Are You Ready for the Latest Data Integrity Guidance? Part 1: Scope, Data Governance, and Paper Records

Spectroscopy, November 2021, Volume 36, Issue 11
Pages: 18–23

Blue whales have a gestation of 12 months, whereas elephants take 22 months; in contrast, the gestation period for the Pharmaceutical Inspection Co-operation Scheme (PIC/S) PI-041 data integrity guidance has been five years. The first draft was issued in April 2016; draft 3 was issued for public comment in November 2018, with the final version issued in July 2021. The formal title is Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments, with a document number PI-041 (1), but the focus is data integrity. The document scope covers all activities under the remits of good manufacturing practice (GMP) and good distribution practice (GDP) regulations. This column only focuses on laboratories working to GMP regulations. The review of this guidance document will be in two parts:

  • Part 1, here, discusses the scope of the guidance, data governance, and paper records
  • Part 2 will focus on computerized systems, outsourcing, and regulatory and quality oversight.

Another DI Guidance? You Cannot Be Serious!

The rationale for another regulatory guidance document on data integrity is the continued focus of health authorities on numerous issues of data falsification and poor data management practices, and the basic inability of companies globally to comply with GMP regulations. The PIC/S guidance joins other data integrity guidances from other regulatory authorities, such as the World Health Organization (WHO) (2), the U.K. Medicines and Healthcare Products Regulatory Agency (MHRA) (3,4), and the U.S. Food and Drug Administration (FDA) (5), who have issued guidance documents on the topic. Recently, the Organization of Economic Cooperation and Development (OECD) also issued a good laboratory practice (GLP) data integrity guidance (6).

In addition, there are data integrity publications from scientific societies and industry bodies such as the GAMP Forum (7–9), the Parenteral Drug Association (10), and the Active Pharmaceutical Ingredient Committee (APIC) (11).

You may be forgiven for asking: Do we really need another data integrity guidance document, and who or what is PIC/S anyway? Let’s start with the second part of the question first: Who or what is PIC/S?

PIC/S Explained

Originally called the Pharmaceutical Inspection Convention, PIC/S has evolved into the Pharmaceutical Inspection Co-operation Scheme, but documents still have both names on them—hence the abbreviation of both to PIC/S. PIC/S is a global organization that is essentially a club of GMP inspectors from more than 50 regulatory authorities, from Europe, the United States, Canada, Japan, Australia, South Korea, and Singapore. A regulatory authority applies to join the scheme, and, after an assessment by other PIC/S members, the authority is admitted if it meets the organization’s criteria. PIC/S has its own GMP regulations, which are adopted by most of their members, the exception being the U.S. FDA, which still use 21 CFR 211.

In addition, PIC/S publishes regulatory guidance available on its website (www.picscheme.org) for both regulators and industry to download. When a document is to be written, an expert circle is convened, consisting of inspectors with expertise in the subject, who work on the various drafts. Document naming is important:

  • PIC/S External (PE) documents written by inspectors for industry.
  • PIC/S Internal (PI) documents written for inspectors, some of which are made available for industry, one of which is PI-041 on data integrity.

PIC/S PI-041: Good Practices for Data Management and Integrity

PIC/S PI-041 has been written to help with onsite inspections of GMP facilities; however, in this two-part article, we focus on analytical development and quality control laboratories. The overall structure of the new data integrity document is shown in Figure 1, and it shows the scope of the guidance for data integrity within a regulated organization:

  • Section 5: Data Governance within a Pharmaceutical Quality System.
  • Section 6: Organization Issues, such as staff values, quality, ethics, and conduct.
  • Section 7: General data integrity principles.
  • Section 8: Considerations for paper records, including the control of blank forms and master templates.
  • Section 9: Considerations for computerized systems, including hybrid systems.
  • Section 10: Outsourcing and data integrity.
  • Section 11: Regulatory actions in response to data integrity findings.
  • Section 12: Remediation of data integrity failures.

I’ll not bother you with Sections I–4, as they only cover the document history, introduction, purpose and scope.

