How to Use This Book and an Introduction to Data Integrity

Data Integrity is the hottest topic in the pharmaceutical industry now and will continue to be in the future. Regulatory authorities around the world have issued a number of guidance documents on the data integrity and data governance since the start of 2015 as well as two industry guidance documents. However, all documents are vague and most do not contain detailed examples or advice to help regulated laboratories to implement policies, procedures and processes to ensure integrity: they outline what needs to be done but there is often insufficient detail for effective implementation. From an analytical perspective there has not been a detailed focus on data integrity in a regulated analytical laboratory. Hence, the rationale for writing this book.

1.1 Aims and Objectives

The aim of this book is to provide practical and detailed advice on how to implement data integrity and data governance for regulated analytical laboratories working in the pharmaceutical and allied industries. Although the main thrust of the book is for chemical laboratories some microbiological analysis will also be discussed.

This book is written for analytical scientists, laboratory managers and supervisors and quality assurance personnel working in regulated laboratories in and for the pharmaceutical industry and who are involved with data integrity and data governance programmes. Where networked systems are discussed IT professionals may also find useful information here.

1.2 Structure of This Book

This book is comprised of 24 chapters that are divided into five sections of this book, as follows:

1. How to Use this Book is covered in this chapter.

2. The Regulatory Environment is discussed in Chapters 2 and 3.

3. Data Governance is presented and explained in Chapters 4 to 10 as well as Chapter 19.

4. Data Integrity is covered in Chapters 11 to 18.

5. Quality Assurance Oversight and Outsourcing are discussed in Chapters 20–24.

The detailed structure of the book and the constituent chapters are shown in Figure 1.1 and discussed in more detail in the following sections of this chapter. It is important to understand that data integrity and data governance is a complex subject that is not just focused on the accuracy, completeness and correctness of numbers generated in a regulated laboratory.

1.2.1 Chapter Structure

The majority of chapters in this book are structured and written in the same way:

• A chapter starts with a brief overview why the chapter is important within the overall context of data integrity and data governance.

• This is followed by a section on regulatory requirements or regulatory guidance that are relevant to the chapter; thereby positioning the regulatory rationale for the topic of the chapter.

• Where appropriate, there is also the business rationale for the tasks contained in the chapter.

• Then there is a discussion of how to achieve the objective of each chapter. For example, if you are assessing a process or a computerised system the chapter discusses how this can be achieved and how to avoid some of the common pitfalls.

• Each chapter finishes with a list of the references used.

1.2.2 You Do Not Read the Regulations!

As many people working in the pharmaceutical industry do not read the applicable regulations or applicable guidance documents, the intention of this approach is to put the regulatory and business rationale for performing a task at the reader's fingertips. It also allows an individual chapter to stand alone if a quick reference to a specific data integrity or data governance topic is all that is required. Overall, the aim is to give any reader the practical basis and confidence to implement or perform any of the topics covered by this book.

1.2.3 The Regulatory Environment

This topic is covered in two introductory chapters.

• Chapter 2, entitled How Did We Get Here?, provides the background to data integrity in regulated laboratories of the pharmaceutical industry over the past quarter of a century. The story starts with the Barr Laboratories court case and ruling in 1993 and then moves on to the Able Laboratories fraud case in 2005. The latter case triggered regulatory authorities to change their inspection focus from paper to electronic records and consequently they discovered many more cases of data falsification and poor data management practices in companies throughout the world. The key compliance issues, derived mainly from FDA warning letters for paper records and computerised systems, are used to highlight areas of regulatory concern for laboratory operations.

• Chapter 3 is The Regulators' Responses and outlines the response to the increased occurrence of data falsification and poor data integrity practices by the various regulatory agencies by issuing guidance documents and where necessary updating regulations. This chapter looks at the various guidance documents issued. The first was the FDA's Inspection of Pharmaceutical Quality Control Laboratories issued in 1993 following the Barr Laboratories case. Since 2015 there have been a many data integrity guidance documents issued from regulatory agencies and industry bodies.

1.2.4 Data Governance

Data governance is a relatively new concept to the pharmaceutical industry and the term comprises several interlinked topics that are discussed over the course of eight chapters.

