Top Ten Tips for Data Compliance

How to Guide 1 Top Ten Tips for Data Compliance Bob McDowall, PhD Data compliance in both regulated and non-regulated laboratories includes data integrity (can you trust the numbers) and data quality (can you make a decision). Implicitly it also includes compliance with applicable regulations or quality standards.1-3 Although there are others, these are my “Top Ten Tips” for data compliance, as shown in Figure 1, which illustrates the relationships and interactions between them. Figure 1: Interaction of the Top Ten Tips for Data Compliance. Artwork credit: Technology Networks. TOP TEN TIPS FOR DATA COMPLIANCE Data Compliance Starts at Managing the the Top Human Factor OOS Investigations Complete Data Means Complete Data Implement Technical Controls Know Your Data Lifecycles Proble Processes & Procedures Validated Analytical Procedures Qualified Instruments & Validated Software Data Integrity and Compliance Is Everyone's Job 10 9 8 7 6 5 4 3 2 1 TOP TEN TIPS FOR DATA COMPLIANCE 2 How to Guide 1. Data compliance starts at the top Any organization’s senior management is responsible for the quality management system (QMS)1–6 and therefore data compliance. Lack of senior management involvement in the QMS will directly impact the overall approach required by an organization – e.g., quality culture and ethos, the ability to admit mistakes without blame, compliance procedures and training as well as Gemba walks by senior management. Senior management is also responsible for ensuring that systems are current and comply with applicable regulations and standards, non-compliant systems need to be assessed and remediated. 2. Data integrity and compliance is everybody’s job Following on from Tip 1 is the message that data compliance is everybody’s job. It’s an ongoing task that demands constant attention. To keep data compliance at the forefront, senior management, laboratory management and supervisors need to reinforce it. One way to do this is a Gemba walk, where managers talk with staff directly to understand their challenges and emphasize the importance of data compliance. Part of the Gemba walk involves talking with analysts who work with analytical processes regularly, this can help management understand where there are compliance issues; which can be raised as improvement ideas. Linked to Tip 1 is the ability to own up to mistakes and then understand the root cause – perhaps there is a problem with an SOP or workflow that is too complex and needs to be modified. 3. Have you qualified the instruments and validated application software? Analytical instruments and systems must be qualified and/or validated for the intended use against operating parameters defined in a laboratory user requirements specification (URS) to show they meet their intended use.7 Coupled with point of use or system suitability test checks performed on the day of analysis (e.g., analytical balance or pH meter). This means that the laboratory can rely on the data generated by the instrument. Many instruments are controlled by an application installed on a separate computer that acquires, processes, stores and reports results. This software needs to be validated for intended use requiring a URS and configuration of the software before testing against the user requirements. Documenting software configuration is important and will cover: System settings: Use electronic signatures and include the reason for a change in audit trail entries Workflows: Define workflows that enforce procedures rather than relying on procedural controls. This is discussed in more detail in Tip 7 User roles: Confirm who can do what by defining different user roles and their access privileges Account management: Ensure users are allocated to roles with no conflicts of interest (e.g., users with administrator privileges) Both the URS and the configuration specification must be placed under change control and updated when the application is updated. An earlier article on how to handle software updates is available.8 TOP TEN TIPS FOR DATA COMPLIANCE 3 How to Guide 4. Validated analytical procedures under actual conditions of use With trained staff using qualified and validated analytical instruments and systems, analytical procedures must be developed and validated under actual conditions of use.1,9,10 This includes procedures transferred from another laboratory or pharmacopoeial procedure. Ideally, experimental design software should define the design space and identify critical parameters that need to be controlled. The procedure is then validated and used to deliver reliable results in operational use. 5. Problem processes and procedures? Are your business processes, both manual and computerized, overly complex