DATA INTEGRITY IN THE GLOBALPHARMACEUTICAL INDUSTRY

CONTENTS

Data Integrity and Global Regulatory Status?

Consideration of National Cultures

Generalised Root Causes and Examples

Solutions-Governance Systems

3WHAT DO YOU THINK?

Examples occurring in same facility: Raw materials specifications set up by IT within MRP system

“writes” to a word document in QC and printed out. (Nothing validated, not in QMS)

QC uses specification and performs HPLC assay and other tests. No printouts from balances/ autotitrator, HPLC raw data deleted after 1 month after Chromatograms printed out.

All QC testing results calculations recorded on note paper, sticky notes and thrown away after a final “neat” report is typed in MS Word for release.

All QC testing records are therefore “pristine”?

4CURRENT STATUS

Data integrity issues now regularly show up as critical observations in:

FDA 483 Warning letters WHO “Notices of Concern” Based

on Annex 2 Ch 17 EU Non-Compliance Reports FDA now Specifically targeting

Current and New Draft Guidelines PICS Good Practices For Data

Management And Integrity In Regulated GMP/GDP Environments (Aug 2016)

Data Integrity and Compliance With cGMP Guidance (Apr 2016)

MHRA GxP Data Integrity Definitions and Guidance for Industry (July 2016)

5

WHO DOES IT APPLY TO?EXTRACT FROM PDA POINTS TO CONSIDER ELEMENTS OF A CODE OF CONDUCT FOR DATA INTEGRITY:

Companies that conduct clinical trials in support of new drug applications including, but not limited to: Investigational New Drug (IND), Clinical Trial Application (CTA), Investigational Medicinal Product Dossier (IMPD), Biologics License Application (BLA), Marketing Authorization Application (MAA), New Drug Application (NDA), and Abbreviated New Drug Application (ANDA)

Laboratories that develop methods or formulations intended to support new drug applications or laboratories that analyze samples generated from clinical trials

Manufacturers of excipients, intermediates, or active pharmaceutical ingredients (APIs)

Contract manufacturing & research organizations (CMOs/CROs)

Contract testing laboratories

Contractors, consultants, suppliers and vendors that provide services and data that support the production and control of APIs, drug or biological products

Basically most parties involved from Clinical phase 2 to Post launch Phase 4

GLOBAL DI METRICS

17

33

7

8

Major Global Regulatory DI Citations 2002_14*

USA India China Other*Source: PDA J Pharm Sci and Tech 2015, 69 762-770 Nader Shafiei, Regis De Montardy and Edwin Rivera-Martinez

GLOBAL DI METRICSThe FDA has been rapidly increasing foreign inspection across the board (F D & C).This is in response to the rapid rise in exports from India, China and Asia in general. So the increase in DI observations has some relationship to overall focus as domestic pressure on “foreign import quality” increased.The national cultures play a key part in the compliance issues detected (see later)Source-Susan and Ann Marie-Foreign Inspection Process Overview -FDA

8WHAT IS DATA?

The IT definition is that DATA are the RAW FACTs that describe the characteristic of and event.

Information is DATA converted into meaningful and useful context.

Wisdom (or fact based decision making ability) is what we have then, when we have both.

It follows that if you do not have the DATA how do you prove your decisions were not simply based upon opinion and not fact based drivers?

9INFORMATION SYSTEMS

Executive

Manager

Analysts

Coarse DataAnalytical decision making

Fine DataTransactional Processing

The Raw Data Evidence

We will come back to this in the context of problem areas later….

DI TERMS AND DEFINITIONS

MHRS Definitions*: Data-Facts and statistics collected together for reference or analysis Raw Data-Original records, retained in the format in which they were

originally generated (i.e. paper or electronic), or as a ‘true copy’. Raw data must be contemporaneously and accurately recorded by permanent means.

Metadata- is data that describe the attributes of other data, and provide context and meaning. Typically, these are data that describe the structure, data elements, inter-relationships and other characteristics of data. It also permits data to be attributable to an individual (or if automatically generated, to the original data source).

