorded should be verified.
-?????????Reviewing of original data and original records should be well defined in a controlled procedure. That’s applicable for both paper and electronic records. We have to define appropriate actions to be taken in case of detecting Nonconformity during reviewing or any manipulation of procedure or data to change the results. We may need to expand our investigation as impact may not be limited to this incident only, but may impacted other results.-?????????The personnel responsible for reviewing original data or original records, especially electronic records, should have sufficient training to protect our data from being lost, deleted or destructed.
Accurate
The term “accurate” means data are correct, truthful, complete, valid and reliable.
In order to fulfill requirements of this point (accurate) we have to make sure of compliance with the following points:
-?????????Accuracy of data can be achieved by ensuring that any machine, equipment, apparatus is qualified, calibrated and maintained.
-?????????For computerized systems; they should be validated. As validated methods lead to accurate data.
-?????????For critical data, 4-eyes principle should be applied (e.g. entry of data done by an authorized person and verified by a second authorized person).
-?????????Migration of data between systems should be validated to guarantee that data not effected.
-?????????Any alteration of raw, original data and records should be justified and documented.
-?????????Multiple testing for same sample should be accompanied with documented justification and if not documented that should be investigated.
-?????????One falsification incident should arise many questions about how many times that happened without being discovered.
ALCOA+ / ALCOA-PLUS
All the previous requirements cover ALCOA, and for fulfilling ALCOA+ requirements, data and records should comply with the following 4 requirements:
Complete
we have a well-known golden rule here (Not written, Not done!), if this rule not applied; we have to worry about the cost and resources which will be spent to prove that it was actually done! empty spaces in pages specified for data entry need to be filled with data or blocked by cross-out line with dated signature to exclude any doubts concerning missed data.
Consistent
all relevant data recorded should be harmonized with each other and having logic sequencing and no contradiction should be present between recorded data and what happens actually, e.g.:
-?????????we can’t start filling of cream before end of preparation of the same batch.
-?????????DC Comics Superman who can sign different documents and records in different areas for different processes at the same moment is not existing in real world.
-?????????we can’t record weights without having in place a calibrated balance with sufficient capacity.
Enduring
records and data should be kept throughout records retention period, that included paper records and electronic records and also ensure that retrieval process will not negatively impacts the records.
Available
?make sure that data and records are available upon request, we have to ensure that we can define where the record or data present, and we can reach it when we need.
if we have a contract or agreement with a second party to be responsible for archiving of paper and electronic records, we have to have a robust risk assessment study for all possible risks and how to deal with it.
Why seeking compliance with data integrity requirements?
Pharmaceutical facilities have to guarantee integrity of its data, and set the required measures and controls to ensure data integrity achieved during entire data lifecycle (generation, recording, process, transformation, migration, retention, archiving, retrieval and destruction). The benefit will not only be compliance with guidelines, standards and regulatory authorities, but that will have a direct positive impact on the organization itself and will be reflected on their overall performance through:
ü?Ability to take informed decisions:
No improvement can be achieved based on incorrect or manipulated data.
evaluation of performance of any machine or equipment can’t be precise if the data reflect its performance Not contemporaneously recorded, Not accurate (even if conforming to specification), not present or not protected during archiving.?
Quality of the product during APR/APQR will not express real quality of the product if measures results or laboratory testing results were manipulated or incorrect data.
ü?Get the results you wanted:
any organization pays salary to each individual of its employees to perform his role in the right way from the first time, setting a system that guarantee compliance with data integrity requirements will detect and trace any violations (intended or not intended) and enables us to take further steps to prevent such that events from re-occurrence.
ü?Quality culture enforcement:
Management adopt quality culture within their organization that encourages employees to be transparent about failure. That will be helpful to prevent molehill from turning to a mountain. That will result in containment of any deviation happened before being exaggerated.
----------------------------------------------
pdf file for this article can be downloaded through this link for ease of access:
https://www.dhirubhai.net/feed/update/urn:li:activity:6865555781899620352/