Data Integrity for Computerized Systems in Gxp Regulated Applications
Total Page:16
File Type:pdf, Size:1020Kb
White Paper www.vaisala.com Managing GxP environmental systems to ensure data integrity In this paper, we provide an overview of data management best practices for life science systems and an overview of regulatory expectations. We offer eight recommendations for establishing and maintaining good practices for data integrity. More than Bytes management, companies can find Thanks to the publication of and Signatures changes hard to implement in terms enforcement actions such as GMP of updating systems and behavior. non-compliance reports, warning As efforts to ensure the quality and letters, import alerts, and notices, safety of drugs increase, so does it is evident that regulators are the amount of data generated by Data integrity: targeting data integrity failures those efforts. Over the last few Related regulations during inspections. Subsequent years, global regulatory scrutiny has turned to providing guidance Data integrity requirements are enforcement actions have led to on preserving the integrity of data. core elements of basic GMPs, and the withdrawal of supply across Throughout life science industries are broadly addressed in the FDA’s multiple markets, product recalls, — pharmaceutical, medical devices, Title 21 CFR Part 11 and the EU's consent decrees, and reputational and biotechnology research and GMP Eudralex Volume 4, Chapter damage for the firms involved. production — regulatory guidance 4 and Annex 11. However, with With increased targeting of and enforcement strategies are data integrity from regulators, being re-evaluated with a focus increasing automation based on it is now crucial that everyone on data integrity. With increasing computerized systems, as well as involved in GxP-regulated awareness of data collection and the globalization of operations storage, there comes increased and the increasing cost of bringing activities understand correct data awareness of gaps between products to market, new guidance management practices. industry practice and existing was needed to clarify regulatory technology. Although there are expectations around the creation, new strategies available for data handling, and storage of data. Principles and Practice The acronym ALCOA is used by the FDA, MHRA, the World Health Organization and others to outline expectations on records, including In essence, data integrity means paper-based, electronic, and hybrid records (systems that use both paper that data collected and stored and electronic records). ALCOA is a useful guide to remembering key must be original, complete and points of data management for GxP compliance. ALCOA stands for: traceable. Several regulatory agencies have defined the term “data integrity.” In the UK, the Medicines and Healthcare A = Attributable to the person generating the data products Regulatory Agency = Legible and permanent (MHRA) defined data integrity L in their 2015 document: “MHRA C = Contemporaneously recorded GMP Data Integrity Definitions O = Original or a true copy and Guidance for Industry” as the degree to which all collected A = Accurate data are “complete, consistent, accurate, trustworthy, reliable… throughout the data lifecycle.” The WHO added some extra definitions to ALCOA in their working document “Guideline on data integrity” expanding the acronym to For their 2016 draft guidance ALCOA+. In addition to original emphasis of ALCOA principles, the “+” for industry “Data Integrity and highlights the importance of the attributes of being complete, consistent, Compliance with CGMP” the enduring and available.* FDA defines data integrity as: “… the completeness, consistency, Thus, ALCOA+ is now the goal for every piece of GMP information – and accuracy of data. Complete, information that can impact the purity, efficacy, and safety of products. consistent, and accurate data ALCOA+ is the standard by which data integrity is evaluated. In practice, should be attributable, legible, this means that companies must maintain control over all intentional and contemporaneously recorded, unintentional changes to GMP data, including the prevention of data loss original or a true copy, and or corruption. accurate (ALCOA).” Data Management A review of enforcement actions ▪ Electronic data could have been Challenges proves that many companies manipulated or deleted without are misinterpreting guidance traceability. Regardless of the methods used to documents. Other industry gather and store data — manual, stakeholders try to help with ▪ Raw data were copied to a CD automatic, or a combination — more explicative documents. For and then deleted from the hard there are always opportunities for example, the European Compliance drive. Data copied were selected failure. Manual processes entail Academy (ECA) published an manually without assurance that obvious points of possible failure: article specifying data integrity all raw data was copied before operators can forget to record failures that caused one company being permanently deleted. information, record incorrect to receive an FDA Warning Letter. values, lose records, or even Observations included: Each of these deviations could intentionally falsify data. The risks have been addressed by systems Failure to exercise sufficient associated with computerized ▪ and methods including: controls over computerized systems are more technical. For systems to prevent unauthorized Unique usernames and passwords both manual and automated ▪ access or changes to data, and methods, regulatory agencies ▪ A durable and inerasable audit to provide controls to prevent have described the regulatory trail or event log omission of data. expectations in their guidelines ▪ Separate administrator and user and draft documents. ▪ The computerized system access rights lacked access controls and audit trail capabilities. ▪ Good standard operating * See also: WHO Technical Report procedures (SOPs) 996, Annex 5, “Guidance on good ▪ All employees had administrator data and record management rights and shared one user name. ▪ Oversight and regular review of practices” processes Key areas of data integrity control There are seven functional areas consistently mentioned in regulations and guidance on data integrity. Here we review these key areas, focusing on how they apply to environmental monitoring applications. Quality Risk Management1 Personnel2 Documentation ▪ Understand the potential ▪ Document and communicate ▪ Implement and require Good impact of all data on product roles and responsibilities. Documentation Practice quality and patient safety. (GDocP) in all written ▪ Provide technical support for documents and SOPs. ▪ Understand the basic systems administration. technologies used in your Follow relevant regulations data processes, and their Assign responsibility for data ▪ ▪ when creating and reviewing inherent limitations. throughout its entire lifecycle. documents. For example, ▪ Implement systems that ▪ Encourage a workplace culture CFR Title 21, Part 211 “Current provide an acceptable state that supports issue reporting. Good Manufacturing Practice of control that is matched for Finished Pharmaceuticals” to risks and criticality of the ▪ Implement systems that Subpart J - Records & Reports. process in question. can identify and minimize potential risks. ▪ Identify and document points of risk for unauthorized ▪ Create behavioral controls for or untraceable deletion personnel, procedural controls Data Life Cycle or amendment, as well as for processes, and technical opportunities for detection controls for technologies. ▪ Implement change through routine reviews. management and control of Analyze the root causes of Schedule and perform periodic ▪ incidents and deviations. ▪ compliance failures in order to risk assessments as technology fix them systemically. and processes change. ▪ Ensure corrective and preventive action (CAPA) Provide technology training to Authorize appropriate access ▪ ▪ processes and procedures. ensure existing technologies privileges for each system. are used to their full potential. Training Vendors/Providers Audits & Internal Inspections3 ▪ Provide regular training, and ▪ Ensure providers have qualified ▪ Create detailed review document training completion and trained personnel. processes for inspection including personnel identities findings, non-compliance and dates. ▪ Review providers’ quality management systems. reports, and Warning Letters. ▪ Ensure training is matched ▪ Perform routine in-house data to different roles involved ▪ Note compliance to standards audits, including: audit trails, with data - including quality such as ISO 9001, or ISO 17025. raw data and metadata, and assurance, quality control, ▪ Perform regular checks original records. production and management of providers’ systems ▪ Schedule regular review of - with an emphasis on Good and services; audit where system user access rights. Documentation Practices. necessary and/or allowable. Report audit results to senior ▪ Store training documentation ▪ Review contracts, technical ▪ where it is easily retrievable by management and other agreements, and quality those involved with regulatory relevant stakeholders. agreements. and 3rd party inspections. 1 A key document in this area 2 Personnel management directs 3 If a hybrid system is in use is ICH Q9. This guideline from and controls how companies (both paper and electronic data the ICH Expert Working Group function to achieve business goals. are generated), the original data provides a methodology for Focusing on personnel ensures should also be checked routinely a risk-based