Data Integrity
Data Integrity
Session 1
•Introduction to the MHRA, the Inspectorate and inspections
Session 2
•Requirements for Data Integrity - Chapter 4
(Documentation)
•........as well as a little bit of Chapter 1 and Chapter 6
Session 3
•Requirements for Annex 11 - Computerised Systems
•Examples of typical deficiencies
2
Data integrity from IEEE*
3
Data integrity from Wikipedia!
5
Conscious Competence
Learning matrix
UNCONSCIOUS
CONSCIOUS
CONSCIOUS
UNCONSCIOUS
INCOMPETENCE
INCOMPETENCE
COMPETENCE
COMPETENCE
Unaware of the
Aware of the skill
Able to use the
Performing the
6
Corporate Consciousness –
Data Integrity
UNCONSCIOUS
CONSCIOUS
CONSCIOUS
UNCONSCIOUS
INCOMPETENCE
INCOMPETENCE
COMPETENCE
COMPETENCE
7
Corporate Consciousness –
Data Integrity
UNCONSCIOUS
deficiency in the area concerned
INCOMPETENCE
Company might deny the relevance or usefulness of
gap begin
Management and if necessary Regulators must move
8
Corporate Consciousness –
Data Integrity
9
Corporate Consciousness –
Data Integrity
10
Corporate Consciousness –
Data Integrity
COMPETENCE
Staff might now be able to teach others in the skill
Good practice
concerned, although after some time of being
becomes
unconsciously competent the person might actually
automatic have difficulty in explaining exactly how they do it - the
skill has become largely instinctual
11
Corporate Consciousness –
Data Integrity
UNCONSCIOUS
CONSCIOUS
CONSCIOUS
UNCONSCIOUS
INCOMPETENCE
INCOMPETENCE
COMPETENCE
COMPETENCE
12
Session 1
Executive Agency
Government Trading Fund and an Executive Agency of the
Size
Around 1270 staff, with a total budget of approximately £150 million
Location
Head office at 151 Buckingham Palace Road, London
NIBSC based at South Mimms, Hertfordshire
A regional office in York
British Pharmacopoeia and MHRA laboratories based at the
laboratories of the Laboratory of the Government Chemist in
Teddington
MHRA – Our Vision
CPRD Centre
Communications
Policy
Management of
Devices
Medicines
Operations &
Finance
MHRA Centre
Human
Resources
Inspection,
Licensing
Enforcement &
Standards
NIBSC Centre
Information
Management
The Agency - Organisation
• MHRA
-Regulates medicines and medical devices, ensuring that they work, and
Statutory role under the Medicines Act 1968 (now Human Medicines
Regulations 2012), and other EU legislation for the regulation of:
Medicines
Clinical trials of medicines
Advanced therapies (gene, stem cell, tissue-engineered)
Medical devices
Blood safety and quality
Herbal medicines
Council of Europe
European Directorate for the Quality of Medicines and Healthcare
(EDQM)
Worldwide Interfaces (GMP)
Kosovo China
Japan
Singapore
Brazil
Australia
Ghana
New Zealand
Confidentiality agreement
Memorandum of Understanding
24
The Importance Of India to UK
• 38% of UK Product
Licences name an Indian
API source
Active Substance supply sites
IND
600
CHN
USA
500 JPN
CHE
KOR
400
ISR
No. sites
MEX
300 BRA
CAN
200 TWA
ARG
TUR
100
MYS
SGP
0 PRI
Director
Mr Gerald Heddell
Personal Assistant:
Ms Janet Rickards
Group Manager
Unit Manager
MHRA
Group Manager
Group Manager
BP & Laboratory Services
Unit Manager
Regulatory Quality Standards
Laboratories and
Regulatory Advice
Agency Quality
QMS
Inspectorate Enforcement Pharmaceutical
Systems Manager
Divisional Quality
Computer Support
Mr Mark Birse
Tel: 020 3080 6036
Business Support Executive
Beverley Malin-Smith
020 3080 7029
Unit Manager
Unit Manager
Unit Manager
Unit Manager
Inspectorate Operations
Inspectorate Operations
Inspectorate Strategy Inspectorate Risk, Control and
Richard Andrews
Andy Gray 020 3080 6058 Vacancy
020 3080 6032 020 3080 7510
maternity leave
Inspectorate
General contact:
Operations Manager GMP Operations Manager GMP Operations Manager GMP Operations Manager GPvP
Ian Jackson Mark Ellison Michelle Rowson Mandeep Rai
Tel: 020 3080 6982 Tel: 020 3080 7717 Tel: 020 3080 6140 020 3080 6656
Senior GMDP Inspectors Senior GMDP Inspectors Senior GMDP Inspectors Senior Inspectors
John Clarke Richard Funnell Saima Ahmad * Jonathan Rowell
Norman Gray
Ian Holloway Andrew Hopkins Rebecca Webb
Graeme McKilligan Des Makohon
Kevin Page
Malcolm Olver Inspectors
GMDP Inspectors Roisin Cinneide
Ewan Norton
Vivian Leung Christina Uriarte
Inspectorate
Acting Unit Manager, Inspectorate (GCP,
GDP/GLP )
Andy Gray
Tel: 020 3080 7510
