I recently attended the A3P International Congress in Biarritz, France, comprised of the major players in the pharmaceutical and biotechnology industries in Europe, where I had the opportunity to participate in a workshop on data integrity. This workshop brought together many life sciences professionals.
Since the U.K.’s Medical and Healthcare product Regulatory Agency (MHRA) (1) and the U.S.’s Food and Drug Administration (FDA) (2), published on this subject in 2015 and 2016, respectively, data integrity continues to gain importance as an issue. Some workshop participants wondered if this is simply a new trending topic that will quickly fade. I firmly believe that it is not.
Between January 2015 and May 2016, 21 out of 28 FDA warning letters involved data integrity issues in drug manufacturing. What have we missed? Because the industry has mainly focused on the “systems” part of information systems, to manage quality and compliance, one has neglected the information itself.
Is data integrity a return to basics of good practice?
Let's go back 40 years and take a look at the development of information systems. Yes, we must go back at the beginning of the 1980s, when an event changed the world of computing as we knew it—the invention of microcomputing. This advancement allowed everyone to access a computer, at work or at home. While this innovation promoted the democratization of technology, it also signalled the emergence of the “software industry” with the likes of SAP, Microsoft, Google, and others.
Yet it was during this innovative expansion of interfaces that the word “information” became neglected, as it was preferred by the industry to focus on systems. Today, the major emphasis of data integrity is on “information.”
And yet, the regulations were there ...
Here we must pay tribute to the legislators, the European and American texts that had already shown the way. The EU (European Union) Annex 11 (3) provides several incentives for data protection. For example, there are requirements for maintaining the durability of the data (§ 7.1), backups (§ 7.2), the audit trail (§ 9), or the justified modification of the data (§ 9 and 10). Data traceability should include the date and time of changes, detailed information about the person who modified it, and the source of the data (§ 8.2). Data should be protected against damage by both physical and electronic means (§ 7.1). Via a computerized system, logical security should require user identifier to limit access to authorized persons (§ 12.1, 12.2, 12.3). Also, electronic records imply that data is signed by the individual making the entry. Electronic signatures are considered as reliable as handwritten signatures (§ 14). Principles, such as archiving (§ 17), separation of duties (§ 6), and inventory maps of the “data flow” (§ 4.3), are also suggested.
In the same extent, CFR21 part 11 points out identical data security measures.
Thus, what has changed or remained among data integrity issues? Why did the MHRA need to change/update its regulations, or something else? What are the new principles?
What’s driving the moment?
Data integrity issues take source in fraud practices which clearly showed that certain companies could directly modify the data when one it did not correspond to their wishes. The integrity of the data is not safeguarded. Thus, the past few years have seen a significant increase in data integrity violations (4), such as falsification, resulting in the number of FDA 483 warning letters being issued to pharmaceutical companies.
Open systems and data flow
For many years, with concern concentrated on the validation of computerized and automated systems, we almost forgot the data that goes with it.
The focus is now on the data. Thus, the monolithic vision of the information system concentrated in a single closed tool and communicating with nothing (upstream or downstream) is obsolete. Even within the context of a massive implementation of Enterprise Resource Planning (ERP) on a global scope, we will always find connections with laboratory equipment, Laboratory Information Management System (LIMS), production equipment, and tools of extraction. The data circulates from one system to another, evolves, and changes. It is therefore necessary to control data, to verify that the initial semantic is not altered, also referred to as a “semantic attack”.
Take control of the data
Data integrity control is essential in ensuring the overall consistency of the data. How could one prove that the data has not been modified or altered since its origin, especially when the data is involving patient safety? Or, once a modification has been done and justified, is the traceability of this modification available? Is the initial entry preserved and accessible? An audit trail is a way to track all changes to data. Electronic management systems provide such a tool to perform an audit trail. It allows tracking back from a current value, through all data changes, and back to the original value. The sequence of changes to data can be therefore reconstructed. Restricting the values to certain users of the system should be considered so change is attributable to the person making the change.
A move toward new principles
New security measures also contribute to the developing vision of the concept of data integrity. Principles like ALCOA (Attributable, Legible, Contemporaneous, Original, and Accurate), various practices around date management, review of audit trails have emerged. All these topics are now part of data integrity assurance.
Life sciences manufacturers are under the microscope
The concept of data integrity should take root company wide. Initially limited to the laboratory, we are now talking about industrial data. We will soon talk about all the data that is directly or indirectly involved in the safety of the patient or the quality of the product.
It is therefore that we arrived at a crucial turning point where one has to return to the fundamental value of ensuring that your company's data is accurate and reliable. And this is for good. As the agency states: “Data integrity is an important component of industry’s responsibility to ensure the safety, efficacy, and quality of drugs, and of FDA’s ability to protect the public health.”
Philippe Charbon is the CEO of Apsalys, a value-added partner reseller of MasterControl for French-speaking Europe. He has been working for more than two decades in Life Sciences companies and is an expert in information systems (IS) within the pharmaceutical industry. His specific knowledge about a company’s environment and regulatory compliance, combined with his considerable IT skills, make Philippe a top qualified consultant and IS integrator. Concerned about data integrity issues, he provides his clients access to consulting and data integrity services to fulfill their needs.
See what they do at Apsalys: www.apsalys.com