Pharma Industry & Data Integrity: How to Ensure Compliance Without Going Bust

Verifying that all your computer systems are compliant with data integrity guidance and regulations is an epic task. It can also be expensive.

Conducting gap analyses, writing procedures, creating action plans, training staff and making changes to IT systems takes time, money and resources. And that’s assuming no worst-case scenario where you need to ditch the old and buy new IT systems instead.

A rise in industry-wide data manipulation and violation of current good manufacturing practice (cGMP) regulations for drugs lies at the heart of this challenge. But that doesn’t make data integrity any easier or cheaper to maintain for the good guys.

Here’s how you can take control of meeting your data integrity requirements. And without breaking the bank. By adopting a realistic approach to assessing your systems, you can identify gaps and correct them before problems occur.

What are the goals of data integrity?

The primary aim of data integrity is to protect patients. Regulatory agencies and the pharmaceutical industry need accurate and reliable data to ensure the safety, efficacy and quality of products. This makes avoiding modification, duplication, deletion and falsification of electronic and other data vital for all concerned.

The second goal is to guarantee trust between the industry and regulatory agencies. These agencies include the World Health Organization (WHO), the US Food and Drug Administration (FDA), the European Medicines Agency (EMA) and the Medicines and Healthcare products Regulatory Agency (MHRA) in the UK.

Why does trust matter? In a nutshell, pharma firms can’t afford to abuse it, as trust is implicit in the assessment and review process of drugs. Here’s how:

• First, regulatory agencies can’t constantly audit and inspect every behavior, procedure and technical aspect of every pharma company’s production processes.
• This makes data integrity the only way that firms can prove that they are meeting regulators’ guidelines and expectations.
• So, drug companies need to be able to show their records and data as accurate, available, complete, consistent and secure throughout their life cycle.
• Pharma firms that can’t demonstrate this are flirting with facility shutdown, product recalls, import and/or distribution bans, delayed or blocked drug approvals, and damage to their brand and corporate reputation.
• What’s more, having lost the trust of the regulator, such firms may face closer scrutiny and more frequent inspections in the future.

Is lack of data integrity still an issue?

In short, yes. This is why global regulatory agencies are keen to prevent accidental data integrity lapses. It also explains their continued efforts to root out offenders whose pants are on fire and who doctor their records and data on purpose.

Irregular practices identified in manufacturing plants by the FDA’s global inspectors and then noted as observations in recent warning letters include:

• Falsifying test results, destroying data or omitting the data necessary to support test results.
• Sampling or retesting to achieve a specific result or to overcome an unacceptable result.
• Failing to implement effective controls to ensure only authorized individuals have access to technical systems.
• Backdating record entries.
• Disabling audit trails.
• Changing the setpoints of testing equipment to minimize data that would likely cause an out-of-specification result.
• Using the names of people who no longer work for the company to sign off approvals and authorizations.

This list of infractions is not a comfortable read. So, it’s worth underlining that most pharma companies are doing their utmost to follow current regulations and guidance.

The difficulty is advances in the science and processes around drug manufacturing. These are evolving to embrace ever-more sophisticated instrumentation and technologies. So, it’s no surprise that documenting, recording and auditing such activities and procedures is becoming more complex too.

This situation is compounded by greater reliance on outsourcing and cloud-based information architectures, automation and mobile technologies within the pharma industry.

Data integrity can be hard to maintain

Without first focusing on human elements, data integrity can be hard to achieve and difficult to maintain. But think of your bank. No doubt you expect that the people who work there won’t steal your money, or at least, not on purpose. The same goes for pharma companies and maintaining data integrity – the deliberate manipulation of data simply shouldn’t happen.

When it does, the first step is for management to take responsibility and invest in staff awareness and training. All employees at all levels should understand the importance of data integrity. They should also be aware of the influence they have on data according to the authorizations assigned to their job roles.

Those with direct responsibility for ensuring data integrity need more detailed training. These people include:

• Process and data owners
• System owners
• System developers, maintainers, and users
• Quality assurance and quality control personnel
• Clinical, manufacturing, and laboratory professionals
• Validation and compliance specialists
• Suppliers of systems and services
• IT and engineering personnel

Above all, companies need to be clear about accountability and the consequences of accidental or intentional data breaches. The bottom line should be that people who tinker with data or don’t follow the rules won’t be tolerated.

Don’t let data integrity demands break you

Dealing with cultural and human factors around data integrity can be challenging but ultimately manageable. It’s taking care of the physical computer systems that’s the more laborious, intrusive and costly task. Why?

1. Because it’s a long-term and all-encompassing commitment. From measurement systems to analytics, the drug development and manufacturing process runs end to end on technology. This gives rise to mountains of data.
2. It requires validating your computer systems and business processes – to ensure the accuracy of generated or recorded data.
3. You need to address access management and critical authorizations – to protect data and avoid integrity breaches during operation.
4. The audit trail for each system needs regular review – to ensure that it creates a secure, time-stamped electronic record of data activity and a record of the activity of each system user.

This process can be time-consuming and disruptive, as it involves hundreds, if not thousands, of systems. All these systems have to be checked and verified individually.

Put simply, you need to ensure that the right procedures are in place, access permissions are correctly configured, and all works as expected. Plus, you want to avoid interfering in people’s day-to-day work and impeding the operations of your company.

Taking a risk-based approach helps manage costs

Implementing quality measures and new technologies to meet data integrity regulatory requirements can be pricey. Sometimes, the latest guidance also means there’s no choice but to upgrade and replace the old with new equipment.

Performing a thorough risk assessment is the first and most important step in keeping a firm grip on the purse strings. That way, you know which systems and problems to address first. Some things can’t be delayed; other smaller issues are of limited impact and can wait. It also helps you understand the level of remediation and costs that may be required.

Of course, the likes of the FDA and EMA also expect a risk-based approach. Indeed, regulators want to see the application of flexible risk-based strategies behind every decision that pharma companies take to prevent and detect data integrity issues.

Prevention is better than cure – it’s also cheaper

Receiving a warning letter citing data integrity violations and/or failing a regulatory inspection is a huge financial burden. Even more costly is that there’s nowhere to hide. So, the best strategy is to identify data integrity gaps early yourself. This involves your quality assurance team conducting regular and rigorous internal audits.

These inspections should verify people, processes and systems. This includes all your cGMP records and the audit trails that track the creation, modification or deletion of all data. Indeed, FDA guidance recommends routinely scheduled audit trail reviews based on the complexity of each system and its intended use.

You’ll also want to conduct periodic reviews of individual systems to identify risk factors within your systems and user management and authorization processes. Imagine forgetting to update permissions on a particular system when someone leaves your employ, for example, or developing a problem with generating proper backup data.

By developing a strategy and plan to monitor and remediate any high-risk activities, you can prevent them from escalating and avoid data integrity breaches.

Key takeaways

If you have hundreds of systems, verifying that they all meet data integrity requirements and then assessing and closing any gaps can be hard work and hugely disruptive. This process can also be daunting and bust your budget.

You want data integrity methodologies that let you deal with the size of the task and still sleep well at night. This demands nuanced strategies that are not overly aggressive yet acceptable to the regulator, so not too limited in scope or speed.

Qualitest can help you take a realistic approach to achieving data integrity compliance. With over 20 years’ experience in the pharma industry, we have in-depth knowledge of regulatory requirements. Our experts provide solutions that balance your risk against your available resources and budget. Want to know more? Get in touch.