The only other regulatory guidance with equivalent breadth is the WHO guide issued in 2016 (2). Although there are common sections between the PIC/S and WHO guidances, the best discussion of the ALCOA (attributable, legible, contemporaneous, original, and accurate) criteria for data integrity is found in Appendix 1 of the WHO guidance. Although the PIC/S guidance discusses all nine ALCOA+ criteria (the “+” refers to “complete, consistent, enduring, and available”), it does not provide the in-depth coverage that is found in WHO guidance.

The final version of PI-041 guidance document is now 63 pages, compared with 53 of the 2018 draft. It is easily the longest regulatory data integrity guidance. We examine below whether the wait for the final version was worth it.

Must vs. Should

If you read any recent FDA guidance for industry, you will see the definition of the word “should”:

In general, FDA’s guidance documents do not establish legally enforceable responsibilities. Instead, guidances describe the Agency’s current thinking on a topic, and should be viewed only as recommendations, unless specific regulatory or statutory requirements are cited. The use of the word “should” in Agency guidances means that something is suggested or recommended, but not required (5).

Paul Smith has performed an analysis of the four main regulatory authority data integrity guidance documents comparing the use of must and should, as shown in Figure 2. First, there are very few instances of must; and the majority of them are in the FDA and MHRA guidances. Second, the clear winner is the PIC/S guidance with over 500 times where should is used, and there are no instances of the word must. One reason the word should appears so many times is simply the length of the document, which is nearly twice that of the WHO and three times that of the MHRA and FDA guidance documents. This, of course, contrasts with the use of the word should in regulations, which can be interpreted simply as “Do it, or you’re toast.”

Data Governance

Data governance (DG) has been a regulatory expectation since the MHRA presented the UK pharmaceutical industry with an early Christmas present in December 2013. The agency posted on its website the requirement for internal audits to cover data governance, and, by the way, added that it would start inspections for this in January 2014 (so have a Happy New Year)! The requirement for data governance has been reiterated in both the MHRA GMP and GXP guidance documents (3,4). In contrast, PI-041 states in 5.1.1 that there is no current GMP regulation to implement a data governance system, but offers help to a laboratory to define, prioritize, and communicate DG risk management activities (1).

The problem with the guidance is that it can appear paranoid; the title of the section is “DG System,” but the heading of section 5.2 refers to “DG Systems” in plural (1). This situation is also repeated in individual clauses in section 5.2, where the clauses flip between singular and plural. Which is it, especially, given that there is no regulatory requirement for DG? Also, the definition of DG (no system and apparently singular) in the glossary refers simply to all arrangements to ensure the integrity of any GMP records throughout the data lifecycle (1).

The main plank of data governance is to use computerized systems to automate processes and enable technical controls to ensure and enforce the integrity of data, coupled with validation to demonstrate that the system works as expected. However, data governance does not forget the role an organization has to play, through procedures, training, data review, and quality oversight, as shown in my data integrity model that has been presented in several publications of mine over the past few years (12–15).

Senior Management Missing in Action?

We must wait until clauses 5.2.4 and 5.3.1 before we mention the key group accountable for data integrity in an organization—senior management (1). When earlier sections of the guide discuss the pharmaceutical quality system (PQS), they do not mention senior management. We must wait until Section 6 , which delves into organizational influences on successful data integrity management, including a detailed discussion on the role of senior management. For example (1):

  • Leading, resourcing, and funding the data integrity and data governance initiative in an organization. This is a program that will take more than an email from the CEO stating that from now on the company will ensure data integrity; rather, it requires a concerted and prolonged effort over time. Data integrity is a journey, not an event.
  • Ensuring that there is a culture and ethos for honesty, and allowing people to admit mistakes.
  • Establishing an open culture with employee empowerment to raise integrity issues through the PQS. The guide does not acknowledge that there may be cultural issues that may make this difficult to achieve, and that there will be reliance on quality oversight to achieve the goal.
  • Establishing and maintaining a quality culture.
  • Setting and maintaining the ethos and values for data integrity.
  • Establishing policies and procedures with associated training for all aspects of data integrity.
  • Ensuring assessments of processes and systems are carried out to identify and classify data vulnerabilities. Carry out both short term remediation (quick fixes) as well as implementing long term solutions providing business benefit.
  • Setting up metrics for various data integrity activities and management review.
  • Conducting regular and meaningful review (this is not a once-a-year, box ticking exercise) of data integrity projects.
  • Setting up of a protected whistleblower process to raise data integrity issues to senior management for their attention.

