Good Data Management and Integrity in Regulated GMP Environments.

" Data Governance is the sum total of arrangements to ensure that data, irrespective of the format in which it is generated, recorded, processed, retained and used to ensure a complete, consistent and accurate record throughout the data lifecycle"

1.Basic data integrity principles applicable to both paper and electronic systems (i.e. ALCOA +):

• Attributable:

It should be possible to identify the individual or computerised system that performed a recorded task and when the task was performed. This also applies to any changes made to records, such as corrections, deletions, and changes where it is important to know who made a change, when, and why.

• Legible

All records should be legible, the information should be readable and clear in order for it to be understandable of use. This applies to all information that would be required to be considered Complete, including all Original records or entries. Where the dynamic nature of electronic data is important to the content and meaning of the record, the ability to interact with the data using a suitable application is important to the ‘availability’ of the record.

• Contemporaneous

The evidence of actions, events or decisions should be recorded as they take place. This documentation should serve as an accurate evidence of what was done, or what was decided and why, i.e. what influenced the decision at that time.

• Original

The original record can be described as the first-capture of information, whether recorded on paper or electronically. Information that is originally captured in a dynamic state should remain available in that state.

• Accurate

Records need to be a truthful representation of facts to be accurate. Ensuring records are accurate is achieved through many elements of a robust Quality System. This can be included as:

-- Equipment related factors such as qualification, calibration, and maintenance, computer validation.

-- Policies and procedures to control actions and behaviours, including data review procedures to verify adherence to procedural requirements

-- Deviation management including root cause analysis, impact assessments and CAPA

-- Trained and qualified personnel who understand the importance of following established procedures and documenting their actions and decisions.

• Complete:

All information that would be critical to recreating an event is important when trying to understand the event. It is important that information is not lost or deleted. The level of detail required for an information set to be considered complete would depend on the criticality of the information.A complete record of data generated electronically includes relevant metadata.

• Consistent

Information should be created, processed, and stored in a logical manner that has a defined consistency. This includes policies or procedures that help control or standardize data (e.g. chronological sequencing, date formats, units of measurement, approaches to rounding, significant digits, etc.).

• Enduring

Records should be kept in a manner such that they exist for the entire period during which they might be needed. This means they need to remain intact and accessible as an indelible/durable record throughout the record retention period.

• Available

Records should be available for review at any time during the required retention period, accessible in a readable format to all applicable personnel who are responsible for their review whether for routine release decisions, investigations, trending, annual reports, audits or inspections.

2. Data governance systems

The data governance system should ensure controls over the data lifecycle which are appropriate with the principles of quality risk management. These controls includes [but not limited to]:

• Procedures, [e.g. instructions for completion of records and retention of completed records]
• Training of staff and documented authorisation for data generation and approval.
• Data governance system design, considering how data is generated, recorded, processed, retained and used, and risks or vulnerabilities are controlled effectively.
• Routine (e.g. daily, batch- or activity-related) data verification.
• Periodic surveillance, [e.g. self-inspection processes seek to verify the effectiveness of the data governance system]
• The use of personnel with knowledge in data management and integrity, including capability in data security measures.
• Computerised system validation, qualification and control, automation, the use of technologies that provide greater controls for data management and integrity.

3. Senior management Responsibility:

• The senior management is responsible for the implementation of a Data Governance System and must provide the necessary resources. With an effective Data Governance System, management can show that data governance requirements were implemented successfully.
• This includes appropriate organizational culture, understanding for the criticality of data as well as the risk of data and the data lifecycle. It also includes communication with the personnel on all levels and how an organisation enables and encourages individuals to report their own errors. This reduces the intention to falsify, change or delete data.
• Manufacturers and analytical laboratories must develop and employ a system which allows an acceptable state of control based on the data integrity risk. This data integrity/data governance system is to be fully documented and justified.
• When long-term measures are identified that have to be taken to reach the desired level of control, provisional measures must be implemented in the meanwhile so as to mitigate risk.
• The efficiency of these provisional measures is also to be verified. Also, if provisional measures are taken, senior management must be informed accordingly. Additionally, these measures must be included into the regular reviews.

