Data Integrity (A short History)

In Indian Pharmaceutical Industries, Data integrity is the favorite topic for regulatory auditors. Many organization had received warning letter on data integrity. 

Definition:

• Data integrity is the assurance of the completeness of data, accuracy (correctness) and consistency  of data  over its entire life-cycle, and is a critical aspect to the design, implementation and usage of any system which stores, processes, or retrieves data.

History of Data Integrity:

• The USFDA issued a draft guidance on data integrity related to current Good Manufacturing Practice (cGMP) compliance. Other regulatory agencies – such as European Medicines Agency (EMA) and Medicines and Healthcare products Regulatory Agency UK (MHRA) – are focusing on data integrity as well, especially in their publications. Although these guidelines are ‘non-binding recommendations’, we can’t disregard the fact that data integrity is usually a ‘hot topic’ during audits and inspections in the pharmaceutical industry. But why is data integrity so important? And how do pharmaceutical companies ensure compliance? Let’s take a closer look at data integrity.

Data and our digital society

• Few years ago, quality systems and regulated processes in the pharmaceutical industry were documented on paper. Lab note books, clinical trial binders, master recipes, batch records and procedures are some examples of these written or printed documents. Wet ink signatures and dates gave a clear indication about approval details.
• Nowadays, entire pharmaceutical processes have been digitalised, resulting in various advantages. We can look up data faster, regardless of where we are, make true copies and backups and bring data from multiple source systems together to provide new insights – to name a few new possibilities. However, our digital society also entails risks regarding data integrity. Entering data into electronic systems increases the risk of human errors. In addition, it becomes harder to determine original documents, since e-mailing, downloading, uploading and sharing of documents is common practice. In short, the current digitisation asks for a different approach of data integrity.

The importance of data integrity

• But why is data integrity so important? In a special report on data integrity, Pharmaceutical Engineering® lists three key points. First, regulatory agencies and the pharmaceutical industry need accurate and reliable data to ensure the safety, efficacy and quality of a product. Second, data integrity is crucial to guarantee trust between the industry and regulatory agencies. Third, regulatory agencies cannot constantly audit companies to inspect every little part of processes and production.
• In short, data must be complete, consistent and accurate. Problems with data integrity cannot only result in patient harm, but also in product recalls, regulatory incompliance and company image problems.
• How do companies guarantee data integrity?
• According to the FDA, “ALCOA” is an important framework to help companies in achieving data integrity. ALCOA means that data should be:

Attributable

• When creating a record, companies need to know who created it, when and why.

Legible

• Even in a digital age, readable data is not always self-evident. Ensuring records are readable and permanent assists with their accessibility throughout the data lifecycle. This includes storage of human-readable metadata that may be recorded to support an electronic record.

Contemporaneous

• Companies need to record data at the time the work is performed, by using the server time from an acknowledged organisation for example, and by adding the right time zone.

Original

• Original data, sometimes referred to as source data or primary data, is the medium in which the data point is recorded for the first time.

Accurate

• Of course, data can’t contain any errors, which includes both human and automated errors. They should be free from errors, complete, truthful and reflective of the observation.
• QbD is a member of ISPE, the international society for professionals involved in the engineering and manufacturing of pharmaceuticals and related products. We are happy to help your company with support or advice on data integrity. We can assist you in identifying critical records, mapping the records lifecycle and flow, and assessing technical and procedural data integrity gaps to defining an overall approach leading to data integrity compliance.

Few other points to be taken care::

• It is organization responsibility to develop a culture  which should ensure that data is complete, consistent and accurate in all its forms, i.e. paper as well as electronics. 


• Our SOP/Policy of data integrity should be design in such way with respect to people, systems and facilities to adapted and support a suitable working environment, i.e. creating the right environment to enable data integrity controls to be effective.


• The impact of company culture, the behavior driven by performance indicators, objectives and senior management behavior on the success of data governance measures should not be underestimated. The data governance policy (or equivalent) should be endorsed at the highest levels of the organization.