Operations Manager
Operations Manager GCP Operations Manager GLP
Operations Manager GDP Operations Manager GDP
Stakeholder Lead
Vincent Yeung Christine Gray Peter Coombs Philip Neal
Paula Walker *
020 3080 6218 01904 406088 Tel: 020 3080 6055 020 3080 6108
020 3080 6894
Inspectors
Sue Buchanan Rachel Sayer Cheryl Blake
Alan Bentley
•Seconded to Enforcement
Inspectorate
Unit Manager
Unit Manager
Inspectorate Strategy
Inspectorate Risk, Control and Governance
Ian Rees
Vacancy
020 3080 6015
Business Support Executive
Peter Brown
020 3080 7009
Expert Inspectors
Inspectorate
Inspection
Inspectorate
Training
Services
Risk Manager
GCP/PV Inspectors
Manager Executives Vacancy
Saima Ahmad Jo Milborrow
Gail Francis
Dorothy Wright
Anya Sookoo
GMP Inspectors
David Churchward
Paul Hargreaves *
Head of GLPMA
Andrew Grey
(supporting Strategy
group)
Inspections
GMP/GDP Inspection volumes
and performance
UK Inspection Programme
–GMP: over 800 sites and 350 Hospital Blood Banks
•Inspect about 400 sites per year
–GDP: over 3500 sites
•Inspect about 1000 sites per year
•Calibration SOP
qualifications etc. •PPM
•Starting at Warehouse – materials receipt and sampling
•Dispensary through manufacturing •Cleaning validation
•Packaging •Pest control
•Goods dispatch •Self Inspection
•Training
•Risk management
• On time, courteous and abide by site rules e.g. Health and Safety
• Targeted inspection around perceived risk areas
• Pragmatic approach inspecting to a minimum standard
• Systems approach against EU Good Manufacturing Practice Guidelines
• Talk to and challenge personnel at all levels - Give feedback to personnel
Non routine
•
Refer to Compliance Management Team or Inspection Action Group
• analysis of risk may have to be made by the competent authority
An
–Regulatory risk assessment includes factors such as product defect versus
product availability versus potential harm to patient
•Outcome of the inspection is the recommendation to the Licensing Authority
•For serious deficiencies potential outcomes may include:
–Revocation, suspension, variation of licence
(this may include potential action against Qualified Person)
–Issue of Statement of Serious Non-Compliance with GMP (SNC) which is
visible to all EU member states via EudraLex
Data Integrity:
Overview
Data integrity from IEEE*
39
Data integrity from Wikipedia!
Data
Data
Collection Processing
Data
Archive
Data
Data
Reporting Review
•Objective Reporting
Ref: GMQA
41
Meta Data “data about data”
Examples include the date and time you called somebody or the location
from which you last accessed your email.
The data collected generally does not contain personal or content-specific
details, but rather transactional information about the user, the device and
activities taking place.
In some cases you can limit the information that is collected – by turning off
location services on your cell phone for instance – but many times you
cannot.
42
Chromatography Data System
Data – Printed results sheet?
Ref: GMQA
43
Data Integrity Issues
44
International regulatory focus
2010 / 2011
US FDA Inspectors received
data integrity training
2012
World Health Organisation trained
2013
MHRA with guests from throughout
the EU trained
45
Causes of data integrity issues
Lack of understanding
Willingness to please
Sloppiness
Inadequate Quality Systems to
–Detect, Correct and Prevent
Ref: GM QA
46
Types of data fraud
‘Tidying’ Wilful
falsification
47
‘Tidying’
49
Data Integrity:
Impact
Impact of data integrity issues
Impact on Patients
51
Impact of data integrity issues
Impact on Industry
–Recalls
–Statement of Non-Compliance
–Additional regulatory burdens
–Costs of remediation plans
–Loss of market share & reputational damage
52
Reputational Damage
53
Reputational Damage
54
Reputational Damage
On that day
•Hundreds of people lost their jobs
•$350 million was wiped off the Sydney stock
exchange
•Scores of businesses, customers and service
providers of Pan were very badly affected
55
Impact of data integrity issues
Personal Impact
–Job loss
–Career loss
–Enforcement action
56
Personal Impact
57
Data Integrity:
Self Inspection and reporting
MHRA web alert to Industry:
• This aspect will be covered during inspections from the start of 2014, when
reviewing the adequacy of self inspection programmes in accordance with
Chapter 9 of EU GMP.
