Data Governance and Data Integrity -...
66
Data Governance and Data Integrity Karen S Ginsbury PCI Pharmaceutical Consulting Israel Ltd We LIKE Problems!
Transcript of Data Governance and Data Integrity -...
Data Governance and Data Integrity
Karen S GinsburyPCI Pharmaceutical Consulting Israel Ltd
We LIKE Problems!
Can I delete data from a control system once I have printed out the batch record?
• (from production – if it was from the QC lab Karen thinks none of us would ask the question and we would keep the raw data.
• BUT in production, we have had this data for years, and we have never reverted e.g. once we have printed out the temperature graphs etc. if we have a query that’s sufficient – unlike a situation where you may have stability data or a customer complaint and need to reintegrate a chromatogram.
• Whatever you do, justify it in writing and capture the DATA COLLECTION PLAN i.e. why are you collecting the data in the first place, how will you analyze it and how will you use it as knowledge e.g. for a batch release decision.
Keywords
• Accuracy
• Secure
• Archive
• Traceability
• Validated / validatable
• Not new – this has been going on since time immemorial
• Hybrid – (electronic record but signature is manual and others)
• RAW DATA
• metadata
• Creation of data
• Analysis / handling of data
Special requests
• Laboratory automation development
• AUDIT TRAIL REVIW
• ELABORATE A SIMPLE CHECKLIST FOR AUDITING
• FIVE EASY QUESTIONS
ALCOA+
• Accurate
• Legible
• Contemporaneous (real time)
• Original
• Attributable
5
Accurate
Complete
Consistent
Secure
STRATEGY – DEFINE, EDUCATE, COMMUNICATE
DI Guidance
• MHRA GMP
• WHO
• FDA Q&A
• MHRA GxP
• PIC/s
• EMA Q&A
• January 2015
• September 2015
• April 2016
• July, 2016
• August 10, 2016
• August 11, 2016
Where are you likely to find data integrity issues
Culture / VALUES
• We don’t have data integrity issues here !!!
8
Have you ever…
• Back dated a document
• Filled in missing data
• Replaced a page in a controlled document to correct a typo without changing the version number…BECAUSE YOU CAN and not because you are a wicked person – unconscious…or conscious incompetence?
Write down three elements of a data governance plan
• Accountability - there are consequences to my actions
• There must be data collection plans and for any data a written policy regarding what constitutes raw data, how it is to be analyzed and what data and analyzed data is to be saved and for how long
• Training / education and confirmation of understanding on the job with ongoing coaching
• Data security
• Archiving
• Back up
• Risk management
• Change management
Who would you say is…
• The most dangerous department in your company wrt DI?• Culturally executive management• Hands on – the IT department / IT contractor / vendor support – remote
access – least motivated –(less motivated because if a system is down they need to get it going fast) so far most of the criminals are scientists, QC analysts, QA production etc.
• Global / corporate functions “trying” to run the company at one standard and not understanding or looking at local issues
• What is the role of the QU – educate, help to plan, check (audits) and act on findings (report to management and escalate issues)
• What is the role of the rest of the company especially VPs in DIset an example – behave correctly – and do not tolerate wrong behaviors / or keep them going / educate / resources / plan for technical solutions rather than grinding on with paper and people who will eventually make bad decisions and errors.
Data Integrity
Types of data fraud
‘Tidying’ Wilful falsification
13
What is your overarching value?
• What is your most important moral principle and why?
• What is your CEO’s / Chairman of the Board of Director’s most important moral principle and why?
• Are you “scared” of your boss?
• Or can you tell her / him anything – open line of communication?
Definitions
• True / truth• in accordance with fact or
reality
• accurate or exact
synonyms: correct, accurate, right, verifiable, in accordance with the facts, what actually / really happened, well-documented
• Lie• a false or inaccurate
statement made withdeliberate intent to deceive
• an intentional untruth
• a falsehood
Synonyms: prevarication, falsification
Before… and AfterTruth / Lie Good/Bad
The obscuring of
intended meaning in
communication, making
the message confusing,
willfully ambiguous, or harder to understand.
(Genuine? Measureable)Value / Values
• Worth, merit, esteem• A worthy moral position or principle
Integrity?Honesty?
Transparency?
BUZZWORD?
Truth?
Integrity
• the quality of being honest and having strong moral principles; moral uprightness
• the state of being whole and undivided
synonyms: honesty, probity, rectitude, honor, good character, principle(s), ethics, morals, righteousness, morality, virtue, decency, fairness, scrupulousness, sincerity, truthfulness, trustworthiness
Objective (of a person or their judgment)
• not influenced by personal feelings or opinions in considering and representing facts.
synonyms: impartial, unbiased, unprejudiced, nonpartisan, disinterested, neutral, uninvolved, even-handed, equitable, fair, fair-minded, just, open-minded, dispassionate, detached, neutral
Antonym: subjective
How many opportunities for cheating?
