Data integrity is a recurring theme in noncompliance and whistleblowing cases.

Long after a drug has gone off patent, the data associated with that drug show how well its manufacturer controlled its processes, ran its operations, and met FDA’s regulations. Today, of course, all data are computerized. Yet, ever since FDA soft-pedaled its enforcement of its electronic recordkeeping requirements as set out in 21 CFR Part 11, some drug company managers have viewed electronic data management as less of an enforcement priority.

As a result, especially during economically challenging times, some firms have been devoting fewer resources to improving compliance and data management strategies. They continue to do so at their own risk, experts suggest.

Poor data management is cited in an increasing number of 483’s and inspection reports, and figures prominently in recent Consent Decrees. As more inspections reveal disconnects or discrepancies between everyday plant realities and the way they are documented, regulators are emphasizing data integrity in their enforcement efforts.

Within the past few years, on the R&D side, FDA has tightened clinical data requirements, and invoked its Application Integrity Policy (AIP), effectively stopping all review of new or pending drug applications from a company, a move that can cost a manufacturer roughly $8,100 per day (not including potential loss of income from the new drug), says record integrity and FDA expert John Avellanet. This year, FDA has promised to devote more time in its cGMP plant inspections to verifying compliance with 21 CFR Part 11, and to scrutinizing electronic data management practices.

Mr. Avellanet traces data integrity problems to ignorance and sloppiness, generally caused by the following common mistakes, all of which occur from clinical through manufacturing through CAPA through adverse event reporting and handling:

  • Not having a plan in place with regular, reasonable data/document integrity controls
  • Not maintaining the links/traceability between source documents (original data) and the stored record (such as in a database format or in a PDF version)
  • Not keeping complete and accurate records

Examples of the latter issue include forms with missing signature fields or backdated signatures, and databases with fields missing information in them. More subtle examples: not keeping data or document sets or linkages together, such as documents associated with a CAPA, investigating an adverse event, or training.

Questions of Fraud

Fraud, says Avellanet, takes the following forms regardless of the type of data (QC, QA, manufacturing, CAPA, etc.):

  • faking data
  • substituting data (like copying over data points from a successful batch record into a failed batch record)
  • omitting negative data (like OOS or, in trending graphs, eliminating outliers); or
  • hiding/obscuring SOP or protocol deviations.

To ensure data integrity, Cerulean’s managing director suggests, “You have to have a plan, and it should cover items such as a records retention schedule and associated policies and procedures, training for personal and regular records reviews, plus regular data audits.” SOPs are an important part of this plan, he says. “As part of crafting each SOP in your quality system or your regulatory affairs program, make sure your SOPs capture and document various decision points, actions and responsibilities.”

John Avellanet suggests looking at complaint handling as an example:  “For instance, when examining a complaint handling SOP, all decisions on any follow-up actions need to be documented with supervisory review and approval,” he says. “Second, the SOP should lay out basic criteria to prioritize complaints as high or low priority.” The quality department will want to audit the prioritization results. Finally, he says, a due date should be assigned for any investigation, and again, a supervisor should be involved in reviewing and signing off on the results.

The receipt of the complaint, the follow-up and any actions taken—all generate data points with dates, review signatures or approvals, and opportunities for independent verifications. “In fact,” Avellanet adds, “consider a case where all complaint handling documentation is written down first on paper and then input into a database with some scanned copies of signatures. The key would be to have a review of the input process to verify that the transferred info is all correct.”

Quality professionals (and FDA inspectors) can still go back and plow through all the information to reconstruct the decisions and actions and responsible individuals associated with any specific complaint, Avellanet says. “Thus the data is said to have integrity—it’s attributable, legible, complete, original, and accurate.” He refers to the acronym ALCOA to stand for ideal data characteristics. Nothing is missing. The same holds for all such critical processes that generate records—batch review, QC inspection, adverse event handling, and CAPAs.

But as Cerulean’s Avellanet says, it all starts with a practical plan. “If you don’t know that you need to keep various records together, you don’t know how long you are required to retain documents for FDA and other agencies, you don’t know that you need to have documented records review and approval points, and you don’t know that you should be doing regular data and record audits, all you’re doing is setting yourself up for failure. And a costly failure at that,” he says.

Originally published March 2011 in Pharmaceutical Manufacturing

Contact John Avellanet for more advice on practical data integrity controls