Maintaining Data Integrity
Avoiding regulator scrutiny in the medical products industry
by José Rodríguez Pérez
In August 2015, the European Union (EU) banned the marketing of about 700 Indian-made generic drugs for alleged manipulation of clinical trials data. The largest-ever EU-wide suspension of sales and distribution of generic drugs ordered by the European Commission was applicable to all 28 member nations.1
Recently, there has been a dramatic escalation in the number of U.S. Food and Drug Administration (FDA) warning letters, World Health Organization (WHO) notices of concern, and EU statements of noncompliance in which false or misleading information has been identified during inspections. Failure to properly manage data integrity applies equally to paper and electronic data. It can arise either from poor systematic control of the data management systems due to a lack of knowledge, human error or from intentionally hidden, falsified or misleading data.
What is data integrity?
Data integrity is a global mandatory requirement for the regulated healthcare industry. Developing and bringing a medical product to market involves different players and activities; therefore, robustness and accuracy of the data submitted by manufacturers to regulatory authorities is crucial. The data must be comprehensive, complete, accurate and true to ensure the quality of studies supporting applications for medical products to be placed on the market. Complete, consistent, and accurate data must be attributable, legible, contemporaneously recorded, original or a true copy, and accurate (ALCOA).2 See Table 1.
Data integrity also must comply with good manufacturing practices (GMP), good clinical practices (GCP), and good laboratory practices (GLP). In recent years, however, data integrity issues are jeopardizing the regulatory compliance status of organizations. In many instances, data integrity problems are created by sloppy documentation practices or incidents that cause the loss of data, but regulators tend to label those situations as fraud. Moreover, it demonstrates a lack of commitment by senior management (including that of quality leaders) to a culture of quality andcompliance.
Recently, a string of FDA-issued warning letters for data integrity violations have been published on the agency’s website. Specifically, from January 2015 to May 15, 2016, 21 out of 28 warning letters given to drug manufacturers involved data integrity issues.3
Some data integrity breaches during FDA inspections are shocking. They range from backdating records in the presence of two FDA inspectors,4 to documenting microbial results on a certificate of analysis when the testing was never performed.5
Between 2015 and 2016, major regulatory bodies, such as the European Medicines Agency (EMA), the FDA, the WHO, and the Pharmaceutical Inspection Co-operation Scheme (PIC/S), published guidance documents on the topic of data integrity and data management.
In August 2016, the EMA and the PIC/S6 announced the publication of a new GMP data-integrity guidance document. Data from testing, manufacturing, packaging, distribution and monitoring of drugs are used by regulators to review the quality, safety and efficacy of drugs, so ensuring the integrity and completeness of such data is important. This document addresses the assessment of risk to data integrity, risk-management strategies, design and control of electronic and paper-based documentation systems, and ensuring data integrity of outside contractors. It appears that regulators are taking a closer look at data integrity industry wide.
The FDA released its own data integrity draft guidance document in April 2016, which relies on numerous prior guidances. It reaffirms the critical role of quality functions and quality professionals to ensure integrity of data:
- For recording data, manufacturing or testing steps, numbered and controlled forms must be issued and reconciled by qualityassurance (QA).
- Any findings of data integrity violations and "removing at all levels individuals responsible for [data integrity] problems from current GMP (CGMP) positions" must be disclosed to the FDA.
- Before batch release, QA must review the audit trail and electronic testing.
- Control strategies must be in place to ensure all original lab records (paper and electronic) are reviewed (by a person), and all test results are appropriately reported.
- Immediate and irreversible recording of electronic testing data (including after completing each high-performance liquid chromatography [HPLC] testing sequence versus recording only at the end of the day).
Commitment from all
Data integrity enables good decision-making by manufacturers and regulatory authorities. It is a fundamental mandatory requirement of the medical products quality system, applying equally to manual (paper) and electronic systems. To ensure data integrity, senior management must engage in the promotion of a quality culture along with the implementation of appropriate organizational and technical controls. It requires participation and commitment by staff at all levels within the organization, by the organization’s suppliers and by its distributors.
