Here are a set of questions that should be evaluated in any data integrity risk assessment/evaluation.
- Do you have a list of all GxP activities performed in your organization?
- Do you know which GxP activities involve intensive data handling tasks?
- Do you know the automation status of each GxP activity?
- Have you identified a list of GxP records that will be created by each GxP activity?
- Have you determined the format in which the official GxP records will be maintained?
- Have you determined if a signature is required for each GxP record?
- Do you have controls to ensure that observed, measured or processed GxP data is accurate?
- Do you have controls to ensure that GxP data is maintained in full without being omitted, discarded or deleted?
- Do you have controls to ensure that naming, measurement units, and value limits are defined and applied consistently during GxP data handling?
- Do you have controls to ensure that GxP data is recorded at the same time as the observation/measurement is made or shortly thereafter?
- Do you have controls to ensure that GxP data is recorded in a clear and human readable form?
- Do you have controls to ensure that data values represent the first recording of the GxP data or an exact copy of an original data?
- Do you have SOP(s) addressing management of GxP documents and records and good documentation practices?
- Do you have SOP(s) addressing the escalation of quality events that also cover data integrity breaches?
- Do you have SOP(s) addressing self-inspections/audits with provisions for data integrity?
- Do you have SOP(s) addressing management of third parties with provisions for the protection of data integrity?
- Do you have SOP(s) for Computerized Systems Compliance?
- Do you have SOP(s) for training and does it include training on data integrity for employees handling GxP data?
- For GxP activities that generate data essential for product quality, product supply or patient safety, do you have controls to prevent or minimize:
- Process execution errors due to human inability, negligence or inadequate procedures?
- Non-compliance due to unethical practices such as falsification?
- Do you have controls to ensure that only authorized employees are granted access to GxP data based on the requirements of their job role?
- Do you have controls to ensure that only the GxP activity owner or delegate can grant access to the GxP data?
- Do you have controls to eliminate or reduce audiovisual distractions for GxP activities with intensive data handling tasks?
- Do you assess the design and configuration of your computerized GxP activity to minimize manual interventions where possible?
- Do you have controls for review of audit trail data at relevant points in the process to support important GxP actions or decisions?
- Do you have controls, supervision or decision support aids to help employees who perform error-prone data handling activities?
- Do you have controls to ensure business continuity if a GxP record essential for product quality, product supply, or patient safety is not available? Both for when there is a temporary interruption to GxP activity or during a disaster scenario?
- Do you have a process for ensuring that data integrity requirements are included in the design and configuration of GxP facilities where data handling activities take place?
- Have you assessed the compliance status of computerized systems used to automate GxP activities?
- Do you have controls to prevent data capture and data handling errors during GxP data creation?
- Do you have controls to ensure the accuracy of date and time applied to GxP data, records and documents?
- Do you have controls to ensure that changes to GxP data are traceable to who did what, when and if relevant why during the lifecycle of the GxP data?
- Do you have controls to ensure that – when required – legally binding signatures can be applied to GxP records and its integrity are ensured during the retention period of the GxP record?
- Do you have controls to ensure that GxP computerized systems managing GxP data can:
- Allow access only to employees with proper authorization?
- Identify each authorized employee uniquely?
- Do you have controls to ensure that GxP data can be protected against accidental or willful harm?
- Do you have controls to keep GxP data in a human readable form for the duration of the retention period?
- Do you have controls to ensure that the process for offline retention and retrievals is fit for its intended purpose?
While these questions are very pharma/biotech specific in places, they should serve as thought process for your own system checkup.
- Is there a written SOP covering the change control program that has been approved by the Quality Unit?
- Do procedures in place describe the actions to be taken if a change is proposed to a starting material, product component, process equipment, process environment (or site), method of production or testing or any other change that may affect product quality or reproducibility/robustness of the process?
- Does the SOP ensure that all GMP changes are reviewed and approved by the Quality Unit?
- If changes are classified as “major” or “minor,” do procedures clearly define the differences?
- Does your change management system include criteria for determining if changes are justified?
- Are proposed changes evaluated by expert teams (e.g. HSE, Regulatory, Quality…)?
