European Medicines Agency issues data integrity guidance

During a time when data integrity issues plague the pharmaceutical industry worldwide, international regulatory authorities have indicated that they are stepping up their enforcement oversight in this area.

The European Medicines Agency (EMA) and the Pharmaceutical Inspection Co-operation Scheme (PIC/S) has released draft guidance for pharmaceutical companies on how to maintain data integrity in the process of testing, manufacturing, packaging, distributing, and monitoring medicines. PIC/S is a non-binding, informal co-operative arrangement between regulatory authorities in the field of Good Manufacturing Practice (GMP), and presently comprises 49 participating authorities from all over the world, including Europe, Africa, America, Asia, and Australia.

Pharmaceutical companies operating in the European Union should review the draft guidance, as it provides a wealth of information on how to proactively prepare for a data integrity inspection. “Regulators rely on such data to evaluate the quality, safety, and efficacy of medicines and to monitor their benefit-risk profile throughout the lifecycle of the product,” the EMA said in a statement.

The EMA tells Compliance Week that “there have been a number of data integrity issues identified during GMP inspections in recent years, some of which have led to regulatory action being taken,” resulting in the data integrity draft guide.

The 44-page PIC/S draft guidance focuses on providing industry with “consolidated, illustrative guidance on risk-based control strategies” that enable data integrity and reliability as described in PIC/S guides for GMP and Good Distribution Practice (GDP).

According to the draft guidance, the data lifecycle refers to “how data is generated, processed, reported, checked, used for decision making, stored, and finally discarded at the end of the retention period.” Throughout the lifecycle, data may cross various boundaries, including between manual and IT systems, or both internally (e.g., between production, quality control, and quality assurance) and externally (e.g., between service providers or contract givers and acceptors), the draft guidance states.

The draft guidance also describes the role of a data governance system, which “should ensure controls over the data lifecycle commensurate with the principles of quality risk management,” the draft guidance states.

Controls may be organizational, including:

Procedures (e.g., instructions for completion of records and retention of completed paper records);

raining of staff and documented authorization for data generation and approval;

ata governance system design, taking into consideration how data is generated, how it is recorded, how it is processed, how it is retained and used, and that risks or vulnerabilities are controlled effectively;

outine data verification; and

Periodic surveillance (e.g., self-inspection processes seek to verify the effectiveness of the data governance policy).

Controls may also be technical, including computerized system control and automation. Beyond effective controls, senior management must demonstrate its understanding and commitment to effective data governance practices.

The extent of management’s knowledge and understanding of data integrity can influence the organization’s success of data integrity management,” the guidance states. “Management must know their legal and moral obligation (i.e., duty and power) to prevent data integrity lapses from occurring and to detect them, if they should occur.”

“There have been a number of data integrity issues identified during GMP inspections in recent years, some of which have led to regulatory action being taken.”


European Medicines Agency

Senior management should further communicate its expectations to employees at all levels within the company in a manner that fosters a speak-up culture to report failures and opportunities for improvement. “This reduces the incentive to falsify, alter, or delete data,” the guidance states.

Risk management

The draft guidance also describes what risk management approach companies should take to data governance. “Management is responsible for the implementation of systems and procedures to minimize the potential risk to data integrity,” the guidance states. “Contract givers should perform a similar review as part of their vendor assurance program.”

Because not all data or processing steps have the same level of importance to product quality and patient safety, a risk management approach should be taken to determine the importance of each data or processing step. Such a risk management approach to data governance will consider the following two factors:

Data criticality. Both data influences and the impact of the data to a decision may differ in importance. Thus, one point to consider regarding data criticality is which decision the data will influence. For example: When making a batch release decision, data determining compliance with critical quality attributes is of greater importance than warehouse cleaning records.

Another important point to consider regarding data criticality is the impact of the data on product quality or safety. For example, the data determining the ingredients and quality of an oral tablet has a greater impact on product quality and safety than tablet friability data, the draft guidance states.

Data risk. “Data risk assessment should consider the vulnerability of data to involuntary or deliberate alteration, falsification, deletion, loss, or re-creation, and the likelihood of detection of such actions,” the draft states. “Consideration should also be given to ensuring complete data recovery in the event of a disaster.”

Control measures that prevent unauthorized activity, and increase detectability can be used as risk mitigating actions. Examples of factors that can increase risk of data integrity failures, on the other hand, include complex, inconsistent processes with open-ended and subjective outcomes. “Simple tasks which are consistent, well-defined, and objective lead to reduced risk.”