• Organizations are not expected to implement a forensic approach to data checking on a routine basis. Systems should maintain appropriate levels of control whilst wider data governance measures should ensure that periodic audits can detect opportunities for data integrity failures within the organization’s systems.


• The effort and resource applied to assure the integrity of the data should be commensurate with the risk and impact of a data integrity failure to the patient or environment. Collectively these arrangements fulfill the concept of data governance.


• Organizations should be aware that reverting from automated or computerized systems to paper-based manual systems or vice-versa will not in itself remove the need for appropriate data integrity controls.


• Where data integrity weaknesses are identified, companies should ensure that appropriate corrective and preventive actions are implemented across all relevant activities and systems and not in isolation.


• Appropriate notification to regulatory authorities should be made where significant data integrity incidents have been identified.

Regulatory Audit "Do's and Don'ts"

During regulatory audit in Pharmaceutical Industry it is very important to know each and every person of organization that what to do and what don't.

• Here some important tips are mentioned which we have to follow during audit. 

Remember:

"If it is not documented, it doesn't exist".

Do’s and Don't:

• Answer honestly with confidence. 


• Don't answer if you don't know or are not sure. 


• Avoid to use of phrases and Qualifiers during answering to auditor  for example....I think, Sometimes, Often, Usually, Generally etc.


• Answer only those question which is asked and Stop when question is answered.


• Ask for explanations 


• Control your temper during answering , even though auditor is not convinced with you. Don't make argument with auditor. 


• Maintain eye contact, it will give confidence to auditor. 

• Don't give volunteer Information.
• Investigator may read your body language, be aware of your body language. 
• Don't challenge the investigator. 
• Don't give false data, always tell the truth. 
• It is ok to say "I don't know".


• Don't attempt to answer “What If ?” or Hypothetical questions. 


• Don't stand around making face and looking worried.


• Don't interupt the investigator or employees when they are speaking.


• Don't point out deficiencies or errors.


• Don't become defensive or evasive.


• Don't look away, Fidget or look nervous.


• Don't make statements about your personal opinion of the FDA.

Apart from above precautions, there are many more things which should be taken care during regulatory audit. It is senior management responsibility to make aware down the line staff members. 

Computer System Validation (21 CFR Part 11)

Brief:

In any pharmaceutical organization compliance of 21 CFR part 11 is very important and basic requirements of FDA. 

21 Code For Federal Regulations Part 11 is a law that ensures organization implement good practices. Part 11 allows a company to implement computer systems that will highly increase th e efficiency of individuals, minimize the errors by identifying risks, and increase overall productivity of the organization.

The Code of Federal Regulations (CFR) contains the laws for each of the government agencies. Each title of the CFR addresses a different regulated area. Laws typically refer to records and approval signatures, which originally referred to paper documents and handwritten signatures. Part 11 allows any paper record to be replaced by an electronic record, and allows any handwritten signature to be replaced with an electronic signature.

While Part 11 is an essential and very successful law, there has been much controversy and misunderstanding about it. The law is less than three pages long and doesn't give much detail about electronic records and signatures. Don't be mislead by the almost 30 pages of preamble material that is not the law. Just go to the end of the Part 11 document and flip back three pages to the beginning of the law. Adding to the confusion is the rapid evolution of computer technology that has made 21 CFR Part 11 compliance a moving target.

According to both American FDA and UK MHRA, computer system validation is defined as

“Confirmation by examination and provision of objective evidence that software specifications conform to user needs and intended uses, and that the particular requirements implemented through software can be consistently fulfilled”

Validation of computer systems is not a onetime event it periodic activity.

Purpose of CSV:

The purpose of the validation process is to provide a high degree of assurance that a specific process (or in this case computer system) will consistently produce a product (control information or data) which meets predetermined specifications and quality attributes.

Need of CSV:

FDA regulations mandate the need to perform Computer System Validation and these regulations have the impact of law.