Data Integrity-The extent to which all data are complete, consistent and accurate throughout the data lifecycle.

MHRA GxP Data Integrity Definitions and Guidance for Industry: Draft for consultation July 2016

MHRS Definitions*: Data Governance-The sum total of arrangements to ensure that data, irrespective of the

format in which it is generated, is recorded, processed, retained and used to ensure a complete, consistent and accurate record throughout the data lifecycle.

Data Lifecycle-All phases in the life of the data (including raw data) from initial generation and recording through processing (including analysis, transformation or migration), use, data retention, archive / retrieval and destruction.

Data Transfer-Is the process of transferring data and metadata between storage media types or computer systems. Data migration changes the format of data to make it usable or visible on an alternative computerised system.

Data Processing-A sequence of operations performed on data in order to extract, present or obtain information in a defined format. Examples might include: statistical analysis of individual patient data to present trends or conversion of a raw electronic signal to a chromatogram and subsequently a calculated numerical result.

The FDA also distinguishes between “static” and “dynamic” data, the former being an image or paper record but of importance regarding dynamic data is that it can be re-used to recreate the processing as in for example HPLC integration.For this reasons the original raw data must be kept as it can be used to recreate the original event and through audit it can be ascertained if there has been any undesirable post processing and manipulation.(*Note the lifecycle approach is consistent with the principles of ICH Q10 Pharmaceutical Quality Systems)

MHRA GxP Data Integrity Definitions and Guidance for Industry: Draft for consultation July 2016

12

DEFINITION OF RAW DATA IN OUR INDUSTRY ?(FDA CFR 58 - GLPS)

Raw data means any laboratory worksheets, records, memoranda, notes, or exact copies thereof, that are the result of original observations and activities of a nonclinical laboratory study and are necessary for the reconstruction and evaluation of the report of that study.

In the event that exact transcripts of raw data have been prepared (e.g., tapes which have been transcribed verbatim, dated, and verified accurate by signature), the exact copy or exact transcript may be substituted for the original source as raw data. (EMAILS!)

Raw data may include photographs, microfilm or microfiche copies, computer printouts, magnetic media, including dictated observations, and recorded data from automated instruments. (EMAILS!)

13

LIFECYCLE APPROACH

Risk

Phase 1 Phase 2/3 Phase 3/4

Validation/Tech Transfer

Increase in Patient Safety RiskWith Respect to Data Integrity

PAI

Low Data Integrity RouteFailure

So Data integrity covers the whole drug development to launch lifecycle- clinical trials data through to final release for sale Certificate of Analysis.

14GLOBAL REGULATORY VIEWS

CFR 211 indirectly addresses Data for example:1. Any Calculations must be verified 211.68(b)2. Methods must be documented and approved 211.160 (a)3. Data generated and transformed must meet criteria of scientific soundness 211.160(a)But more specifically under 211.194 Laboratory Controls(a) Laboratory records shall include complete data derived from all tests necessary to assure compliance with established

specifications and standards, including examinations and assays, as follows: (1) A description of the sample received for testing with identification of source (that is, location from where sample was

obtained), quantity, lot number or other distinctive code, date sample was taken, and date sample was received for testing. (2) A statement of each method used in the testing of the sample. The statement shall indicate the location of data that

establish that the methods used in the testing of the sample meet proper standards of accuracy and reliability as applied to the product tested………….. The suitability of all testing methods used shall be verified under actual conditions of use.

(3) A statement of the weight or measure of sample used for each test, where appropriate. (4) A complete record of all data secured in the course of each test, including all graphs, charts, and spectra from laboratory

instrumentation, properly identified to show the specific component, drug product container, closure, in-process material, or drug product, and lot tested.

(5) A record of all calculations performed in connection with the test, including units of measure, conversion factors, and equivalency factors.

