Data Integrity in Pharmaceutical Manufacturing – Technical Considerations
Posted on August 13, 2015 by
Dr Joe Brady, Director for Global Compliance and Validation at Zenith Technologies
This is an opinion and a perspective on data-integrity associated with pharmaceutical manufacturing. Some ideas I like to convey to clients and students is never to assume that people will automatically trust your raw data or processed records, even though you may be the most honest and fastidious keeper of records. It may sound cynical but it is no harm to offer irrefutable proof of your trustworthiness, to begin with. In the same way no scientist would ever assume that a refereed scientific journal would simply publish their new hypothesis without them first conducting a peer-review of available reproducible data to ensure the article’s quality and merit.
Data without integrity is utterly meaningless. That’s the perception within the pharmaceutical manufacturing industries anyways, and it always has been that way. Especially when it comes to batch manufacturing records and associated quality control records. If data traceability is found to be questionable the offending company may eventual lose their licence to manufacture and distribute products, and may even have to face into the dreaded prospect of product-recall (if recall could even be achieved with poor quality records!).
An Industry Drive towards Transparency
Nowadays people are generally suspicious of facts, figures and data such as those emanating from financial institutes, corporations and government departments, for example. They can even be suspicious of the supposedly ‘independent’ auditors responsible for certifying those facts, figures and data because of the perception of real and supposed conflicts of interest. The public is demanding evermore transparency, traceability and accountability. People, and various regulatory bodies, are generally becoming more insistent that the information contained in published reports is deemed to be trustworthy.
Depending on circumstances, children are taught to be both suspicious and trusting either in equal or unequal measures. It would be impossible to teach someone only about trust, because without suspicion trust would have no context. Therefore, everyone learns a healthy degree of suspicion, particularly in regard to unfamiliar people and unknown situations. Trust, therefore is something that will always have to be earned and is never assumed. Suspicion on the other hand appears to be an automatic learned reflex (for better or for worse!) and its presumption needs to be disproven in order for it to abate. Therefore, expect greater regulatory oversight if you are a new organisation with a new manufacturing process; here you will need to work hard to earn your trustworthy status. Always be in anticipation of a tenacious data-integrity review by the regulatory authorities, and always be ready with documented evidence to defend against a certain degree of scepticism.
Technological Considerations – Data and Record Integrity
The crux of this article is to confidently provide data and records giving little or no cause for suspicion. Companies endeavour to constantly provide new assurances that provide increasing certainty. According to the MHRA, “Article 23 of Directive 2001/83/EC requires a authorisation holder to take account of scientific and technical progress and enable the medicinal product to be manufactured and checked by means of generally accepted scientific methods”. This can be interpreted as a recommendation to pharmaceutical manufacturers (authorisation holders) to implement technological controls, rather than devotion to and total dependence on procedural controls.
Technological controls comes as standard nowadays in many process and business applications (this was certainly not the case a decade or two ago). If such systems are installed and available, there is no compelling reason why we shouldn’t be judiciously activating technological controls where applicable. Inevitably, this should lead to greater assurances of integrity associated with our regulated records. Wherever possible, to enhance and multiply our site technological controls, perhaps we should always be sourcing additional cost-effective, robust and compliant applications.
With any such applications there are a number of very important prerequisites:
- Ensure the human-user has the ability to identify and detect invalid or altered records (be that intentionally or inadvertently): e.g., audit trails.
- Ensure record integrity and trustworthiness when information-objects are shared between multiple computing environments during normal business workflow.
- Ensure the application is robustly specified, design, implemented, validated, operated and maintained, and upgraded/replaced in accordance with standard documented good computer lifecycle practices.
There are many online dictionary definitions for records, and here are a select few:
- “A collection of related, often adjacent items of data, treated as a unit”
- “Constituting a piece of evidence about the past, especially an account kept in writing or some other permanent form”
- “Show or register, for example, a piece of evidence about the past to an observer”
It is a good idea to identify your regulated record types based on an assessment of applicable GxP guidance documents. Make a list of process steps where electronic signatures are applied. Whenever an electronic signature is applied, it should be clear when, why, and by whom. To begin with, data-historians should generally not be alterable. Prove this to be the case. If this is not the case then ensure you have an electronic audit trial in place. Sole reliance on procedural controls to govern authorised modifications to data historians and records will always have its uncertainties. It may also be a good idea to classify your GxP records as high, medium and low impact records, because the MHRA states, “The degree of effort and resource applied to the organisational and technical control of data lifecycle elements should be commensurate with its criticality in terms of impact to product quality attributes.”
