Professional Documents
Culture Documents
Paul Smith
Agilent Technologies
paul_smith@agilent.com
Paper is a commodity,
purchased by procurement…..
[and they change suppliers – different 2017 Paper 2014 Paper
quality / aging properties……]
“Equally important are the procedure to audit data and programs and the process for correcting errors.”
FDA 1993 Laboratory Inspection Guide
“Data integrity in computer-based information systems is a concern because of damages that can be done by
unauthorized manipulation or modification of data.”
Does Anyone Disagree With these Statements ?
“The emphasis on controlling access to data has served to mask the issue of data integrity.”
Data
Complexity
Data Data
(e.g. Balance Print Out) (e.g. Chromatograms)
Simple Meta Data Complex Meta Data
See Appendix
✓ FDA Level 2
Guidance
Presentations from the MHRA event are normally only for delegates (crown copyright). However, following a request
/ e-mail exchange with Jason, a PDF of this presentations has been made available to this GAMP meeting.
Ongoing
1st May GSK Stevenage
10
Links to • 1993 Inspection Guide 12 pages
• 2016 Data Governance and Data Integrity for GMP Contact Bob McDowall 71 pages
ECA
• 2018 Data Governance and Data Integrity for GMP or Margarita Sabater 89 pages
[extended to include manufacturing]
External Hyperlink • 2017 China Translation Available from Barbra Unger (Rx – 360 Working Group) 12 pages
• 2018 PDA TR80 https://store.pda.org/TableOfContents/TR80_TOC.pdf (PDA - € 325 – PDA Book Store) 63 pages
• 2018 Book – Data Integrity & Data Governance (Purchased from RSC) 600 pages
1st May GSK Stevenage 11
Guidance Documents…… A Lot of Guidance
Pages: 136
FDA MHRA WHO PIC/S
Word Count: ~50,000
Pages: 17 21 46 52
12
1st May GSK Stevenage
Different Guidance Interpretation
Data Integrity Guidance If a Guidance Document Includes
Guidance
the word “must”
Documents - Do you need to comply with the requirement ?
Need to be
Interpreted !
(“what, but not how”) Manufacturing / R&D May Interpret
These Questions Differently ?
46
Which Guidance
FDA 16 Includes:
Data Integrity Guidance
130
MHRA SMALLEST
17
number of MUST
statements ?
225
WHO 6
LARGEST
395
number of
PIC/S 57 SHOULD
statements ?
0 100 200 300 400
Number of Times Cited
14
1st May GSK Stevenage Should Must
FDA DATA INTEGRITY GUIDANCE
Time
Draft Final
Was: ucm495891
(Final)
(Dec. 2018)
15
1st May GSK Stevenage
Press Statement (Data Integrity Guidance)
December 12th 2018
“The guidance covers the design, operation, and monitoring
of systems and controls to maintain data integrity.”
I Introduction
II Background
Question & Answer 2 – 18
Stronger alignment with Out of Specification (OOS) requirements….. (limits “testing into compliance”)
% Change =
110 – 41
x 100 = 168 %
41
% Change
Across The Guidance
% Change =
110 – 41
x 100 = 168 %
41
Sections with
the Largest %
Change
% Change =
110 – 41
x 100 = 168 %
41
Sections With
the Greatest Change 17. Is FDA allowed to look
at electronic records ?
Q13 Answers
2016 (3) 2018 (9 new)
CFR References….
Q13 Answers
2016 (3) 2018 (9 new)
CFR References….
Sections with
the Largest No of
CFR Changes
Q13 Answers
2016 (3) 2018 (9 new) 1c. What is an “audit trail” 13. Why has FDA cited use of
actual samples during
“system suitability” tests….
CFR References….
2016 2. When is it
permissible to
invalidate…..etc.
2018
• Expanded Wording…. (What is Data Integrity ? Q1a, How often should audit trails be reviewed Q8, and Is the FDA
Allowed to Look at Electronic Records ? Q17)
• Potential Expansion – Inspection Authority (e.g. “including electronic communications that support CGMP
activities”, e-mail Q17 +168 %)
• Invalid Data Criteria Clarified (OOS) (“Exclude data…” all data must be evaluated, even invalidated data Q2)
• Enhanced Audit Train Review (audit train must be reviewed.. Etc, Q7, Q8 (“Review” mentioned 38 times,
19 for Q7&8. Ctrl F of guidance – See footnote p8….)
