Data Integrity and Compliance: A Primer for Medical Product Manufacturers
Ebook, 405 pages, 4 hours


About this ebook

Data integrity is a global mandatory requirement for the regulated healthcare industry. It is more than a mere expectation; it's a basic element of good documentation practices, one of the most fundamental pillars of a quality management system. Robustness and accuracy of the data submitted by manufacturers to regulatory authorities when bringing a medical product to market are crucial.
The purpose of this book is to consolidate existing data integrity principles and expectations from several regulatory sources, including the U.S. Food and Drug Administration, World Health Organization, and European Medicines Agency, into a single and handy document that provides detailed, illustrative implementation guidance. It serves as a means of understanding regulatory agencies' position on good data management and the minimum expectation for how medical product manufacturers can achieve compliance.
Language: English
Release date: May 8, 2019
ISBN: 9781951058487
Author

José Rodríguez-Pérez

Dr. José (Pepe) Rodríguez-Pérez is the president of Business Excellence Consulting Inc. (BEC), a Puerto Rico-based global consultant, training, and remediation firm in the areas of regulatory compliance, risk management, and regulatory training in the FDA-regulated sector. He’s also president of BEC Spain. Dr. Rodríguez-Pérez is a biologist and earned his doctoral degree in biology from the University of Granada (Spain). He served as professor and director of the Microbiology Department at one of the Puerto Rico schools of medicine, and he also served as Technical Services manager at a manufacturing plant of Abbott Laboratories in Puerto Rico. From 2003 to 2012, he was professor for graduate studies of the Polytechnic University of Puerto Rico, and he served as a Science Advisor for the FDA from 2009 to 2011. Dr. Rodríguez-Pérez is a senior member of ASQ, as well as a member of AAMI, ISPE, PDA, and RAPS. He is an ASQ-certified Six Sigma Black Belt, Quality Manager, Quality Engineer, Quality Auditor, Quality HACCP Auditor, Biomedical Auditor, and Pharmaceutical GMP Professional. He is also the author of the best-selling books CAPA for the FDA-Regulated Industry, Quality Risk Management in the FDA-Regulated Industry, The FDA and Worldwide Current Good Manufacturing Practices and Quality System Requirements Guidebook for Finished Pharmaceuticals, Human Error Reduction in Manufacturing, and Data Integrity and Compliance, all available from ASQ Quality Press. Contact Dr. Rodríguez-Pérez at pepe.rodriguez@bec-global.com.


    Book preview

    Data Integrity and Compliance - José Rodríguez-Pérez

    Preface

    In recent years, there has been a dramatic increase in the number of U.S. Food and Drug Administration (FDA) warning letters, World Health Organization (WHO) notices of concern, and European Medicines Agency (EMA) statements of noncompliance in which false or misleading information has been identified during regulatory inspections. Failure to properly manage data integrity in regulated healthcare industries applies equally to paper and electronic data. It can arise either from poor systematic control of the data management systems due to a lack of knowledge, careless work, or intentionally hidden, falsified, or misleading data. This is troubling because ensuring data integrity is a critical component of the industry’s responsibility to ensure the safety, efficacy, and quality of medical products, and of regulators’ ability to protect the public health. In the case of the U.S. FDA, these data integrity–related current good manufacturing practice (cGMP) violations have led to numerous regulatory actions, including warning letters, import alerts, and consent decrees.

    In the medical product manufacturing field, data integrity lapses are not limited to fraud or falsification. They can be totally unintentional and still pose risk. Therefore, any potential for compromising the reliability of data is a risk that must be identified and understood in order to put appropriate controls in place to manage it.

    Data integrity is a global mandatory requirement for the regulated healthcare industry. It is more than a mere expectation. It is also a basic element of good documentation practices, one of the most fundamental pillars of quality management systems (QMSs), including cGMP. Developing and bringing a medical product to market involves different players and activities; therefore, robustness and accuracy of the data submitted by manufacturers to regulatory authorities is crucial. The data must be comprehensive, complete, accurate, and true to ensure the quality of studies supporting applications for medical products to be placed on the market.

