WIXLIB

Preparing for a Data Integrity (DI) AuditGarry WrightEuropean Laboratory Compliance SpecialistApollo Hotel, Breda – 2nd February 2016garry.wright@agilent.com

Agenda Data Integrity / Data Life Cycle?Data Integrity Statistics.Example Data Integrity Warning Letter.Quality Culture.Good Documentation Practice (GDP - ALCOA).New approach to audit.Data Integrity - Audit Preparation.Data Integrity - Risk Assessment.Data Integrity - Procedures / SOP’s.IT Infrastructure.Administration.Data Management.Data Processing.Data Review (Internal / External).Anti-Fraud auditing.EMEAI LSAGPage 2

Data Integrity / Data Life Cycle?

Data Integrity / Data Life Cycle?Data IntegrityThe extent to which all data are complete, consistent andaccurate throughout the data life cycle.CompleteConsistentAccurateData Life CycleThe data life cycle covers data generation, processing,reporting, archival, retrieval and destruction.GenerationSource :EMEAI LSAGProcessingArchivalRetrievalDestructionData Integrity Definition Guidance (Mar 2015)Page 4

Data Integrity Statistics

Data Integrity StatisticsData integrity210 WL’s2005 - 2015Source: www.fda.govEMEAI LSAGPage 6

Data Integrity Statistics2015Total ?FDA Data Integrity Warning Letters31262215161613How many DataIntegrity observationsare still to be publishedfrom 2015 320142015 Based on Warning Letter issue date. Majority of 2015 WL’s from audits performed in 2014.EMEAI LSAGPage 7

Example Data Integrity Warning Letter

Example Data Integrity Warning LetterWarning letter took 8months to issue due to 18observations and high levelof detail included based onseverity of findings! FDA Warning Letter issued 5 Nov2015. Generics Pharma company. 3 sites in India audited between Nov2014 and Mar 2015.“No user specific passwordsfor HPLC systems”.“No audit trail”.“Users have full access”.“Ability to change / deleteelectronic raw data”.“Failure to maintain completedata”.EMEAI LSAG“Data not documentedin real-time”.“Results recorded on unofficial documents”.Page 9

Quality Culture

Quality Culture Data integrity issuesoccur and are identifiedby auditors as a directresult of poor qualityculture withinorganisations.Quality culture needs tobe promoted throughoutthe whole organisation!EMEAI equateProceduresPage 11

Good Documentation Practice (GDP – ALCOA)

Good Documentation Practice(GDP – ALCOA)DOES the recordaccurately reflectthe events thattook place?IS it the original record?IS it the electronicrecord?IS it Meta data?EMEAI LSAGWHO performed theanalysis?CAN the data beread andunderstood?WHEN and WHEREwas the data created /recorded?Page 13

New Approach to Audit

New approach to Audit Focus - Potential for fraudulent activitywithin your quality systems. Assumptions: Will assume fraudulent activity is takingplace if they identify weaknesses in yourquality systems. “Guilty until proven innocent” approachto auditing! “Data to good to be true!”.EMEAI LSAGPage 15

New approach to Audit Electronic data (Meta data) is - preferred choice for regulatoryauthorities as this is the original (“official”) data. Meta data data about data. Meta data is dynamic and can be queried / searched / trended. There is a much higher probability of identifying fraudulent activitywithin an organisation if Meta data is reviewed. Hard copy (Flat data – printed, pdf, photocopy) is no longerconsidered to be acceptable by regulatory authorities as this datais not complete and not original. If you state that paper is your original raw data in your internalprocedures this will alert an auditor that you are probably notmanaging and reviewing electronic (meta) data.EMEAI LSAGPage 16

New approach to audit - Flat data vs. hrom Analyst can reprocess data many time and chooses when to print, pdf or copythe final chromatogram / result from CDS. DOES NOT PROVIDE FULL TRACEABILITY AS NO SUPPORTING DATA!Datafile AuditAcqProc Chromtrailmethodmethod Provides full traceability as supporting data provides evidence how finalchromatogram / result has been generated!EMEAI LSAGPage 17

New approach to Audit 5 key Data Integrity (DI) questions: Is electronic data available? Is electronic data reviewed? Is meta data (audit trails) reviewed regularly? Are there clear segregation of duties? Has the system been validated for its intended use? The answers to the above questions will determine whether companiesare in compliance with 21 CFR part 11 (Electronic records andsignatures). Leave the Original Meta data in the CDS and review / approvalelectronically to avoid increased Data Integrity risk (the paperless lab).EMEAI LSAGPage 18

Data Integrity – Audit Preparation

Data Integrity – Audit Preparation Audit Strategy: Starts with a specific result (or record). Re-create the sequence of events that occurred at the time the result(or record) was generated using the electronic (meta) data. The auditor will want to know: WHO performed the analysis? WHAT equipment was used to perform the analysis? WHEN the analysis was performed? WHY the analysis was performed? WHERE the electronic (meta) data is stored? Answers to the above may lead to more detailed questioning /inspection.EMEAI LSAGPage 20

Data Integrity – Risk Assessment

Data Integrity – Risk AssessmentUSP 1058 (AIQ)BCEMEAI LSAGEquipment thatgenerates results butdoes not need specialistcalibration.Equipment thatgenerates results andneeds specialistcalibration.Increasing Data Integrity RiskBasic equipment thatdoes not generateresults or needcalibrated.GAMP 512345Instrumentation with firmware.Instrumentation with firmwareand pre-defined programs.Instrumentation with nonconfigurable, commercial offthe-shelf software.Instrumentation withconfigurable, commercial offthe-shelf-software.Instrumentation with bespokesoftware.Page 22

