WHITE PAPER www.vaisala.com Managing GxP Environmental Systems to Ensure Data Integrity In this paper, we provide some history of data management for life science systems and an overview of new regulatory expectations, including changes to guidance. We then offer eight recommendations for establishing and maintaining good practices for data integrity. More than Bytes and control strategies available Thanks to the publication of and Signatures for compliant data management, enforcement actions such as GMP pharmaceutical companies can find non-compliance reports, warning As efforts to ensure the quality and change hard to achieve, both in terms letters, import alerts, and notices, it’s safety of drugs increase, so does the of updating systems and behavior. evident that regulators are targeting amount of data generated by those data integrity failures during efforts. As a result, global regulatory inspections. Subsequent enforcement scrutiny over the last few years has Enforcement Action actions have led to the withdrawal turned to providing guidance on on Data of supply across multiple markets, preserving data quality. Throughout product recalls, consent decrees and Data integrity requirements have the life science industries — reputational damage for the firms been addressed in the FDA’s Title pharmaceutical research, involved. With increased targeting 21 CFR Part 11 and the EU's GMP manufacturing, medical devices of data integrity from regulators, it is Eudralex Volume 4, Chapter 4 and and biotechnology — guidance and now crucial that everyone involved in Annex 11. This is so far unchanged. regulatory enforcement strategies GxP-regulated activities understand However, with increasing automation are being re-evaluated with a focus correct data management practices. based on computerized systems, as on data integrity. With increasing well as the globalization of operations awareness among inspectorates of and the increasing cost of bringing problems inherent to data collection products to market, new guidance and storage, there comes increased was needed to clarify regulatory awareness of gaps between industry expectations around the creation, practice and existing technology. handling and storage of data. Although there are solutions Principles and Practice The acronym ALCOA is used by the FDA, MHRA, and the World Health Organization to outline expectations on records, including paper-based, Data integrity means that all data electronic, and hybrid (systems that use both paper and electronic records). collected and stored must be correct, ALCOA is a useful guide to remembering key points of data management for GxP traceable and reliable. In the UK the compliance. ALCOA means: Medicines and Healthcare products Regulatory Agency (MHRA) defined data integrity in their 2015 document: “MHRA GMP Data Integrity Definitions A = Attributable to the person generating the data and Guidance for Industry” as the L = Legible and permanent extent to which all collected data are = Contemporaneously recorded “complete, consistent and accurate C throughout the data lifecycle.” O = Original or a true copy A = Accurate For their 2016 draft guidance for industry “Data Integrity and Compliance with CGMP” the FDA The WHO added some extra definitions to ALCOA in their document “WHO defines it as: “…the completeness, Technical Report Series 996 Annex 5*, Guidance on good data and record consistency, and accuracy of data. management practices” expanding the acronym to ALCOA+. In addition to Complete, consistent, and accurate original emphasis of ALCOA principles, the “+” includes the attributes of being data should be attributable, legible, complete, consistent, enduring and available. contemporaneously recorded, original or a true copy, and accurate (ALCOA).” Thus, ALCOA+ is now the goal for every piece of information that can impact the purity, efficacy and safety of products, and the standard by which data will Full documents: MHRA GMP Data Integrity be evaluated. In practice it means that companies must maintain control over Definitions and Guidance for Industry* and intentional and unintentional changes to data, including the prevention of data Data Integrity and Compliance with CGMP* loss or corruption. Data Management However, a review of enforcement actions proves that many companies are Challenges misinterpreting guidance. Other industry stakeholders try to help with more explicative documents. For instance, the European Compliance Academy (ECA) Regardless of the methods of published an article specifying data integrity failures that caused one German gathering and storing data — manual, company to receive an FDA Warning Letter. Observations included: automatic or a combination — there ▪ Failure to exercise sufficient controls over computerized systems to prevent are opportunities for failure. Manual unauthorized access or changes to data, and to provide controls to prevent processes entail obvious points omission of data. of possible failure: operators can The computerized system lacked access controls and audit trail capabilities. forget to record information, record ▪ incorrect values, lose records, or ▪ All employees had administrator rights and shared one user name. even intentionally falsify data. The ▪ Electronic data could have been manipulated or deleted without traceability. risks with computerized systems ▪ Raw data were copied to a CD and then deleted from the hard drive. Data are more technical. For both copied were selected manually without assurance that all raw data was copied manual and automated methods, before being permanently deleted. regulatory agencies have described the regulatory expectations in their Each of these deviations could have been addressed by systems and methods guidelines and draft documents. including: ▪ Unique usernames and passwords Full document: WHO Technical Report ▪ An inerasable audit trail or event log Series 996 Annex 5, Guidance on good data and record management practices* ▪ Separate administrator and user access rights ▪ Good standard operating procedures (SOPs) Oversight and regular review of processes * See references at the end of this paper for links to sources. ▪ From Principles to Practicable There are seven functions and knowledge areas touched upon consistently in regulations and guidance on data integrity. Here we review these key areas, focusing on how they are applied to environmental monitoring applications. Quality Risk Management1 Personnel2 Documentation ▪ Understand the potential ▪ Document and communicate ▪ Implement Good impact of all data on product roles and responsibilities. documentation practice quality and patient safety. ▪ Provide technical support for (GdocP) in all written ▪ Understand the basic systems administration. documents and SOPs. technologies used in your ▪ Assign responsibility for data ▪ Refer to relevant regulations data processes, and their throughout its entire lifecycle. when creating and reviewing inherent limitations. documents. For example, ▪ Encourage a workplace culture CFR Title 21, Part 211 “Current ▪ Implement systems that that supports issue reporting. provide an acceptable state Good Manufacturing of control that is matched to ▪ Implement systems that Practice for Finished process criticality and risks. can identify and minimize Pharmaceuticals” Subpart J - potential risks. Records and Reports. ▪ Identify and document points of risk for unauthorized ▪ Create behavioral controls for deletion or amendment, as well personnel, procedural controls as opportunities for detection for processes, and technical Data Life Cycle through routine reviews. controls for technologies. Implement change Schedule and perform Reward proper conduct and ▪ ▪ ▪ management and control of periodic risk assessments. analyze the root causes of compliance failures in order to incidents and deviations. Provide training to ensure you ▪ fix them systemically. Ensure corrective and are using existing technologies ▪ preventive action (CAPA) to their full potential. ▪ Authorize individuals and grant appropriate privileges processes and procedures are for each system. in place. Audits & Internal Inspections3 Training Vendors/Providers ▪ Create detailed review ▪ Provide regular training, and ▪ Ensure providers have qualified processes for inspection document training completion and trained personnel. including personnel identities findings, non-compliance Review providers’ quality and dates. ▪ reports, and Warning Letters. management systems. Ensure training is matched ▪ Perform routine in-house data ▪ Note compliance to standards to different roles involved ▪ audits, including: audit trails, such as ISO 9001, or ISO 17025. raw data and metadata, and with data, including quality original records. assurance, quality control, ▪ Perform regular checks production and management. of providers’ systems ▪ Schedule regular spot-checks and services; audit where Store training documentation of system user access rights. ▪ necessary and/or allowable. where it is quickly retrievable Report audit results to senior ▪ by those involved with Review contracts, technical management and other ▪ regulatory and 3rd party agreements, quality relevant stakeholders. inspections. agreements. 1 A key document in this area is ICH Q9. This guideline from the ICH Expert Working Group provides a methodology for a risk-based approach to data management, including recommendations. See references at the end of this paper for links to sources. 2 Personnel management directs and controls how companies function