Karen Ginsbury, MSc, BPharm (MRPharms????)
CEO, PCI Pharmaceutical Consulting Israel Ltd
• Karen Ginsbury is a London, UK trained pharmacist with a second degree in Microbiology.
With close to 30 years’ experience in the pharmaceutical industry, Karen is a quality
practitioner with a passion for doing things right and once only. She runs a boutique
quality systems consultancy offering services to companies who want to set-up, maintain
and constantly improve their quality management systems. Regularly lecturing in Israel
and around the world, Karen also serves on international professional committees and is
co-chair of PDA’s pharmacopoeial interest group. In these and other capacities Karen
benchmarks best practices around the globe in order to share them with her audiences.
Double space or single space? Cherry picking???
ו"ל–ה "ל: ט"ויקרא י Leviticus 19:35 – 36 calibrate your decision making process
35 Do no unrighteousness in judgment, in weight, or in measure.
36 You shall have just balances, just weights..
פט תעשו -לאלה ש דהעול במ קל במ ש שורהבמ ובמ
ני צדק לו נימאז ין צדק -אב ה יה לכםצדקאיפת צדק ו ה י
What is the difference between
• Performed by – the person who performs the action and signs and dates the record at the time of taking the action/immediately after to indicate that she / he did it
• Verified by – a person who is standing next to the performer so that they can verify the action was (correctly) taken by the performer at that time and then sign and date the record to indicate that they independently verified the correct performance of the action
• Checking / control – a person who inspects the work place at e.g. line clearance (might be other actions) to make sure all items actually have been removed and you would have two independent checks
• Approved by – is a second person who did not take the actions who performs a record based review and approval / rejection
• The behaviors, beliefs and values characteristic of a particular group
• Culture is:• Transmitted actively by defining:
• Mission
• Goals
• Metrics – need to measure / check if goals are understood and met
• Transmitted passively and often subconsciously by behavior, body language, facial expressions and other actions
Culture, Integrity, Metrics…
24
Responsibility Authority
Responsibility vs Authority
Responsibility Authority
• Having the duty to perform a task
• Being accountable for performing that task
• Having control over the performance of the task
• Without “additional” authorization
• The power or right to give orders, make decisions, and enforce obedience
• Within the framework of a company or organization which includes the values of that company
Responsibility Authority
• YOUR duty to:• Keep management informed
• Request and insist on appropriate resources
• Take action if authority is not granted
• must be granted by:• Your manager
• AND they must allow you to perform your responsibilities without interference and with appropriate resources
Data Governance – Policy and Metrics
• Establish a policy
• Measure its implementation
• Improve the policy
• Measure its effectiveness
Data Governance Policy
• Values:The Officers of this company expect every employee to provide accurate, complete and contemporaneous (real-time) records of activities and to perform all tasks with integrity when no one is looking
• Tools:Managers are expected to provide staff with the means to allow them to perform their tasks with integrity, to collect, analyze and report data accurately, completely and on real-time including but not limited to:
Tools to be provided:
• Access to accurate clocks for recording timed events
• Accessibility of batch records / laboratory worksheets / notebooks at locations where activities take place so that ad hoc data recording and later transcription to official records is not necessary
• Control over blank paper templates for data recording
• User access rights which prevent (or audit trail) data amendments
• Automated data capture or printers attached to equipment such as balances
• Proximity of printers to relevant activities
• Access to raw data for staff performing data checking activities
Data Governance
• Should address data ownership throughout the lifecycle, and consider the design, operation and monitoring of processes / systems in order to comply with the principles of data integrity including control over intentional and unintentional changes to information
Data Governance
• Systems should include:• staff training in the importance of data integrity principles
• the creation of a working environment that encourages an open reporting culture for errors, omissions and aberrant results
• Data integrity audits by objective experts
• Reporting to and correction of data integrity audit findings by MOST senior management, including assessment regarding need for notification of regulators / product recall? Other mitigation
Data Governance
• Senior management is responsible for the implementation of systems and procedures to minimise the potential risk to data integrity, and for identifying the residual risk
• Contract Givers should perform a similar review as part of their vendor assurance program
How to Leverage Culture?
• Take out the good
• Reshape the not so good
• Talk – open communication channels and educate rather than audit
• Discuss rather than impose
• How do you educate senior management
35
WE ARE ALL SUBJECTIVE
Data Integrity Code of Conduct
• Annual signature of all employees that they are aware of it and followed it…what about MOST senior management / officers of the company???
• Culture?
What is data integrity
• a true representation of the process or measurement that occurred made on “real time” (contemporaneous), accurate, legible and complete
• Integrity in data:• capture: manual recording/ printout / LIMs / ERP…
• accuracy: number of digits after decimal place, legibility, space on form and clarity of form
• selection / inclusion / exclusion criteria
• analysis e.g. statistical method
• representation e.g. summaries, tables, graphs and charts, reports, conclusions
MHRA Data Integrity Guidance
Systems designed to encourage compliance with principles of data integrity:
• Access to clocks for recording timed events
• Accessibility of batch records at locations where activities take place so that ad hoc data recording and later transcription to official records is not necessary
• Control over blank paper templates for data recording
• User access rights which prevent (or audit trail) data amendments
• Automated data capture or printers attached to equipment such as balances
• Proximity of printers to relevant activities
• Access to raw data for staff performing data checking activities
Ignorant, Sloppy or Just BAD? Nature or Nurture? Motive: Intent to deceive?
Warning letters1. Failure to record all quality activities at the time they are performed.
a. a production employee had recorded the final packed quantity of the batch in
Step 5.7, even though the quantity was not yet known because the operator had not
yet weighed the batch. Immediately after observing the incident, the investigator
requested a copy of page 6 containing Step 5.7 and was given a photocopy. A full
batch record provided later that day did not include the original page 6. Instead it
included a new version of page 6.
b. The investigator observed at least two examples when a manufacturing step was
recorded in the batch record before it occurred:
i. The production operator recorded the start time for step 6.2 as 12:15 on October
26, 2012, although it was still 11:00 when our investigator noticed this situation.
ii. at approximately 11:00 on the same date, a production officer had already
recorded the material used for the API although the step had not yet
occurred. The material had not yet been weighed.
Warning letters
a. The inspection documented that HPLC processing methods (including
integration parameters) and re-integrations are executed without a pre-defined,
scientifically valid procedure. Your analytical methods are not locked to ensure
that the same integration parameters are used on each analysis. A QC operator
interviewed during the inspection stated that integrations are performed and re-
performed until the chromatographic peaks are “good”, but was unable to provide
an explanation for the manner in which integration is performed. Moreover, your
firm does not have a procedure for the saving of processing methods used for
integration.
Your response did not include a description of the method by which
chromatograph integrations are to be performed (e.g., what constitutes a
chromatographic peak, how shoulder peaks are to be handled, etc.). In addition,
your response did not include an audit of past chromatographic data to determine
whether data used to support release and stability studies originated from
appropriately integrated chromatograms.
Warning lettersa QC analyst had recorded completion times of laboratory analyses that had not yet occurred. Specifically, a Loss on Drying (LOD) analysis was performed at approximately 10:55 AM. The investigator noted that the analyst had already recorded the completion time for three samples although the step was not yet completed. Our investigator asked the analyst why he recorded the completion time for each of the three samples if the step was still in progress. The analyst did not offer an explanation. Moreover, our investigator also found that weights for these three samples were recorded on blank pieces of paper and not directly onto the test data sheets.
Warning lettersYour response stated that a new SOP has been created to address this issue and that training on this SOP has occurred. Your response did not address the extent of this practice, the impact on the quality of the product and why your laboratory management failed to detect this practice. Your response also provided no actions to improve oversight by your quality unit (e.g., independence, authority, resources). The above practices raise concerns regarding the reliability and accuracy of the data generated at your firm, including any other inappropriate data-related practices permitted by your firm when an inspection is not in progress.
In response to this letter, provide a summary of your full assessment of all the raw data recorded on each of the batch production and QC laboratory analytical records for the APIs intended for the US market to ensure their reliability.
Warning letters
• The audit trail function for the chromatographic systems was disabled at the time of the inspection; therefore, there is no record for the acquisition of data or modifications to laboratory data. Your response to this deficiency did not discuss how you will ensure that data audit trails will not be disrupted in the future.
• your firm failed to have adequate procedures for the use of computerized systems used in the QC laboratory. At the time of the inspections, your QC laboratory personnel shared the same username and password for the operating systems and analytical software on each workstation in the QC laboratory. In addition, no computer lock mechanism had been configured to prevent unauthorized access to the operating system. The investigator noticed that the current QC computer users are able to delete data. In addition, the investigator found that there is no audit trail or trace in the operating system to document deletions.
Warning letters
• the use of the Excel® spreadsheets in analytical calculations are neither controlled nor protected from modifications or deletion. The investigator noticed that the calculation for residual solvent uses an Excel spreadsheet that has not been qualified. We are concerned about the data generated by your QC laboratory from non-qualified and uncontrolled Excel spreadsheets.
In response to this letter, provide a retrospective evaluation of the analytical values reported where such Excel spreadsheets have been used.
Warning letters…You are responsible!