Data Integrity – Risk AssessmentInstrumenttypeBalancepH meterFT-IRUVHPLCGCUSP 1058 GAMP5Datacategorisation categorisation integrity riskBBCCCC Do you have meta data for eachsystem? Implement short and long term CAPA’sEMEAI LSAG223344LOWLOWMEDIUMMEDIUMHIGHHIGHCan become high risk if older,stand-alone systems in use.Page 23

Data Integrity – Procedures / SOP’s

Data Integrity – Procedures / SOP’s The auditor will expect a suite of SOP’s to be in place to support DataIntegrity and minimise risk within your company. Examples of typical SOP’s include: IT policies. System administration (CDS access, roles and privileges). Data management and storage. Data acquisition and processing. Data review and approval. Date archiving and back-up. Anti-fraud monitoring.EMEAI LSAGPage 25

IT Infrastructure

IT Infrastructure Server room: The room is secure. IT access only. Tidy and in good workingorder. Has back-up and disasterrecovery procedures in place. Date/time functionality ofservers are correct.EMEAI LSAGPage 27

IT Infrastructure The auditor will select a number ofinstrument controlling PC’s within the laband check: Date/time functionality is correct. Date/time cannot be changed by thelab personnel.Confirm that date/time functionalityon all PC’s within the lab is lockeddown and can only be changed byIT personnel with Administrationprivileges.EMEAI LSAGPage 28

Administration

Administration The auditor will want tounderstand how access to theChromatography Data System(CDS) is authorised andcontrolled. You will need to justify theaccess levels within the CDSand the user privileges at eachlevel.EMEAI LSAGPage 30

Administration Specific user profiles and passwords required to access instrumentsoftware and provide audit trail traceability. Administration control should be independent of Analytical function toeliminate conflict of interest. Clear segregation of duties with no overlap of privileges.User: dbrownProfile: AdministratorPassword: ********User: bthompsonProfile: Data ReviewerPassword: ********EMEAI LSAGUser: cwallisProfile: Super UserPassword: ********User: asmithProfile: AnalystPassword: ********Page 31

Administration Reinforce – DO NOT SHARE PASSWORDS. Password policies - changed on a regularbasis to protect your profile. Password strength - mix of alpha numericcharacters and have a high strength. User policies - need to log-off the CDSimmediately after use to avoid profilepotentially being used by other personnel toacquire, process or manipulate data. User profiles - set to auto-lock after a period ofinactivity to protect the user profile and datawithin the CDS.EMEAI LSAGPage 32

Administration The regulatory auditor will want to confirmthat the Audit Trail functionality is switchedON within the CDS Admin console. The regulatory auditor may ask forAdministration reports:- Active users- User privileges- Administration audit trail reportEMEAI LSAGPage 33

Administration Specific privileges within theuser profile:-They will want assurancethat data cannot be deletedby a user once acquired.-They will want to know ifdata can be moved to adifferent folder to potentially“hide” it. (e.g. trial injections)EMEAI LSAGPage 34

Administration-They will want to seethat electronic data thathas been processedmust be saved before itcan be submitted forreview (or printed to hardcopy).Make sure youunderstand the privilegesapplied to each userprofile and be prepared tojustify to the regulatoryauditor.EMEAI LSAGPage 35

Data Management

Data Management The auditor will want to understand howdata is managed within the CDS andcheck that users are following theinternal procedure. Segregate GMP release data is fromResearch / Development data if youhave dual functionality within yourorganisation using the same CDS /Server.EMEAI LSAGSegregation Define a data management structurethat segregates different types of dataand enables easy retrieval during theaudit.Page 37

Data Management Data structure - Considerwhat types of data youproduce and decide howeach type of data should bestored within the CDS.Good data management - willgive the auditor confidence thatyou have control over yourelectronic (meta) data and willincrease retrieval speed duringthe audit.EMEAI LSAGPage 38

Data Management Periodic GMP data archiving – makesure that data archiving is defined inyour procedure and performedregularly. This approach minimises the amountof “live” data that can be accessed byusers and potentially reprocessed tochange previously reported results. The users should not have access toarchive folder(s) which adds anadditional layer of protection to theelectronic data.EMEAI LSAGPage 39

Data Processing

Data ProcessingCreation /AcquisitionProcessingCalculated/ ReportedResultStorage /ArchivingDestruction Data Processing Risks: Main area where results can be manipulated by humanintervention. Target area for auditors. Controlled by procedures, user access and locked methods. Avoid multiple reprocessing (if possible)!EMEAI LSAGPage 41

Data Processing All data processing should beperformed within the CDS forsystem suitability and batchresults wherever possible. Move away from using validatedexcel spreadsheets (no longermeta data). For commercial release testingthe auditor will expectprocessing methods to bevalidated and locked by theadministrator.EMEAI LSAGPage 42

Data Processing Use pre-defined integrationparameters wherever possibleto avoid manual integration ofmultiple peaks. Chromatography should bepresented on an appropriatescale so that integration isclearly visible. Disable annotation tools withinthe CDS (electronic tippex!)which could be used todeliberately alter theappearance of thechromatograms.EMEAI LSAGPage 43

Data Processing Save all changes to individualchromatograms, sequencesand processing methods beforesubmitting for review. Ensure that accurate audit trailcomments are entered into theCDS when prompted to providetraceability.EMEAI LSAGAudit Trail CommentAudit Trail CommentdhsjdhsjjsjdksdIntegration parametersupdatedPage 44

Internal Data Review