59
Self Inspection – where to start?
Are your systems designed to comply
Examples include:
• Access to clocks for recording timed events
• Accessibility of batch records at locations where activities take place so that ad
hoc data recording and later transcription to official records is not necessary
• Automated data capture or printers attached to equipment such as balances
• Proximity of printers
• Access to sampling points (e.g. for water systems)
60
Self Inspection – where to start?
Are your systems designed to comply
61
Self Inspection – where to start?
Electronic systems:
•Do I have all of my electronic data?
•Do I review my electronic data?
•Does my review of electronic data include a review of
meaningful metadata (such as audit trails)?
–Is this in SOPs? Is it trained?
•Is there proper Segregation of Duties in security access
permissions?
•Is my system validated for “intended use”?
Ref: GMQA
62
What if we find issues?
63
What if we find issues?
•Raise a deviation
64
What if we find issues?
65
What if we find issues?
66
Data integrity issues
67
Data integrity issues
68
Data integrity issues
69
Corrective Preventative Actions
70
Corrective Preventative Actions
71
Total Quality Management
Disparity between:
•‘changing culture’ ‘encouraging reporting’ ‘supporting staff’
‘no blame reporting’ ‘training’
and
•‘staff have been told that any data integrity issues will result
in dismissal’
72
Total Quality Management
Balanced with
“Targets” that are fully defined and appropriately
resourced Properly analysed
73
Whose responsibility?
74
Whose responsibility?
75
MHRA web alert to Industry:
• This aspect will be covered during inspections from the start of 2014, when
reviewing the adequacy of self inspection programmes in accordance with
Chapter 9 of EU GMP.
76
Agency
Understanding and Resolution
UNCONSCIOUS
CONSCIOUS
CONSCIOUS UNCONSCIOUS
INCOMPETENCE
INCOMPETENCE
COMPETENCE
COMPETENCE
80
Data Integrity:
This is not just a laboratory issue!
Data integrity issues
83
EU GMP
http://ec.europa.eu/health/documents/eudralex/vol-4/index_en.htm
•Annexes
84
EU GMP Part 1
•Chapter 2 Personnel
•Chapter 3 Premise and Equipment •Chapter
4 Documentation Jan ’11
•Chapter 5 Production
•Chapter 6 Quality Control st •Chapter 71 Jun ’06 (New due in Oct ’14)
Outsourced activities
•Chapter 8 Complaints and Product Recall
•Chapter 9 Self Inspection
86
EU GMP Part II
87
EU GMP Part III
•Chapter 2 Personnel
•Chapter 3 Premise and Equipment •Chapter
4 Documentation Jan ’11
•Chapter 5 Production
•Chapter 6 Quality Control st •Chapter 71 Jun ’06 (New due in Oct ’14)
Outsourced activities
•Chapter 8 Complaints and Product Recall
•Chapter 9 Self Inspection
91
Chapter 1 - Principle
92
Chapter 1
- 1.8 Good Manufacturing Practice
93
Data Integrity - Deficiencies
94
Chapter 1
- 1.8 Good Manufacturing Practice
95
Data Integrity - Deficiencies
Destruction of original records
Expectation “neat copy”
99
Data Integrity - Deficiencies
20th February).
Chapter 1 – 1.9 Quality Control
101
Data Integrity - Deficiencies
105
Data Integrity - Deficiencies
108
Data Integrity - Deficiencies
Principle
Principle
Principle
• Record/Report type:
Packing Report
•During the inspection tour three operators were standing in
the blister packing room where the batch was processed
but only the names of two operators were recorded. The
name of the third operator who was controlling the cutting of
the blisters was not recorded.
121
Data Integrity - Deficiencies
123
EU GMP Chapter 4
Retention of Documents
126
EU GMP Chapter 4
Testing
•4.26 There should be written procedures for testing
materials and products at different stages of
manufacture, describing the methods and
equipment to be used. The tests performed should
be recorded.
127
Data Integrity - Deficiencies
General
6.1 Adequate resources must be available to ensure
that all the Quality Control arrangements are
effectively and reliably carried out.
