For example, during inspection of the sterile manufacturing and QC microbiology areas, our investigators observed:
Deletion of at least six [redacted] and [redacted]tests in the audit trails for two instruments used to test sterile [redacted]. Your systems allowed operators to delete files. You had no procedure to control this practice or to ensure a backup file was maintained. When you reviewed the audit trail data further, you identified a total of 25 deleted [redacted] test results. In your response, you state that the production staff now only have “view and print” privileges. However, your response is inadequate because it lacks details of how appropriate oversight will be exercised over data backup to ensure it is appropriately retained.
No restricted access to the microbial identification instrument. Further, you lacked restricted access to the external hard drive used for backup of this instrument. All users could delete or modify files. In your response, you commit to limit access to the system and external hard drive. However, your response is inadequate because you did not provide a retrospective risk assessment of the impact and scope of inadequate system controls at your firm.
Our investigators reviewed audit trails from various stand-alone pieces of laboratory equipment you used to perform high performance liquid chromatography (HPLC) and gas chromatography (GC) analyses. Our investigators found that you had deleted entire chromatographic sequences and individual injections from your stand-alone computers.
For example, your written system suitability procedure for [redacted] requires only six injections. However, your records showed that on January 5, 2016, you injected seven system suitability standards when performing system suitability for batch [redacted]. The audit trail showed that the final standard injection was permanently deleted from the instrument’s computer. Your analyst told our investigator that it is laboratory practice to perform more injections than are required by the procedure, and then delete any undesirable result to ensure passing system suitability results.
Without providing scientific justification, you repeated analyses until you obtained acceptable results. You failed to investigate original out-of-specification or otherwise undesirable test results, and you only documented passing test results in logbooks and preparation notebooks. You relied on these manipulated test results and incomplete records to support batch release decisions.
For multiple sterile drug product lots, your original data showed failing results, but data you reported showed passing results. This discrepancy was not adequately explained.
You stored original data in an “unofficial” and uncontrolled electronic spreadsheet on a shared computer network drive. Your analyst stated that original data was first recorded in this “unofficial” spreadsheet and transcribed later to an “official” form. This spreadsheet showed failing results above the limits you established in your procedure, PCH 035 Visible Particle Determination in use prior to September 1, 2014.
Failure to maintain complete data derived from all laboratory tests conducted to ensure compliance with established specifications and standards.
Our investigators observed systemic data manipulation across your facility. They documented unexplained deletions of laboratory test results. They discovered that you repeated tests until you obtained acceptable results and that you failed to investigate out-of-specification or otherwise undesirable test results. Your firm relied on these falsified and manipulated test results to support batch release and stability data. Your firm routinely re-tested high performance liquid chromatography (HPLC) samples and deleted previous chromatograms without justification. Your management acknowledged that employees in your quality control laboratory have access, authority, and the ability to delete and repeat HPLC injections when undesirable results were encountered prior to reporting final results.
Your response states repeated testing was due to quality control operators continuously injecting solvents until a stable baseline was achieved. The response also states the results of repeated tests were deleted to decrease the number of saved chromatograms on your hard drives. Any data created as part of a CGMP record must be evaluated by the quality unit as part of release criteria and maintained for CGMP purposes. In order to exclude data from the release criteria decision-making process, you must have valid, documented, scientific justification for its exclusion.
Reducing the number of records on your hard drives is not a sufficient justification for excluding data. Your response is inadequate because you have not shown how you will correct the data manipulation and falsification practices discussed above, nor have you demonstrated how you will ensure that all CGMP test results are retained and considered by your quality unit as a part of batch release…
On November 16, 2015, you told our investigators that you had stopped manufacturing [redacted] API in September 2015. However, during our inspection, our investigators reviewed HPLC and gas chromatogram electronic audit trails that indicated you conducted multiple HPLC and GC analyses on [redacted] batches of [redacted] API from November 5 to 6, 2015 (batch numbers [redacted] to [redacted]).