If you look at the structure of Sections 5 and 6 of PI-041, shown in Figure 3, there is no subsection specifically dealing with senior management and its role in ensuring data integrity. This is surprising, given that ICH Q10 (16) and EU GMP Chapter 1 (17) for pharmaceutical quality systems (PQS) both hold senior management accountable for the PQS in any GMP organization, and for all work carried out under it. From the regulations, and in my view, there should be a specific section early in the document focused on senior management, rather than dispersing it in different sections of the guidance. A similar situation occurred where senior management was omitted from the draft of the FDA data integrity guidance (18), and added as an afterthought in the background section of the final document (5).

Role of Risk Management

Risk management and its role in data integrity and data governance is covered in Sections 5.3 through 5.5. As that well known data integrity expert, George Orwell, noted, “All data are created equal, but some are more equal than others.” Therefore, it is the role of risk management to identify systems and processes that create and manage data that are more critical, so that they can be assessed first to identify data vulnerabilities and mitigate them.

Candidates at the front of the queue are processes that are complex, inconsistent, or open ended, and generate data used in product submissions or batch release. Also, manual, paper based processes can be problematic, as we shall see later in this article. Ideally, short-term remediation (mainly procedural with some simple technical fixes) should be applied for quick fixes, with longer-term solutions implemented (automation with technical controls) to have a process or system to ensure data integrity.

Organizational Influences on Data Integrity

The scope of Section 6, shown in Figure 3, covers some critical areas for data integrity (1). These include the following:

  • Expectations are set for staff ethics and behavior with respect to recording, interpreting, calculating, and reporting data that are clearly communicated to all.
  • Management needs to ensure that staff are aware that breaching ethics and behaviors could result in disciplinary procedures.
  • Unacceptable behaviors must be identified, documented in policies, and communicated clearly to staff, along with the range of company actions if they commit unacceptable behavior.
  • Quality culture is the responsibility of management to establish and foster. In my view, this is the most difficult part of any data integrity program, and requires management to lead by example
  • Section 6.4 deals with modernizing the PQS so that it is able to detect and correct weaknesses that could lead to data integrity lapses. Particular areas for a laboratory are second-person review, quality oversight, and the purchase of instrumentation and systems to ensure data integrity. This latter topic will be covered in Part 2 of this review of PI-041.

General DI Principles and Enablers

This subhead is the title of Section 7 of the PIC/S guidance, and it emphasizes good documentation practices (GDocP) and discusses the nine ALCOA+ criteria (1). Section 7.5 is essentially a table covering the criteria, and the requirements for each one.

Appendix 1 of the WHO guidance (2) provides more comprehensive coverage of ALCOA principles with:

  • a definition of each of the five terms
  • a table showing the expectations of paper and electronic records side by side for each term
  • a presentation of special risk factors for each term.

However, later sections of the PIC/S document provide further information on ALCOA+, but it is not highlighted. My suggestion is to use the definitions of ALCOA+ in section 7.5 of PIC/S PI-041 as an overview (1), but to use Appendix 1 of the WHO guidance (2) for more detailed reference and in your data integrity program.

Section 7 finishes with guidance on how to create a true copy of a record, and the limitation of remote review of data in summary reports.

  • Section 7.7.2 states that it is conceivable for raw data (later we will discuss the fact that the definition of raw data in this document is wrong) generated by electronic means to be retained in an acceptable paper or PDF format. It then mentions that, as well as the data, all direct and in- direct metadata also need to be printed (1). Having the option for companies to justify printing to paper in a guidance document is wrong, as most will ignore the caveats in this section and just do it. My opinion is to ignore this section.
  • PI-041 notes in section 7.8 that analytical summary reports from contract laboratories are limited, and that supporting data and associated metadata are often not included, as the original data cannot be reviewed (1). Thus, the outsourcing laboratory must conduct due diligence and assess the contract facility’s PQS and data integrity program, as well as being able to conduct on-site audits when appropriate.