• Chapter 4, entitled What is Data Governance?, sets out the strands of data governance that are discussed in more detail in the rest of the book. Data governance is not new and has been used outside the pharmaceutical industry for at least 15 years. We will compare and contrast DG definitions from inside and outside the industry. From the data governance definitions and input from the various regulatory and industry guidance documents we will draw out the key features of a programme of work: roles and responsibilities, DI policy and training, culture and ethics, open and honest approach to work as examples of a corporate DI policy. Are there areas in an organisation, e.g. research, where data integrity should not apply?

• Chapter 5 presents a Data Integrity Model consisting of four layers that describes data integrity within a pharmaceutical company from a GMP perspective: production, quality control and quality assurance, however, this book will focus on an analytical laboratory with quality assurance oversight. The four layers of the Data Integrity Model comprise:

* Foundation: data governance and setting right culture and ethos for data integrity.

* Level 1: Ensuring the right system and right instrument for the job.

* Level 2: Developing and validating the right analytical procedure for the job.

* Level 3: Allying all lower layers of the model to ensure the right approach for the right reportable result.

The Data Integrity Model will be used throughout this book to demonstrate how the layers of the model interact together.

In addition, there is a comparison of the Data Management Maturity (DMM) Model from CMMI Institute and Data Integrity Maturity Model from GAMP Guide on Records and Data Integrity.

• Chapter 6 focuses on all those involved with data governance and outlines the key Roles and Responsibilities of a Data Governance Programme. Here, the various roles, from the boardroom to the laboratory bench, are presented and the responsibilities of each one discussed. The roles of process owner and system owner presented in EU GMP Annex 11? will be mapped to the data governance roles so that the roles are aligned with the regulations. We will also see how a corporate data integrity programme impacts a regulated laboratory.

• Chapter 7 discusses Data Integrity Policies, Procedures and Training. Data integrity policies and associated procedures must be present throughout an organisation. These will vary from an overall data integrity policy, good documentation practices for paper and computerised systems, interpretation of laboratory data and second person review. Coupled with the policies and procedures there must be effective staff training and where necessary evidence of the effectiveness of training. Typical poor documentation practices and record keeping failures are highlighted.

• Chapter 8 covers the necessity for Establishing and Maintaining an Open Culture for Data Integrity. It will explore what is open culture as well as the role of senior and laboratory management in setting expectations and maintaining a culture to ensure data integrity. This will include ways of balancing the pressure of work that could result in staff cutting corners due to management pressure that could compromise data integrity. This is the most difficult part of the Data Integrity Model as it requires management leadership and will require constant nurturing.

• Chapter 9 presents An Analytical Data Life Cycle from acquisition through processing, retention and finally destruction at the end of the retention period. The currently published data life cycles are inadequate as they do notcover analytical procedures in any detail as they are generic. Presented here is a flexible analytical data life cycle from sampling to reporting that can adapt to any analysis from simple to complex. There are potential problems as some analyses do not generate objective evidence that is essential to demonstrate that an activity took place and for second person review. Key phases of the life cycle are sampling, sample preparation, acquisition and interpretation and these are where poor practices and falsification can occur, often without detection. Reiterating, an analytical data life cycle model needs to be flexible as not all analytical procedures require all phases.

• Chapter 10 concerns the Assessment and Remediation of Laboratory Processes and Systems. Management needs to have inventories of computerised systems and paper processes available and have them assessed for data integrity risks. The priority of assessment should be based on the criticality of the process and the records produced in it. Data process mapping is one methodology for assessing a process or system that will highlight the data generated and the record vulnerabilities for paper process and hybrid and electronic systems. From this will come short term quick wins for immediate implementation and also the development of long-term solutions options offering business benefit.

• Chapter 19 focuses on Quality Metrics for Data Integrity. Although placed towards the back of the book, this is a data governance topic as the metrics are a major input into the management review of the data governance of an organisation. It is important to understand the data integrity issues before developing metrics to monitor the programmes. There are two main areas for quality metrics, the first is to assess the progress of the overall data integrity assessment and remediation programme as well as the metrics for day to day routine analysis to identify areas of concern for monitoring, setting key performance indicators (KPIs) that may trigger further investigation of a process or system.

1.2.5 Data Integrity

Moving from the data governance umbrella, we come down into the detail of data integrity with eight chapters looking at the three top layers of the data integrity model.

