How To Control Data Integrity Issues In The Pharmaceutical Industry
For the last five years, the pharmaceutical industry has been in continuous commotion and struggle. The owners of pharmaceutical companies are experiencing sleepless nights, all because of two words: 'data integrity'. With no magic wand to control this growing issue, senior management is deeply frustrated. There are many reasons for this difficult situation. Among them, the cultural issue has been exposed most prominently by regulatory agencies.
The success of a pharmaceutical company depends on making quality medicines at lower cost. Quality is built on the foundation of transparency and accuracy of the processes used in the manufacture of medicinal drugs.
Whether a process is a computerized system or a manufacturing method, it generates data. That data stands as evidence of the work carried out.
This data is the main basis on which regulatory agencies inspect the quality of the products. Hence the sanctity of the data is extremely important.
The pharmaceutical industry generates data in two ways: manually on paper and electronically on a hard disk. This data contains details of all the activities performed during the manufacture of medicinal drugs. It includes people, equipment, software and the method executed.
Recording of data starts from the very beginning of the manufacturing process and ends with the delivery of the final product.
Details of all deviations, failures and incidents must be recorded as and when they occur. These records should be readily available for the regulatory inspections.
What Type of Data Is Generated in the Pharmaceutical Industry?
The pharmaceutical industry produces life-saving drugs for the treatment of various ailments. As part of the manufacturing process, the industry needs to perform various activities to bring the medicinal drugs into the market. The process starts with the procurement of raw materials and ends with the distribution of the drug into the market.
During this period, many paper and electronic records are generated. The data generated at each and every step of this process is subject to regulatory scrutiny. It makes no difference whether the data is from finance, marketing, warehouse, production or a laboratory. Data of all departments will be treated equally and regulations will apply to all in the same degree.
Here are some examples of data.
1. The quantity of raw material received
2. The quantity of raw material utilized
3. The quantity of raw material discarded
4. Laboratory test records of products
5. Batch processing records
6. Instrument calibration records
7. Humidity and temperature control records
8. Software validation reports
9. Out of specification investigations
10. Deviations from the process
11. Incidents that happened during the execution of a process
12. Internal inspection reports from QA department
13. Document distribution and archival records
14. Document/records destruction logs
15. Equipment usage logs
16. Employee training records
17. Employee attendance records
18. Employee health records
19. Employee access control records of restricted areas
20. Job responsibilities of employees
21. Plant layouts
22. Vendor qualification records
23. Equipment qualification records
24. Process validation reports
25. Analytical method validation reports
26. Complaint investigation reports
27. Reports of return goods
28. Investigation reports from process R&D
29. The product's in and out movement records in warehouse
30. Customer audit reports and implementation of CAPAs
31. Investigation reports of out of trend result
32. Product stability study reports
What Governs Data Integrity?
Data integrity always depends on a transparent culture and on the moral behavior of employees in the company (from casual labor right up to the CEO/MD/Chairman). Employees should have the freedom to follow the written procedures exactly and to report all events as and when they occur, without hesitation or fear.
Employees should not wait for a superior's instruction to record a batch failure, an incident or a deviation. A strong quality system should be in place, and it has to work independently, without falling under the influence of those who hide or avoid problems.
Higher management should be highly quality-conscious and should build the quality systems around the patient, not around greed for profit. The company's management should never encourage people, directly or indirectly, to conceal things from the quality system by putting employees under pressure.
In my experience, what I observed and understood is that the lack of strong science-based investigation teams, incompetent human resources (at all work levels), tight competition in global sales, and non-availability of funds for investment in new technologies (software and equipment) are dragging the industry back from its desired position.
The moral integrity of employees and management's commitment to quality products are both essential to protecting data integrity. Manufacturing costs should be controlled through better processes developed by R&D, not by compromising the implementation of quality systems.
To protect data integrity, the major responsibility of the company's management is to develop a tamper-proof data generation system across all processes and methods. Rather than investigating after intentional or unintentional breaches of data integrity are observed, it is wiser to identify the vulnerable points and close off the avenues for data tampering.
How to Control Data Integrity Issues of Paper Records?
Paper records may be generated by a person or by an automated instrument. Some paper records are generated as a printout of the electronic image from an instrument used for the measurement.
This type of instrument doesn't save any data to generate an electronic record. Only the electronic image will be printed directly on the paper through a printer when it is triggered to print.
Here, three things will play a critical role in the maintenance of data integrity.
            1. Time and date of data generation
            2. The authenticity of data generator
            3. The originality of the data.
Let us try to understand this with a simple example.
Activity: Operator has to record the temperature of the finished product storage room at 12:00 p.m. in a log book manually. The room has no data logger to record the temperature automatically. The limit for temperature is 25ºC (±2ºC). If it is out of the limit, an investigation has to be initiated to decide the fate of the products stored there.
What are the possibilities for the breach of data integrity in this case?
            a. The operator can record the temperature reading:
                  - Before or after the predefined time.
                  - From a non-calibrated thermometer.
                  - Within the acceptable range even though it has crossed the predefined limit.
            b. An untrained operator may be executing the task. This leads to an incorrect record of temperature readings.
If you are really concerned about the practical scenario, you cannot easily dismiss the chance that any of these things will happen. Situations of this type are fully evident in the warning letters issued by various regulatory agencies.
The operator might have been engaged in other work in some other area at the time reserved for the temperature recording. He comes back at 2:00 p.m., records the temperature reading and signs with a backdated time. Who knows?
Or else, he records 25ºC intentionally, even though the actual temperature is 30ºC, to avoid further investigations. Then, what about the originality of data?
If the operator is an untrained person, then he records the reading without knowing the impact of temperature, for the sake of record keeping, since it is defined in the standard operating procedure (SOP). He won't bother about the science behind the recording of temperature.
That is why the authenticity of the "data generator" is very crucial. Non-calibrated instrument and untrained person both belong to the same category. The data generated by these two have no integrity and validity. The results recorded by them are unreliable and subject to regulatory action.
Then, what is the way to overcome these types of issues?
The illustration above is only one of many such situations in the drug manufacturing industry. To get out of these undesired and noncompliant activities, you need to take a comprehensive approach to mitigating the issue. Prepare an action plan and implement the solutions.
Action plan:
1 | Identify and list out all the works/activities that are dependent on paper records. |
2 | Try to install closed-circuit (CC) cameras to monitor the person's activity in critical areas. |
3 | Identify the risk factors and estimate the risk involved in the activity and document it. Define the immediate steps to follow to control the situation in case any undesired thing or serious non-compliance occurs. |
4 | Create a de-risk system, based on a risk assessment study, to protect the integrity of the data. |
5 | Establish a competent second person review system for the review of the records. The second person's review should happen immediately after the task completion by the employee. The review system should work 24X7, i.e., round the clock. |
6 | A checklist should be in place for the daily verification of critical things. Define the list of items to be checked based on the criticality of the activity. |
7 | Train the employee and conduct a test of whether he is fit to execute the job. Document the training and test details as a piece of evidence. |
8 | Display the calibration details near the instrument for the ready review of the employee. |
9 | Define the process to be followed in case of deviations, incidents or failures. |
10 | Establish access controls into the areas where manual recordings are performed, to ensure the person's presence at the time of the activity. |
The following exhibit is a model format that can help control the case described above.
Control of Blank Forms
As the industry is not yet fully automated, it is quite natural to use printed blank forms for various manufacturing activities to save time. The control of these blank forms is a critical factor. The level of control you enforce determines the integrity of the data generated on paper.
The integrity of a paper record is not only linked to the data entered on it; it also includes the whole process of printing, storage and distribution of blank forms. The entire process must be transparent and in control. Control of blank forms receives a lot of regulatory attention because uncontrolled blank forms give scope to falsify data, which may in turn lead to adulterated drugs entering the market.
Blank forms can be procured from a printing press or directly printed from a computer at the location. You must have control of both sources.
1. Control of Blank Forms procured from a printing press.
Quality Assurance (QA) department is responsible for the control of blank forms. Except for QA, no other function should have authority to procure or distribute the forms.
The designed blank form must come into effect through the Change Control (CC) system. The blank form must have version control to identify the series of changes that have been made to it.
If a blank form is reissued for task completion, for any reason, the justification must be documented and the initial form shall be kept as a permanent record along with the reissued ones.
The following process may ensure the control of blank forms from a printing press.
- QA department shall generate the purchase order (PO) for the required quantity.
- QA department receives the ordered quantity and documents it along with the PO.
- QA verifies the received forms to identify whether there are any incomplete items, legibility problems or damages.
- If any discrepancy is observed in the forms, it has to be documented, i.e., the number of damaged/incomplete/illegible forms.
- All non-usable forms shall be retained and placed in a secured place for the future verification of regulatory agencies.
- QA should maintain a log for the distribution of blank forms and reconcile after the completion of all issued forms.
2. Control of Blank Forms printed from a computer
The master copy of the blank form shall be stored on a computer that is under the absolute control of the Quality Assurance department. No copy of it should be available anywhere in the company except in the QA department.
The following process may ensure the control of blank forms printed from a computer.
- QA has to prepare a list of authorized persons who are allowed to take the printout and distribute the blank forms.
- The printout of the blank form should contain the details of the person who has printed it along with date & time and copy number.
- QA shall maintain a log for the distribution of blank forms printed from a computer and reconcile after the completion of all issued forms.
- If there are issues with the printouts such as damage, partial printing and illegibility, the same has to be documented.
- All non-usable forms shall be retained and placed in a secured place for the future verification of regulatory agencies.
From the above discussion, you will have understood by now how critical and complex it is to control paper documents. In fact, assuring the data integrity of paper records is the greatest challenge for companies. This issue often puts them at higher risk from a regulatory point of view.
How to Control Data Integrity Issues of Electronic Records?
Electronic records play a vital role in the manufacturing of medicinal drugs. Since you can control and decontrol electronic records at will, it is essential to ensure the reliability and accuracy of the data they hold.
ISO has therefore established international standards and requirements for electronic records management.
The design of all software and programs that are used in the manufacturing of medicinal drugs must comply with these standards.
Some of the ISO standards are:
      1. ISO 15489: Records management
      2. ISO 30300: Management Systems for Records - Fundamentals and Vocabulary
      3. ISO 30301: Management Systems for Records - Requirements
      4. ISO 23081-1: 2006 Metadata for records - Part 1: Principles
      5. ISO 23081-2: 2009 Managing metadata for records - Part 2: Conceptual and implementation issues
      6. ISO 23081-3: 2011 Managing metadata for records - Part 3: Self assessment method
      7. ISO 16175: Principles and functional requirements for records in electronic office environments
Electronic records are generated in two ways in the pharmaceutical industry.
       Example: Electronic Record of temperature and humidity generated using data loggers
                         Electronic Record of pH and conductivity generated using simple software
The second one is by automated complex processes which run through highly configurable computerized systems.
       Example: Batch execution using electronic batch processing record (eBPR).
                         HPLC data generated by chromatography software in the QC laboratory.
Governments across the globe have set forth rules and regulations to control electronic data manipulation in the pharmaceutical industry. Every pharmaceutical company must meet the requirements put forth by the law.
The common requirements in all the countries may be:
       Data should be:
              Attributable
              Legible
              Contemporaneous
              Original
              Accurate
   2. Governance of Electronic Data
      Data should be:
              Complete: the data must be whole; a complete set
              Consistent: the data must be self-consistent
              Enduring: durable; lasting throughout the data lifecycle
              Available: readily available for review or inspection purposes
Refer to the websites below for more details:
Data Integrity – An international regulatory perspective
MHRA-‘GXP’ Data Integrity Guidance and Definitions
Data Integrity and Compliance With Drug CGMP
Pharmaceutical companies must comply with the above requirements. Absolute control of the electronic data will save the firm from many adversities and regulatory actions. Hence, it is essential to evaluate the existing situation in the company and to identify the risk.
How to identify the gaps in electronic data management?
At first, make a list of electronic data generation sources in the cGMP workflow. Then start the verification of your existing electronic data generation and governance systems. Identify the gaps between your practices and regulatory requirements. Estimate the risk and its effect on the process, product and patient. Make an action plan to eliminate the risk. Explore the solutions to mitigate or eliminate the risk.
Prepare a checklist, based on the below checkpoints, for the verification and identification of the risk.
A. Computer
1 | Is the access to computer restricted through the individual user login account? |
2 | Are the date and time locked to prevent the changes by a user? |
3 | Is there an antivirus software to protect the operating system from the attack of unwanted programs? |
4 | Is there adequate protection for the computer against cyber attacks? |
5 | Is the recycle bin disabled on the computer? |
6 | Is the data organized in a systematic way on the hard disk for easy search and identification? |
7 | Are the files and folders locked to prevent access from unauthorized persons? |
8 | Are the connectivity errors being addressed and investigated (in case the computer connects with a server)? |
9 | Is the data transfer method, from computer to server, validated? |
10 | Is there an established system, to analyze the operating system errors? |
11 | Is the frequency defined for the verification of operating system errors? |
12 | Is there a policy for the upgradation of an operating system? |
13 | Is there a policy for the retirement of computers? |
B. Software
1 | Is the software validated after the installation on the hard disk? |
2 | Are there any failures in the software validation? |
3 | Are the reasons identified for the software validation failure? |
4 | Has the CAPA been implemented for the software validation failures? |
5 | Do you have a procedure to handle the re-installation requirements of the software? |
6 | Is there a defined policy for the upgradation of software? |
C. User Management
1 | Is there any shared login account in use? |
2 | Do the users have unique login accounts and passwords? |
3 | Do the user passwords have an expiry date? |
4 | Is the validity period of password defined? |
5 | Is there a procedure to remove the accounts of resigned employees? |
D. Data Controls
1 | Does the software have an audit trail function as an integrated part of it? |
2 | Is the audit trail enabled in the software? |
3 | Does the audit trail track the date & time of record generation, the username, and the modification and deletion of records? |
4 | Is the audit trail data locked and protected from the intentional or unintentional changes/deletion by the user? |
5 | Does the data contain metadata as an integral part of it? |
6 | Are the user levels defined? |
7 | Are the user privileges defined? |
8 | Are the controls established to prevent the data deletion by the personnel accidentally or deliberately? |
9 | Is the processing and reprocessing of the data controlled? |
10 | Are the formulas used in the data analytics and calculations validated? |
11 | Is there an established system to address the discrepancies of the data? |
12 | Is there an established system to address software errors? |
13 | Is there an established system to address the firmware errors? |
14 | Is there an established system to deal with a corrupted file that is generated unexpectedly during the execution of a task? |
E. Data Backup
1 | Is there a defined policy for data backup? |
2 | Is the frequency of data backup defined based on the type of data? |
3 | Is the data backup procedure validated for its accuracy and consistency? |
4 | Is there a separate IT team for the data backup? |
5 | Is there a list of authorized persons to take the backup of data? |
6 | Have you defined the media for the data backup? |
7 | Have you defined the number of backup copies to be taken? |
8 | Have you defined the frequency to verify the backed up data for its accuracy and consistency? |
9 | Is there a defined procedure to verify the backed up data for its accuracy and consistency? |
F. Data Retrieval
1 | Do you have all the required software to restore the data? |
2 | Do you have the list of software that was used previously and is not in use currently? |
3 | Have you retained the copies of the software that was used previously and is not in use currently? |
4 | Is there a procedure to handle the failures of data retrieval? |
G. Data Archival
1 | Is there a procedure for the archival of backup data? |
2 | Have you defined the custodians of media which contains the backup data? |
3 | Have you established access controls to the media that holds the backup data? |
4 | Are there sufficient safety measures to protect the backup data from the disasters? |
The above questions will help you to dive deep into your electronic data issues. Prepare a meticulous plan and form a task force to work on a war footing.
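Checkpoints D.3 and D.4 ask that the audit trail record date & time, username, modification and deletion, and that it be protected from change. The following is an added example, not part of the original article, showing one way to make such a trail tamper-evident by chaining each entry to the previous one with a keyed hash; the field names, record IDs, the sample key and the idea of storing the latest "head" value outside the system are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # stands in for "no previous entry"
SAMPLE_KEY = b"constructed-demo-key"  # assumption: in practice held by IT/QA, never by users


def _entry_mac(key, prev_mac, body):
    """HMAC-SHA256 over the previous entry's MAC plus this entry's fields."""
    payload = prev_mac + json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def append_entry(trail, key, timestamp, username, action, record_id, old_value, new_value):
    """Append one audit entry and return the new head MAC (store it outside the system)."""
    body = {
        "seq": len(trail) + 1,
        "timestamp": timestamp,
        "username": username,
        "action": action,          # create / modify / delete
        "record_id": record_id,
        "old_value": old_value,
        "new_value": new_value,
    }
    prev_mac = trail[-1]["mac"] if trail else GENESIS
    trail.append(dict(body, mac=_entry_mac(key, prev_mac, body)))
    return trail[-1]["mac"]


def verify_trail(trail, key, expected_head=None):
    """Return a list of findings; an empty list means the trail is intact."""
    findings = []
    prev_mac, prev_seq = GENESIS, 0
    for position, entry in enumerate(trail, start=1):
        body = {k: v for k, v in entry.items() if k != "mac"}
        stored = str(entry.get("mac", ""))
        if body.get("seq") != prev_seq + 1:
            findings.append(f"position {position}: sequence gap or reordering")
        if not hmac.compare_digest(stored, _entry_mac(key, prev_mac, body)):
            findings.append(f"position {position}: entry altered or predecessor removed")
        prev_mac, prev_seq = stored, body.get("seq", prev_seq)
    # Removing entries from the end leaves a valid shorter chain, so the last
    # MAC must also match the head value kept by an independent custodian.
    if expected_head is not None and prev_mac != expected_head:
        findings.append("head mismatch: entries removed from or added to the end")
    return findings


def sample_trail():
    """Constructed sample: four audit entries for a storage-room temperature record."""
    trail = []
    rows = [
        ("2024-03-01T12:00:05", "operator1", "create", "TEMP-0001", None, "30.2"),
        ("2024-03-01T12:04:41", "operator1", "modify", "TEMP-0001", "30.2", "30.4"),
        ("2024-03-01T12:30:00", "reviewer1", "create", "DEV-0001", None, "investigation opened"),
        ("2024-03-02T12:00:03", "operator2", "create", "TEMP-0002", None, "25.1"),
    ]
    head = GENESIS
    for row in rows:
        head = append_entry(trail, SAMPLE_KEY, *row)
    return trail, head


if __name__ == "__main__":
    trail, head = sample_trail()
    print("intact trail:", verify_trail(trail, SAMPLE_KEY, head))
    trail[1]["new_value"] = "25.0"  # simulate an after-the-fact edit
    print("edited trail:", verify_trail(trail, SAMPLE_KEY, head))
```

The check localizes an edited entry, a removed entry and a truncated trail, which is what a reviewer needs to start an investigation; it does not replace restricting write access to the trail itself.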
Action plan:
1 | Install effective antivirus software on all computers. |
2 | Install the latest operating system as far as possible. |
3 | Allow only authorized persons to access the desktop computers or computerized systems. |
4 | Use individual login accounts to access the computers. |
5 | Have a dedicated IT team to deal with all types of data problems. |
6 | Have a dedicated IT team for the data backup and archival. |
7 | Define user levels in all software. |
8 | Clearly define the privileges of the administrator and regular user. |
9 | Give administrator privileges to IT person only. |
10 | IT team should be independent of the manufacturing team. |
11 | Restrict the access of all files and folders, on the computer hard disk, based on the need. |
12 | All users should enter into the software through individual login account only. |
13 | No one person should have the data deletion privilege in the company. |
14 | Enable audit trails in all software. If there is no audit trail facility, estimate the risk and arrange alternate controls for the protection of data. |
15 | Every user should have a unique password. |
16 | All passwords should have an expiry period. Example: 90 days. |
17 | Use only validated software at all processes and operations. |
18 | Have a dedicated team for the immediate investigation of all operating system errors and data file corruptions. |
19 | Make the QA and IT departments the joint custodians of backup data. |
20 | Validate the backup procedure and document it. |
21 | Backup the data daily if it is a standalone system and data is stored on a computer hard drive. |
22 | If possible, it's better to connect all standalone systems to one local server and store the data there. |
23 | Always disable recycle bin on the computer. |
24 | Document the verification details of backup data. Define the acceptance criteria for consistency and accuracy. Prove the data transferred to the media is consistent and accurate. |
25 | Take two copies of backup data and store each copy in a different secured place. Include this in your SOP. |
If you fulfil all the above-said things, you can easily meet all the regulatory requirements of electronic data. Create a monitoring system in such a way that no scope is left for anyone to modify or delete the data from the quality system.
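Items 20, 24 and 25 of the action plan call for validating the backup, defining acceptance criteria, and proving that both backup copies are consistent and accurate. The following is an added example, not part of the original article, that compares a SHA-256 manifest of the source data against each backup copy; the acceptance criterion used here (no missing, extra or mismatched files in any copy) and all file and directory names are assumptions for the illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's relative path to (size in bytes, SHA-256 hex digest)."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = (path.stat().st_size, digest.hexdigest())
    return manifest


def compare_to_source(source_manifest, backup_root):
    """List the discrepancies between the source manifest and one backup copy."""
    backup = build_manifest(backup_root)
    common = source_manifest.keys() & backup.keys()
    return {
        "missing": sorted(source_manifest.keys() - backup.keys()),
        "extra": sorted(backup.keys() - source_manifest.keys()),
        "mismatched": sorted(n for n in common if source_manifest[n] != backup[n]),
    }


def verify_backup_copies(source_root, backup_roots):
    """Return (accepted, report). Accepted only if every copy has zero discrepancies."""
    source = build_manifest(source_root)
    report = {str(root): compare_to_source(source, root) for root in backup_roots}
    # An empty source is rejected too: "nothing to compare" is not evidence of a good backup.
    accepted = bool(source) and all(not any(d.values()) for d in report.values())
    return accepted, report


if __name__ == "__main__":
    # Constructed sample data: a standalone system's data folder and two backup copies.
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "instrument_data"
        (src / "hplc").mkdir(parents=True)
        (src / "hplc" / "run_001.dat").write_bytes(b"constructed chromatogram bytes")
        (src / "temp_log.csv").write_text("2024-03-01T12:00,25.1\n")
        copy_a, copy_b = tmp / "copy_a", tmp / "copy_b"
        shutil.copytree(src, copy_a)
        shutil.copytree(src, copy_b)
        print("after backup:", verify_backup_copies(src, [copy_a, copy_b])[0])
        # Simulate silent corruption of one file on the second medium.
        (copy_b / "hplc" / "run_001.dat").write_bytes(b"constructed chromatogram bytez")
        accepted, report = verify_backup_copies(src, [copy_a, copy_b])
        print("after corruption:", accepted, report[str(copy_b)])
```

The returned report can be filed as the documented verification record for each backup run.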
What Is The Comprehensive Approach To Protecting The Data Integrity?
First of all, define the data integrity policy and implement it immediately.
Make data integrity one of the core values of the company.
Ensure the awareness of every employee on data integrity and its importance, by conducting periodical training.
Take an oath from every employee not to breach the integrity of data intentionally; make the individual responsible for the self-generated data.
Provide freedom to an employee, to report the data integrity issues, without fear, to the higher management or CEO.
Have a permanent independent team to audit and identify the data integrity issues across the organization irrespective of departments. This team should comprise the members from the IT and regulatory backgrounds with expertise. This team must report to the CEO directly and continuously strive for the identification of data integrity issues across the organization.
Avoid business pressure, from marketing, sales team and other business heads, on the employees working in the factory. Especially the Quality Control laboratory employees face this type of pressure in great amounts. The head of the quality control department will be always under tremendous business pressure instead of compliance pressure. The position of QC head is very vulnerable and contains permanent risk.
Let them do their job, without pressure, following the quality systems as such. Recognize that their only duty is to produce the high-quality material following established quality systems. Don't mix them with business activities. Otherwise, the whole philosophy and purpose will be defeated.
Don't make employees panic by creating job insecurity or by blackmailing them in some other way for not obeying indirect orders to manipulate data. Identify the people who are doing this kind of thing and eliminate them from the manufacturing activities.
Eradicate dual management system if it exists knowingly or unknowingly. Here dual management means one creates quality systems, only for the sake of regulatory agencies, but the actual governance runs through oral instructions.
If the management is serious and transparent, it is not that difficult to avoid data integrity issues in the pharmaceutical industry. The only things they have to concentrate on are the moral behavior of employees at all work levels in the organization and investment in tamper-proof technologies.
Summary
Pharmaceutical manufacturing is a very complex business. It contains multiple stages, different technologies, very critical processes and numerous paper and electronic records. Many hundreds of people have to work together to produce medicines. It is impossible to manufacture medicinal drugs without people's involvement.
Senior management's responsibilities are increasing day by day with the rise of new technology in the industry. Data management and protection of data integrity are throwing new challenges to the business leaders. Data integrity has become the primary responsibility of company management.
In the wake of this challenging situation, it is necessary to bring the data integrity policy into effect. It is also essential to control the blank forms wherever manual data entries are unavoidable. Verification by a second competent person is a must in the case of manual entry of data.
Verify all your software and firmware to identify the vulnerabilities of data. Assess the risk and derive a plan to eliminate or mitigate it. Thus, protect the electronic data from integrity issues.
Only validated software shall be used in all kinds of manufacturing processes and laboratories. Strict user controls must be in place to generate and process the data. No option shall be left to the user to delete or modify the data.
Take the backup of all electronic data periodically. Ensure that the accuracy and consistency are maintained even after the transfer of data onto the storage media. Store the backup data in a secured place.
Develop a quality culture and ethical behavior among all the employees at all work levels. Transparency and moral behavior will definitely help in controlling the data integrity issues of the pharmaceutical industry.
Author Profile
Ram Kumar Reddy
Ram Kumar Reddy is the founder of Pharma Times Now. He helps pharmacy and chemistry students, along with pharma employees, in learning pharmaceutical science. He has 24 years of rich experience in the pharmaceutical industry and is well versed in quality systems. He worked with Dr. Reddy's and Sai Life Sciences. He lives in Hyderabad, India.
Very useful and informative.
Thank you RK.
Excellent collection...
Excellent
Thank you.
Very informative, precise and practical approach used in this article to describe Data Integrity in Pharma Industries. Lot of learnings in this article.
Thanks. Dr.
A lot of learning, sir
Thanks Gulshan
Thanks ...Very informative
Excellent blog
Thank you.
It's a very helpful and informative article for pharma employees or students.
Important information sir ... thanks
Thank you, very informative. I am having a Data Integrity Issue with a turbidity meter that does not have sign on and it overwrites data, nor does it have an audit trail. The data is transferred to Excel, which can be manipulated. I am fairly new and am trying to figure this out.