Data Integrity Considerations for Paper Records

Covering approximately 13 pages of the guidance, there is an in-depth treatise of data integrity considerations for paper records needed for following GDocP and meeting the ALCOA+ criteria (1), as shown in Figure 4. First up, the old chestnut of control of master templates and blank forms for which there is accountability, coupled with a discussion of the importance of controlling records. Although ignored by many laboratories, control of blank forms is not new and has been required by the FDA since 1993 (19) and reiterated in the data integrity guidance documents from WHO, MHRA, FDA (2–5), and now PIC/S PI-041(1).

If management fully implemented the requirements of this and other guidance documents on blank forms, they would realize the overall cost and fund automation projects rapidly to remove paper-based processes from the laboratory. Chris Burgess and I wrote a “Questions of Quality” column on this subject where more detail can be found (20). I also refer you to a recent article of mine on the “Hidden Factory in Your Laboratory,” whose only product was paper printouts (21).

Section 8.4 brings the first of many tables on specific subjects, in this case expectations for the generation, distribution, and control of records (1). The table presents:

  • Expectation: All documents should have an unique identifier, and uncontrolled documents should be prohibited.
  • Potential risk of not meeting expectation: It is easier to falsify uncontrolled documents, and increases the potential for loss of official records by discarding or destruction.

This approach is very good and clear. My only concern is that I hope that analysts read and understand the whole of Section 8 to understand the requirements for paper records. Reading through this section, you find requirements that original from EU GMP Chapter 4 on documentation (22). Perhaps there should be a few more instances of must in this section of the guidance?

Sections 8.5 to 8.7 are tables of basic GDocP requirements for paper records, from control of records at point of use to how to complete a record to how to make corrections. While these sections are basic GMP requirements, the content is the basis for a good training course in GDocP; all it needs to complete the course are pictures of right and wrong examples. Second-person review of paper records is covered in Section 8.8—another good source of training material.

The last topic in Section 8.9 that I will review here is direct printouts from electronic systems, such as standalone analytical balances and pH meters, containing measurements performed by an analyst. PI-041 notes that the original record should be signed and dated by the person generating the record, and information to ensure traceability (attribution, perhaps?). These original records should be attached to batch processing or testing records (1). There are a few points that need commenting:

  • Older analytical balances and similar instruments may not have the function to have user accounts, and so the analyst must (not “should,” as stated in PI-041) sign or initial and date the printout.
  • Newer balances have time and date stamps, as well as individual user accounts and passwords; each printout from the instrument will have the name of the analyst, as well as the date and time on it.
  • Surprisingly, there is no mention of an instrument log that should be completed in parallel with the analysis being performed. Logs provide critical correction, and are essential for ensuring data integrity. Instrument log books were discussed in an earlier “Focus on Quality” column (23).

Then, to finish this first part review of PIC/S PI-041, “moan” mode is turned on with the volume cranked up....

The Wrong Definition of Raw Data —Again!

There is a major inability of GMP inspectors to understand and grasp the meaning of the term raw data, and this is perpetuated in PIC/S PI-041. The term raw data is defined in the glossary as the original record (data) which can be described as the first-capture of information (1). Wrong, wrong, wrong! As we have discussed in this column previously (24,25), raw data is a GLP term that is defined in 21 CFR 58.3(k) as “the result of original observations and activities of a nonclinical laboratory study and are necessary for the reconstruction and evaluation of the report of that study. (26).” This definition is mirrored in OECD GLP regulations (27). Raw data should be considered the same as complete data as used in 21 CFR 211.194(a) (28), and means all data and records without selection, filtering, or deletion.

Interestingly, the new OECD GLP data integrity guidance, (6) which is the MHRA GXP guidance (4) fancied up for GLP, actually gets the raw data definition right!

Summary

This is the first of a two-part review of the new PIC/S PI-041 guidance on Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments, and has focused on the scope, data governance, and paper records. In Part 2, we will look at what lies in store for computerized systems, and provide an overall summary of the guidance.

Acknowledgment

I would like to thank Paul Smith for Figure 2 and his analysis of data integrity guidance documents.

