Identifying and Preventing Common Data Integrity Issues

Data integrity is important to the 
quality control laboratory because poor
practices can allow for substandard 
product to reach patients.

Because of the multitude of problems being found in regulatory agency inspections, data integrity is a hot issue for regulators around the world today.  Data integrity is critically important to regulators for a variety of reasons, including patient safety, process and product quality.  The integrity and trustworthiness of the data provides a baseline for the regulators opinion of the personnel and the company as a whole.

Data integrity is of particular interest in relation to the quality control laboratory and the handling of OOS results, because poor practices can allow for substandard product to be put into the hands of patients.  But the same holds true for any other area that generates or controls data – including IT, R&D, manufacturing – any data integrity failures from these areas can also impact patient safety, product and process quality effects.
Expectations have been communicated from the regulatory agencies in a variety of forms, including regulations and guidance documents from the US FDA, MHRA, EMA, PIC/S and WHO.  (See Figure 1) And yet, with all this guidance available, problems are still found in many companies during regulatory inspections. Using the US FDA as evidence, searching warning letters for the phrase “laboratory data integrity” brought up 119 warning letters (WLs), ranging from 2005-2016, and covering pharma, biotech, device, blood, GLP & GCP – both in the US and internationally. Searching for “OOS” brought up 137 WLs in the same time period.

This article is related to the White Paper: 
Noncompliance to FDA Quality Standards: What's the Risk to Executives?
To get the full details, please download your free white paper.

Worse, I ask my webinar attendees to gauge their level of confidence in the integrity of their data and data handling practices – and the most common response is that people are only somewhat confident in their company’s practices. 
So let’s explore some of the common areas cited in regulatory inspections, and look at ways to prevent some of these issues.
A Summary of Common Inspection Observations
In reviewing FDA warning letters and 483s for a laboratory data integrity and OOS handling course, I compiled a summary of common inspection observations, which seemed to align into two categories: Data collection (including data capture, interpretation and review) and data maintenance/archiving.
Common data collection activity citings included:
  • Mishandling of OOS results and deviations, including failing to record or report these occurrences, or covering up OOS results, and discarding failing results
  • Failing to investigate OOS results
  • Inadequate investigations, including not identifying root cause and/or CAPAs
  • Documenting work that wasn’t done (including by personnel not present when the work was documented as being performed)
  • Manipulation of generated data (integration parameters, etc.) without explanation
  • Reviewers lacking the background to, or failing to detect data-related issues
  • Using unvalidated analytical methods, or changing validated methods without justification/approval
  • Failing to follow procedure, including running “trial” samples, not completing or pre-completing documentation, and mislabeling or not labeling samples, materials and/or processing equipment
Common data maintenance and archiving citings included:
  • Access and control issues, including password/access sharing, and individuals having the ability to edit/delete methods/data
  • Failing to protect data from loss, including failing to retain raw data, altering or electronically writing over failing data, incomplete records of data acquired/generated, not performing backups or allowing backups to write over earlier data
  • Issues with hybrid systems and the processes for management/maintenance of both paper and electronic records
  • Audit trails do not exist or have been disabled

