OR WAIT null SECS
Blue whales have a gestation of 12 months, whereas elephants take 22 months; in contrast, the gestation period for the Pharmaceutical Inspection Co-operation Scheme (PIC/S) PI-041 data integrity guidance has been five years. The first draft was issued in April 2016; draft 3 was issued for public comment in November 2018, with the final version issued in July 2021. The formal title is Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments, with a document number PI-041 (1), but the focus is data integrity. The document scope covers all activities under the remits of good manufacturing practice (GMP) and good distribution practice (GDP) regulations. This column only focuses on laboratories working to GMP regulations. The review of this guidance document will be in two parts:
The rationale for another regulatory guidance document on data integrity is the continued focus of health authorities on numerous issues of data falsification and poor data management practices, and the basic inability of companies globally to comply with GMP regulations. The PIC/S guidance joins other data integrity guidances from other regulatory authorities, such as the World Health Organization (WHO) (2), the U.K. Medicines and Healthcare Products Regulatory Agency (MHRA) (3,4), and the U.S. Food and Drug Administration (FDA) (5), who have issued guidance documents on the topic. Recently, the Organization of Economic Cooperation and Development (OECD) also issued a good laboratory practice (GLP) data integrity guidance (6).
In addition, there are data integrity publications from scientific societies and industry bodies such as the GAMP Forum (7–9), the Parenteral Drug Association (10), and the Active Pharmaceutical Ingredient Committee (APIC) (11).
You may be forgiven for asking: Do we really need another data integrity guidance document, and who or what is PIC/S anyway? Let’s start with the second part of the question first: Who or what is PIC/S?
Originally called the Pharmaceutical Inspection Convention, PIC/S has evolved into the Pharmaceutical Inspection Co-operation Scheme, but documents still have both names on them—hence the abbreviation of both to PIC/S. PIC/S is a global organization that is essentially a club of GMP inspectors from more than 50 regulatory authorities, from Europe, the United States, Canada, Japan, Australia, South Korea, and Singapore. A regulatory authority applies to join the scheme, and, after an assessment by other PIC/S members, the authority is admitted if it meets the organization’s criteria. PIC/S has its own GMP regulations, which are adopted by most of their members, the exception being the U.S. FDA, which still use 21 CFR 211.
In addition, PIC/S publishes regulatory guidance available on its website (www.picscheme.org) for both regulators and industry to download. When a document is to be written, an expert circle is convened, consisting of inspectors with expertise in the subject, who work on the various drafts. Document naming is important:
PIC/S PI-041 has been written to help with onsite inspections of GMP facilities; however, in this two-part article, we focus on analytical development and quality control laboratories. The overall structure of the new data integrity document is shown in Figure 1, and it shows the scope of the guidance for data integrity within a regulated organization:
I’ll not bother you with Sections I–4, as they only cover the document history, introduction, purpose and scope.
The only other regulatory guidance with equivalent breadth is the WHO guide issued in 2016 (2). Although there are common sections between the PIC/S and WHO guidances, the best discussion of the ALCOA (attributable, legible, contemporaneous, original, and accurate) criteria for data integrity is found in Appendix 1 of the WHO guidance. Although the PIC/S guidance discusses all nine ALCOA+ criteria (the “+” refers to “complete, consistent, enduring, and available”), it does not provide the in-depth coverage that is found in WHO guidance.
The final version of PI-041 guidance document is now 63 pages, compared with 53 of the 2018 draft. It is easily the longest regulatory data integrity guidance. We examine below whether the wait for the final version was worth it.
If you read any recent FDA guidance for industry, you will see the definition of the word “should”:
In general, FDA’s guidance documents do not establish legally enforceable responsibilities. Instead, guidances describe the Agency’s current thinking on a topic, and should be viewed only as recommendations, unless specific regulatory or statutory requirements are cited. The use of the word “should” in Agency guidances means that something is suggested or recommended, but not required (5).
