Are you always ready to be inspected for Data Integrity (DI) activities in your facility? Are compliance and data integrity aspects implemented in your organization’s QMS? Are the systems in your GxP areas constantly in a validated state? Are all your colleagues trained according to the necessary prerequisites? And, most of all, how well do you establish and monitor the data integrity culture in your organization?
Although there are various types of audits and inspections, and in the current landscape there has been a shift to virtual audits, there is a trend that shows regulators are focusing increasingly on overall data governance and end-to-end data integrity. An effective implementation of compliance and data integrity aspects within your organization will assure that you pass each inspection without any hassle. Having this in place will prevent delays to the introduction of new products to the market.
To help you achieve data integrity compliance, ProPharma's created a five step plan to follow accompanied by an overview with knowledgeable background information. Read more below, or contact us to learn how we can help you develop and maintain an effective data integrity program.
The ALCOA Principle
Many of us are aware, you should always be ready for a(n) (un)planned internal or external inspection. Preparations for external audits can be done by planning ahead and conducting internal audits, to ensure that both compliance and performance are controlled, and corrective actions can be taken at an early stage for a mature data integrity governance. An established data integrity culture carried by all employees, contractors and visitors is key to being ready for all audits. This way of working ensures you and your colleagues are all prepared to face an auditor or regulator as they make their way through your facility and documentation during an audit.
So, what does it mean when data integrity is mentioned? From a mindset perspective, it can be thought of in terms of the ALCOA+ acronym and the associated principles:
| Attributable |
|
Who acquired the data or performed an action? |
| Legible |
|
Can you read and understand the data entries? |
| Contemporaneous |
|
Were records documented at the time of the activity? |
| Original |
|
Is it the first recorded observation, or a verified true copy? |
| Accurate |
|
Is the result scientifically valid and error free? |
The plus “+” behind ALCOA puts an additional emphasis on the principles and associated criteria of the data being:
| Complete |
|
All data including any repeat or reanalysis performed. |
| Consistent |
|
All elements of the analysis are date/time stamped and in the expected sequence. |
| Enduring |
|
Recorded in a permanent, maintainable form throughout its lifecycle. |
| Available |
|
For review, audit, or inspection over the lifetime of the record. |
Data integrity expectations are met if the degree to which a collection of data associated with a given (system) lifecycle sufficiently addresses all aspects of the ALCOA+ principles. When data integrity controls are in place and being monitored, it assures your data is complete and its accuracy and consistency will be guaranteed over its entire lifecycle.
Organizations must use their overall data governance program(s) to sufficiently address the applicable ALCOA+ aspects of a given data lifecycle based on the affected people, processes, and systems/technologies. One might consider a system or facility’s ALCOA+ compliance (rating) similar to a FICO (Fair Isaac Corporation) credit score.
If your data falls short of these ALCOA+ expectations (e.g., after an inspection or gap assessment), you have encountered a data integrity issue and facing potential warning letter for it. This issue can be a situation or event that could cause, or is evidence of potentially false, misleading, inaccurate, or incomplete data and/or documentation.
Data integrity issues have serious consequences for your facility, compromising your company’s legal status and/or even leaving you vulnerable to lawsuits. Government agencies actively conduct audits more and more on this topic and enact fines related to data integrity issues.
Data integrity and compliance are entangled to such an extent that good data integrity management has become an important component of the pharmaceutical industry’s responsibility. It’s being integrated not only in the companies Quality Policy statement, but also in the legal framework to ensure patient safety and also the efficacy and quality of medicines and/or medical devices. Because of this, it should be firmly embedded in your QMS and all people involved should be trained accordingly.
5 Step Plan for Data Integrity Compliance
With the foundations of data integrity in mind, here are 5 steps you can take to achieve and maintain data integrity compliance.
- Create Awareness
In the pharmaceutical industry, training of all personnel is key and an understanding of data integrity principles and issues should be included in training formats. If your personnel are trained adequately, they’ll be able to identify possible data integrity issues while performing their own assigned tasks and duties; use this to your advantage to identify and correct potential issues before they are discovered in an audit situation. These training sessions should be documented in a training record and stored correctly so they can be presented to the inspectorate if necessary. Besides training the company as a whole, the data integrity culture should be embedded in the basic quality vision of the company.