    The purpose of this book is to consolidate existing principles and expectations from several regulatory sources into a single and handy document providing detailed illustrative implementation guidance. It must be considered as a means of understanding comprehensive regulatory agencies’ position on good data management/data integrity and the minimum expectation on how medical product manufacturers can achieve compliance.

    Sources of principles and expectations for data integrity used in this book were the following: EMA Questions and Answers: Good Manufacturing Practice-Data Integrity (2016), WHO Guidance on Good Data Management and Record Management Practices (2016), U.S. FDA Guidance for Industry on Data Integrity and Compliance with cGMP (2018), Pharmaceutical Inspection Co-operation Scheme (PIC/S) Draft Guidance Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments (2018), and the UK Medicines and Healthcare Products Regulatory Agency (MHRA) GXP Data Integrity Definitions and Guidance (2018).

    I would like to acknowledge the tremendous job performed by authors and reviewers from the above-mentioned FDA, EMA, MHRA, PIC/S, and WHO guidance documents. All of you are doing a terrific job developing meaningful expectations and requirements that contribute to the availability of safer medical products.

    Although the above-mentioned guidance documents used the word "should" (as they contain mostly nonbinding recommendations rather than regulations) when referring to good data management and data integrity expectations, I used the much stronger word "must" to denote the obligation to perform such activity in order to establish effective data management controls and to avoid problems during regulatory inspections.

    Regulatory expectations are that all data be reliable and accurate and good data management practices apply to all elements of the medical product manufacturing quality systems. Table 4.1 depicts the U.S. FDA § 21 Code of Federal Regulations (CFR) part 211 cGMP requirements for attributable, legible, contemporaneous, original, and accurate (ALCOA) data. While some of the requirements are fully explicit (for example, § 211.110 or § 211.160 requirements for contemporaneous recording of data), others are more implicit. But all of them are requirements. Table 4.2 includes similar EU EudraLex Volume 4 cGMP requirements.

    This book focuses on the application of data management principles and procedures to the manufacturing of medical products, covering the whole supply chain, from suppliers of raw materials and components to the distribution of finished products and pharmacovigilance activities. The focus is on those principles that are implicit in existing guidance documents and regulations and that, if not robustly implemented, can impact reliability and completeness of data and undermine the robustness of decision making based upon those data. Illustrative examples are provided as to how these principles may be applied to current situations. Additionally, it gives explanations as to what these high-level requirements mean in practice and what must be demonstrably implemented to achieve compliance.

    The scope of this book is designated as GXP in that everything contained here is good practice (GXP) unless stated otherwise. The same good documentation practices (GDocPs) apply to manufacturing (GMP), clinical (GCP), laboratory (GLP), distribution (GDP), pharmacovigilance, and so on.

    The recommendations contained in this book apply equally to all types of data (paper, electronic, hybrid, and so on) and to all types of regulated products (pharmaceutical, medical devices, veterinary, cosmetics, food, and dietary supplements). All of them must abide by the same rules regarding completeness, consistency, and accuracy of data. Other activities such as clinical trials must also adhere to those rules.

    This book aims to promote a risk-based approach to data management that includes data risk, criticality, and life cycle. Readers of this book need to understand their data processes (as a life cycle) to identify data with the greatest GXP impact. From that, the identification of the most effective and efficient risk-based control and review of the data can be determined and implemented.

    The introductory content of Chapter 1 presents the basic principles and expectations of good documentation practices and data integrity, including definitions of key terms and the introduction to the ALCOA and ALCOA+ principles.

    Chapter 2 includes a very comprehensive primer on good documentation practices/data integrity for paper records, with most of the concepts equally applicable to electronic documentation.

    Chapter 3 covers the expectations and examples of risk management considerations for the implementation of ALCOA principles in paper-based and electronic systems.

    Chapter 4 discusses the regulatory expectations about good data management practices. It includes U.S. FDA as well as EU, UK, and global guidance documents such as those from WHO, PIC/S, and ISO 13485.

