How Important is Data Integrity to Regulatory Bodies?

March 1, 2016
BioPharm International, BioPharm International-03-01-2016, Volume 29, Issue 3
Page Number: 42–44, 48

Data integrity is a widespread, global problem that must be addressed.

Data integrity is a major regulatory topic in GMP-regulated laboratories. The problem is widespread, as cases of non-compliance have also been observed in laboratories regulated by good laboratory practice (GLP) and good clinical practice (GCP), not just GMP. Non-compliances from the European Medicines Agency (EMA) or warning letters from FDA show examples from companies in the United States, Canada, the United Kingdom, and Italy, as well as China and India. So, it is not just a problem for Asia-it is a global issue.

The non-compliances are not confined to falsification and fraud. In fact, in the majority of labs, the main data integrity issues concern poor data management, which account for 95% of non-compliance cases; only 5% are a result of falsification or fraud. Problems arise from basic errors such as relying on paper as raw data and failing to protect electronic records, rather than deliberate manipulation of data. It is the latter, however, that gets the major headlines. In July 2014, FDA issued a stern warning that data integrity was a key focus of its enforcement efforts (1).

Regulatory guidance on data integrity
In January 2015, the UK Medicines and Healthcare products Regulatory Agency (MHRA) went further and issued Guidance for Industry on Data Integrity (revised in March 2015) (2). This guidance consists of descriptions, definitions, and expectations based around those definitions, which include raw data, original records, file structures, and audit trail. The regulatory expectations presented in this guidance are useful. However, the definitions are simply presented as a shopping list; a diagram explaining and linking key definitions would be more beneficial.

The guidance presents data integrity as the extent to which all data are “complete, consistent, and accurate” throughout the data lifecycle, which covers the period from data acquisition through to interpretation, reporting, and archiving and then destruction after the record retention period. There are similarities in the US regulations; a 20-year-old FDA definition of data integrity describes the degree to which a collection of data is complete, consistent, and accurate (3).

In European GMP regulations, documentation constitutes a key part of quality assurance and, therefore, compliance with GMP (4). An organization must have good documentation, follow standard operating procedures (SOPs), and demonstrate compliance with the applicable regulations. Several requirements focus on data integrity for computerized systems (5). If critical data are entered into a data system, a second check is required, which can either be a second person or can be automated using the computer system itself.

In the US, the regulations for laboratory records focus on the concept of complete data (6).

A review of data integrity warning letters reveals several citations for failure to have complete data including a failure to have a complete procedure (7), a failure to fully document the work that is carried out (8), or being selective in reporting data (e.g., using test samples to “check” if an instrument is working correctly) (9). Complete data includes the actual observation, which can be visual or by computerized system. Contextual metadata, which puts the data or result in context, is also required. Examples of metadata include operator ID, units of measurement, sample information, identity, batch number, instrument suitability, and readiness. Audit trail events are also part of the metadata. If a hybrid system or a fully electronic system is used, FDA and European regulatory agencies require companies to review and evaluate audit trail events to see if data have been manipulated without authorization.

FDA guidance comprises a list of commonly asked questions and answers that are crucial for maintaining data integrity (10). Detailed explanations are given for:

  • Why paper records from a hybrid system should not be defined as raw data-instead it should be the underlying electronic records; Although the reasoning focuses on chromatography, it is applicable to any computerized system.

  • Why sharing of user identities in a computerized system is not allowed-as it makes it impossible to attribute the work carried out to a single individual.

  • Why actual samples should not be used as system suitability tests to see whether a batch passes or not. FDA warning letters reveal many citations for this transgression.

 

 

Data integrity criteria
The criteria for data integrity are defined by the acronyms ALCOA and ALCOA+. ALCOA, which stands for attributable, legible, contemporaneous, original, and accurate, was developed by an FDA GMP inspector in the late 1980s. ALCOA has been used in many areas that are regulated both by FDA and other regulatory agencies worldwide. In 2010, EMA published a paper on electronic source data for clinical records, in which another four requirements relating to electronic data were added: complete, consistent, enduring, and available (11). The Good Automated Manufacturing Practice (GAMP) Data Integrity Special Interest Group (SIG) now refers to ALCOA+, which includes the nine attributes or criteria for data integrity (see Table I).

Inspection trends
In the past, an inspector would review piles of paper; to view a computer system, he would be shown print-outs of the screen. Now, the focus is on the computerized systems and the electronic records within; the paper output is secondary. Inspectors will focus on the electronic records, looking at how they were generated and manipulated within the application. In the light of these changes, consideration needs to be given to the person who will manage the system during an inspection. How is the system configured to protect the electronic records? Are electronic signatures being used in the application, ensuring that the configuration of the application is documented and reflects the settings within the software?