129
Consideration
Control and the following details should be readily available to the Quality
Control Department:
• specifications;
• sampling procedures;
• testing procedures and records (including analytical worksheets and/or
laboratory
• notebooks);
• analytical reports and/or certificates;
• data from environmental monitoring, where required;
• validation records of test methods, where applicable;
• procedures for and records of the calibration of instruments and maintenance of
equipment.
131
EU GMP Chapter 6
132
Data Integrity - Deficiencies
133
Data Integrity - Deficiencies
approved methods.
136
Data Integrity - Deficiencies
critically examined.
All testing during the time period is impacted including batch
release testing and stability work for nine clinical trial projects.
137
EU GMP Chapter 6
6.17 The tests performed should be recorded and the records
should include at least the following data:
• a) name of the material or product and, where applicable, dosage form; b)
• batch number and, where appropriate, the manufacturer and/or
supplier;
• c) references to the relevant specifications and testing procedures;
• d) test results, including observations and calculations, and reference to
any certificates of analysis;
• e) dates of testing;
• f) initials of the persons who performed the testing;
• g) initials of the persons who verified the testing and the calculations,
where appropriate;
•
h) a clear statement of release or rejection (or other status decision) and
the dated signature of the designated responsible person.
138
EU GMP Chapter 6
139
Data Integrity - Deficiencies
Acet.@250 REP 5
17:34:07 090811-007-20110809-173718.rst
Acet.@250 REP 6
17:37:58 090811-008.rst
Acet.@250 inj acc 17:41:58 090811-009.rst
ALCOA
Paper controls Electronic Controls
Attributable Hand signatures Electronic sign in,
log-ons
Initials
Electronic signature
(where used) with
associated meaning
(Author, Reviewer)
Audit trails for
create/modify/delete
Paper vs Electronic
ALCOA
Paper controls Electronic Controls
Contemporaneous Dates on Records Time and date stamps from
un-networked systems.
Needs to be traceable to an
atomic clock. Synchronisation
of clocks between systems.
Locking of clocks on PCs if
data is captured locally (less of
an issue if the PC is just acting
as a portal).
Paper vs Electronic
ALCOA
Paper controls Electronic Controls
Original Second Person
Electronic back up, verification
Verification of exact
of the back-up should also be in
copies of original
place, either manually or by use
meaning).
150
Annex 11 – General
1. Risk Management
151
Consideration
5 Bespoke software
153
Examples of Data Integrity
issues
155
Example approach for Risk
(groups of columns):
Example approach for Risk
Section 1, Requirement Definition and Characteristics
Example approach for Risk
Section 1
Requirement Definition and Characteristics
Green and Yellow columns
Failures can be
Functional – failure to perform tasks in the way/sequence
expected by the URS/Business Process
Mechanical – functionality may seem ok, but an adverse
impact on the platform (e.g. processor overload may occur)
Example approach for Risk
GAMP Guidance (ISPE document) for Risk
Scoring and allocation of H/M/L
Impact (of a failure)
High GMP Critical /business critical – serious implications on systems availability / no viable
workaround / potential patient risk
Med GMP relevant / business impact but a viable work around could be put inplace.
Low Non GMP relevant / workaround in place / low business impact
Other factors:
•General Complexity of the Software/Functionality
•“track record” of the supplier
169
Supplier Assessment
Postal questionnaire or Audit
Green Supplier
-Audited
-Quality Manager and Quality Management System in place
-Trust the Supplier to produce properly Qualified software under their
own QMS
Amber Supplier
-Some issues may have been noted in an Audit
-Trust the Supplier to produce software under their own QMS in some
areas, but apply additional Controls vs areas of their work with issues
identified
Red Supplier
-Several serious issues/inadequacies.
-Typically require the Supplier to follow our QMS, with our Company
Quality Approvals
170
GAMP Classification
GAMP category 3
171
GAMP Classification
GAMP category 4
Software is “Configurable” the “out of the box”
software will have settings applied, from a set of
options tested by the Supplier. The software and
these configuration settings will be locked down prior
to testing and release for use by end users.
for “straightforward” Configuration, or configuration which
is very similar to previously proven configurations, the
GAMP Category 5
173
Example approach for Risk
Section 3 - Controls
Example approach for Risk
Section 3
Controls
Light Blue Columns.