    Chapter 5 discusses the consequences of lack of integrity, with comprehensive discussions of the FDA’s debarment and disqualifications lists.

    Chapter 6 covers data life cycle, one of the most critical concepts associated with good data management and data integrity.

    Chapter 7 discusses some examples of how good data management and data integrity must be integrated into the quality management system to ensure that manufacturers provide safe and efficacious medical products.

    Chapter 8 presents a summary of how good documentation practices and data integrity are an intrinsic component of good clinical data.

    Chapter 9 is probably one of the most important parts of this book. This chapter describes the key elements to prevent data integrity problems, including the implementation of an adequate quality culture.

    Chapter 10 describes the primal concept of data governance and how to self-inspect good data management/data integrity principles as part of our quality management control program.

    Chapter 11 discusses training program requirements associated with good data management practices and data integrity.

    Chapter 12 discusses the critical element of how to investigate data integrity issues and how and when to disclose information about this to regulatory authorities.

    Chapter 13 covers the impact of data integrity on the supply chain, including the requirements of clear expectations for data management with suppliers and the strategies to assess it.

    Chapter 14 covers the principles associated with maintaining data integrity when using electronic data across the entire life cycle.

    The book includes three appendices. Appendix A depicts significant examples of FDA enforcement related to good data management/data integrity. Appendix B describes the content of a three-day data integrity certification course developed by our company. This course is being taught worldwide to regulated companies willing to develop an internal cadre of subject matter experts on this critical topic. Appendix C contains more than 100 ALCOA auditing/assessment questions for both paper and electronic documents and a basic guidance on how to classify those data integrity findings.

    I’d like to finish this preface remembering that although most people think data integrity issues are restricted to electronic data systems, mainly within quality control (QC) laboratories, the reality is, based on personal observations, this only represents between 20% and 30% of good data management/data integrity issues within the regulated industry. The main part of data integrity situations relates to poor documentation practices, but regulators are taking very seriously any instance of lack of data integrity, regardless of the causes behind those issues.

    Last but not least, I’d like to recognize and say thanks to the Quality Press reviewers for their comments and suggestions, many of which have already been incorporated into the final version of the manuscript. Thanks also to Paul O’Mara and the rest of ASQ’s Quality Press staff for your professionalism and devotion to quality.

    Thanks to Guillermo Candelario for the preparation of the material included in Appendix C, and thanks to José Andrés Rodríguez-Copeland for his reviews of the manuscript and continuous support.

    1

    Introduction

    1.1 GOOD DATA MANAGEMENT

    In recent years, there has been a dramatic escalation in the number of U.S. Food and Drug Administration (FDA) warning letters, World Health Organization (WHO) notices of concern, and European Medicines Agency (EMA) statements of noncompliance in which false or misleading information has been identified during regulatory inspections. Failure to properly manage data integrity applies equally to paper and electronic data. It can arise either from poor systematic control of the data management systems due to a lack of knowledge, careless work, or intentionally hidden, falsified, or misleading data. This is troubling because ensuring data integrity is a critical component of the industry’s responsibility to ensure the safety, efficacy, and quality of medical products and of regulators’ ability to protect the public health. In the case of the U.S. FDA, these data integrity–related current good manufacturing practice (cGMP) violations have led to numerous regulatory actions, including warning letters, import alerts, and consent decrees.

    Data integrity is a global mandatory requirement for the regulated healthcare industry. It is also a basic element of good documentation practices, one of the most fundamental pillars of any quality management system (QMS), including cGMP. Developing and bringing a medical product to market involves different players and activities; therefore, robustness and accuracy of the data submitted by manufacturers to regulatory authorities are crucial. The data must be comprehensive, complete, accurate, and true to ensure the quality of studies supporting applications for medical products to be placed on the market.

