23.07.2018 | LOGFILE Feature 29/2018

Data Integrity in the Pharmaceutical Industry

14 min. reading time | by Gary Bird


Data integrity has become the most recent inspectional “buzz word” in the pharmaceutical industry. Over the last 6 to 8 years, the focus on data reliability has hit an all-time high with regulatory authorities across the globe. This has resulted in numerous regulatory actions.

The First International Conference on Data Integrity in Pharmaceuticals was hosted in London on 2 March 2018 by PharmaConsult Global and PriceWaterhouseCoopers. Although the issues being addressed by the conference were critical, the speakers agreed that the new focus on data integrity was highlighting old issues in new ways, particularly with respect to personnel issues, process execution, system controls and interactions with regulatory authorities.

The keynote

Keynote speaker David Cockburn (former European Medicines Agency (EMA) Good Manufacturing Practice (GMP) lead) reported on the status of the 2017 European Union (EU)-USA mutual recognition agreement (MRA) and data integrity. He noted that the MRA was meeting its established goals, which required an assessment of the capability of the EU membership: eight Member States were completed in the originally published agreement and four more by 1 March 2018, and all Member States should be recognised by July 2019 according to the agreement. Noting that the MRA was really in its infancy, he discussed the areas of potential information sharing between the two international regulatory authorities (the Food and Drug Administration (FDA) and the EMA).

  • A potential, future extension to include pre-approval inspections (PAIs) and routine GMP inspections.
  • Exchange of GMP compliance information for non-compliance and quality defects.
  • Issuance of GMP compliance-related certifications/documents.

Mr. Cockburn focused on the nature of the information sharing. While the EU inspector issues a report and notes the conclusions drawn during the inspection, FDA investigators only make observations and the conclusions are determined by FDA management. Consequently, this will require the EU to rely more on the actual FDA observations and database information to draw their own conclusions. The FDA will be informed by the EMA prior to uploading any GMP non-compliance statements.

What does this mean for “data integrity”? The FDA tends to be more proactively transparent and data integrity is currently a “topical concern on both sides of the Atlantic”. Because the USA and EU activities have been viewed as equivalent, the data may be discussed within the framework of the MRA, confirming that the EU will conduct inspections on behalf of the FDA, or jointly. It is expected that the FDA and EMA will exchange audit reports and information with each other.

Personnel issues and data integrity

The importance of properly motivated and managed personnel to prevent data integrity issues was highlighted by Medicines and Healthcare Products Regulatory Agency (MHRA) expert, Inspector Stephen Grayson, who noted that “personnel behaviour is a fundamental issue” for companies attempting to confirm the integrity of their data. He observed that “fear of failure” is often the cause of “bad behaviour” because it drives the wrong actions in both management and operational staff. Frequently, this fear leads to panic when mistakes are made and disproportionate management action follows, which often results in “zero tolerance” and inappropriate responses.

Fear of loss of job, reward and prestige within the companies often overwhelms those individuals responsible for evaluating and remediating the very issues observed, and negatively impacts objective responses to address the issues. The opportunity for proper responses is often missed due to unrealistic expectations for personnel actions, particularly in the midst of significant challenges. He noted that the desire for “perfection is a barrier to progress”.

While the inordinate pressures exerted by management are often fundamental to data integrity issues, simple mistakes are not always the root cause of actual data integrity concerns documented by the authorities. Occasionally, Mr. Grayson explained, management engages in actual attempts to deceive and manipulate the truth. He cited the presence of shadow facilities, hidden but functional manufacturing areas, misrepresentation of facilities, and knowingly providing incorrect and fraudulent responses which have been observed and documented by regulatory authorities.

Management interactions and leadership

A healthy company should have a management group that recognises that data integrity issues, regardless of the causal agent, “can happen here” and leadership should communicate realistic expectations, valid reporting mechanisms and proportional investigation of errors and data integrity failures to all personnel throughout the company. He noted that data governance systems must be implemented into a company’s present quality management system. The accountability and responsibility of GMP-relevant data (data ownership) over its entire lifecycle must be specified in the data governance system. He noted that following a 2-year consultation period, the final draft of the MHRA ‘GXP’ Data Integrity Guidance and Definitions was published on 9 March.

