Data Integrity: Progress and Challenges

By Patricia Van Arnum - DCAT Editorial Director

September 26, 2018

Data integrity is fundamental to ensure compliance with current good manufacturing practices (cGMP) and other GXP standards. Regulatory agencies and industry trade groups have released guidance documents to raise standards and compliance. DCAT Value Chain Insights looks at the latest developments.

Inside the problem

Data integrity, always of paramount importance, has taken on greater significance due to increased enforcement actions by regulatory agencies in citing compliance issues and resulting action by regulatory agencies and industry trade groups in releasing further guidance documents on the issue. In 2017, the US Food and Drug Administration (FDA) issued 82 Warning Letters, excluding those issued to compounding pharmacies and outsourcing facilities, with 56, or 68% containing a data-integrity component, according to a recent analysis by Unger Consulting (1). The number of FDA Warning Letters with a data-integrity component increased from 15 in 2015 to 41 in 2016 to 56 in 2017 (1). The number of countries associated with these Warning Letters also increased and in 2017, nine countries were associated with the sites that were the subject of these Warning Letters (1).

Regulatory response

In addition to increased enforcement action, regulatory agencies have issued guidance to address the problem of data integrity.

FDA. Title 21 of the FDA’s Code of Federal Regulations (CFR) Part 11 applies to records in electronic format that are created, modified, maintained, archived, retrieved, or transmitted according to requirements set in FDA regulations. In 2016, the FDA issued a draft guidance, Data Integrity and Compliance With cGMP,  to provide the agency’s current thinking on the creation and handling of data in accordance with cGMP requirements with the expectation that such data be reliable and accurate. The draft guidance clarifies the role of data integrity in cGMP for drugs as required in 21 CFR Parts 210, 211, and 212. The draft guidance specifies that cGMP regulations and guidance allow for flexible and risk-based strategies to prevent and detect data-integrity issues. The draft guidance, which is still to be finalized, advises firms to implement meaningful and effective strategies to manage their data-integrity risks based upon their process understanding and knowledge management of technologies and business models. The draft guidance spells out questions and answers relating to compliance for data-integrity compliance.

For purposes of the draft guidance, the FDA defines “data integrity” as the completeness, consistency, and accuracy of data. Complete, consistent, and accurate data should follow what it terms “ALCOA” as being attributable, legible, contemporaneously recorded original or a true copy, and accurate. The draft guidance specifies that data should be maintained throughout the record’s retention period with all associated metadata, which is defined as the contextual information required to understand data, required to reconstruct  cGMP activity. It also specified the need for an audit trail, as a secure, computer-generated, time-stamped electronic record that allows for reconstruction of events relating to the creation, modification, or deletion of an electronic record. This includes the chronology (who, what, when, and sometimes why) of a record and the GMP-compliant record-keeping practices to prevent data from being lost or obscured.

European Medicines Agency. Annex 11 of the GMP guidelines of the European Union (EU) relate to computerized systems. In 2016, the European Medicines Agency (EMA) issued GMP guidance in the form of questions and answers to provide additional interpretation of the EU GMP guidelines and good distribution guidelines (GDP) published by the European Commission to ensure the integrity of data that are generated in the process of testing, manufacturing, packaging, distribution and monitoring of medicines. The EMA’s GMP/GDP Inspectors Working Group developed a set of questions and answers with advice for stakeholders on measures that ensure data integrity and minimize risks at all stages of the data lifecycle in pharmaceutical quality systems. The advice applies to both paper-based and electronic systems. It specifically addresses: (1) assessment of risks to data integrity in the collection, processing and storage of data; (2) risk-management measures at various stages of the data lifecycle; (3) design and control of both electronic and paper-based documentation systems; and (4) measures to ensure data integrity for activities contracted out to another company. The document is aligned with existing GMP guidance published by some regulatory authorities participating in the Pharmaceutical Inspection Co-operation Scheme (PIC/S), a non-binding, informal co-operative arrangement between regulatory authorities for GMPs. PIC/S also issued a draft guidance, Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments in August 2016.

