Addressing Information Integrity
Recent FDA enforcement actions around Ranbaxy in India centered on data integrity and quality. Data reliability is a theme that FDA inspectors are increasingly hitting across the board, from the GLPs, GCPs, and GMPs to the QSRs.
So what is your firm doing to ensure FDA records reliability and information integrity expectations?
Over the past three years, FDA officials have reiterated five expectations when it comes to the reliability of data from a company. Data needs to be “attributable, legible, contemporaneous, original, and accurate.” The FDA uses the acronym ALCOA to capture this.
Easily remembered acronyms are good and well but ultimately, before executives can go forth and figure out what solutions fit best within the company, the following needs to be determined:
- Since making everyone accountable for data integrity means no one is accountable, who is accountable?
- Since perfect data reliability is unlikely, what is a reasonable level of data integrity?
- Since you don’t just gather data one time, what are your plans for maintaining this reasonable level of data integrity as your business grows and evolves?
With my clients who take advantage of my lean FDA compliance, Part 11 IT compliance, or cost-effective records management & retention advice, I recommend a practical approach to information integrity using four key themes:
- Clarify accountabilities
- Expectation clarity
- Incorporate risk assessments
- Transparency and forethought
As company leaders, executives are in charge of setting out the accountabilities of each department within their firm. Set down these accountabilities in writing. These do not need to be like detailed job descriptions one might write for Personnel / Human Resources, but rather, brief statements on who is accountable for what aspects of capturing, maintaining and archiving information.
At a minimum, make sure to include departments such as information technology (IT/ICT), regulatory compliance teams (quality and regulatory affairs), and legal.
As simple as this sounds, I’ve repeatedly found that companies struggle with this basic operational aspect of clarifying accountability. Continue to check-in with teams to ensure mutual agreement on accountabilities and expectations; and if nothing else, make sure information integrity accountabilities and trending are reviewed in your periodic quality systems management review.
Hand in hand with an understanding of accountability, executives—with their teams—need to lay out expectations for their company’s level of confidence when it comes to data quality. I recommend adopting, at minimum, the same standards of confidence the FDA expects from your product, whether that’s 95% accuracy and reliability, 98% accuracy and reliability, etc. In essence, make information your 21st century medicinal product.
FDA inspectors will cite firms for failure to translate a quality policy into actionable strategies and operational objectives. Taking this “standard of confidence” approach is one way to show inspectors that a quality policy is not just a motto on the wall. Define the levels of quality expected and support them with activities, plans, and documentation.
Incorporate Risk Assessments
One lean compliance challenge is not to “dumb down” a firm’s risk management methods, but rather to identify those elements applicable to each group’s set of information accountabilities. Each functional team (and their individual members) should know enough to recognize a potential risk when an unknown unknown (or “unk-unk” as they are called in product development) arises. At that point, a firm’s documented risk assessment and control policies start.
For instance, consider incorporating a basic risk assessment in every standard operating procedures (SOP) that cover data handling. This is not a full-blown failure modes and effects analyses (FMEA) but a simple, “preliminary risk assessment” done by the person actually carrying out the SOP. That individual should know enough about the tasks at hand to recognize when something has a risk associated with it. Ideally, that risk can be quickly and easily eliminate within the context of the process (e.g., think about when an IT/ICT person is setting the schedule for company data to be backed up on a nightly basis – often there is a checkbox in the backup application for a byte-checking routine to be run to make sure that all the data was backed up – that’s an example of a simple, built-in risk control step you need not set out as a separate SOP or escalate to an FMEA board). If that risk cannot be easily and quickly eliminated or otherwise controlled within the basic process, or if the process carries with it a direct potential of patient harm, then the preliminary risk is escalated up the chain for a more robust set of controls to be put on the data.
The key is to use this type of incorporated preliminary risk assessment to identify, document, and justify specific data integrity controls.
Transparency and Forethought
There are two challenges with this theme:
- first, ensuring you have data and accountability transparency; and
- second, ensuring that each of member of your company has the know-how to recognize and tackle new situations as your business evolves
Data and accountability transparency can be addressed by combining the concepts of flowcharts and organizational charts, tracing the proof of patient safety and product efficacy through various levels of management and personnel (for accountability) and through system levels for data. Then, correlate the two charts so that a lined can be drawn that clarifies the relationships; the goal is to identify, at any time in the information’s life, who in the organization is accountable for the information.
Ensuring functional teams have the know-how to recognize and tackle new situations as a business and marketplace evolve is a long-term commitment that comes with maintaining information’s long lifespan. Tactics to handle this will depend upon each group’s accountability, but several principles apply. Training may be an obvious one, but so is continued awareness of industry trends and best practices.
If you are running lean and cannot devote the time constantly assessing industry trends and best practices, consider asking a third-party for a summary document of items that might be applicable to your company and the information you guard, or subscribe to a monthly regulatory intelligence newsletter that goes beyond the usual “here’s what Congress is up to and here’s what enforcement actions that FDA took.” You need advice on keeping ahead of regulators when it comes to data integrity expectations, particularly around clinical trials, regulatory submissions, and long-term data and records retention.
For companies whose entry of new products into the regulated marketplace hinges upon a review of information proving product safety and efficacy, data integrity is the quiet elephant lurking in the corner.
Are you ready?Adapted from an article published in Pharmaceutical Processing, September 2009