• Stricter Access Control (“PET Drug Guidance” ref. removed, system admin should be independent of record content)
• Appendix – Robert Wherry (GAMP DI SIG) (permission to share his annotated copies of FDA DI Guide)
1st May GSK Stevenage
26
MHRA DATA INTEGRITY GUIDANCE
(Final)
(Mar. 2018)
Time
Mapping (2016 to 2018)
2014 2015 2016 2017 2018 See Appendix
V1.0
V1.1
Draft
Final
27
1st May GSK Stevenage
MHRA Data Integrity Guidance
Simple… • Concept of “Primary Record” (was in 2015)
• Deletions • Line Numbers !
Figure 1
Changes • Revisions
• End of the World ! – 2017 Audit “Deadline” !
• Additions
• Introduction – opening sentence !
+ Barbra Unger Blog 1st May GSK Stevenage 28
– DI Guidance Changes
MHRA Data Integrity Guidance
15 Pages 16 Pages 14 Pages 21 Pages
3,567 Words 3,963 Words 5,407 Words 7,836 Words
Time
Jan. 2015 Mar. 2015 Jan. 2016 1,300 Comments Mar. 2018
Draft For
Ver. 1.0 Ver. 1.1
Consultation Structure Final Version
Figure 1
Simple Complex Introduction /
Paper Electronic
Data Integrity
Positioning
Principles
Diagram
(Risk Based. Ref. GMQA)
+
Definitions +
Some Integrated / Mature
Guidance Data Integrity
Reads like a set of PPT Figure 1 Guidance
training slides (Evolving…)
(e.g. “MOSTLY Definitions”)
Table No Figure 1
(more granular)
“GXP”
[more overtly GXP]
1st May GSK Stevenage
29
MHRA Data Integrity Guidance
21 Pages, 7,836 Words Final Version – Mar. 2018
Table of Contents - New
Background / Introduction
Draft Versions
Principles of DI (10)
Establishing Data
Criticality / Risk
Designing Systems…..
Definitions /
INTERPRETATION
67 % 20 Sub Sections
Audit Trail
Access / Use
True Copy
5 Largest Sub-Sections
of Section 6
1st May GSK Stevenage 31
Revisions to Guidance Comments (Abbreviated – See Guidance)
MHRA DI
Establishing Data
Integrity Risk
Guidance
Criticality and Inherent
(Section 4, p 5)
- Revisions
Substantial expansion, structure and new text / detail
Sections 4.5 & 4.6 – Risk Assessment & Remediation
Designing Systems and Processes… Substantial expansion, use of “Scribes” (e.g. GLP example, for
“Scribes” (e.g. GLP example, for
(Section 5, p 7) contemporaneous recording sterile operations by observations now included).
Data Definition (Section 6.1, p 8) Now includes the + of ALCOA+ (e.g. Complete, Consistent…. Etc.)
(e.g. Complete, Consistent…. Etc.)
Data Review & Approval (Section 6.15, p15) Periodic Audit –– might verify effectiveness of existing control measures
might verify effectiveness of existing control measures
User Access – must be used Sys. Admin….…should not …interest in the data..
Computerised System Access (Section 16, p 16) System Admin. – should not be assigned to….. direct interest in the data…
Data Processing (p 11) Now includes: “attribution of who performed the activity”.
Excluding Data (p 11) Not Applicable to GPvP
Electronic Signatures (p 14) References MHRA draft – informed consent for GCP
Data Review and Approval (p 15) Substantial Expansion - …Should meet all applicable regulatory requirements and be
risk-based.
Archive (p 18) Hybrid Systems – “…references between physical and electronic records must be
maintained…”
st
1 May GSKdata
Stevenage 33
Glossary (p 20) eCFR, ECG, quality, DIRA.... etc.
WHO DATA INTEGRITY GUIDANCE
Time
Draft
Final
34
1st May GSK Stevenage
WHO Data Integrity Guidance
Primary Focus: Education and Understanding
ALCOA
Definition
Table
Expectations Expectations
(Paper) (Electronic)
Special Risk
Management
Requirements
(Each ALCOA Term) 1st May GSK Stevenage 36
WHO Guidance – ALCOA Structure
For Each section of ALCOA Contemporaneous
Definition
Table
Expectations Expectations
(Paper) (Electronic)
Special Risk
Management
Requirements
(Each ALCOA Term) 1st May GSK Stevenage 37
PIC/S DATA INTEGRITY GUIDANCE
Time
Draft 2 Draft 3
P1041-1
(Draft 3)
(Nov. 2018)
38
1st May GSK Stevenage
PIC/S Data Integrity Guidance
Most Granular Table of Contents
14 Main Sections 59 %
Specific Data Integrity
Considerations….