Preventing Data Integrity Issues

Integrity of any sort is difficult, if not impossible, to regain once compromised or lost.  In the case of data integrity, preventing these issues is a worthwhile investment in the company, because recovering from them, when discovered, is far worse than the costs associated with prevention. 
Data integrity failures have led to companies losing their manufacturing licenses, consent decrees, warning letters, import alerts, invocation of the application integrity policy, bad publicity when issues become newsworthy, and more.  Several companies have found these to be irrecoverable situations, while others invest several years and billions of dollars in remediation activities.  The cost of quality is significant less – and should be vastly preferable to a company.
The technical elements that insure data integrity are not difficult – the harder part is ensuring the company culture is set up to support them.  
Evaluating at least the elements presented in these 5 major areas in the process will help identify where any potential data integrity issues may exist, as well as providing ideas for improvements:
1.     Personnel preparedness
People – our analysts, operators and management staff – are the most critical element in our processes.  To ensure the integrity of the data they generate, review and approve, they must have the appropriate knowledge and skills to operate in a GMP environment and live up to the data integrity expectations, including:
  • GMP/Part 11 requirements & expectations
  • Company code of conduct, ethics & fraud policies – which should define a ZERO tolerance policy for compliance fraud
  • Validation & change control
  • Good documentation practices
  • Deviations, investigations and root cause analysis
  • Data integrity, including the Barr Decision, OOS and data integrity guidance documents
  • Task training, includes background (scientific theory, where the task fits in the process) and rationale for the task, and an assessment of competence
Training should be followed by performance expectations and ongoing performance management – without it, the training is not meaningful.  Expectations that should be set with all personnel include:
  • Data quality/integrity is a top priority
  • Document everything & keep alldocumentation
  • Communicate problems immediately
  • Take the time to do tasks right, each time, and do not document a task (including reviews) that wasn’t completed
  • Follow the SOP as written – noshortcuts/unauthorized changes
  • Expect failures on occasion, and be honest about mistakes

2.     Procedures
Assess procedures against requirements and expectations provided in relevant regulations and guidance documents (See Figure 1), and fill in any gaps that are identified in these assessments. 
Ensure your procedures:
  • Accurately define the validated process, as it should be performed, in clear, unambiguous language
  • Are executed correctly and consistently by all personnel performing the task/process, each time it’s executed 

3.     Equipment/Systems
Verify that the elements that ensure accuracy and control of equipment and systems are in place and functioning, including:
  • Alignment with GAMP 5, GAMP Good Practice Guides and/or USP expectations, as appropriate
  • Validating/qualifying equipment, test methods, computer processes & data calculation/information transfer mechanisms to ensure accuracy and correct performance prior to use
  • Testing OS updates for impact to existing systems prior to use
  • Limiting access to download software/applications from the internet and access to competing browsers for web-based applications
Ensure that at least the following security controls are in place:

  • Appropriate levels of security & user roles are defined and have been verified to function as expected
  • Audit/crosscheck accounts, permissions & credentials
  • Set password controls (expiration dates, lockouts after a set number of failed attempts, secure reset processes, etc.)
  • Limit access to change/edit/delete data or operational parameters to only authorized roles/security levels
  • Use audit trails

4.     Supplier quality
Quality agreements (with suppliers, contract labs or contract manufacturing organizations) should be in place and should:
  • Define communication process for issues, problems and/or changes
  • Define responsibilities and authorities for reviews, changes and oversight of activities
  • Specify the product owner’s authority to audit the supplier’s operation – to verify that the training, procedural and equipment/system controls listed above are in place at the supplier’s site

5.     Document control and archiving
Document control practices should include:
  • Issuing, tracking & reconciling worksheets, lab notebooks and obsolete procedures
  • Ensuring system user accounts – especially those with data alteration abilities – are not shared
  • Limiting the risks of duplication (i.e. duplicate copies of paper records, multiple copies of databases/spreadsheets, etc.) by maintaining a centralized repository
  • Auditing electronic systems, including verifying controls are in place and working
Archiving practices should maintain and protect data from loss – including ensuring that:
  • Backups for electronic data exist, are performed regularly, and are maintained per procedural/GMP requirements, and do not overwrite pre-existing data during its retention period
  • Documents, data and backups are stored securely during their retention periods – including limiting access, and using fireproof or offsite storage as warranted

Be Proactive
Be proactive about detecting potential data integrity issues – this is one way to develop and uphold the cultural elements supporting data integrity in the organization.
Regular data integrity audits should be performed and identify potential issues or questionable practices by:
  • Looking for anything questionable in data & records, and where data is generated (in recycle/trash bins, in drawers in the lab, around equipment, etc.)
  • Auditing both electronic systems and paper records, to verify controls are working appropriately, no inaccuracies exist between data systems and specification documents, and that your entire process (including reviews and decisions) can be recreated from your records
  • Performing regular, on-floor quality checks, during operations/testing to verify that people are doing what they’re supposed to, and what they’re documenting
  • Checking personnel qualification - what evidence exists of their ability to perform the task correctly?