- Is there a process for cancelling a change request prior to implementation? And Is a rationale for cancellation included?”
- Does your Change control management site procedure describe clearly the process to close a change request (After all regulatory approvals…)?
- Are any delays explained and documented?
- Is there a written requirement that change controls implemented during normal or routine maintenance activities be documented in the formal change control program?
- Is your change management system linked to other quality systems such as CAPA, validation, training?
- Does your change management system include criteria for determining if changes will require qualification/requalification, validation/revalidation and stability studies?
- Are “like for like” changes (changes where there is a direct replacement of a component with another that is exactly the same) clearly defined in all aspects (including material of construction, dimensions, functionality,,,) ? Are they adequately documented and commissioned to provide traceability and history?”
- Is there an allowance for emergency and temporary changes under described conditions in the procedures?
- Are the proposed changes evaluated relative to the marketing authorization and/or current product and process understanding?
- Does your change management system include criteria to evaluate whether changes affect a regulatory filling?
- When appropriate are regulatory experts involved? Does the regulatory affairs function evaluate and approve all changes that impact regulatory files?
- Are changes submitted/implemented in accordance with the regulatory requirements?
- Is there a defined system for the formalization, roles and responsibilities for change control follow-up?
- Is the effective date of the change (completion date) recorded and when appropriate the first batch manufactured recorded?
- Is there a periodic check of implementation of Change controls?
- Following the implementation, is there an evaluation of the change undertaken to confirm the change objectives were achieved and that there was no adverse impact on product quality?
- Is all documentation that provides evidence of change, and documentation of requirements, controlled and retained according to procedure?
- When necessary, are personnel trained before the implementation of the change?
- Are change controls defined with adequate target dates?
- If the change control goes beyond the target date, is there a new date attributed, evaluated and documented by Quality Assurance?
- Are there routine evaluations of the Change controls and trends (number, Change controls closure, trends as defined)?
- Are changes closed on due date ?
- Are the Change controls and follow-up formalized in a report and/or periodic meetings?
These sort of questions form a nice way to periodically checking up on your system performance and ensuring you are moving in the right direction.
Data integrity has been, for the last few years, one of the hot topics of regulatory agency inspections for the last few years, one that it has often been noticed seems to be, at times, a popular umbrella for a wide variety of related topics (that usually have a variety of root causes).
Data Integrity is an interesting grab bag because it involves both paper and electronic data. While some of the principles overlap, it sometimes can seem nebulous, Luckily, the MHRA recently published a final guidance on GXP Data Integrity that ties together several threads. This is a great reference document that lays out some key principles:
- Organizational culture should drive ALCOA
- Data governance is part of the management review process
- Data Risk Assessments with appropriate mitigations (full risk management approach)
I love the snarky comment about ALCOA+. More guidances should be this snarky.
The FDA so far this year has been issuing warning letters and 483s in more traditional GMP areas, such as testing and validation. It will be curious if this lessening of focus in a subtle shift in inspection, or just the result of the sites inspected. Either way, building data integrity into your quality systems is a good thing.
Processes and tools for the prevention, detection, analysis, reporting, tracking and remediation of noncompliance to data integrity principles should be integrated into the Quality Management System to:
- Prevention of data integrity issues through governance, training, organizational controls, processes, systems underlying and supporting data integrity.
- Detection of data integrity issues through leveraging existing Quality Systems, tools and personnel.
- Remediation of data integrity issues through leveraging existing Quality Systems that identify and track implementation of corrective/preventive action(s).
Some ways to integrate includes:
- Data integrity training for all employees
- Include as an aspect of audits and self-inspections
- Controls in place to ensure good documentation practices
- good validation practices
- Computer system lifecycle management (include audit trail reviews)
- Ensure your root cause investigators and CAPA people are trained on data integrity
- Data integrity as a critical decision point in change management
Data integrity, like many other aspects of a quality culture, are mindsets and tools that are applied throughout the organization. There really isn’t a single project or fix. By applying data integrity principles regularly and consistently you build and ensure. A such, data integrity is really just an affirmation of good quality principles.