In 2017, the EMA adopted new policy on handling information on alleged improprieties from external sources as a means to facilitate the reporting of such improprieties and to formalize policy on this issue. These improprieties may include allegations of departures from standards of good practices that could have an impact on the evaluation and supervision of medicines. The goal of the policy, said the EMA, is “to create an environment where individuals from outside the Agency feel confident to raise their concerns on improprieties in their area of work. The policy helps EMA assess these reports and coordinate any further investigation in a structured way while protecting the confidentiality of the reporter.”

Medicines and Healthcare products Regulatory Agency. The most recent guidance on data integrity is from the Medicines and Healthcare products Regulatory Agency (MHRA), the UK’s pharmaceutical regulatory body, which published final guidance on data integrity earlier this year (March 2018) entitled: 'GXP’ Data Integrity Guidance and Definitions. The guidance is intended to be a useful resource on the core elements of a compliant data- governance system across all GXP sectors (good laboratory practice, good clinical practice, good manufacturing practice, good distribution practice, and good pharmacovigilance practice).

Industry trade groups and data integrity

Industry trade groups, such as the Parenteral Drug Association (PDA) and the International Society of Pharmaceutical Engineering (ISPE), also have supported compliance with data-integrity with various technical documents. PDA is developing a set of tools for industry that includes a code of conduct, technical reports and points to consider documents, along with educational workshops. Through the development and dissemination of these tools, PDA intends to: (1) promote harmonized standards for compliance with regulatory expectations for maintaining data integrity; (2) define mechanisms for detecting non-compliance and outline a clear methodology for remediating gaps; (3) serve both industry and regulators by creating and defining solutions for the increasing number of failed inspections where firms lack not only the necessary controls to ensure data integrity but also the expertise to detect and resolve non-compliance; and (4) develop a methodology for restoring confidence in a system and organization to avoid revenue loss and regulatory impacts.

PDA published the Code of Conduct for data integrity in 2016. It outlines key elements necessary to help ensure the reliability and integrity of information and data throughout all aspects of a product's lifecycle. It is intended to be used in whole or in part to guide a company’s internal practices, create or modify an existing data integrity code of conduct, or in developing agreements with outsourcing partners or other suppliers. The elements identified throughout this document are intended to reinforce a culture of quality and trust within the pharmaceutical industry.

It provides a collection of recommended best practices for employee and management conduct related to data integrity. It was written to apply to employees, corporate officers, third-party suppliers and others acting on behalf of, or at the behest of, a company. This includes individuals that develop, test, manufacture or submit marketing authorizations for pharmaceutical and biological products. The Code of Conduct was designed to be useful for both large and smaller manufacturers. For smaller manufacturing firms, or those that supply raw materials, components or testing services, the code is designed to be useful for those who may not yet have taken to shore up existing quality systems and advance quality cultures and systems. Additionally, the code has utility for larger firms or contract providers to use elements of the code to assess their current internal codes or use it to when drafting or revising supply and quality agreements (2).

In August 2018, PDA issued PDA Technical Report 80 (TR 80): Data Integrity in Laboratory Systems, to provide the framework and tools necessary to establish a robust data-integrity management system to ensure data integrity for paper, hybrid, and computerized systems within the laboratory. It is intended to outline regulatory requirements and expectations, along with best industry practices, to ensure data integrity, to highlight common gaps in laboratory data management practices, and to recommend methods of remediation.

In 2017, ISPE issued a guidance document, ISPE GAMP Guide: Records and Data Integrity to provide an overview of principles and practical guidance on meeting current expectations for the management of GXP regulated records and data to ensure they are complete, consistent, secure, accurate, and available throughout their lifecycle.

References
1. B. Unger, “An Analysis Of 2017 FDA Warning Letters On Data Integrity,” Pharmaceutical Online, May 18, 2018.
2. PDA, PDA Data Integrity Code of Conduct Impacts Industry, Parenteral Drug Association, Jan. 2, 2018.