Having the evidence that computer systems are correct for their purpose and operating properly represents a good business practice.
Chalange test:
All positive as well negative challenge test should be performed at the time of installation and this should comply to it's Pre-approved acceptance criteria.

Audit Trail in Pharmaceutical industries.

Audit Trail:

"An audit trail (also called audit log) is a security-relevant chronological record, set of records, and/or destination and source of records that provide documentary evidence of the sequence of activities that have affected at any time a specific operation, procedure, or event".

Challenge Test for Audit Trails:

Before start the Use of any software, it should be completely validated through Chalenge test for its compliance. 

Authorization limitation:
Every software which is used for data generation should have limited access for analyst, reviewer, approver as per their job role and Administrative authorization should be with IT-Quality head. Our SOPs should be very clear about these authorizations. 

Further we can elaborate  it as the Audit trail is a form of metadata containing information associated with actions that relate to the creation, modification or deletion of GXP records. An audit trail provides for secure recording of life-cycle details such as creation, additions, deletions or alterations of information in a record, either paper or electronic, without obscuring or overwriting the original record. An audit trail facilitates the reconstruction of the history of such events relating to the record regardless of its medium, including the “who, what, when and why” of the action.

Automization:
Where computerised systems are used to capture, process, report, store or archive raw data electronically, system design should always provide for the retention of audit trails to show all
changes to, or deletion of data while retaining previous and original data. It should be possible to associate all data and changes to data with the persons making those changes, and changes should be dated and time stamped (time and time zone where applicable). The reason for any change, should also be recorded. The items included in the audit trail should be those of relevance to permit reconstruction of the process or activity.

Audit trails (identified by risk assessment as required) should be switched on. Users should not be able to amend or switch off the audit trail. Where a system administrator amends, or switches off the audit trail a record of that action should be retained.

The relevance of data retained in audit trails should be considered by the organisation to permit robust data review/verification. It is not necessary for audit trail review to include every system activity (e.g. user log on/off, keystrokes etc.).

Where relevant audit trail functionality does not exist (e.g. within legacy systems) an alternative control may be achieved for example defining the process in an SOP, and use of log books. Alternative controls should be proven to be effective.

Where add-on software or a compliant system does not currently exist, continued use of the legacy system may be justified by documented evidence that a compliant solution is being sought and that mitigation measures temporarily support the continued use.

Routine data review should include a documented audit trail review where this is determined by a risk assessment. When designing a system for review of audit trails, this may be limited to those with GXP relevance. Audit trails may be reviewed as a list of relevant data, or by an ‘exception reporting' process. An exception report is a validated search tool that identifies and documents predetermined ‘abnormal’ data or actions, that require further attention or investigation by the data reviewer.

Reviewers should have sufficient knowledge and system access to review relevant audit trails, raw data and metadata (see also ‘data governance’). Where systems do not meet the audit trail and individual user account expectations, demonstrated progress should be available to address these shortcomings. This should either be through add-on software that provides these additional functions or by an upgrade to a compliant system.
Where remediation has not been identified or subsequently implemented in a timely manner a deficiency may be cited.

Source: MHRA GXP Data Integrity Guidance and Definitions.

About Form 483 of USFDA

Form FDA 483:

USFDA declare an audit of any Pharmaceutical plant after ANDA filling or schedule GMP audit to check the adequacy of Drug products/Drug Substance. 

The U.S. Food and Drug Administration (FDA) is authorized to perform inspections under the Federal Food, Drug, and Cosmetic Act, Sec. 704 (21 USC §374) "Factory Inspection".

Form FDA 483, "Inspectional Observations," is a form used by the FDA to document and communicate concerns discovered during these inspections.
Also referred to as "Fo.rm 483" or merely "483", it states thereon that it.

The FDA Form 483 is officially called a "Notice of Inspectional Observations," commonly referred to simply as a "483."
The 483 is issued at the end of an on-site inspection if the FDA field investigator observed deficiencies in your quality system or conditions that violate the Food, Drug, or Cosmetic Act.