and difficult? Are your computer systems hybrid (electronic records with signed paper printouts)? Are calculations performed in spreadsheets with manual data input? These are signs that your processes and systems are slow and inefficient. A second-person review of an analysis could likely take longer than the analysis itself. Paper printouts coupled with manual input to computer systems result in multiple transcription error checks which are slow and error prone. It is far better to have an electronic and validated process to streamline both the analysis and review. Are your SOPs and analytical procedures overly complex? This could make it difficult for an analyst to follow. On the flip side, if they’re overly simplistic an analyst might be forced to make assumptions. Don’t wait until there is a document review scheduled, get feedback from the analysts who work with the procedures and make any changes as necessary. 6. Know your data lifecycles Each analytical procedure will generate data and metadata but not all analytical procedures are created equal. Some simpler procedures are observation tests such as color, appearance or odor. Here the data would be a single observation along with the associated metadata such as analyst, date/time, batch or lot number, etc. For more complex spectroscopic and chromatographic analytical procedures, the data lifecycle is more complex with on-the-day checks of instruments, sample preparation, instrumental analysis, interpretation and generation of the reportable result. Knowing the data to be collected for each procedure is critical for ensuring that they are captured, interpreted and reported correctly.11 7. Implement technical controls As mentioned in Top Tip 2 about workflow clarity, there are two options for controlling a process: procedural controls (via an analytical procedure or SOP) or technical controls (enforcing an electronic workflow in an application). Of the two it is preferable to implement and validate technical controls. Although there may be an overarching procedure, it is the technical controls that will enforce it. Have you ever forgotten to initial and date a document or missed a signature off a record? Technical controls will ensure that after a user has logged on, all work will be attributed to them via their user identity and date/ time stamped. If a record requires a signature, then the workflow will ensure that this occurs at the correct place in the workflow. A review cannot occur until the performer of the work has electronically signed the record set, furthermore, if the correct control is enabled the performer cannot review and approve their own work. TOP TEN TIPS FOR DATA COMPLIANCE 4 How to Guide This approach, prioritizing technical over procedural controls, has been identified for inclusion in the update of EU GMP Annex 11.12 8. Complete data means complete data FDA GMP 211.194(a) requires complete data from laboratory tests1 to ensure integrity and compliance. This is simple to interpret: everything captured during an analysis including all problems, instrument failures, etc. If a procedure or data system does not specify all the data and metadata to collect during an analysis, how does a reviewer or quality assurance specialist know how the data are complete? In contrast, GLP requires raw data which is defined as original observations and activities necessary to reconstitute the study report which is the same expressed differently.2,13 It also means that analysts can’t be selective in what is being reported – e.g., if one set of results is out of specification you can’t ignore them and repeat the work until a passing result is obtained. This would require an investigation to determine the root cause, which leads us to Top Tip 9. 9. Mishandling deviations including OOS investigations Laboratories are required to document and investigate deviations,1,14 however, many laboratories label these as incidents which is not a GMP term and is a way of hiding deviations. The FDA has published two versions of the Out-of-Specification (OOS) guidance for the investigation of aberrant results15,16 that outlines the process for laboratory investigations to find an attributable root cause for the deviation. The major problem with many investigations is that they are either not scientifically sound or that the root cause is attributed to “human error”. Too many of the latter raise questions about the quality and training of analytical staff. 