Data Integrity: 3 Common Pitfalls in pharmaceutical, biotech manufacturing and GxP environments
In the US and EU, 21 CFR Part 11 and Annex 11 respectively try to ensure that the use of computerized systems do not put product quality at risk. One of the most important aspects of computerized systems is the data they gather, record and store, and the "elevens" seek to ensure that data is correct, complete, controlled and secure. Controls must be in place to safeguard data, including data checks within software or with a manual process and permission-based access. The EMA and FDA publish the results of their inspections and looking at deviations from GMP in these published reports (Statements of Non-Compliance from the EMA, and Form 483 from the FDA) we can see details of where organizations are failing to ensure data integrity.
From EMA inspection Non-compliance reports:
"In total 27 deficiencies were found: 3 classified as Critical were found in the area of Documentation management system, Falsification and Security and integrity data…"
"The material stored in this area was to be managed outside of the Quality Assurance system and the investigation carried out by the inspection team concluded there was a serious risk of data falsification…"
"Storage of quality documents in an uncontrolled location, involving staff from QC, QA, maintenance and production - Deficient management of paper documents - Deficient management of the computerized system…"
"Lack of data integrity in the QC laboratory (No access control, inadequate traceability and archiving practices, no audit trail, no restriction on the deleting of data, etc.) and falsification of the analytical results for [the product]…"
From FDA Form 483s:
"Records are not maintained so that data therein can be reviewed at least annually to evaluate the quality standards of each drug product to determine the need for changes in specifications or manufacturing or control procedures…"
"Failure to maintain a backup file of data entered into the computer or related system…"
"Laboratory records did not contain a complete record of all data obtained in the course of each test…"
"Appropriate controls are not exercised over computers or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel…"
From these samples the importance of data integrity in computerized systems is apparent. The themes of user controls, data security and completeness are common.
In GMP compliance, unlike the rest of life, it's not necessarily easier to apologize after the fact… In GMP compliance it's easier (and more cost effective) to be proactive and ensure data are complete, secure, and accurate.
In our experience, the best place to focus your effort is data traceability. In computerized systems, this means programs that write data indelibly and have user access controls. Essentially, you need to know where the data came from and assurance that it was not tampered with.
The "Elevens" try to preserve integrity
What do these look like in practice? Basically, it means password protection for users of a system and audit trails that cannot be edited once created. These are such common features in software and instrumentation used in pharmaceutical manufacturing operations, that if your system does not have these features, you know the system should not be used in any GxP-regulated application.
You may generate complete data, but without user controls and audit trails, the records will not comply with CFR 21 Part 11 or Annex 11. According to Part 11, Subpart B "Section 11.10 Controls for closed systems" procedures and controls must be in place to ensure the "authenticity, integrity, and, when appropriate, the confidentiality of electronic records." In addition, access to the raw data for any time period is required for presentation upon request from auditors and inspectors.
Regarding Annex 11, the EMA takes a risk-based approach, expecting firms to weight data integrity and system security in terms with the risks associated with what the computerized system does. Software that is used in the execution of GxP-related tasks must have built-in checks for the correct and secure entry and data processing.
Always worth reviewing:
Three Common Pitfalls
Here are three common pitfalls of data integrity that we've seen in the field:
- No built-in data back-up mechanisms. Look for software and systems that ensure data gaps cannot occur due to power outage or network downtime. Two common solutions are Uninterrupted Power Source combined with devices that can switch to an alternate power source (battery) when required.
- No permission-based access to software. Ensure system use is at least password protected. Preferred are systems where administrators can assign access to users according to their security level and functions within the organization.
- No tamper-proof audit trail. Look for software where data once recorded are unchangeable, and if tampered with, leave a clear indication.
Each of these data integrity issues is avoidable using systems and instrumentation designed for use in regulated environments.
Validate (Test Tamper & Pen Testing)
Finally, remember that upon installation of a computerized system or software, you need to test the data integrity. Ensure your software validation includes an attempt to tamper with data and access the system without a password- or ID- enabled entry. If the system has those as features, they need to be verified. If the system doesn't have those features, don't use it in an area subject to inspection by EMA or the FDA. From both agencies point of view, a lack of control over data integrity puts into question the authenticity and reliability of your computerized system, and therefore the safety, efficacy, and quality of the product.
The issue is more complex that we have outlined here with pitfalls. For a more in-depth look at data integrity, read "GMP Data Integrity Definitions and Guidance for Industry" published March 2015 by the UK's Medicine and Healthcare Products Regulatory Agency (MHRA) and "Current Good Manufacturing for Finished Pharmaceuticals" specifically 211.194 - Laboratory Records.
As always, if you have any questions on this article, contact your local Vaisala sales team.