Continuing with the theme of renewed management concern for data integrity, Dr Geoff Williams (Executive Director, Regulatory Affairs Operations International at Merck Sharp & Dohme) discussed senior management-driven efforts to assess the status of data protection within the Merck Research Labs. The company’s effort resulted in a restatement of activities related to data protection in the Division and saw a significant emphasis on high data standards. The updated Quality Manual includes a strong emphasis on data integrity, quality governance, and implementation of the ALCOA (attributable, legible, contemporaneous, original and accurate) principles for documentation. The refocused emphasis includes annual training requirements, including an online component directly connected with maintaining data integrity.

Data integrity in computerised systems

The focus on data integrity automatically causes one to consider the impact of computer-based systems in the pharmaceutical industry. Dr Guy Wingate, Vice President and Compliance Officer for Global Manufacturing & Supply at GlaxoSmithKline, reflected on the most common challenges noted by regulatory authorities in their inspections.

  • Lack of basic access control and security measures allowing unauthorised changes.
  • Shared user logins.
  • Missing or disabled audit trails.
  • Lack of contemporaneous recording of activities.
  • Failure to investigate data discrepancies.
  • Testing into compliance.
  • Incomplete collection, retention and review of data for quality decisions.
  • Overwriting or deletion of original data.
  • Data falsification.

Referencing the recommendations in the International Society for Pharmaceutical Engineering/Good Automated Manufacturing Practice (ISPE/GAMP) Records and Data Integrity Guide, Dr Wingate noted that the overall process for confirming computerised systems and processes are properly controlled should be built on a risk-based approach which requires the following.

  • Perform initial risk assessment and determine system impact.
  • Identify functions with impact on patient safety, product quality and data integrity.
  • Perform functional risk assessments and identify controls.
  • Implement and verify appropriate controls.
  • Review risks and monitor controls.

External attacks

Simon Borwick of PriceWaterhouseCoopers noted that, especially with computerised systems, anything that can be monetised is a likely target for third-party attacks, including areas such as supply chains and manufacturing but also areas not conventionally considered in the data integrity discussion, including patient data, research and development, cash and supply chains. Noting that there is an increasingly active market in health data, he focused on the many sophisticated attacks which have rocked companies in the last few years, many of which are coordinated cyber espionage and theft activities connected to organised crime and even governments. Cyber sabotage and extortion through uncontrolled or unprotected connected devices and facilities have been directed at supply chains and have resulted in substantial company losses.

Emphasising that cyber security is not an information technology (IT) issue but a business issue, Mr. Borwick focused on the need for companies to properly map their processes, systems, and networks to identify potential faults and weaknesses. He encouraged companies to recognise that each lifecycle phase can have an impact on data integrity and has its own unique challenges. Because the use of data to drive business processes is an ever-changing environment, Mr. Borwick encouraged companies to confirm that all business processes with data flows are understood and that those systems supporting business processes must be identified and assessed in terms of data integrity risks. Without doing so, companies are likely to leave themselves open to external attack. The potential for data associated with a product or process to cross various boundaries and interfaces throughout the data lifecycle demands that such transfer processes be considered and appropriate controls established to prevent loss or modification. Mr. Borwick suggested companies go to a simple question and answer process to create an ongoing assessment.

  • What data are important to you?
  • Where are your important data?
  • Who has access to it?
  • Is cyber risk considered in key business decisions?
  • Do your suppliers treat your data like their own?
  • Are you monitoring your key assets?
  • Would you know if you have been attacked?
  • Will your knowledge of the attack be too late?
  • Are your people your first line of defence?
  • Do they know how to be secure?
  • Do they care?
  • Have you planned how you will deal with the specific issues?

Data integrity and routine business practices

Novartis Technical Operations Quality Assurance Regional Data Integrity Head EU, Steven Brown, focused his comments on challenges to data integrity arising from routine business practices. Noting that the aim of any data integrity assessment is to ensure accurate, complete, consistent and secure data sets upon which to base decisions, particularly release activities, Mr. Brown asked the question “Why is data integrity so hard to get right?”.

Commenting on the complexity of numerous processes, he elaborated on performance and business pressures which frequently lead to inappropriate decision-making activities within a company. He noted that a lack of awareness and capability among employees is also a frequent observation. Inadequate processes and technology may lead to inappropriate decision-making processes for specific data activities. Novartis specifically developed a programme which relies on four key elements to address their routine concerns.

  • Education and communication.
  • Detection and mitigation of risk.
  • Technology and IT systems.
  • Governance of data integrity.

Implemented as a component of their routine quality system, each of these items is a focal point in their complementary assessment of data integrity and related activities. By reviewing regulatory authority issued documents, specifically FDA warning letters and European statements of non-compliance, Novartis has created a system that focuses on specific elements of data intelligence. These include evaluation of audit trails, electronic security, good documentation practices, and quality control practices.