    Medical product regulatory systems worldwide depend upon the knowledge of companies that develop, manufacture and package, test, distribute, and monitor medical products. Implicit in the assessment and review process is trust between the regulator and the regulated that the information submitted in dossiers and those used in day-to-day decision making is comprehensive, complete, and reliable.

    Data integrity is critical throughout the cGMP data life cycle as it enables good decision making by medical product manufacturers and regulatory authorities. It is a fundamental requirement of the medical product quality systems, applying equally to manual (paper) and electronic systems. It is the responsibility of senior management to ensure data integrity through the promotion of a quality culture together with implementation of organizational and technical measures. It requires participation and commitment by staff at all levels within the company, by the company’s suppliers, and by its distributors.

    Senior management must ensure that data integrity risk is assessed, mitigated, and communicated in accordance with the principles of quality risk management. The effort and resource assigned to data integrity measures must be commensurate with the risk to product quality. Where long-term measures are identified in order to achieve the desired state of control, interim measures must be implemented to mitigate risk, and must be monitored for effectiveness.

    Complete, consistent, and accurate data must be attributable, legible, contemporaneous, original, and accurate (ALCOA). These basic ALCOA principles and the related good documentation practice (GDocP) expectations that oversee data reliability are not new, and much high- and mid-level normative guidance already exists. However, in recent years, the number of observations made regarding good data and record management practices during inspections of manufacturing (GMP), clinical (GCP), and laboratory (GLP) has been increasing sharply. The reasons for the increasing concern of regulatory authorities regarding data reliability are multifactorial and include increased regulatory awareness and concern regarding gaps between industry practices and appropriate control strategies.

    The way regulatory data is generated has continued to evolve in line with the ongoing development of technologies, such as the increasing use of electronic data capture, automation of systems, and so on. Systems can range from manual processes with paper records to the use of fully computerized systems, but the main purpose of the regulatory requirements remains the same: that is, to have confidence in the quality and the integrity of the data generated (to ensure patient safety and quality of products) and to allow the reconstruction of activities.

    Factors contributing to the lack of data integrity include failures by organizations to apply robust systems that inhibit data risks, to improve the detection of situations where data reliability may be compromised, and/or to investigate and address root causes when failures do arise. For example, companies subject to medical product good practice (GXP) requirements have been using validated computerized systems for decades, but many failed to adequately review and manage original electronic records and instead often only review and manage incomplete and/or inappropriate printouts. These observations highlight the need for the industry to modernize control strategies and apply modern quality risk management (QRM) and sound scientific principles to current business models (such as outsourcing and globalization) as well as technologies currently in use (such as computerized systems).

    Examples of controls to ensure good data management strategies include, among others:

    A QRM approach that effectively ensures patient safety and product quality and validity of data by ensuring that management aligns expectations with actual process capabilities.

    Monitoring of processes and allocation of the necessary resources by management to ensure and enhance infrastructure, as required (for example, to continuously improve processes and methods, to ensure adequate design and maintenance of buildings, facilities, equipment, and systems; to ensure adequate, reliable power and water supplies; to provide necessary training for personnel; and to allocate the necessary resources to the oversight of contract sites and suppliers to ensure adequate quality standards are met). Active engagement of management in this manner remediates and reduces pressures and possible sources of error that may increase data integrity risks.

    Adoption of a quality culture within the company that encourages personnel to be transparent about failures so that management has an accurate understanding of risks and can then provide the necessary resources to achieve expectations and meet data quality standards: a reporting mechanism independent of management hierarchy must be provided for.

    Mapping of data processes and application of QRM and sound scientific principles throughout the data life cycle.

    Ensuring all personnel are kept up to date about the application of GDocPs to ensure the GXP principles of ALCOA are understood and applied to electronic data in the same manner that has historically been applied to paper records.

    Implementation and confirmation during validation of computerized systems and subsequent change control, so all necessary controls for GDocP for electronic data are in place and the probability of the occurrence of errors in the data is minimized.

    The importance of data integrity to quality assurance and public health protection must be included in personnel training programs. Also, it is necessary to train personnel who use computerized systems and review electronic data in the basic understanding of how computerized systems work and how to efficiently review the electronic data, which includes metadata and audit trails.