Unofficial Testing
• b. Your firm frequently performs “unofficial testing” of samples, disregards the results, and reports results from additional tests. For example, during stability testing, your firm tested a batch sample six times and subsequently deleted this data.
• You performed “trial” sample HPLC analyses prior to acquiring the “official” analyses. The “trial” results were subsequently discarded. “Trial” HPLC analyses were apparently run as part of the 12-month long-term stability studies on batch #15069 for related substances. Your employee ran an HPLC analysis sequence and subsequently deleted the raw data files. Your quality control staff named the samples using the last three digits of the batch numbers to link the "trial" injections with the official assay analyses. Your Senior Quality Control (QC) Officer confirmed these were analyses of batch samples. Furthermore, we found that this batch was analyzed for unknown impurities and results reported as within specifications. However, the data showed that the "trial" injection for this batch failed the unknown impurities specification in several test runs.
• Your Senior QC Officer confirmed that QC laboratory employees had frequently practiced the use of “trial” injections at your facility. Significantly, in addition to the example above, our inspection found 5,301 deleted chromatograms on a computer used to operate two HLPC instruments in your QC laboratory. Many of these files were “trial” injections of batches.
Vagueness in procedures
• An opening / gap for analyst to do as they please
What is data integrity
• Data Integrity: Determines whether the information being measured truly represents the desired attribute
• Data Accuracy: Determines the degree to which individual or average measurements agree with an accepted standard or reference value
Data IntegrityStrive for truth
• If making a measurement I want to get to the true value
• What is the true value?
Data Governance System PACA
• Policy (PA)• Training in the importance of data integrity
• SOPs
• Technical (e.g. computer system access) controls
• The degree of effort and resource applied to the organisational and technical control of data lifecycle elements should be commensurate with its criticality in terms of impact to product quality attributes
• Audit (look for error or distortion)may be deliberate or inadvertent (bias / subjectivity)
• Improvement (CA)
Questions to ask /answer for audit
• Use a process flow of the production / test process and step by step ask what is done and how it is captured accurately on real time
• What are you doing
• Why are you doing it
• How do you do it
• What are the steps and how and by whom are they documented
• Who verifies the steps and how
• Can raw data be changed? What evidence remainsRetained sample?how long are EM plates kept after reading – where is this
written, where are they stored and how often do you audit it?)
Case study
• Head of QC laboratory approves plate counts for cleanroom. Documentation shows results for two temperatures of incubation and signature and date of microbiologist who read the results
• Are there potential DI issues?
Data Integrity AuditWhat questions would you ask?
Data integrity audit
• Validate measurement system
• Questions:• Weights – printouts? Lying around? Or immediately pasted to
notebook
• Media preparation – mixing time? pH?
• Are there notebooks? Or loose sheets
• Conform / not conform pass / fail
• Counting of colonies – qualification and oversight?
• Deviations – who decides if a “dropped / cracked” plate is binned?
• Who incubated the plates – who read them at 22˚C and transferred to 35 – who read them at the end of the period –where is that documented
Computerized Spreadsheets
• Error in / incorrect formula
• Spreadsheet not protected or locked
• Data loss through inadvertent or intentional deletion, errors, computer issues
• Omitted, added or altered information
• Entry / transcription errors
What is Culture?
What is Culture?• “DO what I DO” not “DO what I SAY” – Leadership is setting an
example there is no “different” rule for the boss – it doesn’t work
• Observable Actions and Behaviors
•Unwritten rules – “the way we do things around here”
• Culture and leadership are inseparable / interdependent. Senior leaders say, do and reward behaviorsthat create culture and allow for or derail change
Quality Culture – Do What I doCase Study
• Production Head at a contract laboratory has an audit from a customer
• “Can I see the batch record for our product which was manufactured three weeks ago?”
• Sorry, I haven’t reviewed them yet and we don’t show unreviewed results
Quality Culture and DIStrive for Truth
• What you do matters
• It takes years to create a quality culture:“Unconscious competence”
• It takes only one or two actions (sometimes unconscious) to destroy the culture and unconscious competence needs investment of energy to maintain it (for experienced and new staff)
• There are some “bad sorts” but they are rare
Data integrity audits and the role of the Quality Unit
• Educate
• Show others what is unacceptable
• Show them how to correct bad practices
• Integrate automated methods for data integrity which cannot be bypassed
In Conclusion...
In Conclusion:Strive for Truth
• Know the basic concepts of Data Integrity
• Know when to conduct data integrity audits• Formal: internal audit program
• On-the-spot: sometimes and whenever a problem is suspected
• Recognize that data integrity audits should evaluate reliability and validity of the data collection, analysis and reportable result presentation and evaluation for pass / fail specification
PCI’ ethics policyPCI’s data governance plan
• Quick look
THANK YOU FOR PARTICIPATINGQuestions?