The Novartis team noted that regulatory authorities have frequently indicated that audit trails are not available, not properly enabled, or not properly reviewed as a component of investigations and routine activities. With respect to electronic security, internal administrative levels, data manipulation and backups are common observations within any regulatory action.

Most frequently found within document practices are concerns related to contemporaneous data recording, record management, and the use of unofficial records upon which companies base decisions and determinations. Quality control practices, while frequently observed, included such actions as making trial injections of actual samples and analysis and ignoring out-of-specification results. Mr. Brown stated “these areas have the potential for significant challenges within technical operation and business processes”. By creating specific work processes relating to each of them, Novartis has been able to identify additional, frequently abused areas of data integrity confirmation. By asking questions related to these significant areas, gaps have been identified in current work processes that are resolved in new, improved work processes. This continuous improvement builds upon a solid framework without having to “reinvent the wheel”.

Serialisation and data integrity

Turning the conference focus to the evolving area of data integrity in supply chains and traceability systems with respect to the implications of the Falsified Medicines Directive, Mark Davison, President, rfxcel, highlighted safety features on prescription medicines and tamper-evidence features on all unit-of-sale packs. Currently, before serialisation, every pack is effectively identical within a batch regardless of whether or not someone takes samples, removes, checks, destroys or replaces one or more packs during or after production. However, after serialisation, every pack is unique, that is, the batch size is effectively “one”. Consequently, a high level of control must be developed for production, release and supply chain processes to avoid data errors. Ultimately, every code must be readable at the pharmacy, for its entire shelf life. If its unique identity is compromised at any point prior to dispensing to the patient, the pack will be returned.

The systems developed for serialisation must be able to stand up to the life-cycle challenges from distribution to patient and inspections from MHRA and EU regulators who will audit these systems. Well-written procedures and training more staff on computer systems validation will be critical to the successful implementation of each programme. The systems used to control the serialisation process must be compliant with EU Guidelines to GMP Annex 11…and stay that way. This means all the processes will have to be adequate to show regulators that you maintain control over changes made, whether by you or anyone else.

Vendor audit programs for data integrity

The December 2013 announcement may have been missed by some members of the industry, but the MHRA announced their intention to begin evaluating companies’ self-inspection systems as part of their inspection programme. This means that companies must review the effectiveness of their governance systems to ensure data integrity and traceability. Data integrity was covered during inspections from the start of 2014, when reviewing the adequacy of self-inspection programmes in accordance with Chapter 9 of the EU Guidelines to GMP.

David Thompson of Clarity Compliance Solutions noted that, in addition to having their own governance systems, there is an expectation that companies outsourcing activities should also be able to verify the adequacy of comparable systems prior to contracting and on an ongoing basis. Simplifying what is a very complex activity, Mr. Thompson suggested that a series of five simple questions likely to be asked by MHRA inspectors can help each contract giver both create its self-inspection programme and confirm it is achieving its intended goals.

  • Do you outsource any GxP services?
  • Who to? – provide a list.
  • Have you audited them for data integrity?
  • What were the findings and how are you managing the actions?
  • When are you going back?

As a result of asking these simple questions themselves, each company should be able to confirm the adequacy of their own self-inspection system(s).

The basis of any good vendor audit programme is the auditor. Properly trained, knowledgeable and focused individuals who are aware of proper interview techniques and data analysis processes will prove invaluable in an external evaluation programme. Customised data integrity worksheets (checklists) will provide good guidance to the appropriate assessment of documentation, systems and personnel capabilities. Where necessary, technically trained individuals familiar with the technology of the specific process or activity may be required.

Consider, for example, types of person needed to assess computer system interfaces, spreadsheets and databases, network storage activities, and access systems computer networks. A single auditor will seldom possess all skill sets necessary to evaluate both the manufacturing and the computer systems without specialised training. Mr. Thompson noted that the report format utilised by many companies does not lend itself to the assessment of data integrity. Instead, he suggested that report formats be customised to include the necessary data integrity assessment areas which would allow the auditor to specifically assess the data integrity systems.

The responsibilities of the qualified person (QP) to ensure data integrity

The role of the QP in the release of drug product in EU countries is well established. EU Guidelines to GMP Annex 16 Certification by a Qualified Person and Batch Release establishes 21 points that QPs must evaluate to ensure the product is appropriate for release. According to John Jolley, Managing Director of PharmaConsult Global, Ltd, Annex 16 includes certain key changes intended to document the verification of evidence related to the integrity and identity for different batches of drug product even when they originate from the same bulk. The QP is now required to confirm storage and transportation of both bulk and finished product and ensure the following.