Data integrity is the idea of maintaining and ensuring the accuracy and consistency of data over its
lifecycle. This includes good data management practices, such as preventing data from being altered
each time it is copied or moved. Data integrity applies to both paper records and electronic records.
Processes and procedures are put in place for companies to maintain data integrity during normal
operation [1].
Data Integrity Importance
Data in its final state is the driving force behind industry decision making. Raw data must be changed
and processed to reach a more usable format. Data integrity ensures that this data is attributable,
legible, contemporaneous, original, and accurate (ALCOA). Data can easily become compromised if
proper measures are not taken to ensure data safety. Errors with data integrity commonly rise from
human error, noncompliant operating procedures, data transfers, software defects, compromised
hardware, and physical compromise to devices. Maintaining data integrity is a necessary part of the
industry’s responsibility to ensure the safety, effectiveness, and quality of their products [1].
During an inspection of your firm located at 3600 Gantz Road, Grove City, OHon various days between May 16 – June 28, 2016, an investigator from the United States Food and Drug Administration (FDA) determined that your firm is the initial importer, complaint handling unit, and repacker/relabeler of High Performance Liquid Chromatographs (HPLC) used in the measurement of hemoglobin, Automated Immunoassay Analyzers (AIA) used in the treatment of disease, and laboratory solutions, assays and test-cup reagents…
Over 15 Ticket Reports (non-routine service reports) reviewed by the FDA investigator document possible failures of AIA and HPLC analyzers. The Complaint section in your [redacted] database was not completed and Investigation Form, 10-QAG-015-2 was not initiated, as required by section 6.0 of your Complaint Handling procedure. For example: Ticket number 862-02-000256, dated 9/2/2015, states that the wrong software version was installed with the G8 analyzer; and Ticket number 001-00050034, dated 8/4/2015 states the customer was “Getting error message, and 338 as comm error” and ASM Board was replaced. No investigations were performed…
All sources of quality data are not being analyzed. Specifically…
You have not identified appropriate statistical methodology to be employed to detect recurring quality problems. Specifically…
The information entered into the Area/Category/Issue sections of your [redacted] database is not standardized and the Type is not always entered so the failure rate per part cannot be accurately calculated. As a result, you are not identifying failure rates per part that are above your thresholds for initiating a CAPA, as described in your “Trending Procedure”.
Our inspection found that analysts performed multiple gas chromatography (GC) analyses of [redacted] samples for residual solvents. Analysts performed these unofficial analyses and recorded them in separate “R&D” folders before conducting the officially reported sample analyses. The original, unofficial analyses stored in separate R&D folders were not part of the official quality control records for your API, and your firm did not consider the results of these unofficial analyses to evaluate the quality of your API or make batch release decisions for numerous batches of API.
Our investigator reviewed chromatograms found in the R&D folders and noted that some displayed large unknown peaks that were not reported in the official records for the same samples. The presence of such peaks in the chromatograms may indicate the presence of unknown and uncharacterized impurities (including potential contaminants) in your drugs.
Failure to ensure that when computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol, as required by 21 CFR 820.70(i).
Organizations have been utilizing validated computerized systems for years. However, in recent years, regulators have found that these organizations are falling short when it comes to maintaining adequate data integrity within their computerized systems. In response to the increasing number of observations related to data integrity made during inspections, a recommendation for the development of new guidance for good data management was put forth at an informal consultation held by the WHO (World Health Organization) in April 2014. Shortly after, the WHO Expert Committee on Specifications for Pharmaceutical Preparations received documents from PQT-Inspections proposing the outline of a new guidance. The goal of this was to consolidate and improve upon the existing principles ensuring data integrity from current good practices and guidance documents.
Data integrity & what it means to have ALCOA data
Attributable data must be recorded so that it can be linked to the unique individual who produced it. Every piece of data entered into the record must be capable of being traced back to the time it was taken and to the individual who entered it.
Legible data must be traceable, permanent, readable, and understandable by anyone reviewing the record. This is expanded to include any metadata pertaining to the record.
Contemporaneous data are data that are summarily entered into the record at the time they are generated.
