May 14, 2019
Verification of data integrity is a critical part of the FDA’s mission to ensure the safety, efficacy and quality of human and veterinary drugs, biological products, and medical devices. As such, the FDA’s expectation is that all data generated to support the quality of manufactured products is both reliable and accurate.
Compliance violations involving data integrity have led to numerous regulatory actions by the FDA in recent years, including warning letters, import alerts, and consent decrees. In 2018 alone, the FDA issued 54 warning letters that had references to data integrity and data management deficiencies in pharmaceutical companies, 10 of which were in the United States. An analysis of 2018 warning letters by FDAzilla found that 45% of GMP-related warning letters issued to pharmaceutical companies based in the United States included a data integrity deficiency.
Recently, the FDA has begun to link compliance with data integrity regulations with the specific culture of an organization. The FDA wants to see companies develop a “quality culture” or quality focus that is integrated throughout the organization. The idea is that the more mature an organization’s quality culture, the more reliable the product support data (i.e., data integrity) will be.
The business case for data integrity compliance is clear – less compliance and financial risk, less rework, fewer supply interruptions to the market, improved productivity and operational performance, etc. In many companies, however, compliance problems persist as a result of reactive rather than proactive thinking regarding efforts to maintain a reliable state of compliance and quality throughout the organization. Given the FDA’s recent interest in quality culture, let’s explore best practices for establishing an organizational quality culture that supports compliance with data integrity regulations.
Quality Culture Best Practices
Data integrity violations can be the result of many factors: employee errors, lack of awareness of regulatory requirements, poor procedures or not following procedures, insufficient training, intentional acts of falsification, software or system malfunction, poor system configuration, etc. In order to avoid risk, companies involved in developing, testing, and manufacturing APIs, intermediates, or pharmaceutical and biological products should work to establish an organizational quality culture that:
- promote an organizational culture that encourages ethical conduct
- demonstrates the company’s commitment to compliance with data integrity regulations
- requires the prevention and detection of data integrity deficiencies
Key aspects of this culture include:
Management Engagement. In its latest data integrity guidance Data Integrity and Compliance with Drug cGMP Guidance published in December 2018, the FDA states, “It is the role of management with executive responsibility to create a quality culture where employees understand that data integrity is an organizational core value and employees are encouraged to identify and promptly report data integrity issues. In the absence of management support of a quality culture, quality systems can break down and lead to cGMP noncompliance.”
The effect of management engagement and behavior on the success of a company’s data governance efforts should not be underestimated. The company’s data governance policies need to be strongly endorsed at the highest levels of the organization. For an organization to achieve optimal compliance with data integrity regulations, the focus on quality compliance must start at the top. Management must lead by example and set the tone to be emulated by individuals at all levels within the company.
Employee Training. It is critical for companies establish training programs that properly educate all employees on the fundamental principles of data integrity, company requirements for data integrity, requirements of regulatory agencies, expected employee conduct as a condition of performing GxP functions and disciplinary consequences for poor conduct. All new employees should go through this training prior to performing GxP activities, and each employee should receive an annual refresher training. At the conclusion of the annual refresher, best practice is to have each employee sign a certification statement confirming that he/she has adhered to company standards around data integrity over the past year, including reporting any violations about which they became aware.
Data Integrity training should also include education on why data integrity is so important to the company. Ultimately, in a successful quality culture, employees adopt a quality mindset, not because they have to, but because they understand the importance of data integrity to the company and the risks of noncompliance.
Open and Transparent Communication. Companies should strive to encourage personnel to be transparent about data integrity deficiencies so management has an accurate understanding of the risks and can provide necessary resources to mitigate them. An essential element of any successful quality culture is transparency in terms of open reporting by employees of any deviations, errors, omissions or aberrant results that impact data integrity. Management must set the proper tone to encourage open communication by working to create a culture where people listen to one another, and by not punishing people for honest mistakes. In addition, employees should be given the option to report issues anonymously if local laws permit.
Computer Access Controls. Computer systems need to have secure access controls in order to assure that changes to records can only be made by authorized personnel, and these controls need to be strictly enforced. Amongst other things, this means that each person accessing the computerized system must be able to be uniquely identified (username and password, or other biometric means), must not share their login information with others, and their actions within the system should be trackable via an audit trail. Additionally, rights to alter files and settings (e.g., system administrator role) in the computer system should not be assigned to those responsible for record content.
Data Integrity Investigations. As discussed in the above-mentioned FDA Guidance document, regardless of how a data integrity violation is discovered (e.g., third party audit, FDA audit, internal tip, etc.), all identified data integrity errors “must be fully investigated under the cGMP quality system to determine the effect of the event on patient safety, product quality, and data reliability.” The investigation should determine the root cause and ensure the necessary corrective actions are taken. Necessary corrective actions may include hiring a third-party auditor, removing individuals responsible from cGMP positions, improvements in quality oversight, enhanced computer systems, creation of mechanisms to prevent recurrences, etc.
Data Integrity Audits. Companies should include data integrity assessments in GxP audit programs. Audits may be conducted by internal staff in the Quality unit, or by an independent third party. If audit functions are outsourced to an external consultant, be sure to verify that auditors have appropriate training in data integrity evaluations. Utilizing a quality external consultant with expertise in data integrity evaluations for your GxP audit is best practice, as an expert with fresh eyes will likely be able to locate any data integrity issues you missed. The periodic review results, along with any gaps and corresponding remediation activities, must be documented.
The following items should be part of any audit of laboratory technology systems:
- Review of existing Software Validation Lifecycle policies, SOPs, etc.
- Identification of paper data, electronic data, raw data, and static and dynamic data
- Intended use of computer systems (e.g., SOPs, workflows, etc.)
- Use of notebooks and forms associated with computer systems
- System security and access to data (e.g., user types, groups, roles, accounts, etc.)
- Electronic signatures and audit trails
- Data retention policies and availability of data
- Data backup, archive, restore and recovery processes
- Training for support and use computer systems that collect, generate, store, analyze, and/or report regulated data
Third-Party Data Integrity Audits. Manufactures are responsible for ensuring that quality system elements have been established at each of its third-party suppliers (e.g., outsourced services, purchased raw materials) that provide products or services on behalf of or at the behest of the manufacturer. Manufacturers need to verify that suppliers operating as an extension of the manufacturer have established appropriate policies, standards, procedures, or other documents that define requirements for its employees to ensure compliance with data integrity regulations.
Ensuring data integrity means collecting, documenting, reporting, and retaining data and information in a manner that accurately, truthfully and completely represents what actually occurred. The FDA expects pharmaceutical firms to identify, manage, and minimize data integrity risks associated with their data, products, equipment, technology, processes, and people. It is therefore critical for companies to develop a quality culture that supports data integrity compliance in order to avoid unpleasant financial consequences from enforcement actions.
It is important to note that company executives and management are ultimately responsible for creating a quality culture that will support data integrity compliance. By taking assessment of the maturity of their quality culture and making intentional plans for improvement, senior management can generate significant business value by improving product quality and reducing their organization’s compliance and financial risk.