References

(1) PIC/S PI-041 Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments (Pharmaceutical Inspection Convention/Pharmaceutical Inspection Cooperation Scheme, Geneva, Switzerland, 2021).

(2) WHO Technical Report Series No. 996 Annex 5 Guidance on Good Data and Records Management Practices. (World Health Organization, Geneva, Switzerland, 2016).

(3) MHRA GMP Data Integrity Definitions and Guidance for Industry, 2nd Edition (Medicines and Healthcare Products Regulatory Agency: London, United Kingdom, 2015).

(4) MHRA GXP Data Integrity Guidance and Definitions (Medicines and Healthcare Products Regulatory Agency, London, United Kingdom, 2018)

(5) FDA Guidance for Industry Data Integrity and Compliance With Drug CGMP Questions and Answers (FDA, Silver Spring, MD, 2018).

(6) OECD Series on Principles of Good Laboratory Practice (GLP) and Compliance Monitoring, Number 22, Advisory Document of the Working Party on Good Laboratory Practice on GLP Data Integrity (Organization of Economic Cooperation and Development, Paris, France, 2021).

(7) GAMP Good Practice Guide: Data Integrity - Key Concepts (International Society for Pharmaceutical Engineering, Tampa, FL, 2018).

(8) GAMP Good Practice Guide: Data Integrity by Design (International Society for Pharmaceutical Engineering, Tampa, FL, 2020).

(9) GAMP Guide Records and Data integrity (International Society for Pharmaceutical Engineering, Tampa, FL, 2017).

(10) Technical Report 80: Data Integrity Management System for Pharmaceutical Laboratories (Parenteral Drug Association, Bethesda, MD, 2018).

(11) Practical risk-based guide for managing data integrity, version 1. 2019; Available from: https://apic.cefic.org/ pub/Data_Integrity_Best_Practices_ Guide_for_API_FINAL_March-2019.pdf.

(12) R.D. McDowall, Spectroscopy 31(4), 15–25 (2016).

(13) R.D. McDowall, Data Integrity and Data Governance: Practical Implementation in Regulated Laboratories (Royal Society of Chemistry, Cambridge, United Kingdom, 2019).

(14) R.D. McDowall, LCGC North Am. 37(1), 44–51 (2019).

(15) R.D. McDowall, Spectroscopy 35(11), 13–22 (2020).

(16) ICH Q10 Pharmaceutical Quality Systems. 2008, International Conference on Harmonization: Geneva.

(17) EudraLex, Volume 4 Good Manufacturing Practice (GMP) Guidelines, Chapter 1: Pharmaceutical Quality System (European Commission, Brussels, Belgium, 2013).

(18) U.S. Food and Drug Administration, Draft Guidance for Industry Data Integrity and Compliance with cGMP (FDA, Silver Spring, MD, 2016).

(19) Food and Drug Administration, Inspection of Pharmaceutical Quality Control Laboratories (FDA, Rockville, MD, 1993).

(20) C. Burgess and R.D. McDowall, LCGC Europe 29(9), 498–504 (2016).

(21) R.D. McDowall, LCGC Europe 34(8), 326-330 (2021).

(22) EudraLex, Volume 4 Good Manufacturing Practice (GMP) Guidelines, Chapter 4: Documentation (European Commission, Brussels, Belgium, 2011).

(23) R.D. McDowall, Spectroscopy 32(12), 8–12 (2017).

(24) R.D. McDowall, Spectroscopy 31(11), 18–21 (2016).

(25) R.D. McDowall, LCGC North Am. 37(4), 265–268 (2019).

(26) Food and Drug Administration, 21 CFR 58 Good Laboratory Practice for Non-Clinical Laboratory Studies (FDA, Washington, DC, 1978).

(27) OECD Series on Principles of Good Laboratory Practice and Compliance Monitoring Number 1: OECD Principles on Good Laboratory Practice (Organization of Economic Cooperation and Development, Paris, France, 1998).

(28) Food and Drug Administration, 21 CFR 211 Current Good Manufacturing Practice for Finished Pharmaceutical Products (FDA, Silver Spring, MD, 2008).