Paul Smith has performed an analysis of the four main regulatory authority data integrity guidance documents comparing the use of must and should, as shown in Figure 2. First, there are very few instances of must; and the majority of them are in the FDA and MHRA guidances. Second, the clear winner is the PIC/S guidance with over 500 times where should is used, and there are no instances of the word must. One reason the word should appears so many times is simply the length of the document, which is nearly twice that of the WHO and three times that of the MHRA and FDA guidance documents. This, of course, contrasts with the use of the word should in regulations, which can be interpreted simply as “Do it, or you’re toast.”
Data governance (DG) has been a regulatory expectation since the MHRA presented the UK pharmaceutical industry with an early Christmas present in December 2013. The agency posted on its website the requirement for internal audits to cover data governance, and, by the way, added that it would start inspections for this in January 2014 (so have a Happy New Year)! The requirement for data governance has been reiterated in both the MHRA GMP and GXP guidance documents (3,4). In contrast, PI-041 states in 5.1.1 that there is no current GMP regulation to implement a data governance system, but offers help to a laboratory to define, prioritize, and communicate DG risk management activities (1).
The problem with the guidance is that it can appear paranoid; the title of the section is “DG System,” but the heading of section 5.2 refers to “DG Systems” in plural (1). This situation is also repeated in individual clauses in section 5.2, where the clauses flip between singular and plural. Which is it, especially, given that there is no regulatory requirement for DG? Also, the definition of DG (no system and apparently singular) in the glossary refers simply to all arrangements to ensure the integrity of any GMP records throughout the data lifecycle (1).
The main plank of data governance is to use computerized systems to automate processes and enable technical controls to ensure and enforce the integrity of data, coupled with validation to demonstrate that the system works as expected. However, data governance does not forget the role an organization has to play, through procedures, training, data review, and quality oversight, as shown in my data integrity model that has been presented in several publications of mine over the past few years (12–15).
We must wait until clauses 5.2.4 and 5.3.1 before we mention the key group accountable for data integrity in an organization—senior management (1). When earlier sections of the guide discuss the pharmaceutical quality system (PQS), they do not mention senior management. We must wait until Section 6 , which delves into organizational influences on successful data integrity management, including a detailed discussion on the role of senior management. For example (1):
If you look at the structure of Sections 5 and 6 of PI-041, shown in Figure 3, there is no subsection specifically dealing with senior management and its role in ensuring data integrity. This is surprising, given that ICH Q10 (16) and EU GMP Chapter 1 (17) for pharmaceutical quality systems (PQS) both hold senior management accountable for the PQS in any GMP organization, and for all work carried out under it. From the regulations, and in my view, there should be a specific section early in the document focused on senior management, rather than dispersing it in different sections of the guidance. A similar situation occurred where senior management was omitted from the draft of the FDA data integrity guidance (18), and added as an afterthought in the background section of the final document (5).
Risk management and its role in data integrity and data governance is covered in Sections 5.3 through 5.5. As that well known data integrity expert, George Orwell, noted, “All data are created equal, but some are more equal than others.” Therefore, it is the role of risk management to identify systems and processes that create and manage data that are more critical, so that they can be assessed first to identify data vulnerabilities and mitigate them.
Candidates at the front of the queue are processes that are complex, inconsistent, or open ended, and generate data used in product submissions or batch release. Also, manual, paper based processes can be problematic, as we shall see later in this article. Ideally, short-term remediation (mainly procedural with some simple technical fixes) should be applied for quick fixes, with longer-term solutions implemented (automation with technical controls) to have a process or system to ensure data integrity.
The scope of Section 6, shown in Figure 3, covers some critical areas for data integrity (1). These include the following:
This subhead is the title of Section 7 of the PIC/S guidance, and it emphasizes good documentation practices (GDocP) and discusses the nine ALCOA+ criteria (1). Section 7.5 is essentially a table covering the criteria, and the requirements for each one.