Original data, or the source data, is the record medium in which the data was first recorded. An original data record should include the first data entered and all successive data entries required to fully detail the scope of the project.
Accurate data are correct, truthful, complete, valid, and reliable. Controls put in place to assure the accuracy of data should be implemented on a risk-based structure.
Meeting ALCOA expectations on electronic records
Attributable: The main controls needed to maintain an attributable electronic record are the use of secure and unique user logons and electronic signatures. Using generic login-IDs or sharing credentials should always be avoided. Unique user logons allow for individuals to be linked to the creation, modification or deletion of data within the record. For a signature to be legally-binding there should be a secure link between the person signing and the resulting signature. The use of digital images of hand written signatures is not often considered a secure method for electronically signing documents. These images lose their credibility when not stored in a secure location or when they appear on documents that can be easily copied by others.
Legible: In order for an electronic record to be considered legible, traceable, and permanent it must utilize controls such as writing SOPs and designing a system that promotes saving electronic data in concurrence with the execution of the activity. This is best done by prohibiting the creation or manipulation of data in temporary memory as well as immediately committing data to a permanent memory before moving on. Secure time stamped audit trails should be used to record operator actions. The system configuration should limit the enhanced security rights of users such as turning off the audit trail or overwriting data. These administrative rights should be reserved (whenever possible) for individuals who are independent of those responsible for the content of the electronic records. Improperly overwriting data or manipulating the audit trail impairs the legibility of the data by obscuring the original value of the record. This is equivalent to the use of single line cross outs in paper records to denote changes to the data. The data in these paper records are changed but the original values must still be legible beneath the cross out mark.
Contemporaneous: Contemporaneous recording of data also utilizes the controls of writing SOPs and maintaining settings that immediately commits data to a permanent memory. In order for the data to be considered contemporaneous the record must also have a secure time stamp system that cannot be altered by users. Time and date stamps should be synchronized across all systems involved in the GxP activity. These controls should be true for both the workstation OS and any relevant software application used. Data is not considered contemporaneous when recorded on an unofficial document and then later entered into the official electronic record.
Original: Original electronic records (or certified true copies) should undergo review and approval procedures. These reviews should describe the review method itself as well as any changes made to the information in the original records. These include changes documented in audit trails or any other relevant metadata. Written procedures should define the frequency, roles and responsibilities, and approach to the review of metadata. A risk-based approach to the scope of these procedures is recommended. Once reviewed, electronic data sets should be electronically signed to document their approval.
Controls should also be put in place to guarantee the retention of original electronic documents as best as possible. The original record should be routinely backed up and stored separately in a safe location in case the original record is lost. Secure storage areas should have a designated electronic archivist who is independent of the GxP operation. Tests should be carried out at times in order to verify that the copy can be retrieved and utilized from secure storage areas.
Accurate: Data accuracy should be maintained through a quality management system that is risk-based and appropriate to the scope of the operation. Routine calibration and equipment maintenance should be performed. Computer systems that generate, maintain, distribute or archive electronic records should be validated. Entry of critical data such as high priority formulas for spreadsheets should be verified by two authorized individuals. Once verified, critical data fields should be locked to prevent modification by any unauthorized individuals.
Written based off the WHO Annex 5 Draft Guidance on Data Integrity
Failure to exercise sufficient controls over computerized systems to prevent unauthorized access or changes to data, and to provide adequate controls to prevent omission of data.
Our investigator found that your [redacted] system used for [redacted] and [redacted] testing lacked access controls and audit trail capabilities. For example, all employees had administrator privileges and shared one user name, so actions could not be attributed or traced to specific individuals. This exposed your electronic data to manipulation and/or deletion without traceability.
Our investigator also noted that your firm copied raw data to a CD [redacted], and then deleted the data from the [redacted] system to free space on the hard drive. Files copied to the CD were selected manually; the selection process was not supervised. Without audit trail capabilities or supervised file selection, there was no assurance that all raw data files were copied to the CD before they were permanently deleted from the system.