(6) A statement of the results of tests and how the results compare with established standards of identity, strength, quality, and purity for the component, drug product container, closure, in-process material, or drug product tested.

AND SO ON AND SO ON

15GLOBAL REGULATORY VIEWS

CFR 211 Part 11 Electronic Records and Signatures. PIC/S GUIDANCE PI 011-3 25 Sept 2007 Good Practices for

Computerised Systems in Regulated “GXP” Environments. Both cover in detail the requirements for computerised

systems- but this is not the topic of this presentation. A more pointed DI document is the FDA’s Compliance

Program Guidance Manual 7346.832 NDA- Pre Approval Inspections

GLOBAL REGULATORY VIEWS

Compliance Program Guidance CPG 7345.832 has specific directive to FDA PAI inspectors regarding auditing of Data Integrity:

“There are three primary inspectional objectives of this PAI program, all of which require an informed strategy and careful on-site evaluation. These objectives are:

Objective 1: Readiness for Commercial Manufacturing. Objective 2: Conformance to Application

Objective 3: “Data Integrity Audit”

GLOBAL REGULATORY VIEWS

Objective 3: Data Integrity Audit

“Audit the raw data, hardcopy or electronic, to authenticate the data submitted in the CMC section of the application. Verify that all relevant data (e.g., stability, biobatch data) were submitted in the CMC section such that CDER product reviewers can rely on the submitted data as complete and accurate.”

“The inspection strategy may select key data sets or randomly select data……... Generally, data on finished product stability, dissolution, content uniformity, and API impurity are good candidates for this audit.”

“ During the inspection, compare raw data, hardcopy or electronic, such as chromatograms, spectrograms, laboratory analyst notebooks, and additional information from the laboratory with summary data filed in the CMC section”

“Raw data files should support a conclusion that the data/information……”

GLOBAL REGULATORY VIEWS

Objective 3: Data Integrity Audit

“Examples of a lack of contextual integrity include the failure by the applicant to scientifically justify non-submission of relevant data, such as aberrant test results or absences in a submitted chromatographic sequence, suggesting that the application does not fully or accurately represent the components, process, and finished product.”

Remember DATA-INFORMATION WISDOM (decisions, justifications, rationales..)

Inspectors are expected now to sit at the computer terminal and have you “replay” the raw data, and so basically if you no longer have the actual original raw data when an audit inspector says “SHOW ME” they will consider all decisions made downstream are suspect and possibly fraudulent/fake.

THE WHO IS ALSO ONTO DI ISSUES!

WHO Expert Committee on Specifications for Pharmaceutical Preparations Forty-eighth report:“15.9 Data (and records for storage) may be recorded by electronic data processing systems or by photographic or other reliable means. Master formulae and detailed SOPs relating to the system in use should be available and the accuracy of the records should be checked.If documentation is handled by electronic data-processing methods, only authorized persons should be able to enter or modify data in the computer system, and there should be a record of changes and deletions; access should be restricted by passwords or other means and the entry of critical data should be independently checked. Batch records stored electronically should be protected by back-up transfer on magnetic tape, microfilm, electronic discs, paper printouts or other means. It is particularly important that, during the period of retention, the data are readily available.” Also mentioned in 15.1 and 17.3d

DATA INTEGRITY IS A GLOBAL CONCERN, AND SHOULD BE

SEEN ALSO THROUGH THE LENS OF NATIONAL CULTURE TRAITS

CULTURAL CONSIDERATIONSOne of the key Drivers in DI Compliance is Behavioural “Culture” The PICs guidance touches upon this as

follows: “An effective ‘quality culture’ and data

governance may be different in its implementation from one location to another. Depending on culture, an organisation’s control measures may be: “

“open” (where hierarchy can be challenged by subordinates, and full reporting of a systemic or individual failure is a business expectation).

“closed” (where reporting failure or challenging a hierarchy is culturally more difficult).