GOOD MANUFACTURING PRACTICES

Below are a few new questions and answers on good manufacturing practices from the European Medicines Agency.
Q: What is 'data integrity?'
A: Data integrity enables good decision-making by pharmaceutical manufacturers and regulatory authorities.It is a fundamental requirement of the pharmaceutical quality system described in EU GMP chapter 1, applying equally to manual (paper) and electronic systems.
Promotion of a quality culture together with implementation of organisational and technical measures which ensure data integrity is the responsibility of senior management. It requires participation and commitment by staff at all levels within the company, by the company’s suppliers and by its distributors.
Senior management should ensure that data integrity risk is assessed, mitigated and communicated in accordance with the principles of quality risk management. The effort and resource assigned to data integrity measures should be commensurate with the risk to product quality, and balanced with other quality assurance resource demands. Where long term measures are identified in order to achieve the desired state of control, interim measures should be implemented to mitigate risk, and should be monitored for effectiveness.
The following questions and answers describe foundational principles which facilitate successful implementation of existing guidance published by regulatory authorities participating in the PIC/S scheme. It should be read in conjunction with national guidance, medicines legislation and the GMP standards published in Eudralex Volume 4.
The importance of data integrity to quality assurance and public health protection should be included in personnel training programmes.
Q: How can data risk be assessed?
A: Data risk assessment should consider the vulnerability of data to involuntary or deliberate amendment, deletion or recreation. Control measures which prevent unauthorised activity and increase visibility / detectability can be used as risk mitigating actions.
Examples of factors which can increase risk of data integrity failure include complex, inconsistent processes with open-ended and subjective outcomes. Simple tasks which are consistent, well-defined and objective lead to reduced risk.
Risk assessment should include a business process focus (e.g. production, QC) and not just consider IT system functionality or complexity. Factors to consider include:
Process complexity
Process consistency, degree of automation /human interface
Subjectivity of outcome / result
Is the process open-ended or well defined
This ensures that manual interfaces with IT systems are considered in the risk assessment process. Computerised system validation in isolation may not result in low data integrity risk, in particular when the user is able to influence the reporting of data from the validated system.
Q: How can data criticality be assessed?
A: The decision which data influences may differ in importance, and the impact of the data to a decision may also vary. Points to consider regarding data criticality include:
What decision does the data influence?
For example: when making a batch release decision, data which determines compliance with critical quality attributes is of greater importance than warehouse cleaning records.
What is the impact of the data to product quality or safety?
For example: for an oral tablet, active substance assay data is of greater impact to product quality and safety than tablet dimensions’ data.
The decision which data influences may differ in importance, and the impact of the data to a decision may also vary. Points to consider regarding data criticality include:
What decision does the data influence?
For example: when making a batch release decision, data which determines compliance with critical quality attributes is of greater importance than warehouse cleaning records.
What is the impact of the data to product quality or safety?
For example: for an oral tablet, active substance assay data is of greater impact to product quality and safety than tablet dimensions’ data.
Source: European Medicines Agency

The draft guidance forewarns that a company that believes it has “no risk” of data integrity failures is “unlikely to have made an adequate assessment of inherent risks in the data lifecycle.” Assessing the data lifecycle, criticality, and risk in combination may indicate potential failures that may be investigated during an inspection.

Companies should periodically assess the effectiveness of data integrity controls as part of the internal audit process. Additionally, the draft guidance advises that self-inspection activities should extend to wide review of control measures, including employees’ understanding about the importance of data integrity, supported by the review of continued training in data integrity principles and expectations.

Q&A guidance

In addition to the draft guidance, the EMA issued a companion set of 23 new questions and answers on data integrity, which were developed by the EMA’s GMP/GDP Inspectors Working Group. The Q&A similarly contains advice on how to ensure data integrity and minimize risks at all stages of the data lifecycle in pharmaceutical quality systems. The advice applies to both paper-based and electronic systems.

The guidance should help senior management improve their companies’ data integrity practices. “Although there have been rare cases of deliberate falsification of data with management collusion, in most cases the underlying problems arise from weaknesses in the way that data is managed,” the EMA tells Compliance Week.

“The Q&As have been put together to build on existing GMP guidance in order to clarify what good practices are in this area,” the EMA adds. “The senior management of an organization that manufactures active substances or medicinal products has ultimate responsibility for quality, and quality depends on reliable data. Senior managers should therefore ensure that good practices are being implemented.”   

The Q&A specifically addresses:

Assessment of risks to data integrity in the collection, processing, and storage of data;

Risk management measures at various stages of the “data lifecycle”;

Design and control of both electronic and paper-based documentation systems; and

Measures to ensure data integrity for activities contracted out to another company.

“Data integrity issues can and do arise at any point in the product lifecycle.  The EMA Q&As are targeted to manufacturers where the EMA believes that deliberate and systematic falsification of data is rare,” the EMA says. “The majority of manufacturers have arrangements in place but would benefit by benchmarking these arrangements against the best practices described in the Q&As to ensure they are not vulnerable to the actions of rogue employees or experience issues arising from weak systems.”  

According to the EMA, the draft guidance and Q&A should be read in conjunction with national guidance, medicines legislation, and the GMP standards published in Eudralex Volume 4.

FDA guidance

The EMA draft guidance and Q&A align with similar draft guidance on data integrity in GMP manufacturing issued in April by the U.S. Food and Drug Administration. The FDA is one of many regulatory authorities participating in the PIC/S.

“[The] EMA and [the] FDA regularly exchange information on inspections that raise serious compliance issues and often work together in responding to them where there is a common interest,” the EMA says. “This would include serious data integrity cases.”

“The Q&As are a rapid way of communicating the expectations of, in this case, EU GMP inspectorates,” the EMA adds. “No decision has yet been taken on next steps.  From an EMA perspective, it is, however, planned that those steps will be the result of international collaboration on this topic.”

Both guidance come at a time when data integrity issues plague the industry, especially in countries like India and China. In late July, the EMA recommended suspending numerous drugs from Sandoz, Sanofi, Teva, and other companies after an investigation revealed that the Semler Research Centre, a contract research organization with an analytical and a clinical site in India, had substituted and manipulated clinical samples.

In a letter issued to Semler, the World Health Organization (WHO) also raised serious concerns regarding data integrity and manipulation of study samples following its own inspections. In December 2015, inspectors were provided with a spreadsheet file found on Semler’s server, which appeared to contain “an overview of manipulations of study samples” and “instructions useful for the purpose of manipulating samples,” WHO stated in the letter.

Regulators around the world are paying more attention to data integrity failures in the pharmaceutical industry like never before. The warning is loud and clear: Companies that have not implemented proper controls and oversight to ensure data integrity and good manufacturing practice can be sure an inspection will soon follow.

Continue the conversation at Compliance Week Europe: 7-8 November at the Crowne Plaza Brussels. Join us as we look at changes in global anti-corruption regulations, slave labour risks in your supply chain, and how to detect fraud, to name just a few topics. Learn more.