Almost every process in pharmaceutical and biotechnology manufacturing uses some sort of computerized system. With this increasing use of computerized systems comes the increase in the amount of data generated by those systems. Over the past decade, these changes have turned regulatory scrutiny to data integrity, specifically the practices that ensure, or degrade it.
The increasing awareness among global regulators of the problems inherent to data collection and storage has revealed serious gaps between industry practice and technologies for data management. This explains the creation of several new documents that serve to interpret and extrapolate on the regulations at the core of the use of computerized systems: the FDA’s Title 21 CFR Part 11 and the EU’s GMP Eudralex Volume 4, Chapter 4 and Annex 11.
Definitions & diagnosis
Data integrity entails that all data collected and stored be correct, traceable and reliable. In the UK, the Medicines and Healthcare Products Regulatory Agency defined data integrity as, “complete, consistent and accurate throughout the data lifecycle.”
The FDA defines it as, “…the completeness, consistency, and accuracy of data. Complete, consistent, and accurate data should be attributable, legible, contemporaneously recorded, original or a true copy, and accurate (ALCOA).”
The acronym ALCOA is used by the FDA, MHRA, and the WHO to describe regulatory expectations on recorded data, including paper-based, electronic, and hybrid. ALCOA is a useful guide to remembering key tenets of data management for GxP compliance.
ALCOA stands for:
A = Attributable to person generating the data
L = Legible and permanent
C = Contemporaneously recorded
O = Original or a true copy
A = Accurate
After the FDA also started using ALCOA, the WHO expanded the acronym into ALCOA+ with the “+” signifying the attributes of data that are complete, consistent, enduring and available. Those added values have now fallen into wide use, with the ISPE’s GAMP Data Integrity Special Interest Group also using ALCOA+.
If poor data integrity and quality is the disease, ALCOA+ is the “apple a day.” ALCOA+ is now the standard for every piece of information that can impact the purity, efficacy and safety of products. In practice, it means that companies must maintain control over intentional and unintentional changes to data, including the prevention of data loss or corruption.
Understanding your data
Few pharmaceutical professionals come to their careers from an Information Technology (IT) background. It’s therefore not surprising that industry is rife with misunderstandings about how to align system usage with the regulations that involve data integrity. For non-IT fluent professionals in GxP applications, it’s important to understand that, regardless of the methods of gathering and storing data — manual, automatic or a combination — there are opportunities in every process for corruption of data, unintentional or otherwise.
While regulatory agencies have described the expectations for manual and automated methods in their documents, a review of public enforcement action records proves that many companies are misinterpreting guidance.
Some common observations include:
• Failure to exercise sufficient controls over computerized systems to prevent unauthorized access or changes to data, and to provide controls to prevent omission of data.
• The computerized system lacked access controls and audit trail capabilities.
• All employees had administrator rights and shared one user name.
• Electronic data could have been manipulated or deleted without traceability.
• Raw data were copied to a CD and then deleted from the hard drive. Data copied were selected manually without assurance that all raw data was copied before being deleted.
For each error, there is a technological, procedural or combination solution that would have mitigated the problem, such as:
• Unique usernames and passwords
• An inerasable audit trail or event log
• Separate administrator and user access rights
• Good standard operating procedures (SOPs)
• Oversight and regular review of processes
Seven ways to ensure data integrity
The following recommendations give an overview of how to maintain data integrity for computerized systems. Although developed over the past decade of working with environmental monitoring system customers, these methods can be applied to any computerized system.
Perform risk-based validation
• Validate only systems involved in GxP-compliance. Ensure protocols address data quality and reliability.
• If cost-effective, have the system vendor perform system validation upon install.
• Use the ISPE’s GAMP5 categorizations to determine the system’s validation complexity.
• Account for all electronic data storage locations, including printouts and PDF reports.
• Ensure your quality management system defines the frequency, roles and responsibilities.
• Your validation master plan must outline the approach to reviewing metadata, including audit trails, etc.
• Schedule periodic re-evaluations.
Audit your audit trails
• An audit trail must include any changes that have been made to a database or file.
• To be useful, an audit trail must answer: Who? What? When? Why?
• Define the data relevant to GxP and ensure it’s included in an audit trail.
• Assign roles and schedules for testing the audit trail functionality.
• The depth of an audit trail review should be based on the complexity of the system.
• Understand what audit trails comprise: discrete event logs, history files, database queries, reports or other mechanisms that display events related to the system, electronic records or raw data contained within the record.
Plan for business continuity
• Have a disaster recovery plan.
• Your plan must state how quickly functions can be restored, as well as the impact of any data lost.
• Implement systems that backup data during power outages or network downtime.
• Employ solutions such as UPS (Uninterrupted Power Source), battery-powered, standalone devices that can switch to an alternate power source when required.
• Verify system inputs.
• Calibrate measurement devices regularly, according to the needs of the sensors and operating/process environments.
• Validate networks. I.E. Test that data are coming from the right location.
• Select systems with alarming functionality for communication failure, device problems, or data tampering.
Select appropriate providers
• Ask for proof that systems are fit-for-purpose.
• Learn about your providers’ quality culture.
• Ensure providers are fluent in the regulations; especially Part 11 & Annex 11.
• Ensure system software updates comply with regulations, especially when implementing new features.
• Collaborate with providers to stay informed about changes and update your systems.
• Select systems that are easy to update upon expansion or the addition of new system inputs.
Qualify IT & validate systems
• Validated systems require an IT environment that has been qualified.
• Backup electronic data on a pre-set schedule to a secure location, including metadata.
• Verify the retrieval of all of data during internal audits.
• Electronic archives should be validated, secured and maintained in a state of control throughout the data life cycle.
Getting data you (and your auditors) can trust
For many systems in GxP-regulated applications, there are common scenarios with expensive risks. An undetected compressor failure on a weekend could destroy the entire contents of a chamber storing samples from research in a crucial stage of development.
In GxP applications, data represents significant investments in development, clinical trials, donated tissue, and the hopes of patients for a new therapy or drug. System devices, software, infrastructure, processes and operating procedures must all ensure that data are complete, consistent, accurate, and exemplifying the characteristics of ALCOA+.
Piritta Maunu is a Life Science Industry Expert for Vaisala. She has worked as a Quality Manager in R&D and GMP production. Piritta holds a M.Sc. in Cell Biology and is an instructor of General Biology. https://web.vaisala.com/en/industries-innovation/life-science