05.09.2017 |

LOGFILE No. 33/2017 – Data Integrity – Old Wine in New Skins? – Part 1

Data Integrity – Old Wine in New Skins?

GMP-Talk Between GMP Inspector Dr. Petra Rempe and Thomas Peither – Part 1

7 minutes reading time

by Sabine Paris, PhD

Data integrity is currently in the global focus of health authorities and the pharmaceutical industry and is a must for everyone who works in the GMP realm. It is a mandatory requirement for justifiable decisions in many quality processes. Furthermore, verifiable data integrity improves the required trust between inspecting agencies and the drug manufacturer. At the LOUNGES 2017 conferences in Stuttgart, executive editor Thomas Peither spoke with GMP inspector Dr. Petra Rempe from the regional government in Münster (Germany) during a GMP Talk about this highly topical subject.

For all of those who couldn’t be there live in person, this two-part article provides the opportunity to read the interesting questions and answers.

In the WHO Guidance on good data and record management it is written:
“Data integrity is the degree to which data are complete, consistent, accurate, trustworthy and reliable and that these characteristics of the data are maintained throughout the data life cycle. The data should be collected and maintained in a secure manner, such that they are attributable, legible, contemporaneously recorded, original or a true copy and accurate.”

What is odd is that IT is not mentioned at all in this text. Yet most people talk about data integrity in connection with computers and computer systems. Was this forgotten?

No, the thing is that GMP inspectors have been checking data integrity for many years. The documentation of manufacturing is checked regardless of whether it is paper based or electronic. Data integrity has to be ensured in every case for both media.

Does this mean that this is just a case of pouring old wind into new skins? We’ve always had this topic and now we’ve finally found a new name for it?

Yes, you could say so. The topic has come more into focus since the discovery of falsified clinical trials in India. But the requirement for data integrity is nothing new. For example §3 of the German ordinance for the manufacture of medicinal products and active pharmaceutical ingredients (AMWHV) requires that all processes must be traceable in the documentation. Similar requirements are covered in Chapter 4 and in Annex 11 for Computerized Systems according to the EU GMP Guidelines.

Also, data integrity is now being named explicitly and required in the updates of numerous chapters and annexes of the EU GMP Guidelines which are currently being revised, for example in Annex 15, too.


Thomas Peither holding a discussion with Dr. Petra Rempe

If something has not been documented or if failures occur then we have so-called “Data Integrity Issues”, right?

Yes, that’s very correct. I can give you an example of this: for instance, a wholesaler who provides documentation of the returned goods but then only retains the documents for half a year is non-compliant with the data integrity requirements.

I’d like to take a look at a few terms from the WHO definition, such as “throughout the lifecycle.” Where does the lifecycle begin, where does it end?

From my perspective there are two aspects to consider for this concept. On the one hand there is the lifecycle of the data. There are the aspects of where the data are created, where they are buffered, where they are stored if they are transformed for electronical storage, if they are evaluated. This is all part of the lifecycle, also including the archiving of data and making it readable during the storage period.

The second lifecycle to consider is the medicine’s lifecycle, during which data is gathered in all functions. This begins with development, continuing with routine production and extending to the discontinuation of marketing the drug product.

The WHO also mentions the trustworthiness of the data. What does this mean, is there a way to measure this?

Data must be trustworthy in every case. During a review of 8000 datasets in a laboratory inspection, the U.S. FDA discovered that there had been retrospective manipulation of some of the data. The reason was that the systems used were not fit for purpose. It was not trustworthy.

Trustworthiness is also essential for the customer-client relationship and the relationship to the regulatory agencies. The German agencies begin from a perspective of trust unless they have had negative experience. It is our expectation that risk management processes and assessments are science-based and are made for the company’s use, not for the agency.

Which criteria are used to decide when the GMP inspector takes a closer look? Where is the boundary of trustworthiness that may be crossed?

We get perturbed when forms are found that have been filled out or signed in advance or when the chronological order of documents does not match (keyword: backdating).

In the WHO Guideline on Data Integrity there are specific requirements: Data must be documented in a secure manner. What is secure today in the IT sector if elections are being manipulated by hostile forces?

