Chandresh Jain, GM – Informatics, Waters, elaborates more on data integrity issues, which has seen a steep rise, with the opening of a large number of regulated laboratories
Data integrity is the new buzz word in laboratories today. There is a distinct trend in the number of data-related issues uncovered by regulators. Since 2013, there has been a steep rise in the number of data integrity related incidences. And this is not just an India-specific phenomenon. Data integrity-related issues have been uncovered around the world. Given the large number of regulated laboratories operating in India, the numbers of incidences were expected to be high.
Data integrity is generally defined as maintaining and assuring the accuracy and consistency of the complete data over its entire life-cycle.
The US FDA’s Data Integrity and Compliance with CGMP Guidance for Industry, Draft Guidance 2016 document describes it as: Data integrity refers to the completeness, consistency, and accuracy of data. Complete, consistent, and accurate data should be attributable, legible, contemporaneously recorded, original or a true copy, and accurate (ALCOA).
MHRA GMP Data Integrity Definitions and Guidance for Industry March 2015 document defines data integrity as – The extent to which all data are complete, consistent and accurate throughout the data lifecycle. Even WHO’s Annex 5 Guidance on good data and record management practices 2016 refers to Data Integrity as – Data integrity is the degree to which data are complete, consistent, accurate, trustworthy and reliable and that these characteristics of the data are maintained throughout the data life cycle. The data should be collected and maintained in a secure manner, such that they are attributable, legible, contemporaneously recorded, original or a true copy and accurate. Integrity of data ensures safety, efficacy, and quality of drugs. It is a fundamental requirement of pharmaceutical quality system.
ALCOA comes up in almost all the data integrity-related discussions. The elements of Data quality in ALCOA are:
‘A’ stands for Attributable. It is expected that data be linked to its source. The data should be attributable to the individual who observed and recorded the data, as well as traceable to the source of the data itself. All entries on paper should be dated on the date of entry and signed or initialed by the person entering the data. The same is true for data collected on an electronic system. In an electronic system, the audit trails keep a track of this element.
In the warning letters, the data integrity issues related to ‘A’ show up as ‘All laboratory analysts share the same password for the HPLCs in the QC analytical chemistry lab and Omnilog in the microbiology lab’, ‘All employees in your firm used the same username and password’ and ‘several of the HPLCs had the audit trail functions disabled’. It is important that the users do not share their usernames and passwords. The audit trails lose their meaning and activities become untraceable when users share usernames and passwords.
Waters Empower3 Enterprise is the most commonly used chromatography data system in compliant laboratories today. All method information and raw data is stored with results, in a secure and embedded database. Nothing is overwritten and all versions are available for review. Audit trails allow traceability and proof of modification or deletion. Specific features have been implemented to allow compliance with ER/ES (21 CRF Part 11), Annex 11 etc. for customers who must comply with regulations.
A new Empower3 tool called ‘Result Audit Viewer’ allows the review of all sample result related audit trails in one window.
‘L’ stands for Legible. Legibility means that data are readable. It implies that data must be recorded permanently in a durable medium i.e. pen and ink on paper.
‘C’ stands for contemporaneous. Data should be recorded at the time the observation is made. This has showed up in warning letters as ‘Recording weights, LOD tests and manufacturing steps in documents before they were executed/ measured’, ‘Making balance printouts retrospectively after chromatographic runs were made’ and ‘Non contemporaneous recording of signatures on calibration and media preparation activities’.
‘O’ stands for Original. Original data is generally considered to be the first and therefore the most accurate and reliable recording of data. Examples given as, ‘There is no system in place to ensure that all electronic raw data from the laboratory is backed up and/ or retained’, ‘Your firm had no system in place to ensure appropriate backup of electronic raw data and no standard procedure for naming and saving data for retrieval at a later date’, ‘our investigator requested to review the electronic analytical raw data to compare the values for (b) (4) assay and degradation products.