4. Data governance system review:

• The effectiveness of data integrity control measures should be assessed periodically as part of self-inspection or internal audit, or other periodic review processes. Self-inspection should ensure that controls over the data lifecycle are operating as proposed.
• A review for consistency of reported data/outcomes against raw entries.
• A risk-based sample of computerised system logs / audit trails to ensure that information of bearing to GMP/GDP activity is reported accurately.
• A review of quality system metrics also consider as quality system trending.
• An effective review of the data governance system will establish understanding about importance of collaboration of company behaviors with organisational and technical controls. The outcome of the review should be promptly communicated to the senior management.

5. Organisational Influences on Successful Data Integrity Management

Data integrity breaches can occur at any time, by any employee, so management needs to be aware in detecting issues and understand reasons behind gaps, when found, to allow investigation of the issue and implementation of corrective and preventive actions and also need to monitor the effectiveness.

• Open Cultures: Good data governance in ‘open’ cultures may be facilitated by employee empowerment to identify and report issues through the Pharmaceutical Quality System,
• Closed Cultures: In ‘closed’ cultures, a greater importance on oversight and secondary review may be required to achieve a correspondent level of control due to the social barrier of communicating undesirable information. The availability of a confidential escalation process to senior management may also be of greater importance in this situation.
• Management should make personnel aware of the importance of their role in ensuring data quality and the implication of their activities

6. How to implement the quality Culture by Management:

• Ensuring awareness and understanding of expectations (e.g. Code of Values and Ethics and Code of Conduct),
• Leading by example, management should demonstrate the behaviours they expect to see,
• Being accountable for actions and decisions, particularly delegated activities,
• Staying continuously and actively involved in the operations of the business,
• Setting realistic expectations, considering the limitations that place pressures on employees,
• Allocating appropriate technical and personnel resources to meet operational requirements and expectations,
• Implementing fair and just consequences and rewards that promote good cultural attitudes towards ensuring data integrity, and
• Being aware of regulatory trends to apply “lessons learned” to the organization.

7. How to Increase the Pharmaceutical Quality System

• Quality Risk Management,
• Investigation programs,
• Data review practices
• Computerised system validation,
• IT infrastructure, services and security (physical and virtual),
• Vendor/contractor management,
• Training program to include company’s approach to data governance and data governance SOPs,
• Storage, processing, transfer and retrieval of completed records, including decentralised/cloud-based data storage, processing and transfer activities,
• Appropriate oversight of the purchase of GMP/GDP critical equipment and IT infrastructure that incorporate requirements designed to meet data integrity expectations, e.g. User Requirement Specifications,
• Self-inspection program to include data quality and integrity, and Performance indicators (quality metrics) and reporting to senior management
• Regular management review
• Management should allocate appropriate resources to support and sustain good data integrity management.
• There should be regular management reviews of performance indicators, including those related to data integrity.

8. Dealing with data integrity issues:

• Internal: In the event that data integrity lapses are found, they should be handled as any deviation then correcting the issue to its full extent and implement preventive measures and scientific evidence should be in place when considering the impact on patient safety and product quality.
• External: [Regulatory Actions] In Response to Data Integrity Findings Deficiencies relating to data integrity failure may have varying impact to product quality. Frequency of the failure may also vary between the actions of a single employee to an endemic failure throughout the inspected organization.
• “A critical deficiency is a practice or process that has produced, or leads to a significant risk of producing either a product which is harmful to the human or veterinary patient or a product which could result in a harmful residue in a food producing animal. A critical deficiency also occurs when it is observed that the manufacturer has engaged in fraud, misrepresentation or falsification of products or data

Appropriate to assign classification of deficiencies by taking into account the following.

Impact to product with actual or Potential risk to patient health: Critical deficiency:

• Product failing to meet Marketing Authorisation specification at release or within shelf life.
• Reporting of a ‘desired’ result rather than an actual out of specification result when reporting of QC tests, critical product or process parameters.
• Wide-ranging misrepresentation or falsification of data, with or without the knowledge and assistance of senior management, the extent of which critically undermines the reliability of the Quality System and erodes all confidence in the quality and safety of medicines manufactured or handled by the site.