Cultural MisunderstandingsMost recognised cultural analysis tool was developed by G. Hofstede who described the following dimensions: Power distance Individualism Uncertainty avoidance Gender- masculinity Vs femineity Time orientation- long versus short All these aspects come together with the

local nuances to form the work culture, and how well systems like GMP are integrated.

National cultures are “different” and not “deficient”!

22

FACTORS LEADING TO FORMATION OF A CULTURE

History ReligionEnvironmentClimate

Language

Mind SetWorld View

PhysiologySecurity

Reaction

LeadershipOrganisation:NormsRules Structure

StatusValuesThese will determine

how hard it is to maintain cGMP

Successes

Failures

CULTURAL CONSIDERATIONS

What the following slides indicate quite clearly is the differences in national culture in “Power Distance”, “Individualism and “Time Orientation”. These are the more specific element of what the PICs guide calls Open and

Closed cultures. Power Distance is defined as the extent to which the less powerful

members of institutions and organisations within a country expect and accept that power is distributed unequally.

This is the element that will be a potential barriers to reporting “bad news” in general including DI issues. In some cultures reporting “bad news” to the boss is an overall “losing face” experience.

The fundamental issue addressed by this individualism is the degree of interdependence a society maintains among its members.  Hence for example the USA is highly individualistic whereas China, India and Japan are much more collectivist in how they work together.

A high power distance and collectivist cultures will see reluctance to report issues and for departments to close ranks much more naturally that in a US company for example.

USA VS UK AND USA VS INDIA

USA VS CHINA AND USA VS JAPANEach country therefore cannot be treated the same- yet the regulations require that in the end they enact the same GMP

26

HOW NATIONAL CULTURE EFFECTS STRUCTURE

structured individualism, speed, drive

USA

French

autocratic

Swedish/Danish

primus inter pares (first among equals)

Asian

consensus with leadership group

FDA “Law” Driven

Can explain why cGMP expectations Vs actual vary Globally

Australia

27

APPROACHES TO DIFFERENT CULTURES

It is important to note that it is impossible to “change” a national culture.

Companies who intent to export product to the USA or PICS countries must comply with the recipient countries regulations.

Companies should factor national cultural differences when evaluating their supply chain and associated risks- strong case for site audits.

Companies and regulatory agencies should consider formal cultural awareness training to best understand how the perceptions of both parties can greatly effect the audit outcome. What may be judged as fraud maybe in fact a cultural habit of a desire for a “pristine set of documents”.

28

PRACTICAL WAYS OF AVOIDING CULTURAL “ERRORS”

Companies should develop and promote an overall code of conduct or ethics, set by the executive.

The code of conduct/ethics should be translated down to the functional levels such as Quality, Production, Engineering etc.

The QMS system should include agreed and structured reporting lines of communication that make it less onerous on the reporter and recognises power distance effects.

Many companies have introduced “whistle-blower” policies in response to changing regulations, but this should always be a last resort:

The Companies Act 2013 (India) has made it mandatory for listed companies to have in place vigilance mechanism for directors and employees.

Under the Dodd-Frank Wall Street and the False Claims Act, an individual with knowledge of fraud may blow the whistle to defined regulatory bodies and potentially be eligible for a reward.

29GENERALISED ROOT CAUSES

Examples Ignorance Lack of, or ineffectual training Basic company IT ignorance on data

base management Organisational culture Awareness of the risks Human error/mistakes Wilful falsification Manipulation post acquisition

Examples Leadership (walk the talk) Lack of understanding of information

systems Actual hardware issues, data

transmission. Software errors, lack of change control Obsolescence of hardware/recording

media Poor controls over database

management systems DBMS Technophobia of key staff

30

CAUSATION BY CATEGORYPeople

• Inadvertent errors• Ignorance

• Work arounds• Lack of Training• Time Pressure

• Culture• Personality• Resources

• Organisational friction IT/QA/QC

• Lack of understanding of DI vulnerabilities

Method/System• Lack of Policies• Lack of QMS• No internal

Audit/Oversight• Database manipulation

practices• Cross-functional

DBM accountabilities

poor• Company management information

systems review and monitoring

Hardware• Lack of CSV

• Lack of IT policies• Inadequate IQ

• Lack of security, backup, authorities

• Lifecycle management

• Obsolescence• IT system “not up

to the task”

31SHORT INDUSTRY EXAMPLES

Company Observation P/S/H?

