Are you fully prepared to audit your suppliers for data integrity compliance? Do you know if your laboratory equipment has the correct data integrity controls?
[Related: Click here to access a recording of the webinar, including the full slide presentation.]
Owing to the high volume of submitted questions, the presenters of the May 24 webinar, “Are Laboratories Perpetuating Data Integrity Problems?”, Agilent Technologies’ Paul Smith and consultant Bob McDowall, were not able to address all of them during the webinar.
The following are responses from McDowall to questions pertaining to data integrity inspections and supplier audits and data integrity considerations for equipment.
Data Integrity Audits
Question: How do you recommend preparing for FDA inspections when it comes to data integrity? What should be prioritized and what specific things does the FDA look for in the data integrity aspect, outside of the data lifecycle, e.g., content in SOPs, policies, etc.?
McDowall: Before you even begin, you should be inspection ready. From a data integrity perspective, you should have an assessment and remediation of systems already well underway along with quick fixes. You should also have a data integrity and ethics policy/procedure and training completed. Management should be leading the whole process and be actively involved with the data integrity program.
Question: How can my team detect data integrity issues during supplier audits?
McDowall: Apart from a list of the SOPs and a copy of the Site Master File; start with out-of-specification (OOS) results and their investigation. Are the outcomes scientifically sound rather than just human error?
Question: What are data integrity expectations for suppliers to the pharma industry, specifically, API, excipient, and basic raw material suppliers?
McDowall: Data integrity requirements are the same for suppliers as for pharma companies. I recommend following ICH Q7: Good manufacturing practice for active pharmaceutical ingredients or EU GMP Part II (same as ICH Q7).
Question: What can we anticipate data integrity auditors to focus on in the coming years?
McDowall: I would anticipate a greater focus on data governance and the role of senior/site management
[Related: Did you know there have been 41 secondary 483 observations issued this year that point to data integrity issues at human drug GMP sites? Contact us to learn more about how you can access these specific observations.]
Data Integrity and Your Lab Equipment
Question: What is the practical approach to performing an analysis to determine which equipment has to comply with data integrity?
McDowall: I recommend using a risk assessment. Chris Burgess and I published one in 2013 based on the current version of USP <1058> Analytical Instrument Qualification. Critical systems use data process mapping. Here the process and data generated are identified and vulnerabilities assessed.
Question: There still seems to be a gap in bridging data integrity compliance demands by pharma companies with the software providers of lab instruments. Will that gap be eventually bridged or will this be a consistent theme of assessing for risk and/or developing additional processes to combat the software deficiencies?
McDowall: You have to do due diligence before you buy a system and assess if there are adequate controls. If not, do not buy or ensure that the supplier will implement them by putting data integrity compliance requirements into a contract that also includes penalties if they fail to deliver. For example:
- Is there an audit trail and can it be turned on or off after installation?
- What is the system architecture: database or files stored in directories?
- What controls do you have for protecting records?
- Can electronic signatures be implemented?
Question: How do companies handle the storage and review of data? Do they store it locally and move it on a periodic basis? Do they directly connect to external storage such as a validated cloud? What if the system also provides printouts, how do they manage printouts, and what is their policy on what constitutes “original” data?
McDowall: All second-person reviews must be performed by the originating department including review of electronic records. Work must be performed on the system that generates the data.
For the most part, store the data on the system that created it and ensure that the data are locked (after e-signature) or cannot be accessed. I strongly recommend avoiding hybrid systems per a recent article I wrote.
As far as the original record, there can only be ONE GMP record. It is for the company to determine what this is and where it is stored.
The second installment in this post-webinar Q&A series will provide further insights on data integrity requirements for laboratory equipment.
Subscribe to Redica Insights
Get quality and compliance insights from our experts in your inbox