Meeting Data Integrity Requirements

Q: Given the current focus on the subject of data integrity in regulatory inspections, we have performed an internal assessment. We found several pieces of equipment, in particular analytical instruments, which do not meet the requirements (e.g., shared user access). We are concerned whether we can continue using this equipment under these circumstances. Can you advise?

A:  Although data integrity is not a new concept, it is true that there has been an increased focus on data integrity in inspections by regulatory agencies globally, and this is very likely to continue unabated. You certainly did the right thing by assessing your current compliance level, which, it turns out, is not in substantial compliance with the regulations.

First, you must determine whether is it acceptable to continue to use these non-compliant systems for the manufacture of pharmaceutical products, and if so, under which circumstances. The regulators encourage a risk-based approach to compliance, though this must not be misinterpreted as being allowed to be non-compliant, rather, this compliance approach requires you to perform a risk assessment (i.e., you need to ascertain the risk to the patients should you continue using your out-of-compliance equipment).

Take for example, a tablet press that has been in operation for 15 years, which is in perfect working order and has no access controls. Anyone working on the machine can change the parameters and edit the stored data. This is not an acceptable situation. Preferably, one would implement technical solutions (perhaps a software upgrade), but where this is not an option or would take too long, one needs to consider procedural remedial actions. In this instance, this could include the verification of the settings by a second person, plus an amendment to the operating procedure, which would clearly define acceptable and unacceptable data handling (e.g., changing parameters). If neither technical nor procedural solutions lead to an acceptable risk level, I’m afraid, this piece of equipment must no longer be used.

Another example would be the use of a laboratory information management system (LIMS) by several operators sharing a user ID and password. If this is the case because of cost savings (purchasing a minimum number of licenses only), then this issue can be remedied almost immediately by purchasing the appropriate number of licenses and revising the operating procedure to mandate individual user IDs and passwords for all LIMS operators.

You did the right first step (i.e., assessing the as-is situation); however, you should not stop there. Now you must implement a company-wide data integrity policy and embed data integrity into your quality management system. Only by taking data integrity seriously, and implementing the appropriate processes, procedures, and systems within your company, will you be able to achieve full compliance with the data integrity requirements. This will give you peace of mind when an agency inspector calls next time. 

Article Details

BioPharm International
Vol. 31, No. 1
January 2018
Page: 54

Citation

When referring to this article, please cite it as S. Schmitt, “Meeting Data Integrity Requirements," BioPharm International 31 (1) 2018.