How would your company fare in your next regulatory audit when it comes to data integrity?

If that question makes you cringe or you’re unsure how you would perform, then it’s time to give data integrity more attention.

I’ve had the opportunity to discuss recent FDA inspections with staff at multiple pharmaceutical companies, most of which operate on a primarily paper-based data and documentation system. You might expect that a paper-based organization wouldn’t have much to consider in the electronic data integrity realm of the inspection, but that’s simply not the case.

In Hybrid Paper/Electronic Systems, What Is the Source of Truth?

Most pharma manufacturers operate with a hybrid of paper and electronic documentation. Even if you have application-based software, you likely create printouts from that system and have instruments that generate printed data.

While you may consider the printed and signed paper documentation as your source of truth, FDA inspections have revealed that the agency does not always agree.

An Example: Filter Integrity Test

The Filter Integrity Test (FIT) is a common procedure in biopharma manufacturing. Let’s explore a hypothetical but typical use case.

The Situation: You define generic user accounts in the system (e.g., operator or supervisor) and assume the actual individual operator or supervisor will sign the printout indicating that they performed the test.

The Problem: Depending upon the software used and whether the system stores data, 21 CFR Part 11, Annex 11, and data integrity rules may or may not apply. Because the original data was electronic, how do you know the printout is an exact match to the electronic data? Even if the printed data had been validated, how do you know the printout contains all the original data?

What if an operator performs an action that creates or modifies a GxP record, but does not generate a printout? The FDA would consider this information to be part of the audit trail, and the agency would expect it to be reviewed with the test to ensure compliance and acceptability.

Bottom Line: When data is stored electronically, the FDA considers the electronic information to be the original data source, and accordingly, expects the electronic data to be backed up and stored securely.

An FIT is one specific example, but this logic applies to each computerized system that stores data or records.

Any system that allows changes by end users has the potential for a breach of data integrity and falsification of information, whether intentional or not.

What Can You Do to Prevent Data Integrity Issues?

Unfortunately, many manufacturers do not meet industry standards for assessing data integrity and compliance, partly due to older instruments and electronic systems not designed to today’s specifications and partly due to outdated processes.

To help, use this quick checklist to identify your general position on 21 CFR Part 11, Annex 11, and data integrity expectations that apply to all electronic systems.

12 Questions to Assess Data Integrity Compliance in Biopharma Manufacturing

  1. If the system stores data, does each user of the system have a unique username and password?
  2. Does the system lock out the user after a defined number of unsuccessful login attempts?
  3. Does the system time out after a defined period of user inactivity?
  4. Are there procedures in place to identify current users and their level of access to electronic systems?
  5. Is user access reviewed regularly?
  6. Are there procedures for granting access to computerized systems?
  7. Does the “administrator” of the system perform or review data?
  8. Are the electronic records routinely backed up to a secure location on a defined schedule?
  9. Are the retrieval and integrity of the backed-up data periodically reviewed? Has the backup and restore functionality been validated?
  10. Are unauthorized users prevented from altering electronic data or records? And are authorized modifications captured in an audit trail?
  11. Are you reviewing the audit trail as part of process acceptance and performing periodic reviews?
  12. Does the system create an audit trail with the following features?
    • Name of the user who created the event
    • Date and time of the event
    • The previous and current value of the data
    • A meaning or reason for a change
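
One way to automate part of the audit trail review in questions 11 and 12, together with the unique-user expectation from question 1, is sketched below. This is an added example, not code from the article or from any instrument vendor; the export layout, field names, the `action` field and the list of generic account names are assumptions, and the sample events are constructed.

```python
from datetime import datetime

# Assumed export layout (hypothetical): one dict per audit-trail event.
REQUIRED = ("user", "timestamp", "old_value", "new_value", "reason")
# Shared logins like those in the FIT example; extend for your site.
GENERIC_ACCOUNTS = {"operator", "supervisor", "administrator", "admin"}


def review_entry(entry):
    """Return the list of findings for a single audit-trail event."""
    findings = []
    is_create = entry.get("action") == "create"
    for field in REQUIRED:
        # A newly created record has no previous value and no change reason.
        if is_create and field in ("old_value", "reason"):
            continue
        value = entry.get(field)
        if value is None or str(value).strip() == "":
            findings.append(f"missing {field}")
    if str(entry.get("user") or "").strip().lower() in GENERIC_ACCOUNTS:
        findings.append("generic account")
    try:
        datetime.fromisoformat(str(entry.get("timestamp") or ""))
    except ValueError:
        if "missing timestamp" not in findings:
            findings.append("unparseable timestamp")
    return findings


def review_trail(entries):
    """Return {event_id: findings} for every event with at least one finding."""
    report = {}
    for entry in entries:
        findings = review_entry(entry)
        if findings:
            report[entry.get("id")] = findings
    return report


# Constructed sample events (not real data) for a filter integrity test record.
SAMPLE_TRAIL = [
    {"id": 1, "action": "create", "user": "jdoe", "timestamp": "2024-03-05T10:15:00",
     "old_value": None, "new_value": "3450 mbar", "reason": None},
    {"id": 2, "action": "modify", "user": "operator", "timestamp": "2024-03-05T10:21:00",
     "old_value": "3450 mbar", "new_value": "3510 mbar", "reason": "Retest"},
    {"id": 3, "action": "modify", "user": "asmith", "timestamp": "2024-03-05T10:40:00",
     "old_value": "3510 mbar", "new_value": "3520 mbar", "reason": ""},
    {"id": 4, "action": "modify", "user": "asmith", "timestamp": "05/03/2024 10:55",
     "old_value": "3520 mbar", "new_value": "3500 mbar", "reason": "Transcription error"},
]
```

Calling `review_trail(SAMPLE_TRAIL)` returns findings only for events 2, 3 and 4; a reviewer would still need to judge whether each flagged change is acceptable.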

How Did You Do?

If you answered ‘no’ to any of these questions, you should consider a robust internal audit to boost your data integrity practices. These are the types of things the FDA will assess in your next audit.

Be proactive and create a project plan to tighten your organization’s grip on data integrity.