A QC Laboratory data acquisition software was not validated to ensure the re-writing, and deletion of data was prohibited

B QC records did not show who performed the analysis; raw data was not recorded contemporaneously (real time) nor by the performing analyst. Failed in injections of QC standards deleted from the sequence without explanation

C Batch records found falsified after discarding original ones to provide “clean records”

D Within the QC laboratory there was evidence of non-contemporaneous recording of lab data, using scrap papers, yellow sticky notes. Some of this raw data was also found in waste bins.

E Unofficial “trial” testing of samples for production “management information only”

32SHORT INDUSTRY EXAMPLES

Company Observation P/S/H?F OOS results found within records of QC data acquisition

system not investigated. Retesting carried out and not justified.

G QC staff routinely collected raw data on scrap paper and collated with printed off chromatograms to write a “clean report” in MS Word to present to the head of QA. A review of reports so prepared showed zero errors or natural errors normally expected within a busy QC environment- original raw data, weighing's, observations not kept. In some cases the equipment log was used to capture raw data.

H The Data acquisition systems of the HPLC and GC systems was not backup up nor part of any company back up policy or program. After Chromatograms had been printed out raw data was deleted on a monthly basis due to hard disk constraints. There was no way to re-verify results from release or stability testing. There were no QC procedure regarding management of electronic data, backup, security or strict access levels. Data and methods could be accessed by QC staff sharing passwords.

33

KEY EXPECTED ATTRIBUTES-ALCOAAttributable

•Who actually acquired the data or performed the actions and when?

•Signed and dated

Legible•The data must be legible.

•The record should be permanent.

•The record should not be obsolete and not readable i.e. microfilm.

•Corrections should be made in line with GDP signed and dated.

•No Company shorthand

•The record should be enduring and on proven storage media (beware thermoprinters)

Contemporaneous•Data must be recorded in real time as and when it occurred.

•Any practical workarounds due to clean room environments must be according to written procedure.

•Should be carried out in close proximity to it occurrence (see second point).

Original•Data must be preserved in its unaltered state according to written procedures and in agreement with record retention requirements.

•If raw data is not kept there must be solid documented justification.

•The records should not have been tampered with.

Accurate•Data must correctly reflect the actual measurement or observation made.

•There should be no editing or errors without documenting and approval of the amendments.

34

Company Observation ALCOA?I Production records revealed that the dispensary records had not

been filled out contemporaneously and nor had they been checked but completed with the theoretical amounts after the event.

J The paperless chart recorder monitoring the Purified water plant recorded the data from inline conductivity and TOC on an SD card. There was no policy or procedure for downloading this data nor any means to “replay/review” it offline should it be required; the SD card was simply formatted as and when full of data indicated by and alarm.

K The NIR used to conduct raw material ID by QC within the inwards goods store regularly recorded “fail” results or outliers of the approved data set. The investigation routinely cited “passes compendial testing” added to data set. There was no explanation or procedure for routine expansion of data sets or how such results are not investigated using the OOS procedure.

L Inspection of the HPLC data acquisition system logs and sequences revealed that several blocks of data or analysis could not be matched with product release testing records (paper) that is the batch in question had more than one data set. Both data sets passed but only one was used without explanation.

35THINGS HAVE MOVED ON…PRINTOUTS?

36RISK ANALYSIS

As part of introduction of any new hardware or software including Human Machine Interface HMI there should be an impact assessment which should be part of CSV Master Plan.

An outcome of the IA may lead to a more complex risk assessment as part of overall validation program justifications.

