Should Data Integrity Detection be a Part of Routine cGMP Training Programs?

The FDA’s focus on data integrity in recent years has proven that it remains an industry issue. The focus has resulted in significantly increased issuance rates of 483 observations, warning letters, and consent decrees. Regulatory agencies, such as the FDA, rely on data to ensure the safety and efficacy of drug products—and this data must be beyond question. Data integrity violations erode public confidence, impugn product quality, and can devastate implicated organizations. Violations undermine the very essence of the FDA’s mission of protecting public safety and can destroy public trust in the regulatory industry.

The data integrity stakes are high and it begs the question: Should not only data integrity principles and requirements, but also training regarding the detection of data integrity breaches within an organization, be a part of routine cGMP training? According to an April 2016 FDA draft guidance document, “Data Integrity and Compliance with cGMP,” the answer is yes. The draft guidance document states:

Training personnel to detect data integrity issues is consistent with the personnel requirements under sections 211.25 and 212.10, which state that personnel must have the education, training, and experience, or any combination thereof, to perform their assigned duties.

Furthermore, senior management, at the local and corporate levels, is responsible for assuring that strict corporate standards, procedures, resources, and communication processes are in place to detect and prevent breaches in data integrity and that such significant issues are identified, escalated, and addressed in a timely manner. So, in addition to staff, senior management must be trained to understand data integrity issues as well.

It is also worth noting that FDA investigators receive specialized training to detect data integrity, data manipulation, and fraud. Objectionable FDA inspection findings may result in the following:

• Recalls
• Warning letters
• Import alerts
• Application withdrawals
• Injunctions, seizures, and/or criminal prosecutions
• Civil penalties
• Debarment from participating in certain FDA-regulated activities

Data integrity nonconformance may occur intentionally and be pervasive in some organizations; however, other organizations’ quality management systems (QMS) may not be designed properly to adopt a data lifecycle approach and be able to control accordingly. Intentional or not, common data integrity issues include, but are not limited to:

• Mismanagement of electronic data allows unauthorized changes, as digital computer folders and files could be easily altered or deleted
• Data deleted or altered, with no audit trails
• Backdating (non-contemporaneous record-keeping)
• Rewriting or destroying lab notebooks
• Password sharing
• Selection of only passing results from HPLC and GC (gas chromatography) data, while failing test results are disregarded, ignored, and not investigated—this practice is likely during the testing of raw materials, finished drug release, and stability studies

To protect itself from data integrity vulnerability, the QMS must include procedures to ensure control of data over its entire lifecycle (the lifecycle consisting of data creation, active data usage, semi-active data usage, and archival). For example, in the data creation phase, an organization needs to be able to answer the following questions:

• Have personnel been trained on good documentation and good data integrity practices?
• How does the organization ensure that analysts enter ALL test data, not just the passing test results?
• For transcribed data, what verification processes are in place?
• When data is scanned, how does the firm ensure the evidentiary admissibility of the scan (e.g., “certified or true copy”)?

These questions are but a handful of those that need to be asked. Data integrity auditing should be deployed at the same or greater level (depending on risk) as any other quality system component or subsystem.

ProPharma Group has the experience and expertise to assess and, where applicable, improve your organization’s data integrity-related risk, including ensuring that personnel are effectively trained to detect the presence of data integrity issues.