The Pharmaceutical Inspection Co-operation Scheme (PIC/S) is an instrument to improve cooperation between health authorities in different countries; its members include the FDA, MHRA, HPRA, and many other regulatory bodies. In August 2016, PIC/S released a draft guidance intended to give inspectors insight on conducting quality inspections and interpreting current GMP/GDP requirements. This draft guidance is the result of collaboration between different health regulatory agencies. It combines many of the thoughts and requirements advocated by these agencies, with an emphasis on methods to ensure data integrity, the importance of having an open quality culture, and some of the different employee roles involved in maintaining good data integrity principles. This document is particularly useful for medical companies because it outlines certain areas that inspectors have been trained to check. While the guidance covers data integrity issues in both manual and computerized systems, this post focuses only on those concerning computerized systems.
Throughout the entirety of the data lifecycle, defined as the period from the moment data is generated to when it is discarded at the end of the retention period, data must be maintained using a documented data governance program. Data governance is defined in this guidance as “The sum total of arrangements to ensure that data, irrespective of the format in which it is generated, is recorded, processed, retained and used to ensure a complete, consistent and accurate record throughout the data lifecycle”. A data governance program consists of organizational controls (such as procedures for retaining completed paper records, training employees, self-auditing, scheduled data verifications) and technical controls (such as computerized system controls and automation). The purpose of a data governance plan is to provide an acceptable level of data control with documented rationale for the level of control determined by the associated data integrity risk.
When performing a risk assessment, this guidance recommends taking into account the process complexity and consistency, how data is stored and generated, the level of automation and level of human interaction, and how open to interpretation the results of the process are. When determining risk as it pertains to data integrity, take into account the impact a data integrity issue will have on product quality and decision making and how easy or difficult it is to change data and detect changes to data.
Several main user roles and the importance they play in maintaining data integrity are described, with a focus on Administrators and Managers. Administrator access must be given in a controlled manner to employees who are not invested in the outcome of the generated data. Management needs to have an understanding that they are legally and morally obligated to find data integrity issues. They are instructed to help induce a climate that encourages maintaining data integrity by staying involved, setting achievable expectations with the resources necessary to achieve these expectations, ensuring accountability and implementing consequences and rewards that are fair. By clearly communicating expectations and creating the right organizational atmosphere, the incentive to falsify or change data in some way will be reduced.
The quality culture of a company can have a huge influence on data integrity. Companies should strive to be transparent and “open”, where the hierarchy can be challenged by subordinates and any issues discovered by employees will be reported without fear of retribution. A “closed” company culture where employees cannot communicate undesirable information without fear of consequences often leads to an increase in tendencies to amend, delete, or alter data to meet expectations. A code of ethics should be established and communicated to all employees that includes data integrity policies and allows for information flow between personnel at all levels. There should also be a system in place so employees can inform management of any breaches to this code.
Companies need to have a Validation Summary Report for each computerized system with the change control including system configurations, a list of all users and their individual privileges including the identity of the system Administrator, the schedule for reviewing the audit trail and system log, how to modify a system for a user, how often the system is backed up and how to recover the system from this backup, how data is archived and where, and a statement that all data and relevant metadata is stored and that users are unable to alter audit trails. Computer systems should have documented risk assessments and validation documentation with tests that challenge areas where data integrity is at risk, such as data transfer interfaces between systems. In order to ensure systems have maintained their validated status, they should be periodically evaluated and any changes, deviations, upgrades, and maintenance should be documented. There should also be a list of all computerized systems including the name, location, purpose, and primary function of the system. Assessments of the system and its data should also be performed to determine risks, such as whether or not the system has a direct impact on GMP/GDP.
There should be established procedures for the process of restoring archived data. Backups should be stored in a physically separate location in case of disaster and they must be readable for the entirety of the data retention period. All records of data that are generated by the system must be accessible for the retention period and able to be printed in a legible form. If a new system is installed or updated, the old data must still be capable of being read; if this is not possible with the new system, then retain old software on a different computer and keep a hard copy of the old system (such as on an external drive or saved to a disk).
“The review of data-related audit trails should be part of the routine data review within the approval process”. This means that companies should review audit trails when records are being reviewed for approval. Audit trails should be reviewed more frequently for higher risk data and evidence of each review should be documented. Audit trails need to include at least the name of the user performing changes, what the change is and the reason for the change, the time and date, and the name of the individual who has approved the change. Once the system audit trail is validated for production use, it should be locked at all times. Remember: “Failure to adequately review audit trails may allow manipulated or erroneous data to be inadvertently accepted by the Quality Unit and/or Authorized Person” – reviewing audit trails is a great way to catch data integrity issues. Companies should aim to acquire software that includes electronic audit trails that capture system events and the previously listed information. Hybrid systems (paper and electronic), while permitted, must be equivalent to electronic audit trails.
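As an added illustration (not part of the PIC/S guidance or of the original post), the sketch below shows what an automated pre-check before a human audit trail review could look like: it flags entries that lack any of the minimum fields listed above and detects entries that were altered or removed after being written. The field names, the ISO 8601 timestamps and the use of a SHA-256 hash chain for tamper evidence are assumptions of this example; the guidance does not prescribe a mechanism.

```python
import hashlib
import json
from datetime import datetime

# Minimum entry content listed in the post; the field names are assumptions.
REQUIRED = ("user", "change", "reason", "timestamp", "approved_by")
GENESIS = "0" * 64

def entry_digest(prev, entry):
    """Hash an entry together with the digest of the entry before it."""
    body = json.dumps({k: entry.get(k) for k in REQUIRED}, sort_keys=True)
    return hashlib.sha256((prev + body).encode("utf-8")).hexdigest()

def seal(entries):
    """Attach a chained digest to each entry, as the system would at write time."""
    prev, sealed = GENESIS, []
    for e in entries:
        prev = entry_digest(prev, e)
        sealed.append({**e, "digest": prev})
    return sealed

def review(trail):
    """Return (index, finding) pairs for the reviewer to document and follow up."""
    findings, prev = [], GENESIS
    for i, e in enumerate(trail):
        for field in REQUIRED:
            if not str(e.get(field) or "").strip():
                findings.append((i, f"missing {field}"))
        ts = str(e.get("timestamp") or "")
        if ts:
            try:
                datetime.fromisoformat(ts)
            except ValueError:
                findings.append((i, "unparseable timestamp"))
        expected = entry_digest(prev, e)
        if e.get("digest") != expected:
            findings.append((i, "digest mismatch"))
        # Continue from the stored digest so one altered entry is pinpointed.
        prev = e.get("digest") or expected
    return findings

# Constructed sample entries, not real data.
SAMPLE = seal([
    {"user": "analyst1", "change": "assay result 98.1 -> 99.4", "reason": "transcription error",
     "timestamp": "2016-08-10T09:15:00", "approved_by": "qa_lead"},
    {"user": "analyst2", "change": "reintegrated peak 3", "reason": "",
     "timestamp": "2016-08-10T11:02:00", "approved_by": "qa_lead"},
    {"user": "analyst1", "change": "sample weight 10.2 -> 10.0", "reason": "balance recalibrated",
     "timestamp": "2016-08-11T14:30:00", "approved_by": "qa_lead"},
])
```

Running `review(SAMPLE)` reports the second entry for its empty reason; editing a sealed entry or dropping one from the trail produces a digest mismatch at the affected position.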
Based on the PIC/S Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments.