The time-to-market of blooming Asian pharmaceutical companies, especially from India and China, are being slowed by the increasing concerns of global and local regulators over data integrity. How can they meet regulators’ audit expectation on data integrity and provide assurance of acceptable product quality, purity, safety, identity and effectiveness through data governance systems with compliance in mind (e.g. unauthorised access control, missing or disabled audit trails, or even data falsification)?
Asia’s pharmaceutical manufacturers have seen huge growth in recent years. India, for example, is now the world’s third largest supplier of generic drugs by volume while its domestic market is expected to grow at 15 per cent to 20 per cent CAGR to reach US$50 to US$74 billion in the next decade according to PwC1 . India currently supplies 40 per cent2 of over-the-counter and generic prescription drugs consumed in the US.
China is another emerging pharma manufacturing powerhouse. China accounts for over 50 per cent of the global Active Pharmaceutical Ingredients (API) market and the US Department of Commerce forecasts China’s own market to grow from US$640 billion in 2015 to US$1.1 trillion by 2020.
However, as profit margins decline over time, any delay in time to market begins to erode the strategic positioning and profitability of pharmaceutical manufacturers. The natural response is to double efforts to speed up the time to deliver new products and that can lead to a raft of new problems. Rushing new products to market can place drug quality, purity, and safety in question – and put pharma manufacturers at odds with government regulatory bodies.
Despite the rising influence of pharmaceutical manufacturers in India and China, their time-to-market is being slowed by regulatory concerns over data integrity. Regulators see data integrity as an assurance of acceptable product quality, purity, safety, identity and effectiveness. Any data integrity failures can lead to safety alerts, warning letters, or even a multi-market withdrawal -– the worst possible nightmare for the concerned company, and perhaps even worse, for patients using the drug.
To put it in perspective, the US Food and Drug Administration (FDA) issued 1023 drug GMP warning letters last year, compared to 42 such warnings in FY2015. Last year, data integrity deficiencies accounted for approximately 80 per cent of all warnings issued to firms outside the U.S (OUS) -– a significant increase compared to the previous year. What is most concerning to the Asian pharmaceutical industry is that when we look into regional breakdown, India and China received approximately 71 per cent of the warning letters issued to OUS.
One warning letter comment stands out to best describe the gravity of data integrity violations on a global level: “…demonstrates a general lack of reliability and accuracy of data generated by the laboratory –- a serious Current Good Manufacturing Practice (CGMP) deficiency that raises concerns about the integrity of all data generated by your firm.”
Unauthorised access control, missing or disabled audit trails, or even data falsification are among many of the data integrity deficiencies regulators pinpointed in audit trails. To make it easier for pharmaceuticals to follow, we have classified them in four key areas:
1. Lack of basic access control and security measures which easily allow unauthorised changes
2. Shared use of logins - authentication of individual and attribute ability of action
3. Lack of disabled audit trails
4. Lack of contemporaneous recording of activities
The most common questions regulated companies receive are: Is it the hard copy report which is printed from the instrument at the end of an analysis? Are the source electronic files on the instrument only a back-up copy of the printed data? Or is there more to it? Is information available in the electronic source files that may never be printed, yet may implicate data integrity or reliability? Do your laboratory supervisors and QA unit know how to access this information? Or are they only looking at printouts? These all lead to an increase in the level of risks requiring additional controls to be put in place. Worse, it not only complicates and slows down the audit processes of regulating agencies, it also makes your audit trails more susceptible to data integrity scrutiny.
Before we dive into some tricky data integrity issues, it is important to understand what regulating agencies mean by audit trails. Audit trails refer to a secure, computer-generated, time-stamped electronic record that allows for reconstruction of the course of events relating to the creation, modification, or deletion of an electronic record. An audit trail is the chronology of the “who, what, when, and why” of a record.
For instance, the audit trail for an HPLC in a laboratory run could include the username, date and time of the run, integration parameters used, and details of reprocessing, if any, including change justification for the reprocessing. Electronic audit trails include those that track creation, modification, or deletion of data such as processing parameters and results, and those that track actions at the record or system level such as attempts to access the system or rename or delete a file.
From our perspective, audit trails that capture changes to critical data should be reviewed with each record and before final approval of the record. Audit trails that should be subject to regular review should include, but are not limited to, the following: the change history of finished product test results, changes to sample run sequences, changes to sample identification, and changes to critical process parameters. It is recommended that routine scheduled audit trail review be based on the complexity of the system and its intended use.
The spirit of CGMP-compliant record-keeping practices prevent data from being lost or obscured. In some extreme cases, regulated companies may even attempt to move away from the computerised system. The reason why they go back to manual or paper-based systems is because they are concerned about their ability to apply appropriate technical controls. Although paper-based systems may be permissible, these pharmaceutical companies incur more potential human risk.
As the UK’s Medicines and Health Products Regulatory Agency’s (MHRA) latest guideline on data integrity puts it, a paper-based audit trail could be implemented if it ‘achieves equivalence to integrated audit trail[s].’ If equivalence cannot be demonstrated, firms must ‘upgrade to an audit trailed system by the end of 2017.’ The WHO guidance takes a bit more stringent approach and states: “The use of hybrid systems is discouraged, but where legacy systems are awaiting replacement, mitigating controls should be in place.”
We would recommend adopting an electronic record-keeping system that can assist regulated companies to fulfil these CGMP requirements more easily instead of looking for alternative approaches to meet data integrity requirements.
After confirming the path to record-keeping practices, the next thing pharmaceutical companies need to cultivate is a corporate-wide culture centred on data governance. First, management must show a willingness to resolve issues once they are raised, and provide appropriate resources to meet challenges to define priorities as required. Second, when there are problems, management must adopt an open-minded approach and encourage staff at all levels to report errors, omissions, failures, abnormal results, bad practices or even falsification without fear of penalty. Only by establishing a corporate culture that stresses data integrity, openness and transparency, will drug manufacturers be more likely to mitigate data integrity risks. The data governance system should also be reviewed by management and personnel at all levels to ensure effectiveness as regulatory compliance requirements evolve.
For pharmaceutical companies, the biggest problem is how to put a quality management programme in place to prevent the company from getting a failed audit due to data integrity. The key is to thoroughly understand regulators’ audit expectations on data integrity and how to assess them for gaps.
Data integrity can be understood as the extent to which all data are complete, consistent and accurate throughout the data lifecycle from a quality perspective. Abbreviated by regulators as ‘ALCOA’, data should be Attributable, Legible, Contemporaneously recorded, Original or a true copy and Accurate (ALCOA). ALCOA refers to the capability to maintain and ensure the accuracy and consistency of their data lifecycle from data collection to process, from review to reporting and to archiving. To ensure all personnel are aware of the acute need to meet regulators’ expectations for data integrity, it is important to offer your personnel and laboratories seminars and training on the ALCOA principle.
Another key concern discussed in the MHRA guidance is for primary records where the same information might be recorded in different places, information concurrently residing in different systems should be defined as an actual primary record in case of discrepancy. It also needs to be defined if the data is used to perform regulator activity and make quality decisions. This attribute is a primary record that needs to be defined in the Quality Management System (QMS) and should not be changed on a case by case basis either for convenience or avoiding compliance.
In preparation for a regulatory audit, companies should understand the ownership as well as the actual and detailed lifecycle of all their important quality-related data. The data required for regulatory audits comes in different forms–-whether it is a set of results or instructions or in document format, record or report–scattered across different hardware, applications, platforms and systems in the laboratories of a pharmaceutical company.
This regulated data created, reviewed, and approved might be used at some stage, and it may go through archival and retention phase before it is finally disposed of or destroyed. As a result, it is of paramount importance to consider where data resides and who is responsible at each stage of the data lifecycle. These procedural controls on the data lifecycle need to be defined, communicated and understood across the organisation to ensure compliance requirements for data integrity are met.
Another reason why many pharmaceutical companies in Asia fail to meet regulatory requirements is because their quality systems are often separated from the data governance system. Instead, pharmaceutical quality systems should exist within the quality system, and be purpose-built for evolving regulatory compliance. The data governance system should be designed with electronic record regulations and compliance policies to satisfy regulatory agencies and certification organisations. The overall framework should include specific procedures, technical controls and trainings to manage and achieve data integrity through the quality system in a multi-vendor instrument systems environment.
The data governance system should also have been harmonised and extended to contracted organisations, suppliers, or even service providers along the supply chain to ensure the highest level of data integrity assurance as suggested by the MHRA.
Warning letters, safety alerts and delayed market entry could easily wipe out significant profits. In light of this, data integrity compliance plays an indispensable role in ensuring the strategic positioning, profitability and time-to-market of pharmaceuticals and ensuring companies are not being damaged by failure to deal with data integrity. To fulfil data integrity expectations, companies are required to overhaul their operations by focusing on several key regulatory concerns — Culture and Governance, the Data Lifecycle and the System Lifecycle.
We cannot stress enough the significance of data integrity in the quality management system that ensures finished medicines are of the required quality. To prevent product recall and serious reputational damage, companies should build in an integral quality system to ensure accuracy, completeness, content and meaning of the data to be retained throughout its lifecycle. More importantly, data should remain useable and available to the regulatory agencies involved in making quality decisions that can impact the drug and the patient.