Even better, identify and remove opportunities for data integrity issues to occur in the first place – for example:
  • Implement automated processes (laboratory information management systems, electronic batch records, etc.)
  • Error-proof tasks/processes where possible
  • Identify and address areas of risk (through process risk assessments, trending recent/past deviations, etc.)
  • Resource areas and tasks appropriately, or be realistic about expectations

In Conclusion

When they occur, data integrity issues deeply impact a company.  Statements like these are common in warning letters:
  • “The lack of reliability and accuracy of data…is a serious CGMP deficiency that raises concern for all data generated by your firm”
  • “…we remain concerned about the capability of your quality unit…to detect and investigate the inaccurate data”
  • “Your company’s executive management is responsible for ensuring the quality, safety, and integrity of your products. Implementing adequate controls and systems to prevent manipulation of laboratory data is at the foundation of fulfilling this critical responsibility.”
  • “These serious CGMP deficiencies demonstrate that your quality system does not adequately ensure the accuracy and integrity of the data generated…to support the safety, effectiveness, and quality of the APIs and drug products you manufacture.”

Data integrity issues impact the entire company, bringing into the question the capability of those tasked with assuring quality and managing the operation.  Ultimately they bring the foundation of the company’s entire quality system and claims of product quality into doubt.

In simplest terms, if your data can’t be trusted, neither can you.

Figure 1: Data Integrity Regulations & Guidance Documents 
(may not be all inclusive)

US Food & Drug Administration (FDA)
·       21 CFR 11: Electronic Records & Signatures
·       21 CFR 211.68: Automatic, Mechanical & Electronic Equipment
·        21 CFR 211.194, “Laboratory Records”
·        Guidance for Industry “Investigating Out-of-Specification (OOS) Test Results for Pharmaceutical Production”
·        Guidance for Industry “Contract Manufacturing Arrangements for Drugs: Quality Agreements” (draft)
·        Guidance for Industry, “Data Integrity and Compliance With CGMP”, April 2016 (draft)
European Medicines Agency (EMA)
·        Questions and Answers: Good Manufacturing Practices – Data Integrity (2016)
UK Medicines & Healthcare Products Regulatory Agency (MHRA)
·        MHRA GMP Data Integrity Definitions and Guidance for Industry March 2015
·        MHRA GXP Data Integrity Definitions and Guidance for Industry – Draft Version for Consultation July 2016
Pharmaceutical Inspectorate Cooperative Scheme (PIC/S)
·        Draft Guidance “Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments”, 10 August 2016
World Health Organization (WHO)
·        “Annex 5: Guidance on Good Data and Record Management Practices”, WHO Technical Report Series No. 996, 2016
European Commission (EC)
·        Eudralex Volume 4, Part 1, Chapter 6 “Quality Control”

Joanna Gallant is an experienced, solutions-driven quality and training professional with 23+ years in pharmaceutical, biotechnology, tissue culture and medical device development and manufacturing environments. As a training system consultant, she works with clients to design and deliver custom training and build/remediate training systems, including in support of regulatory commitments. She is passionate about engaging/interactive training, quality, compliance, problem solving and continuous improvement. Joanna has been a GMP TEA member since 2001, and now serves on the board of directors as an advisor. She writes a popular article series for Pharmaceutical Online on the people side of pharma & GMP, provides monthly interactive web courses through LifeScience Training Institute, and through her JGTA, LLC business, authored GMP Training Can Be Fun! along with an ever-expanding line of GMP training games and activities. Her website is at
[ { "key": "fid#1", "value": ["GxP Lifeline Blog"] } ]