Appendix 1 of the WHO guidance (2) provides more comprehensive coverage of ALCOA principles with:
However, later sections of the PIC/S document provide further information on ALCOA+, but it is not highlighted. My suggestion is to use the definitions of ALCOA+ in section 7.5 of PIC/S PI-041 as an overview (1), but to use Appendix 1 of the WHO guidance (2) for more detailed reference and in your data integrity program.
Section 7 finishes with guidance on how to create a true copy of a record, and the limitation of remote review of data in summary reports.
Covering approximately 13 pages of the guidance, there is an in-depth treatise of data integrity considerations for paper records needed for following GDocP and meeting the ALCOA+ criteria (1), as shown in Figure 4. First up, the old chestnut of control of master templates and blank forms for which there is accountability, coupled with a discussion of the importance of controlling records. Although ignored by many laboratories, control of blank forms is not new and has been required by the FDA since 1993 (19) and reiterated in the data integrity guidance documents from WHO, MHRA, FDA (2–5), and now PIC/S PI-041(1).
If management fully implemented the requirements of this and other guidance documents on blank forms, they would realize the overall cost and fund automation projects rapidly to remove paper-based processes from the laboratory. Chris Burgess and I wrote a “Questions of Quality” column on this subject where more detail can be found (20). I also refer you to a recent article of mine on the “Hidden Factory in Your Laboratory,” whose only product was paper printouts (21).
Section 8.4 brings the first of many tables on specific subjects, in this case expectations for the generation, distribution, and control of records (1). The table presents:
This approach is very good and clear. My only concern is that I hope that analysts read and understand the whole of Section 8 to understand the requirements for paper records. Reading through this section, you find requirements that original from EU GMP Chapter 4 on documentation (22). Perhaps there should be a few more instances of must in this section of the guidance?
Sections 8.5 to 8.7 are tables of basic GDocP requirements for paper records, from control of records at point of use to how to complete a record to how to make corrections. While these sections are basic GMP requirements, the content is the basis for a good training course in GDocP; all it needs to complete the course are pictures of right and wrong examples. Second-person review of paper records is covered in Section 8.8—another good source of training material.
The last topic in Section 8.9 that I will review here is direct printouts from electronic systems, such as standalone analytical balances and pH meters, containing measurements performed by an analyst. PI-041 notes that the original record should be signed and dated by the person generating the record, and information to ensure traceability (attribution, perhaps?). These original records should be attached to batch processing or testing records (1). There are a few points that need commenting:
Then, to finish this first part review of PIC/S PI-041, “moan” mode is turned on with the volume cranked up....
There is a major inability of GMP inspectors to understand and grasp the meaning of the term raw data, and this is perpetuated in PIC/S PI-041. The term raw data is defined in the glossary as the original record (data) which can be described as the first-capture of information (1). Wrong, wrong, wrong! As we have discussed in this column previously (24,25), raw data is a GLP term that is defined in 21 CFR 58.3(k) as “the result of original observations and activities of a nonclinical laboratory study and are necessary for the reconstruction and evaluation of the report of that study. (26).” This definition is mirrored in OECD GLP regulations (27). Raw data should be considered the same as complete data as used in 21 CFR 211.194(a) (28), and means all data and records without selection, filtering, or deletion.
Interestingly, the new OECD GLP data integrity guidance, (6) which is the MHRA GXP guidance (4) fancied up for GLP, actually gets the raw data definition right!
This is the first of a two-part review of the new PIC/S PI-041 guidance on Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments, and has focused on the scope, data governance, and paper records. In Part 2, we will look at what lies in store for computerized systems, and provide an overall summary of the guidance.
I would like to thank Paul Smith for Figure 2 and his analysis of data integrity guidance documents.
(1) PIC/S PI-041 Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments (Pharmaceutical Inspection Convention/Pharmaceutical Inspection Cooperation Scheme, Geneva, Switzerland, 2021).