Security is very individual and very dependent upon the individual company. That means that it is relevant for security measures what the company is producing, how it is situated and whether the data are archived purely electronically, purely on paper or in a mixed manner. How do you define “secure”? How sensitive are the data? How well are they protected? Do I have a firewall? These are all questions which need to be answered.

Another important term is the true copy. What is a true copy of a paper document? And what defines a true copy for dealing with electronic data?

In paper form a true copy is one which has been authenticated. For the electronic copy it is not just the pure data values which have to be copied but also the metadata. Metadata are those data which provide the context in which the data were gathered. It includes above all the further information defining the dataset. These are also associated with a time and date stamp. For example, the number 20 may be a raw dataset. The associated metadata would be, for example °C, percent or rounds per minute.

Furthermore, the copying process also needs to be validated. Inspectors are known to test this randomly.

What is considered the raw data for recordings on paper?

That covers everything that I first write down. In the batch record that can be the speed of the mixer (e.g. 20 rpm). In the Quality Control laboratory a chromatogram is considered the raw dataset. Raw data includes the data which occur during production and have not yet been analyzed.

To ensure proper documentation it is important to ensure that proper data archiving is practiced. If the data are at first recorded on scratch paper, this paper also must be archived, even if the data was transferred to the batch record later. This transfer of the data would already be a copy! So this is why adequate space should be left in forms for manual entries. The employees should also be motivated to document copiously in the actual batch record and not make ad hoc notes on Post-its, scratch paper, etc.

Which pens are permitted for use during documentation?

Most companies have taken the step to proscribe which color is used: black pens are not allowed so that the original can be differentiated from the copy.

Let us consider that I want to prepare electronic data for an inspection. The data are often printed out and are then presented on paper. What is the original now? Is a print-out of the electronic data acceptable?

In a case like this the manufacturer has to ask itself: how are my data organized? Are they static or dynamic? Static data can be printed out or transformed into a PDF document. This does not work with dynamic data, since the information is lost as soon as it is put on paper.

During the GMP inspection at first the inspector just wants to see the data set, perhaps the audit trail too. In this case a certified copy is required. A “normal” copy may be adequate at first before digging deeper into the system.

How do we maintain the long-term ability to read the data? What is the state of the art on long-term archiving of paper-based and electronic data?

The purpose of an archive is to maintain and protect the archived data both for paper-based and for electronic data. The contracts with the involved service providers are important. Confidentiality agreements and assurances of rapid access to the data must be given in all cases.

For the storage of paper documents, access controls as well as adequate protection from water, fire, mold and pests needs to be secured. Alternatively, the data can be scanned and stored electronically. In this case the completeness of the scanning must be ensured.

Archiving electronic data brings up the issue of system aging. The data have to be readable over a long period of time. One possibility is to keep a functioning computer available for every computer generation.

Cloud Computing: What are the agencies’ positions on this?

The GMP guidelines do not proscribe the individual methods of archiving which are allowed, and thus archiving in the cloud is in principle possible. Of course, it goes without saying that security measures and access control must be ensured in this case as well.

The location of the archive is also listed in the manufacturing permit. How can this be done if cloud computing is used?

The AMWHV (German GMP ordinance) states that the document archive is to be listed as part of the manufacturing license for a company. In the expert groups of the German GMP inspectorates we are currently working together to define standard agency requirements.

Data has to be changed sometimes. Who is allowed to change data?

Only authorized persons may change data. The system needs to have an access and authorisation concept for this reason. Who is permitted to generate process and analyse the data? There are different levels involved: user, super-user, supervisor and administrator. It is important to exercise caution with administrator access, that is, out of seven employees you can’t have five of them with administrator access, for example.




Next week in part two of the summary of the GMP Talk with Dr. Petra Rempe you will read about the correlation between data integrity and quality culture, about the ALCOA principles, as well as about the definition of an audit trail.



Sabine Paris, PhD
Maas & Peither AG – GMP Publishing
Schopfheim, Germany
E-Mail: sabine.paris@gmp-publishing.com