In June 2020, the U.S. Food and Drug Administration (FDA) issued a warning letter to a drug manufacturing facility, citing a number of infractions, including these common data integrity issues: 1
- Missing raw data files associated with recovered solvent testing were observed in folders on the local hard drive of the operating system connected to the gas chromatography (GC) instrument. Your firm indicated that the files appear to have been deleted.
- [Employees] shared the same username and password for the operating system on each workstation and the analytical software for the GC.
- Recovered solvent data on the stand-alone computerized system for the GC were not backed up as required per your approved procedure.
- Failure to have a procedure governing the audit trail or its retention.
- Failure to include a comprehensive, systematic plan for evaluating your practices and procedures to ensure data integrity controls are applied throughout your firm.
- Failure to conduct a risk assessment addressing potential impacts to product as a result of the inadequate data integrity controls.
Current good manufacturing practices (CGMPs) are minimum requirements that companies must meet in developing health care-related products. Data integrity plays a key role in all areas of CGMP compliance, and the FDA expects all data to be reliable and accurate. According to the FDA guidance “Data Integrity and Compliance With Drug CGMP,” pharmaceutical manufacturing companies should implement meaningful and effective strategies for managing their data integrity risks based on their process understanding and knowledge management of technologies and business models. 2
Regulatory guidelines regarding data integrity have been in place for many years. Still, during fiscal year 2018, the FDA issued 85 CGMP warning letters to drug manufacturers — 42 of which had data integrity components. 3
Data Integrity Compliance
Data integrity is established by ensuring data is stored and managed properly in its original form. This is challenging due to evolving data management technologies, best practices, and regulatory guidelines. Nevertheless, taking steps to resolve data integrity issues is far more advantageous and cost effective than recovering from them. A good approach to achieving and maintaining data integrity compliance is to develop a practical data management strategy that involves employees, IT data management processes, and company policies.
Employees can be your front line of defense against data integrity violations. To ensure the integrity of the data generated and used in the organization, employees should be trained and have the appropriate knowledge and skills to function in a CGMP environment, including knowledge of:
- 21 CFR Part 11 requirements and expectations.
- Company code of conduct, ethics, and fraud policies.
- Data management standard operating procedures (SOPs).
- Validation and change control.
- Use of audit trails.
IT Data Management Processes
Continuously changing technologies for gathering, storing, and migrating data have made maintaining data integrity a bit unwieldy. For example, as data storage infrastructures evolve, data stored for 10 years or longer may not be readable on newer versions of operating systems or applications. Still, data integrity guidelines require that all original data remain intact throughout its retention period. Data archiving practices should maintain and protect data from corruption and loss. Below are some of the guidelines for proper data management:
- Complete frequent backups of electronic data per CGMP requirements.
- Do not overwrite pre-existing data during its retention period.
- Securely store data and backups during their retention periods — including using off site storage as warranted.
- Limit access to data, including rights to change, edit, or delete data or operational parameters to only authorized roles and security levels.
- Set up password controls, including expiration dates, lockouts after a set number of failed attempts, secure reset processes, etc.
- Frequently audit/crosscheck employee accounts, permissions, and credentials.
Regulatory guidelines for data integrity advise companies to be proactive with detecting and mitigating potential data integrity issues. One way to develop and uphold the cultural elements supporting data integrity in the organization is to establish and document organizational policies for activities involving data. Follow up with the policies by mandating routine training for all personnel. It’s also important to perform internal data integrity audits to catch potential issues or questionable practices. Use these audits to:
- Identify anything questionable in data and records, including where they are generated and stored, i.e., paper records in banker’s boxes, notebooks or binders, around equipment in the lab, etc.
- Evaluate electronic systems and paper records to verify controls are working appropriately and no inaccuracies exist.
- Check production areas during operations/testing to verify that people are following procedures documented in the policies and SOPs.
- Assess employees’ qualifications and ability to perform the tasks required for their roles.
If your data is lost, corrupted, or breached, you will fall out of compliance with data integrity requirements. Creating a well-structured, fully documented data management plan can be invaluable in your efforts to preserve the integrity of your data. The ability to automate data collection, storage, and analysis can prevent opportunities for data integrity issues to occur in the first place. By digitizing your quality management system (QMS), all your quality and data processes share a common infrastructure and data architecture, which helps ensure compliance.
- “Vega Life Sciences Private Limited,” Warning Letter, U.S. Food and Drug Administration (FDA), July 7, 2020.
- “Data Integrity and Compliance With Drug CGMP Questions and Answers,” U.S. Food and Drug Administration (FDA), Dec. 2018.
- “An Analysis of 2018 FDA Warning Letters Citing Data Integrity Failures,” Barbara Unger, Pharmaceutical Online, June 12, 2019.
David Jensen is a content marketing specialist at MasterControl, where he is responsible for researching and writing content for web pages, white papers, brochures, emails, blog posts, presentation materials and social media. He has over 25 years of experience producing instructional, marketing and public relations content for various technology-related industries and audiences. Jensen writes extensively about cybersecurity, data integrity, cloud computing and medical device manufacturing. He has published articles in various industry publications such as Medical Product Outsourcing (MPO) and Bio Utah. Jensen holds a bachelor’s degree in communications from Weber State University and a master’s degree in professional communication from Westminster College.
Originally published at https://www.mastercontrol.com.