However, your firm provided only the printed copies of the raw data because your firm did not have the software programme available to view the electronic raw data’ and ‘Your firm did not retain complete raw data from testing performed to ensure the quality of your APIs. Specifically, your firm deleted all electronic raw data supporting your (HPLC) testing of all API products released to the US market’ are some of the issues uncovered related to original raw data.
MHRA GMP Data Integrity Definitions and Guidance for Industry document describes raw data retention in more detail. ‘Raw data (or a true copy thereof) generated in paper format may be retained for example by scanning, provided that there is a process in place to ensure that the copy is verified to ensure its completeness. In another section, Original Record/ True Copy, there is more explanation on electronic data – ‘It is conceivable for raw data generated by electronic means to be retained in an acceptable paper or PDF format, where it can be justified that a static record maintains the integrity of the original data. However, the data retention process must be shown to include verified copies of all raw data, metadata, relevant audit trail and result files, software/ system configuration settings specific to each analytical run, and all data processing runs (including methods and audit trails) necessary for reconstruction of a given raw data set. It would also require a documented means to verify that the printed records were an accurate representation. This approach is likely to be onerous in its administration to enable a GMP compliant record.’
Data retention may be classified as archive or backup. Data and document retention arrangements should ensure the protection of records from deliberate or inadvertent alteration or loss. Secure controls must be in place to ensure the data Integrity of the record throughout the retention period, and validated where appropriate.’ Labs must have systems in place to archive the raw data. One of the commonly used archival solutions for electronic raw data is NuGenesis Scientific Data Management System.
And the last ‘A’ stands for Accurate. It implies that no errors or editing was performed without documented amendments. Within an electronic system, the audit trails will record the original version and the changed version of the changes made, along with user identity and data/ time stamp. References of failing accuracy have showed up as ‘Your management failed to prevent the practices of product sample retesting without investigation, and rewriting and/ or omission of original CGMP records persisted without implementation of controls to prevent data manipulation’.
The acronym ALCOA+ stands for ALCOA in addition to the following attributes: Complete, Consistent, Enduring, and Available. Complete data includes all data to obtain the final result. It includes all metadata, calibration curves, system suitability tests and even failed runs, including audit trails. Consistent data is created using methods or procedures that can be repeated following a logical sequence of activities. Procedural controls or standard operating procedures are critical for creating consistent data. Enduring means data must be protected from loss, damage, and/ or alteration and must be available throughout the defined retention period. Data should be stored on a medium such that it is available for review during the entire retention period. It is advisable to store data backups at a different location than the original/ raw data. Available means that the data are readily retrieved throughout the lifecycle of the system, or the appropriate retention period, and that it must be available in human readable form.
The repercussions of data integrity failures are immense. The first and foremost is the financial impact. On receiving a Warning Letter or a Notice of Concern or similar adverse comments, the stock value of the pharmaceutical company goes down. There is a risk of losing markets due to import alerts and eventually revenues. Next, the company reputation takes a big hit. The investor’s and the customer’s confidence is eroded. Finally, there could be legal consequences as well. In a worst case scenario, the pharma company may invite lawsuits and debarments.
A strong company culture of compliance is very important in avoiding data integrity issues. It is important to find a balance between compliance and business goals because both are important. The employees should be trained on compliance and must be rewarded for the right behaviour.
In the majority of cases, concerns about data integrity are in no way related to deliberate creation of fraudulent results, but stem from a lack of understanding, either about the goals and purpose of laboratory testing or manufacturing controls, or about the correct use of the technical controls built into GxP applications. Regulators will cite concerns whether there is evidence of data manipulation or not, if they feel that the regulated companies are not using the technical controls correctly to manage the user behaviour in the right way, or to detect possible fraud situations. Just as different regulators are now challenging the use of laboratory and manufacturing software and reviewing the original electronic data rather than relying on printed (or PDF) reports, it is essential that regulated companies also take the time to fully understand the workflow, the potential data integrity risks, correctly implement the controls available to them and devise and follow appropriate review processes to manage those risks.