  • That the consignment has remained secure.
  • There is no interference or tampering during storage or transportation.
  • The correct identification of product has been clearly established.
  • The samples originally tested are representative of all subsequent batches.

All of these requirements may be compromised as a result of human error, data manipulation including selection of good or passing results or unauthorised changes, data transmission errors, software problems, hardware problems, or changes in technology where one item becomes replaced.

As a QP with more than 20 years of experience, Mr. Jolley suggested the only way for a company to remain compliant and to protect itself from both wilful and accidental data integrity issues was to develop a process specifically designed to “ferret-out” data integrity issues. He specifically suggested that such a system required more than a simple evaluation of the data provided in support of a batch for release, but that the QP should also develop a practical system of checks.

  • Increase the frequency of review.
  • Do surprise/spot checks.
  • Have a procedure and check list for review mechanism.
  • Compare hand writing styles/signatures.
  • Verify attendance/presence of the person.
  • Verify the traceability and log book entries.
  • Internal/external audits.
  • Trend the observations and provide the training.

Correcting FDA-identified data integrity issues

In what forms an excellent model for conducting internal investigations, especially for data integrity investigations, the USA FDA has developed a specific set of requirements for companies responding to 483 observations and warning letters. Dr. Gary Bird, PharmaConsult Global, noted that the FDA is focusing its efforts on confirming remediation activities are adequate and then deliver the expected improvements.

The FDA is primarily focusing on comprehensive investigations related to the reasons for the inaccuracies in the data records observed during inspections. They specifically request detailed investigation protocols and methodologies which will involve a summary of all manufacturing operations in the systems to be covered by the assessment. Whenever any system or area is not included as part of the assessment, the FDA requires the justification for its exclusion be included in the investigation protocol. A significant component of the investigation is interviews of both current and former employees to identify the nature, scope, and root cause of data inaccuracies. The FDA has requested that these interviews be conducted by a qualified third party.

The investigation should include an in-depth assessment to identify the extent of any data integrity deficiencies at the facility. The extent of the investigation, while dependent upon the nature of the observations, should evaluate the potential for omissions, alterations, deletions, record destruction, non-contemporaneous record completion, and other deficiencies. The FDA is asking that all of these assessments be related to the areas in which they were discovered and documented. This would lead companies to evaluate how widespread the practices are for which the observations were made. Further, a comprehensive, retrospective evaluation of the nature of the testing of data integrity deficiencies is also required. The Agency again requested that a qualified third party with specific expertise in the area where potential breaches were identified should conduct the evaluation in all areas in which data integrity lapses were observed.

The FDA is requesting submission of risk assessment of the potential effects of the observed failures on the quality of the company’s drugs. They expect the assessment to include analyses of the risks to patients caused by the release of drugs affected by a lapse of data integrity and risks posed by ongoing operations. The Agency is also requesting details of a management strategy that includes the details of a company’s will and global corrective action and preventive action plan which will include the following.

  • A detailed corrective action plan.
  • A comprehensive description of the root causes of data integrity lapses.
  • Interim measures describing the actions to be taken in the event that long-term actions require an excessive amount of time to complete.
  • Long-term measures describing any remediation efforts and enhancements to procedures, processes, methods, controls, systems, management oversight, and human resources (e.g. training, staffing improvements).
  • A status report for any of the above activities already underway or completed.


It is clear that a new era in complementary and relational regulatory affairs is developing. The new MRA was intended to provide a forum for USA and European regulatory authorities to create a mutual basis upon which to consider a unified direction to protect their citizens. Each of the areas related to data integrity was also related to some other area. By considering all elements of the company’s manufacturing capabilities, including personnel, processes, and procedures, the regulatory authorities are suggesting that our approach to quality must be modified to adequately address the developing areas of concern. Even though the issues may be old, it is obvious that the solutions must be innovative so that we no longer have the same problems facing the industry from inspection to inspection and year after year. It may be called data integrity today, but it is still “Compliance 101”.




Dr Thomas Gary Bird is President, PharmaConsult-US, LLC, and Managing Partner, PharmaConsult Global, Ltd., an international cooperative supplying GXP quality consulting services.

E-Mail: enquiries@be4ward.com

The article was first published in gmp review Vol.17 No.1 April 2018 and is reprinted in our LOGFILE Newsletter by courtesy of gmp review.