Data integrity is a basic element of good documentation practices, one of the most fundamental pillars of any quality management system, including CGMP. Upper management, and especially quality leaders at every regulated organization must ensure that everyone is accountable for their actions, including having proper documentation of activities performed. Unfortunately, most regulated organizations only react to data integrity issues after regulators discover them.
An outrageous example of this can be found in a warning letter7 issued in July 2014 in which the FDA required an organization to "identify the specific managers in place who participated in, facilitated, encouraged or failed to stop subordinates from falsifying data in CGMP records, and determine the extent of top and middle management’s involvement in or awareness of data manipulation." In the same inspection, the FDA also discovered that "your firm falsified documents designed to demonstrate the effectiveness of CGMP training … That a senior manager was engaged in the falsification of documents is troubling and raises questions about validity of documents generated by your firm."
Senior management, especially those with quality management responsibilities, should ensure that data integrity risk is assessed, mitigated and communicated in accordance with the principles of quality risk management. The effort and resources assigned to data integrity measures should be commensurate with the risk to product quality, and balanced with other QA resource demands. Where long-term measures are identified to achieve the desired state of control, interim measures should be implemented to mitigate risk and should be monitored for effectiveness.
Data integrity and human error
Finally, remember that regulators do not distinguish between human error or sloppiness, and data falsifications and fraud when assessing the impact of data integrity failures, as demonstrated in the following excerpt from a 2015 FDA warning letter:8
"In correspondence with the agency, you indicate that no malicious data integrity patterns and practices were found. Also, you state that no intentional activity to disguise, misrepresent or replace failing data with passing data was identified and no evidence of file deletion or manipulation was found. Your response and comments focus primarily on the issue of intent, and do not adequately address the seriousness of the CGMP violations found during theinspection."
- "India: EU Bans 700 Generic Drugs Alleging Manipulation of Trials by GVK Biosciences, Company Denies Claim," Business and Human Rights Resource Center, http://tinyurl.com/qp-eu-hr-center.
- U.S. Food and Drug Administration (FDA), Draft Guidance for Industry "Data Integrity and Compliance With CGMP—Guidance for Industry," draft guidance, April 2016, http://tinyurl.com/qp-fda-draft-guide.
- Sarah Barkow, "Current Expectations and Guidance, Including Data Integrity and Compliance With CGMP," FDA presentation at the International Society for Pharmaceutical Engineering's Data Integrity Workshop, Bethesda, MD, June 5, 2016, http://tinyurl.com/qp-barkow-present.
- FDA, "Inspectional Observations—Form FDA 483" Ranbaxy Laboratories Ltd. example, January 2014, http://tinyurl.com/qp-fda-form.
- Alexander Gaffney, "India's Data Integrity Problems," Regulatory Affairs Professional Society, Feb. 3, 2015, http://tinyurl.com/qp-raps-data-integrity.
- Pharmaceutical Inspection Convention, "Draft PIC/S Guidance: Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments," Aug. 10, 2016, www.picscheme.org/layout/document.php?id=714.
- FDA, "Marck Biosciences Ltd. Warning Letter," July 8, 2014, http://tinyurl.com/qp-fda-warn-letter.
- FDA, "Apotex Research Private Ltd. Warning Letter," Jan. 30, 2015, http://tinyurl.com/qp-fda-warn-letter2.
For more information
Parenteral Drug Association (PDA), PDA Letter, April 2015.
International Society for Pharmaceutical Engineering, "Special Report: Data Integrity," Pharmaceutical Engineering, March/April 2016, Vol. 36, No. 2, pp. 40-66.
José Rodríguez Pérez is president of Business Excellence Consulting Inc. in Guaynabo, Puerto Rico. He has a doctorate in biology from the University of Granada in Spain. A senior ASQ member, he has many ASQ certifications: auditor, biomedical auditor, hazard analysis and critical control points auditor, engineer, manager of quality/organizational excellence, pharmaceutical good manufacturing practices professional and Six Sigma Black Belt. His most recent book is Handbook of Investigation and Effective CAPA Systems (ASQ Quality Press, 2016).