• Chapter 11 looks at the Data Integrity and Paper: Blank Forms and Instrument Log Books. The use of blank forms for documenting analytical records will be used. An analysis based on observation will be discussed and the main data integrity issue with such a process is there objective evidence available for second person review? Many manual processes in a laboratory such as sample preparation lack evidence of activities other than a trained analyst following a procedure. In addition, there are now stringent regulatory control requirements for master templates and blank forms that will be outlined to demonstrate data integrity. Instrument log books are key records for data integrity but are they completed correctly and if using an instrument data system why cannot the data system generate the log automatically?

• Chapter 12 discusses The Hybrid System Problem. A hybrid computerised system is one that creates electronic records with signed paper printouts with the problem that two incompatible record formats must be managed and synchronised. What can software suppliers do to ensure data integrity? Many software applications used in the laboratory were designed before data integrity issues became a major issue. We also discuss the most common hybrid system: spreadsheets and present what to do to ensure data integrity. The regulatory guidance from WHO is that "use of hybrid systems is discouraged" will be presented as an introduction to Chapter 13.

• Chapter 13 presents a contentious topic: Get Rid of Paper: Why Electronic Processes are Better for Data Integrity and looks at why electronic processes are better. This is a goal for long term solution to existing systems and paper based processes. If resources are used to update and validate new systems to improve data integrity, there must be substantial business benefits. This is a business opportunity that will be compared with approaches taken with two other major programmes of work for the pharmaceutical industry: Year 2000 and Part 11 remediation projects, as discussed in Section 1.9 of this chapter..

• Chapter 14 focuses on Data Integrity Centric Computer System Validation and Analytical Instrument Qualification. It compares the traditional approach to top down computer validation: improving the process and then configuring the application to match the new process. However, this can leave the records generated by the system vulnerable especially if access via to data files via the operating system is available. Therefore, a combination of top-down validation coupled with a bottom-up approach identifying the record vulnerabilities and mitigating them is essential. The integrated approach of analytical instrument qualification and computerised system validation in the 2018 version of USP <1058> will be discussed. The data integrity issues of allowing a service provider to have access to your computerised systems will be debated.

• Chapter 15 presents Validation of Analytical Procedures that discusses the new approach of a life cycle approach that has been proposed by the publication of a draft version of USP <1220> by the United States Pharmacopoeia (USP). The omission of ICH Q2(R1) is that method development is not mentioned. In contrast, the draft USP <1220> is a three-stage process looking at defining the aims of the method with an Analytical Target Profile (ATP) and the method design is based on this. When developed, the method is validated and then deployed for use with continuous monitoring of the performance.

• Chapter 16 discusses Performing the Analysis. When an analysis is performed, the lower levels of the data integrity model (Foundation, Level 1 and Level 2) must work effectively so that the work is carried out correctly at Level 3 to ensure data integrity. We will look at analytical procedures requiring observation alone, sample preparation followed by instrumental analysis, instrumental analysis with data interpretation and finally a method involving sample preparation, instrumental analysis with data interpretation and calculation of the reportable result. Data integrity requires that out of specification results are documented and will be a lead-in to the next chapter.

• Chapter 17 entitled Second Person Review. The second person review is important for ensuring data integrity and is the second line of defence (the first being the performer who does the work). A reviewer needs to ensure that all elements in the procedure have been followed and to check for falsification or hidden records. Review of paper, hybrid and electronic records will be discussed as well as risk based audit trail review including review by exception.

• Chapter 18 looks at Record Retention. It presents and discusses options for retention of records: migration, museum, virtualisation or read only database. Discussion of data standards: history and current efforts as a way forward for the future. Some data integrity guidance documents require that dynamic data is not converted to static data.

1.2.6 Quality Oversight for Data Integrity

The final five chapters present and discuss quality oversight within a regulated laboratory and also when outsourcing analysis to a Contract Manufacturing Organisation (CMO) or Contract Research Laboratory (CRO):

• Chapter 20 is entitled Raising Data Integrity Concerns and discusses how data integrity concerns can be raised by an employee. This is different from the open culture discussed in Chapter 8 and is focused on how a concern can be raised and investigated by a company that protects the confidentiality of all concerned when handling such issues. This policy includes non-retaliation against individuals either raising or being subject to the data integrity concern.