Manual Control
• For Business Process steps NOT supported by software, manual steps may be required. Also applies to
activities such as e.g. approving a User to be allowed an account on the computer system. These
activities should be defined in SOPs (below) and should be tested as part of “end-to-end” System
Testing
• Standard Operating Procedures/ Application Support Model
• To support Manual Controls
• SOPs should be owned and signed off by Business Process Owner (BPO) or System Owner, and a
Production QA (if activities are GxP)
• Support Model should be backed by Service Level Agreements, and approved by IT Quality Manager
• Training
• Owned by System Owner, aligned to Roles, Approved by Business Process Owner
• System Owner must have a process to ensure that Training is delivered before User accounts are
granted
180
Data Integrity - Deficiencies
182
Data Integrity - Deficiencies
For example.
Equipment within the Building A areas were initially supplier B
systems and it is this organisation that is identified in the CSV
system.
Supplier B has gone out of business, and it is now the
responsibility of Site IT department to look after that software.
This is not formally stated within the records relating to the
system (such as within the CSV system or perhaps in the SAP
maintenance module).
Annex 11 – General
3 Suppliers and Service Providers.
185
Annex 11 – General
3 Suppliers and Service Providers.
186
Data Integrity - Deficiencies
.
Whilst tasks such as Qualification may be contracted out to Suppliers it
remains the responsibility of the User to ensure that the set up is suitable
for their requirements.
Expectation
Validation for intended purpose
purpose
191
Data Integrity - Deficiencies
193
Data Integrity - Deficiencies
195
Annex 11 – Project Phase
4. Validation
196
Data Integrity - Deficiencies
198
Annex 11 – Project Phase
4. Validation
199
Annex 11 – Project Phase
4. Validation
200
Annex 11 – Project Phase
4. Validation
201
Annex 11 – Project Phase
4. Validation
202
Annex 11 – Operational Phase
5. Data
203
Expectation
205
Data Integrity - Deficiencies
207
Annex 11 – Operational Phase
7. Data Storage
208
Expectation
Backup media
•Sites frequently use removable media (e.g. tapes / CD’s)
and store them in a fireproof safe but do not control or
monitor the temperature and Rh. The integrity of the backup
data is thus questionable.
•Removable media does have defined lifetime with specified
storage requirements, e.g. for backup / archive of tapes,
typically 5ºC to 23ºC/20%Rh to 50%Rh. This is generally
stated on the tape cover / insert.
Annex 11 – Operational Phase
8. Printouts
210
Annex 11 – Operational Phase
8. Printouts
211
Data Integrity - Deficiencies
The electronic data of the HPLCs [1] and [2] could not be
retrieved during the inspection.
trail").
For change or deletion of GMP-relevant data the reason
should be documented. Audit trails need to be available and
convertible to a generally intelligible form and regularly
reviewed.
213
Expectation
Attention
Ref: GMQA
Annex 11 – Operational Phase
10. Change and Configuration Management
215
Annex 11 – Operational Phase
11. Periodic evaluation
216
Data Integrity - Deficiencies
219
Annex 11 – Operational Phase
12. Security
220
Expectation
222
Data Integrity - Deficiencies
System [2]
•The software providers recommendation for regulated users
highlighted as ‘GxP’ had not been checked as required.
•“Disallow use of Annotation tool.” This option is not currently
enabled.
•As a consequence of this Policy failing to be enabled all
Analysts have the potential to generate paper / hard copy
reports which can be printed with original data and
information be masked or overwritten.
•Note: The soft copy will remain as was and such activities
ought to be detectable during review of the soft copy data.
Annex 11 – Operational Phase
13. Incident Management
225
Annex 11 – Operational Phase
14. Electronic Signature
226
Annex 11 – Operational Phase
15. Batch release
227
Annex 11 – Operational Phase
16. Business Continuity
229
Expectation
Session 3
231
Types of data fraud
‘Tidying’ Wilful
falsification
232
Data Integrity - Deficiencies
Acet.@250 REP 5
17:34:07 090811-007-20110809-173718.rst
Acet.@250 REP 6
17:37:58 090811-008.rst
Acet.@250 inj acc 17:41:58 090811-009.rst
234
Corporate Consciousness –
Data Integrity
UNCONSCIOUS
CONSCIOUS
CONSCIOUS
UNCONSCIOUS
INCOMPETENCE
INCOMPETENCE
COMPETENCE
COMPETENCE
235
Data Integrity – Issues:
Understanding and Resolution
The considered views of a UK GMDP Inspector
Mark Cherry
including materials featured within these MHRA presentation notes and delegate
pack, is subject to Crown copyright protection. We control the copyright to our work
(which includes all information, database rights, logos and visual images), under a
(HMSO).
The MHRA authorises you to make one free copy, by downloading to printer or to
purposes of private research, study and reference. Any other copy or use of Crown
copyright materials featured on this site, in any form or medium is subject to the