- Classify Your Data
Data can be classified by levels of sensitivity, value, and criticality regarding your processes and products. This classification of your data will help you to determine baseline security controls for the protection of your data. For example, confidential data is a generalized term that typically represents data classified as restricted to authorized persons only. This term is often used interchangeably with sensitive data. The way that your company classifies data should be documented in the Quality Management System (QMS).
- Keep Track of Data Flows
Keep in mind that all your activities regarding data handling in a controlled data lifecycle environment must cover the following aspects:
- Creation or recording of GxP information
- Collecting, processing and transferring data
- Data use, reporting, replicating, and distribution
- Data retention (including archiving), backup, restoration, obsoleting, and retirement
This list for data management and GxP records is applicable to all personnel involved in e.g, research, design and development, sourcing, production, testing, retention, shipping, distribution, installation, service, marketing, and postmarket surveillance of any regulated product. Data flows should be defined early on and starting at a high level in system-specific requirements, then further detailed, verified, and supported through the applicable system development lifecycle validation and ongoing maintenance and review processes.
You always need to be able to reconstruct a complete data roadmap of a drug or medical device’s history and you’re accountable to be able to resolve who has contributed what to which activity where and when.
- Implement Access Controls
Working with a computerized system in a controlled environment forces you to have access controls and audit trails (technical measures) in place. This is to ensure that only authorized people can log in with their credentials using only the role(s) there have been assigned. This role is assigned based on personal training and the level of activities to be performed in the system. To ensure access can be granted correctly, appropriate policies, procedures, and controls need to be integrated in the QMS to remain compliant with the applicable legal requirements.
Once logged into the system, the software should have an up-to-date audit trail which is basically a chronological record of activities performed in the system. It’s considered sufficient when you’re able to reconstruct, review, and examine the sequence of activities surrounding or leading to each event from inception to the final output.
An audit trail review needs to be performed on a regular basis. So, what does that mean for your facility? You need to arrange for a periodic assessment that should include a sample of relevant audit trails, raw data, and metadata as part of self-inspection to ensure ongoing compliance with relevant policies and procedures. The way of performing the assessment should be written down in a work instruction which is maintained in the QMS.
- Prepare for Inspections
Ideally, you should have a stable situation in your facility where a complete QMS integrated with DI controls, containing work procedures, describes and guides all your processes. By having this QMS in place, trained personnel create various integer deliverables according to predefined processes. And the inspection should only be a confirmation of this.
Closing
Obviously, nobody’s perfect and probably no QMS is either. With this in mind, it’s encouraged to demonstrate that you have remedied possible data integrity issues. This is achievable by the expert advice of a third-party auditor to determine the scope of the problem, executing a gap assessment, and by implementing a corrective action plan. This yields extra confidence that you are proactively closing gaps in processes related to your facility, equipment, personnel, or procedures.
Consider this takeaway:
After an inspection or mock inspection, analyze the results. Frequently, deficiencies relating to data integrity are the ones leading to GxP non-compliance. Subsequently, data integrity is far from only being an IT-related topic; it includes all handling of information in GxP environments. Every change to data must be initialed and dated by an authorized person, and the reason for change needs to be clear. The original data has to stay legible despite all changes performed, for both paper documentation and electronic records.
Get Expert Guidance Creating and Implementing a Plan to Achieve Mature Data Integrity Compliance
If you have questions about data integrity in your organization, contact us to discuss how we can help implement or maintain a compliant, efficient program to fit your unique needs.
This blog contains information derived from the following documents:
- Data Integrity and Compliance with Drug CGMP Q&Q Guide
- ISPE GAMP RDI Good Practice Guide: Records and Data Integrity
- ISPE GAMP RDI Good Practice Guide: Data Integrity – Key Concepts
- ISPE GAMP RDI Good Practice Guide: Data Integrity – Manufacturing Records