    Definition and management of appropriate roles and responsibilities for quality agreements and contracts entered into by clients (contract givers) and suppliers (contract acceptors), including the need for risk-based monitoring of data generated and managed by the supplier organization on behalf of the contract giver.

    Modernization of quality assurance inspection techniques and gathering of quality metrics to efficiently and effectively identify risks and opportunities to improve data processes.

    Between 2015 and 2016, major regulatory bodies, such as the EMA, U.S. FDA, WHO, UK Medicines and Healthcare Products Regulatory Agency (MHRA), and Pharmaceutical Inspection Co-operation Scheme (PIC/S), published guidance documents on the topic of data integrity and data management. In the context of these guidelines, good documentation practices are those measures that collectively and individually ensure documentation, whether paper or electronic, is secure, attributable, legible, traceable, permanent, contemporaneously recorded, original, and accurate.

    In August 2016, the EMA and the PIC/S¹ announced the publication of a new GMP data integrity guidance document. Data from testing, manufacturing, packaging, distribution, and monitoring of drugs are used by regulators to review the quality, safety, and efficacy of drugs, so ensuring the integrity and completeness of such data is important. This document addresses the assessment of risk to data integrity, risk management strategies, design and control of electronic and paper-based documentation systems, and ensuring data integrity of outside contractors. It appears that regulators are taking a closer look at data integrity industrywide.

    The U.S. FDA released its own data integrity draft guidance document in April 2016 (updated as final guidance in December 2018), which relies on numerous prior guidance documents. It reaffirms the critical role of quality functions and quality professionals to ensure integrity of data:

    For recording data, manufacturing or testing steps, numbered and controlled forms must be issued and reconciled by quality assurance (QA)

    Any findings of data integrity violations and removing at all levels individuals responsible for data integrity problems from GMP positions must be disclosed to the FDA

    Before batch release, QA must review the audit trail and electronic testing

    Control strategies must be in place to ensure all original lab records (paper and electronic) are reviewed by a person, and all test results are appropriately reported

    Immediate and irreversible recording of electronic testing data, including after completing each high-performance liquid chromatography (HPLC) testing sequence versus recording only at the end of the day

    1.2 DATA INTEGRITY AND WHY IT IS SO IMPORTANT

    Data integrity is the degree to which data are complete, consistent, accurate, trustworthy, and reliable and that these characteristics of the data are maintained throughout the data life cycle. The data must be collected and maintained in a secure manner, such that they are ALCOA. Ensuring data integrity requires appropriate quality and risk management systems, including adherence to sound scientific principles and GDocPs.

    Good data and record management practices are the totality of organized measures that must be in place to collectively and individually ensure that data and records are secure, attributable, legible, traceable, permanent, contemporaneously recorded, original, and accurate and that, if not robustly implemented, can impact data reliability and completeness and undermine the robustness of decision making based upon those data records.

    The scope of this book is designated as GXP in that everything contained here is GXP unless stated otherwise. The lack of examples specific to a GXP does not mean it is not relevant to that GXP, just that the examples given are not exhaustive.

    This book aims to promote a risk-based approach to data management that includes data risk, criticality, and life cycle. Users of this book need to understand their data processes (as a life cycle) to identify data with the greatest GXP impact. From that, the identification of the most effective and efficient risk-based control and review of the data can be determined and implemented.

    Every regulated company needs to take responsibility for the systems used and the data they generate. The organizational culture must ensure data are complete, consistent, and accurate in all its forms and media (paper, hybrids, and electronic systems), and senior managers must ensure that they foster the right environment to enable data integrity controls to be effective. For this reason, data governance policies must be endorsed at the highest levels of the regulated company.

    Organizations must be aware that reverting from automated or computerized systems to paper-based manual systems or vice versa will not in itself remove the need for appropriate data integrity controls. Where data integrity weaknesses are identified, companies must ensure appropriate corrective