Companies should develop a DI risk register which clearly identifies risks, mitigations and residual risk levels.

It is good practice to have such IA as a mandatory part of capital expenditure forms so as to predict the actual cost of implementation/validation i.e. LIMS, ERP.

ICH Q9 methodology should be used

37RISK PROFILES

Printouts mayRepresent

original data

Printouts Cannot

Represent original data

DI GOVERNANCE PROGRAMS

Companies should create a DI policy, guidelines and code of ethics which includes regular training for those involved in handling/managing data.

Top management should support strong quality culture and lead by example- workshops should be designed with real life “inspirations” as to what is and what is not acceptable behaviour. If this is counter culture this should be overt and explained.

Specific DI audits/surveillance should be carried out by trained personnel to look at the audit trail for CQA, CPP , and quality metrics reported in an APQR for example- a sampling or matrix approach could be used. If possible the surveillance can be facilitated by IT alarm systems (i.e. attempts at bypassing audit trail flagged).

Quality metrics should also be used to target specific areas of concern. DI training should include all data handling departments including IT and it should be

specifically addressed in IT backup, security and data retention procedures. DI protection procedures should also encompass the QMS system and document controls

covering, controlled copies, forms, logs and spreadsheets wherever they concern GMP data and information as defined in written procedures.

E-QMS AND GOOD DOCUMENT PRACTICES (GDOCPS)

Whilst the discussion of e-QMS systems is beyond the scope of this presentation- DI considerations must be applied to:

Doc generation Distribution and control Doc completion- generation of records Doc corrections and verifications Doc and record maintenance Control, audit trail and numbering of “true copies” and forms. Doc retention and archiving Doc and record disposal

All should be validated according to a CSV master plan.

E-QMS AND GOOD DOCUMENT PRACTICES (GDOCPS)

Security and Managing “Hybrid systems”- For all critical DI systems, there must be user ID and Log on using passwords.

Passwords shall not be shared. (It is understood that some companies try and avoid additional cost of licenses; this is not acceptable practice).

Some companies may develop “hybrid” systems using combinations of paper and electronic signatures- this is very difficult to validate according to Annex 11 of PICs GMP due to the nature of “fuzzy” FRS and URS in this case.

System administrators should not also be “users” or at least they should have two different log on and ID’s for when they are performing different roles i.e. QA Officer or QA Admin.

*Hybrid systems where they exist should be phased out by the end of 2017 (Ref Art 23 Directive 2001/83/EC) “……..take account of scientific and technical progress and introduce any changes that may be required to enable the medicinal product to be manufactured and checked by means of generally accepted scientific methods.”

*MHRA July 2016

41

The IT group needs GMP training in respect of CSV and Data integrity (Finance usually already get audited).

Data integrity needs to be built into the Quality Management System at a Policy “Level”.

Data integrity need become a specific focus of regular internal audit programs. The PDA “Points to Consider Elements of a Code of Conduct for Data Integrity”

provides a good basis for a Data Integrity Policy with its scope covering: Good Manufacturing Practice (GMP) Good Clinical Practice (GCP) Good Pharmacovigilance Practice (GVP) Good Laboratory Practice (GLP) Good Distribution Practices (GDP) Good Tissue Practice (GTP)

42REFERENCES

https://mhrainspectorate.blog.gov.uk/2016/07/21/mhra-data-integrity-guidance-18-months-on/

http://www.fda.gov/downloads/drugs/guidancecomplianceregulatoryinformation/guidances/ucm495891.pdf

http://www.fda.gov/downloads/Drugs/DevelopmentApprovalProcess/Manufacturing/QuestionsandAnswersonCurrentGoodManufacturingPracticescGMPforDrugs/ucm071871.pdf

https://www.picscheme.org/en/publications (PI 041-1 Draft 2) PDA Code of Conduct FDA CPG M7346832S508a https://geert-hofstede.com/national-culture.html

Thank youhttp://www.delta-gmpconsulting.com/contact.htm