Includes: Validation of
Technical Control
Expectations Table
Table Format Applies
to Sub-Sections:
8.4, 8.6,
9.2 – 9.8
Instructions Table
Table Format Applies
to Sub-Sections:
8.7, 8.8, 8.10, 8.12
Details….
guidance say about 5.1 • QMS Requirement – mechanism for staff to report….
“Show and Tell” ? 12.1 • Investigation - Notify Health Authorities – material impact
19 Technical Requirements
Contents
Appendices 13. User Requirements
(107 pages) 14. Process Mapping and Interfaces
Development 15. Risk Control Measures…..
(28 Pages) 16. Data Integrity Concerns – Architecture....
17. Data Integrity for End-User Applications
Practice 9.
Company
Security Controls
Guide 10.
11.
Case Study: DBA and Security Controls for an RTSM System in a GCP
Case Study: DBA and Security Controls for an ERP System in a
Data
12.
Medical Device Manufacturing Environment
Case Study: Laboratory Computerized System
Integrity
13. Case Study: Uncontrolled Spreadsheet Risks/
14. Case Study: Process Control System
15. Case Study: Business Application System Issues
23 Appendices 16. Reviewing Laboratory Systems
(89 pages)
17.
18.
Reviewing IT Systems
Reviewing Supporting Data
What to
19. Auditing Access Controls Audit
20. Regulatory Guidance Regarding Classification of Deficiencies
Table of 21. Detecting Aberrant Results
Contents 22. References (65)
23. Glossary
51
1st May GSK Stevenage
FDA DI Guidance – ALCOA CFR References
1st May GSK Stevenage
Attributable…………………………...… A 211.101(d), 211.122, 211.188(b)(11), 212.50(c)(10)
No Changes Between 2016 (Draft) and 2018 (Final Guidance) – Above is from 2016 (Draft) 52
Changes to FDA Guidance:
Permission to share Annotated Files From - Robert Wherry - Takeda
How should access to CGMP computer
Example – Question 4 Answer systems be restricted ?
Deletions from the
2016 draft guidance:
2016 (Draft)
2018 (Final)
Mr Tor Graberg
(Former PIC/S Chair)
South Korea
Ukraine
Japan
Canada
Switzerland Israel
Chinese Taipei
Liechtenstein Hong Kong
Turkey
USA Thailand
Iran Malaysia
Indonesia
New Singapore
Mexico
Members
New
From 1 Jan’18
Zealand
Argentina Australia
4 Partners South
EDQM Africa
EMA
UNICEF
WHO
Applicants Pre–Applicants
Interested
(Up to 6 years) (Gap Analysis by PIC/S)
Colour coding for different regions Americas Asia Update Provided by – Bob Tribe
Europe Africa (Retired Chief GMP Inspector - TGA)
“Those who forget the past are condemned to repeat it” (Joanna Gallant):
1993 – Barr Ruling – Testing into compliance – Sued the FDA, “OOS”
2005 – Able Laboratories – Fraud case – “Let’s go straight to Consent Decree” Difference
FDA Page
Legal
2006 – 2009 – Repeat Violations - FDA Warning Letters – Ignored FDA Actions
2012 – Consent Decree – Application Integrity Policy (AIP)…… “Telephone System”
Consent Decree (see Page 11, X for Telephone Requirement)
FDA Page
1st May GSK Stevenage
58
FDA Remediation……
A Investigate Extent
MARCS-CMS 487471 — 06/09/2016
FDA Recommendations….. B Risk Assessment
C Management Strategy
59
1st May GSK Stevenage
60
Reliability
Detailed Corrective Action…… to Ensure
Completeness
Legible………………………….….. L
L - Clause: 7.5.2
(“…ensure that amendments to technical records can be
traced to previous versions or to original observations”)
Contemporaneous.... C
C - Clause: 7.5.1
(“Original observations, date and calculations should be
recorded at the time they are made…”)
Original……………………………. O
O - Clause: 7.5.2 (“…original and amended data shall be retained”)
Accurate……………………….… A
A - Clause: 7.11.3 c) (“….provides conditions which safeguard the
accuracy of manual recording and transcriptions”)
Complete - 7.11.3 e)
+ Consistent -
Enduring -
7.11.6
7.11.3 b)
Available - 8.4.2
1st May GSK Stevenage 63