(2) WHO Technical Report Series No. 996 Annex 5 Guidance on Good Data and Records Management Practices. (World Health Organization, Geneva, Switzerland, 2016).
(3) MHRA GMP Data Integrity Definitions and Guidance for Industry, 2nd Edition (Medicines and Healthcare Products Regulatory Agency: London, United Kingdom, 2015).
(4) MHRA GXP Data Integrity Guidance and Definitions (Medicines and Healthcare Products Regulatory Agency, London, United Kingdom, 2018)
(5) FDA Guidance for Industry Data Integrity and Compliance With Drug CGMP Questions and Answers (FDA, Silver Spring, MD, 2018).
(6) OECD Series on Principles of Good Laboratory Practice (GLP) and Compliance Monitoring, Number 22, Advisory Document of the Working Party on Good Laboratory Practice on GLP Data Integrity (Organization of Economic Cooperation and Development, Paris, France, 2021).
(7) GAMP Good Practice Guide: Data Integrity - Key Concepts (International Society for Pharmaceutical Engineering, Tampa, FL, 2018).
(8) GAMP Good Practice Guide: Data Integrity by Design (International Society for Pharmaceutical Engineering, Tampa, FL, 2020).
(9) GAMP Guide Records and Data integrity (International Society for Pharmaceutical Engineering, Tampa, FL, 2017).
(10) Technical Report 80: Data Integrity Management System for Pharmaceutical Laboratories (Parenteral Drug Association, Bethesda, MD, 2018).
(11) Practical risk-based guide for managing data integrity, version 1. 2019; Available from: https://apic.cefic.org/ pub/Data_Integrity_Best_Practices_ Guide_for_API_FINAL_March-2019.pdf.
(12) R.D. McDowall, Spectroscopy 31(4), 15–25 (2016).
(13) R.D. McDowall, Data Integrity and Data Governance: Practical Implementation in Regulated Laboratories (Royal Society of Chemistry, Cambridge, United Kingdom, 2019).
(14) R.D. McDowall, LCGC North Am. 37(1), 44–51 (2019).
(15) R.D. McDowall, Spectroscopy 35(11), 13–22 (2020).
(16) ICH Q10 Pharmaceutical Quality Systems. 2008, International Conference on Harmonization: Geneva.
(17) EudraLex, Volume 4 Good Manufacturing Practice (GMP) Guidelines, Chapter 1: Pharmaceutical Quality System (European Commission, Brussels, Belgium, 2013).
(18) U.S. Food and Drug Administration, Draft Guidance for Industry Data Integrity and Compliance with cGMP (FDA, Silver Spring, MD, 2016).
(19) Food and Drug Administration, Inspection of Pharmaceutical Quality Control Laboratories (FDA, Rockville, MD, 1993).
(20) C. Burgess and R.D. McDowall, LCGC Europe 29(9), 498–504 (2016).
(21) R.D. McDowall, LCGC Europe 34(8), 326-330 (2021).
(22) EudraLex, Volume 4 Good Manufacturing Practice (GMP) Guidelines, Chapter 4: Documentation (European Commission, Brussels, Belgium, 2011).
(23) R.D. McDowall, Spectroscopy 32(12), 8–12 (2017).
(24) R.D. McDowall, Spectroscopy 31(11), 18–21 (2016).
(25) R.D. McDowall, LCGC North Am. 37(4), 265–268 (2019).
(26) Food and Drug Administration, 21 CFR 58 Good Laboratory Practice for Non-Clinical Laboratory Studies (FDA, Washington, DC, 1978).
(27) OECD Series on Principles of Good Laboratory Practice and Compliance Monitoring Number 1: OECD Principles on Good Laboratory Practice (Organization of Economic Cooperation and Development, Paris, France, 1998).
(28) Food and Drug Administration, 21 CFR 211 Current Good Manufacturing Practice for Finished Pharmaceutical Products (FDA, Silver Spring, MD, 2008).