(Note: GMPs don’t appear to recognise software code and internal system configurations as regulated electronic records. These typically are more than adequately controlled by change control and configuration management, and validation. Sometimes version-control audit trails can be activated, but it is up to the authorisation holders to determine whether this brings any additional value.)
Assigning Responsibility and Accountability
Data and records should be attributable to the person generating the data, with information on who and when they acquired the data or performed the action. A session on an electronic records system assumes control of a device by an individual operator, and by an event that terminates the session. An enterprise policy should be in place declaring the equivalence of electronic signatures to handwritten signatures, and making a declaration about the non-repudiatable nature of such signings. In terms of individual responsibility, the significance of electronic signatures and the consequences of misuse or falsification should be documented. Workflow activities should be configured with integrated detection mechanisms to verify a specific device as the correct input source, and technical health checks on such devices should be performed periodically.
Data and Record Best Practice
Data and records should be legible and permanent, and available for review and audit-inspection over the lifetime of the record. GxP regulations define those instances where records are to be established and subsequently kept for specified periods of time. Applications that manage access to such records for the purpose of use should be configured so that only authorized persons can access records, only approved equipment is used to access records, and that records are not altered during use (e.g.: the archiving environment and equipment).
Data and records should be contemporaneous and consistent, with all elements of the record, such as the sequence of events, being dated and/or time stamped in the expected sequence. Sequence checks can be configured to direct process and workflow activities. Application environments can be configured to execute a work process while interacting with human operators, either in the direct control of equipment or ensuring that manual operations are performed in the correct order.
Original records should be complete with all data present and available. Applications that allow for the modification of records for the purpose of editing original information, such as laboratory chromatography systems, should be configured to ensure that only authorized persons can make a modification, such modifications are executed from approved portals, and that modifications are auditable and do not obscure original information.
Data and records should be accurate, and with no errors or editing without documented amendments. Audit trails associated with a record provide the users/auditor with a history of operations and transactions affecting record content, structure, and context. All record-manipulation activities should be recorded in order to result in a higher degree of record integrity and trustworthiness. The historical account provided by the audit trail can then be configured to reconstruct preceding events and demonstrate the continuing integrity of the application’s environment.
To summarise, for enhancements to data-integrity the suggestion is to always be endeavouring to implement technological controls over procedural controls. Take advantage of the perpetually evolving technologies in this regard. Perhaps consider replacing, more and more, your manual laboratory data-entry and collection systems with robust and trustworthy electronic applications. Be sure that such electronic applications do indeed have appropriate audit trail functionality, record integrity and trustworthiness is maintained when the chain of custody moves from one system to another, and that they are specified, designed, implemented, validated and maintained correctly throughout the system lifecycle.
- Elayne Best (2015). “Data Integrity Issues – Causes and Solutions”. PDA Letter, Volume LI, Issue 4. www.pda.org
- MHRA (2015). ‘GMP Data Integrity Definitions and Guidance for Industry’. March 2015
- ISPE (2005). ‘GAMP® Good Practice Guide – A Risk Based Approach to Compliant Electronic Records and Signatures’. www.ispe.org
- PDA (2004). ‘Good Practice Compliance for Electronic Records and Signatures: Part 3 – Models for System Implementation and Evolution’. www.pda.org
- ISPE – PDA (2002). ‘Complying with 21 CFR Part 11 Electronic Records and Electronic Signatures – Part 1 – Good Electronic Records Management (GERM)’. www.ispe.org / www.pda.org
- ISPE – PDA (2001). ‘Good Practice and Compliance for Electronic Records and Electronic Signatures – Part 2 – Complying with 21 CFR Part 11 Electronic Records and Electronic Signatures”. www.ispe.org / www.pda.org
Dr. Joe Brady is the Director for Global Compliance and Validation at Zenith Technologies. He is also an assistant lecturer with the Dublin Institute of Technology (DIT), in the School of Chemical and Pharmaceutical Sciences.