David Thompson of Clarity Compliance Solutions Ltd explains why data integrity is not just about data risk assessments.
The issue of data integrity (DI) has now been with us for several years, since regulatory bodies such as the Medicines and Healthcare Products Regulatory Agency (MHRA), the US Federal agency the Food and Drug Administration (FDA), the World Health Organization (WHO) and the European Medicines Agency (EMA), to name just a few, started to raise concerns with the industry in 2011/12. Following on from that, they issued draft guidelines and, more recently, more formalised ones. In March this year the MHRA issued its ‘GXP Data Integrity Guidance and Definitions’ [1]. This new guidance has formally extended the data integrity issue into the good clinical practice (GCP), good laboratory practice (GLP), good distribution practice (GDP) and good pharmacovigilance practice (GPvP) areas, which had only been inferred previously.
The world of data integrity is becoming clearer from a regulatory perspective, but there is still considerable variation and inconsistency in how, and how effectively, companies are implementing data integrity in their organisations.
This article captures some of the common findings made while providing data integrity consultancy, training, auditing and project/programme support for a wide variety of impacted GCP, GLP, GDP and GPvP as well as good manufacturing practice (GMP) organisations, and concludes with recommendations for enhancing existing data integrity programmes.
Taking a project/programme approach
The data integrity activity at several of the companies encountered could only be described as ‘uncontrolled, sporadic activity being delivered by untrained people using inconsistent and unapproved methodologies’, which is exactly the opposite of what is needed. While this may well be the extreme, it does highlight the issue.
Taking a programme approach with clear strategic objectives, supported by a well-thought-out project plan, is essential. The plan should cover the activities for creating a robust, governance-led, approved framework of standard operating procedures (SOPs) and template work instructions (WIs) within which to carry out the data integrity assessment of existing systems and the associated gap analysis and remediation activities. It should also include components to build DI into the fabric of the organisation – from new projects to system retirements, ongoing audit activities and development of repeatable DI training.
The objective is to create a description statement of ‘a well-structured and controlled programme being delivered by trained people using well thought through approved methodologies, supported by a company data governance committee’.
Focus on all systems – not just existing legacy systems
A good proportion of companies are focusing their DI activities primarily on the existing systems in their labs, manufacturing and warehousing areas. While these may represent a high proportion of systems, new systems and systems from third-party suppliers also need to be considered.
All the while DI assessments are being carried out, new systems are being implemented which may be non-compliant. As such it is imperative to incorporate controls for new project implementation and even controls within the purchasing departments to prevent systems being purchased and implemented without DI ‘design’ assessments being completed.
The regulatory frameworks and associated guidance expect that, where third-party suppliers are used in a good practice (GxP) environment, companies verify the adequacy of comparable systems, i.e. audit the suppliers’ systems for DI.
There is a varying response from companies in this area, but once again the challenge is to implement robust, repeatable processes that are defendable. Can you answer the five simple questions below?
- Do you use third party GxP suppliers – Yes/No?;
- Who are they – can you provide a list?;
- Have you audited them for data integrity – Yes/No?;
- What were the findings and how are you managing the actions?; and
- When are you going back? – audit schedule.
A recently issued FDA 483 highlights the risk of relying on supplier PDF Certificates of Analysis (COAs): the citation read that the four COAs in question were created ‘BEFORE the batch was made…’.
New roles and responsibilities
New roles have been introduced in the various guidance from Good Automated Manufacturing Practice (GAMP) and the Pharmaceutical Inspection Co-operation Scheme (PIC/S) to provide clear responsibility for key activities supporting DI. Examples of these roles are:
- Data integrity owner;
- Data integrity subject matter expert;
- Process owner;
- System owner;
- Data owner;
- Data custodian; and
- Data steward.
And these are in addition to other roles such as:
- Data integrity programme manager; and
- Data integrity assessment leader.
Companies have struggled to make changes to their organisational structure, allocate the new roles and responsibilities, develop and deliver appropriate training for the new roles and carry out associated and necessary human resources consultation or change processes.
Such major changes in roles and responsibilities are a challenge to provide training for – how do you develop and implement training for roles and responsibilities that are new to you and in which you yourself aren’t trained?
As part of the programme approach, it’s important to build in an appropriate training programme for these roles that can be delivered as:
- Classroom/hands on training – for DI programmes and DI practitioners;
- SOP/WI read and understood training – for direct impacting roles; and
- Online – an introduction to data integrity – is ideal for training the masses and avoiding the logistical challenges of training several hundred people face to face.
Behavioural and organisational culture
Increasingly important to the regulators is building an open, quality-focused behavioural and organisational culture in which DI and all other processes can operate.
From the outset of DI-related issues first being raised in the Far East, a negative quality and oppressive culture was seen to be the cause of many DI issues. The majority of companies encountered are looking at this, but not with any real drive or focus.
However, it is essential to build an environment which, from an individual perspective, removes the fear of failure (or indeed the failure of others – since it’s not the lab analyst’s fault the batch is out of specification), and which, from an organisational perspective, makes clear that raising quality issues or failures will have no bonus- or career-impacting outcomes.
It is worth reminding staff that DI issues can impact human life in the case of both bad and good quality product:
- The impact of a bad product or batch with poor quality (underdose or overdose of active ingredient) or contamination caused by DI issues can directly impact human life; and
- The impact of a good product or batch that is prevented from being released because of DI issues in the master batch record (MBR) will also impact human life as the drug will not be available.
Data integrity recommendations
- It is essential that a major thread of the DI programme is focused on ‘it’s all about the patient’. It might not be the easiest element to detail but there are many different ways of delivering this: appropriate organisational incentives for raising quality issues; DI programme progress reporting, training, and video etc.
- From conception to delivery look at DI as a project or programme that has a design phase, an implementation/execution phase and, importantly, an ongoing operational phase. Ensuring that these phases are thought about correctly will help ensure DI is built into the fabric, and embedded into every facet, of the organisation on an ongoing basis. It is not just a legacy systems activity. It needs to fall into the same mindset as riding a bike or driving a car – we do it without thinking. If we can achieve this, we hit our goal.
- Irrespective of the size of the organisation, or the industry sector (GMP/GCP/GLP/GPvP), it will be highly beneficial to have the DI programme audited by an external expert. Asking internally how to present the DI programme will help prepare not only for an external auditor but also for regulatory audit or client audit. Regulatory audits may have findings, but client audits may have immediate positive revenue impact (we like what we see) or negative (we don’t like what we see – let’s walk away). Any findings from the external audit can be rolled back into the DI programme, so there is an ongoing improvement process on the effectiveness of the DI programme and the way it is presented at audit.
1. MHRA GXP Data Integrity Guidance and Definitions, March 2018
The author is a member of the GAMP Data Integrity Special Interest Group and the GAMP MES Special Interest Group, and a contributory author on the upcoming GAMP DI GPG Retention, Recovery, Retrieval, and Retirement Guide. He has been providing data integrity training, consulting and auditing to regulated companies for a number of years.