Data Integrity for Pharmaceutical and Biotech Manufacturers

Update: This post has been updated with a link to the most recent Medicines & Healthcare products Regulatory Agency (MHRA) ‘GXP’ Data Integrity Guidance and Definitions – March 2018 document.

For pharmaceutical, biotech and other manufacturers in highly-regulated industries, the production data is as important as the product itself for release to sale. Data integrity of this production data is paramount.

Emerson's Michalle Adkins

I connected with Emerson’s Michalle Adkins about what manufacturers are doing to assure this data is accurate and timely. She shared with me some key regulatory standards and best practices.

Michalle noted that in recent years, the regulatory agencies for the Life Sciences industry, including the U.S. Food and Drug Administration (FDA), have increasingly observed Current Good Manufacturing Practices (cGMPs) data integrity issues during cGMP inspections.

Data integrity is defined as the completeness, consistency and accuracy of the data produced during the manufacturing process. The data must be attributable, legible, contemporaneous, original (or true copy), and accurate—ALCOA for short. It must also be enduring, complete, consistent and retrievable.

Global Pharmaceutical and Biotech Manufacturing Data Integrity StandardsCurrent regulatory guidance includes:

Michalle highlighted some of the key components of these global data integrity guidance documents. With respect to validation plans, procedures and processes, they should be documented including the evaluation of a system for criticality, applicability of electronic records and signatures, and system validation approach that includes the documentation and testing requirements.

A disaster recovery plan including backups, storage and retrieval should be established and tested. Procedures are established and followed and tested for backing up the system and data as well as recovering the system and data.

From a security standpoint, operators should log out for breaks, shift changes, and for periods of inactivity when they are away from the operator station. Individual users should have individual user IDs and passwords. Shared logins should not be permitted unless there are unavoidable circumstances for safety reasons in which case audit trails should be reviewed to ensure that related procedures are followed and investigated when a shared ID must be used. In some cases, Biometric and/or card reader capabilities are used.

User management procedures are established and include the following activities: managing new users, ensuring that users have the appropriate training commensurate with their assigned system privileges, performing periodic audits of active users, managing position/permission changes, suspending/deactivating users, token checks (for cases of badge readers), and periodically reviewing audit trails for suspicious activities.

For cases where an electronic signature is required or where operator actions are logged for system management and audit review purposes, a unique user ID and password should be required. This type of two token (ID and password) or Biometric reading should be required for cases where a signature is required. Signatures are only required for specific activities that are related to the quality of the product. In other instances, current user login or a single token is appropriate, as per established procedures.

From an effective alarm management perspective, developing and following an alarm strategy that is based on safety and process criticality of the alarms is pertinent. Also, the design should include establishing rules and mechanisms for dealing with alarm floods triggered by a single event. Overall, for safe and reliable operations, it is important to eliminate nuisance alarms so that operators can then be focused on the more critical alarm issues.

For electronic batch reports, in cases where portions of data or any portion of the batch reports are printed, these items should be signed, and stored with the batch record. The paper copy is a copy, not the source data, and may be a “True Copy” if all the associated meta data is included. The archived electronic data is still the source data.

This is also true for data which is captured in the system and written on the batch record. The access to the electronic data should still be available for potential audit of the data, since the paper is merely a copy and the source data/record is still the system. Ensuring that the paper batch record and the electronic batch report are managed in a way that any original source data and true copies are maintained is important.

You can read the details of the regulatory requirements in the links above or connect with the Emerson Life Sciences consultants to discuss the data integrity requirements and recommended best practices for your facility.

You can also connect and interact with other pharmaceutical and biotech industry experts in the Life Sciences group in the Emerson Exchange 365 community.

Leave a Reply