Annex 11 now requires audit trail entries to be reviewed, and FDA considers these entries as part of the complete data. Many findings of non-compliance during inspection have been discovered by looking at audit trail entries, therefore, an approach to reviewing audit trail events is needed. Citations have noted when audit trails were been turned off, the audit trail had not been reviewed, or user identities were shared, which is not allowed under the regulations. Additional citations can be found in the September 2014 issue of LCGC (12).

The ten compliance commandments
The 10 compliance commandments for computerized laboratory systems described in Table II should be considered (12).

Where should the electronic data transfer begin?
Let’s consider preparation of standards by way of example. In an analytical lab, standards are usually prepared using an analytical balance. The actual weight is typically printed on a strip printer and pasted into a lab journal. Afterwards, the standards are widely used for analytical methods, such as high-performance liquid chromatography (HPLC), gas chromatography (GC), titration, etc. Data management and documentation for analytical instruments are usually managed by dedicated software or a laboratory information management system (LIMS). This procedure is currently allowed by regulatory bodies, which state that print-outs representing original data for simple devices (such as balances) are acceptable (2) but is not the case for more complex devices. Nevertheless, it is important that reference standards are accurate and traceable because they represent the starting point of many analyses. Warning letters have cited “no details available on the preparation of standards or solutions, especially of analytical reference standards” (13, 14). Independent of process, it is important to ensure that all the data are available.

This then begs the question: Where should the electronic transfer begin? In the process described above, there is a gap in the data transfer between the “simple instrument” (the balance) and the “complex instrument” (e.g., the HPLC). Clearly, this is not recommended because it introduces an additional level of risk; it is obvious why no gaps should occur.

Capturing the data at the point of origin and transferring the data electronically throughout the whole workflow is a much lower risk approach and reduces the risk of errors during the early stages of a process, giving additional confidence in the compliance of a workflow or laboratory.

What data should be transferred?
The next question then becomes:  What data need to be transferred? It is essential to associate results with metadata to build context around the values collected. Although integrating even a simple instrument can be tricky, the advantages of an integrated solution are obvious. When electronic data transfer starts from the beginning of the process, each piece of information needs to be input only once for it to be available throughout the whole system. This allows seamless movement of data and other information from the start of a process to the end, without the need for manual effort, such as manual transcription, creating an efficient work environment.

This transfer of data is achievable using a laboratory execution system (LES), such as LabX, which enables a variety of instruments to be directly connected (balances, titrators, density meters, refractometers, thermal analysis instruments, and pH meters). Useful features such as SOP-user guidance on the instrument terminal, automatic results capture in a database, and real-time data access support traceability of data and compliance with the GAMP data integrity criteria in ALCOA+.

As regulators continue to tighten their inspection approaches, it is crucial for managers and scientists in regulated GXP laboratories to understand these criteria for data integrity and to assess and improve laboratory data management processes to ensure compliance with current regulations. Only after all these points have been addressed can data integrity truly be achieved.

References
1. C. Rosa, “Current Regulatory/Inspection Issues Related to Supply Chain,” Food and Drug Law Institute (FDLI), Conference Understanding cGMPS-What Attorneys Need to Know, Washington DC, July 15, 2014.
2. MHRA, Guidance for Industry on Data Integrity (MHRA, March 2015).
3. FDA, “Glossary of Computer System Software Development Terminology,” 1995.
4. European Commission, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice, Chapter 4 Documentation (June 2011).
5. European Commission,EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice, Annex 11 Computerised Systems (January 2011).
6. US Electronic Code of Federal Regulations, 21 CFR 211.194(a).
7. FDA, FDA Warning Letter to Trifarma S.p.A, July 2014.
8. FDA, FDA Warning Letter to Ipca Laboratories Ltd., January 2016.
9. FDA, FDA Warning Letter to Micro Laboratories Ltd., January 2015.
10. FDA, Questions and Answers on Current Good Manufacturing Practices, Good Guidance Practices, Level 2 Guidance-Records and Reports,
11. EMA, GCP Inspectors Working Group publication, Reflection paper on expectations for electronic source data and data transcribed to electronic data collection tools in clinical trials (London, June 2010).
12. R.D. McDowall, LCGC 27 (9) (September 2014).
13. FDA, FDA Warning Letter to RPG Life Sciences Ltd., May 2013.
14. FDA, FDA Warning Letter to Wockhardt Ltd., July 2013.

Article DetailsBioPharm International
Vol. 29, No. 3
Pages: 42–44, 48

Citation
When referring to this article, please cite as B. McDowall and J. Ratcliff, "How Important is Data Integrity to Regulatory Bodies?" BioPharm International 29 (3) 2016.