“Lists observations made by the FDA representative(s) during the inspection of your facility.
They are inspectional observations, and do not represent a final Agency determination regarding your compliance”

A recipient of a 483 should respond to the FDA, addressing each item, indicating agreement and either providing a timeline for correction or requesting clarification of what the FDA requires.

Responses should be comprehensive, well-reasoned, well-documented and timely, and that each observation should be addressed individually.

An FDA Form 483 is issued to firm management at the conclusion of an inspection when an investigator(s) has observed any conditions that in their judgment may constitute violations of the Food Drug and Cosmetic (FD&C) Act and related Acts.

The FDA Form 483 notifies the company’s management of objectionable conditions.
At the conclusion of an inspection, the FDA Form 483 is presented and discussed with the company’s senior management.
Companies are encouraged to respond to the FDA Form 483 in writing with their corrective action plan and then implement that corrective action plan expeditiously. Respond to the 483 or a Warning Letter promptly and identify your course of action to correct the findings within the FDA's specified timeframe.

The best way to minimize your chances of receiving a Form 483 is to always be "inspection ready." In other words.

Lab Incident investigation for Extraneous peak

In Pharmaceutical Industries, Lab Incident investigation and root cause analysis to identify the source of Extraneous peak is very difficult. In most of the cases it is tuff to convince the regulatory auditor that there is no issue with the product quality, if our investigation is not design to rule out all the possibility of product quality genuiness.

Here I am sharing a case study to understand it in a better way.

Note:Before initiation for Lab incident investigation, It should be ensured by Lab incharge that result is not OOS/OOT. If result is OOS/OOT then it should be investigated through the OOS/OOT SOPs.

Is your SOP of Lab incident is enough transparent for " peak area response" percentage of extraneous peak (Except Related substance test) to initiate the event?

Description of Event:

Extraneous peak observed in dissolution test in one unit (other five units have no extraneous peak) .
Results of all 06 units are between 92% to 98%  -Limit is NLT 85%(Q). Subject unit result is 96%.

Preliminary investigation:
From preliminary investigation, no laboratory error (i.e.presure fluctuation or re-use of hplc vial etc. ) is identified.

Re-measurement:
Re-measurement from same solution (same vial, refilled vial) is found in line to the initial  i. e. same area response of extraneous peak. Hence instrument error and vial filling error is ruled out.

If peak observed in all hypothesis testing then same vial should be run on PDA detector to know about the spectrum of the unknown peak.

Root cause analysis:
From above investigation, it's seems that there is no instrument malfunction and no vial contamination. So from where this extraneous peak came.

Probabilities:
1- From test tube: Is test tube was cleaned before use for collection of sample.
2- From Dissolution bowl: Is dedicated bowl was used and cleaned before use.
3- From basket/paddle: Is dedicated basket/paddle had been used and cleaned before use.
4-From Autosampler tubing of dissolution: Is cleaning cycle followed as per SOP/Cleaning validation recommendation.
5-Is batch was contaminated from previous manufactured product on same equipment.

To rule out 1 to 4 probabilities quality control unit should work and for 5 probability manufacturing investigation required to identify the history of previous product on same equipment and cleaning validation evaluation. 

Outcome of above proposed investigation:
Based on above investigation (1to4) if there is any gap, identified, the drugs which are impacted.
Based on manufacturing investigation (point 5) identify the previous manufactured products on same equipment.
Prepare a list of  products based on above investigation and run it on PDA detector.
Match the spectra of each product to the spectrum of inital unknown peak.
If spectrum is not match with manufacturing related products, then there is no issue with the product quality.
If spectrum match with any of product from 1to 4 based product list, then take proper CAPA to avoid re-occurence.
If spectrum not match with any of product, even though we can report the results as no impact on principal peak.

In above investigation we can do more brain storming to identify the root cause and CAPA.