Impact to product with No risk to patient health: Major deficiency:

• Data being misreported, e.g. original results in specification, but altered to give a more satisfactory trend.
• Reporting of a desired result rather than an actual out of specification result when reporting of data which does not relate to QC tests, critical product or process parameters.
• Failures arising from poorly designed data capture systems (e.g. Usage of scrap paper to record info for later transcription in to GMP record).

No impact to product evidence of moderate failure: Major deficiency:

• Bad practices and poorly designed systems which may result in occurrences for data integrity issues or loss of traceability across a limited number of functional areas (QA, production, QC etc.). Each in its own right has no direct impact to product quality.

No impact to product, limited evidence of failure: Other deficiency:

• Bad practice or poorly designed system which result in opportunities for data integrity issues or loss of traceability in a discrete area.
• Limited failure in an otherwise acceptable system, e.g. manipulation of non-critical data by an individual

9. Remediation of Data Integrity Failures

Responding to Significant Data Integrity issues

Consideration should be primarily given to resolving the immediate issues identified and assessing the risks associated with the data integrity issues. The response by the company in question should outline the actions taken as part of a remediation plan. Responses from implicated manufacturers should include:

A comprehensive investigation into the extent of the inaccuracies in data records and reporting, to include

• A detailed investigation protocol and methodology; a summary of all laboratories, manufacturing operations, products and systems to be covered by the assessment.
• Interviews of current and where possible and appropriate, former employees to identify the nature, scope, and root cause of data mistakenness. These interviews may be conducted by a qualified third party.
• An assessment of the level of data integrity deficiencies at the facility. Identify errors, alterations, deletions, record destruction, non-contemporaneous record completion, and other deficiencies.
• Determination of the scope (data, products, processes and specific batches) and timeframe for the incident, with justification for the time-boundaries applied;
• A description of all parts of the operations in which data integrity lapses occurred, additional consideration should be given to global corrective actions for multinational companies or those that operate across multiple sites;
• A comprehensive retrospective evaluation of the nature of the data integrity deficiencies, and the identification of root cause(s) or most likely root cause that will form the basis of corrective and preventative actions, as defined in the investigation protocol. The services of a qualified third-party consultant with specific expertise in the areas where potential breaches were identified may be required.
• A risk assessment of the potential effects of the observed failures on the quality of the substances, medicines, and products involved. The assessment should include analyses of the potential risks to patients caused by the release/distribution of products affected by a lapse of data integrity, risks posed by ongoing operations, and any impact on the integrity of data submitted to regulatory agencies, including data related to product registration.

Corrective and preventive actions taken to address the data integrity vulnerabilities and timeframe for implementation, and including:

• Interim measures describing the actions to protect patients and to ensure the quality of the medicinal products, such as notifying customers, recalling product, conducting additional testing, adding lots to the stability program to assure stability, drug application actions, and enhanced complaint monitoring. Interim measures should be monitored for effectiveness and residual risks should be communicated to senior management and kept under review.
• Long-term measures describing any remediation efforts and enhancements to procedures, processes, methods, controls, systems, management oversight, and human resources (e.g. training, staffing improvements) designed to ensure the data integrity. Where long term measures are identified interim measures should be implemented to mitigate risks.

CAPA effectiveness checks implemented to monitor if the actions taken has eliminated the issue.

• comprehensive description of the root causes of the data integrity lapses, including evidence that the scope and depth of the current action plan is commensurate with the findings of the investigation and risk assessment. This should indicate if individuals responsible for data integrity lapses remain able to influence GMP/GDP-related or drug application data.
• A detailed corrective action plan that describes how the regulated user intends to ensure the ’ALOCA+’ attributes of all of the data generated, including analytical data, manufacturing records, and all data submitted or presented to the Competent Authority.

Thanks to Peter Baker Sir & Bob McDowall Sir

#datagovernance #dataintegrity #pharmaceuticalindustry #qualityassurance #pharma #investigations #riskassessment #response #audits #inspection #healthcare