The review of data is the basis of everything that we do in the industry. It is the foundation of regulatory filings, controls in manufacturing, the checks in laboratory analysis, assurance of product release and so on. We continue to discuss DI issues as they continue to appear in US FDA Warning Letters, EU non-compliance Reports and in WHO Notices.
The key issues of DI were discussed at the ISPE DI Integrity Workshop in Bethesda. These topics included Data Governance, Culture and Human Factors as well as issues within the Laboratory and also Manufacturing.
Sion Wyn provided a snapshot of the ISPE GAMP® Guidance on Electronic Records and Data Integrity. A draft of this document is soon to be released for review. The Guide will include aspects such as Key DI Risks & Controls, QRM processes for DI, a Data Governance Framework, and using a Maturity Model, combined with an Executive Dashboard as part of the Data Lifecycle:
Data Governance Framework
Data Governance should be built into the pharmaceutical quality system. Its goal is to ensure that data meets the ALCOA+ principles, and as the MHRA guide states, “the effort put in to data governance should be commensurate with the risk to product quality and should also be balanced with other quality assurance resource demands”.
So what should the Data Governance do?
The key points from Sion included:
- Defining who is responsible or who owns the data through the lifecycle.
- How to design, build, operate and manage the systems and processes that “handle” the data.
- How changes to the data, whether intentional or not, will be controlled.
- Training of staff on DI principles.
- Having a work environment that allows for reporting DI issues.
- Having systems in place to identify and minimise potential DI risk.
The key parts of ensuring that data is integral is effectively managing the people that run the facilities, the technology that they use and the processes that they perform. This requires behavioural controls for the people, procedural controls for the processes and technical controls for the technology. When combined together and managed correctly, should result in a robust data governance system.
Mark Newton spoke about the three factors to look out for when assessing the reasons for falsifying data. There should not be a motive (e.g. money, recognition, power, pressure, culture) for an employee to falsify data, they should not have the means to do it (e.g. have full access, data unsecured, no review) and must not have the opportunity to do it (e.g. have time and access). Marks take-home message for me was that the means and opportunity can be somewhat controlled, but the motive is the one factor that can be fully controlled by the leaders in the organisation. Controlling the motive can be accomplished by leaders “walking the talk”, awarding proper conduct and punishing those who do not follow the code of ethics.
What are behavioural controls?
These include how the organisation is structured and how ownership is assigned. Leaders must lead the way. These controls also include policies, procedures and training programs that make up a necessary part of the DI program and the code of ethics. After all, people are usually the failure point!
What are the procedural controls?
These control the data lifecycle and include processes such as the management of data, quality risks, access/security and issues.
What are the technical controls?
These include controls to the IT infrastructure/platform and can be supported by categorisation, qualification/validation, and audits, with supporting metrics.
Another of Mark Newton’s suggestions was having a “Body of Knowledge” approach that involves looking at inspection findings and Warning Letters. Then assess the findings and investigate your quality system could prevent the same issues or apply the findings to your organisation. This approach ties in with the Executive Dashboard, which is discussed below.
The new ISPE Guide will also suggest an approach of how to assess the maturity level of an organisation in relation to DI, and like GAMP 5, will have 5 levels. Level 1 will indicate that the organisation is not under control when it comes to DI, and Level 5 will indicate that the organisation is proactive and has a program of continuous improvement for DI. This type of assessment will help to define where the organisation is and what it needs to do to improve its approaches to DI.
The Executive Dashboard
The output of an assessment of maturity and also the DI program may result in the identification of critical areas of concern. A dashboard will allow the management of critical issues and is a proactive way of dealing with them. One of the key points of Sarah Barkow from the US FDA was that the Agency would rather hear from organisations that had themselves identified DI issues than find them during an inspection.
So DI is a fundamental part of a quality system as it assists in ensuring that the product that is supplied to patients is of the correct quality. DI must be addressed through the entire lifecycle and we must have procedures in place that assist us in focussing on detecting DI issues, preventing DI issues, and have a process for dealing with DI issues if/when they occur.