10. Managing the human factor Even if you have Top Tips 1–9 implemented effectively in a laboratory, it’s important to remember that all processes and computerized systems are operated by humans, who can make mistakes. Technical controls can reduce but not eliminate problems caused either deliberately or in error. This is where Top Tip 1 comes into play and comes full circle back to how a laboratory trains its staff for integrity and compliance. Staff must be educated on what constitutes prohibited actions (e.g., reporting selective results, deleting data, etc.) and what actions are permitted. In addition, when mistakes are made, they must be reported and documented. In a non-blame culture, the reason for the mistake must be established and looked at as an opportunity to improve. Summary As can be seen from Figure 1, data compliance is not a single item but a series of interrelated activities that is predicated by active senior management involvement. Data compliance is everybody’s job and that must be reinforced by management throughout the organization. However, it comes down to how individuals work and act, which is the key to data compliance. References 1. United States Food and Drug Administration. 21 CFR 211 - Current Good Manufacturing Practice for Finished Pharmaceuticals. Silver Spring, MD: United States Food and Drug Administration. 1978. https://www.ecfr.gov/current/title-21/chapter- I/subchapter-C/part-211. TOP TEN TIPS FOR DATA COMPLIANCE 5 How to Guide 2. United States Food and Drug Administration. 21 CFR 58 - Good Laboratory Practice for Non-Clinical Laboratory Studies. Silver Spring, MD: United States Food and Drug Administration. 1978. https://www.ecfr.gov/current/title-21/chapter-I/subchapter- A/part-58 3. International Organization for Standardization. ISO/IEC 17025:2017 - General requirements for the competence of testing and calibration laboratories. Geneva: International Organization for Standardization. 2017. https://www.iso.org/obp/ui/#iso:std: iso-iec:17025:ed-3:v1:en 4. United States Food and Drug Administration. FDA Guidance for Industry Data Integrity and Compliance With Drug CGMP Questions and Answers. Silver Spring, MD: United States Food and Drug Administration. 2018. https://www.fda.gov/regulatory- information/search-fda-guidance-documents/data-integrity-and-compliance-drug-cgmp-questions-and-answers 5. Pharmaceutical Inspection Co-operation Scheme. PIC/S PI-041 Good Practices for Data Management and Integrity in Regulated GMP / GDP Environments. Geneva: Pharmaceutical Inspection Co-operation Scheme. 2021. https://picscheme.org/ docview/4234 6. World Health Organisation. WHO Technical Report Series No.996 Annex 5 Guidance on Good Data and Records Management Practices. Geneva: World Health Organisation. 2016. http://academy.gmp-compliance.org/guidemgr/files/WHO_TRS_996_ ANNEX05.PDF 7. United States Pharmacopoeia. USP General Chapter <1058> Analytical Instrument Qualification. Rockville, MD: United States Pharmacopoeia Convention Inc. https://doi.usp.org/USPNF/USPNF_M1124_01_01.html 8. McDowall RD. How to future-proof your LIMS: handling software updates. Technology Networks. https://www.technologynetworks. com/tn/how-to-guides/how-to-future-proof-your-lims-handling-software-updates-370757. Published 2023. Accessed April 2024 9. United States Pharmacopoeia. USP General Chapter <1220> Analytical Procedure Lifecycle. Rockville, MD: United States Pharmacopoeia Convention Inc. 2022. https://www.uspnf.com/sites/default/files/usp_pdf/EN/USPNF/usp-nf-notices/gc- 1220-pre-post-20210924.pdf 10. International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH). ICH Q2(R2) Validation of Analytical Procedures, Step 4 Final. Geneva: ICH. 2023. 11. McDowall RD. Data Integrity and Data Governance: Practical Implementation in Regulated Laboratories. The Royal Society of Chemistry; 2018. doi: 10.1039/9781788013277 12. European Medicines Agency. Concept Paper on the Revision of Annex 11 of the Guidelines on Good Manufacturing Practice for Medicinal Products – Computerised Systems. 2022. https://www.ema.europa.eu/en/documents/regulatory-procedural- guideline/concept-paper-revision-annex-11-guidelines-good-manufacturing-practice-medicinal-products_en.pdf 13. Organisation for Economic Co-operation and Development (OECD). OECD Series on Principles of Good Laboratory Practice and Compliance Monitoring Number 1, OECD Principles on Good Laboratory Practice. Paris: OECD. 1998. 14. European Commission. EudraLex - Volume 4 Good Manufacturing Practice (GMP) Guidelines, Chapter 1 Pharmaceutical Quality System. Brussels: European Commission. 2013. https://health.ec.europa.eu/document/download/e458c423-f564-4171- b344-030a461c567f_en?filename=vol4-chap1_2013-01_en.pdf 15. United States Food and Drug Administration. FDA Guidance for Industry Out of Specification Results. Rockville, MD: US Food and Drug Administration. 2006. https://www.fda.gov/media/71001/download 16. US Food and Drug Administration. FDA Guidance for Industry, Investigating Out-of Specification (OOS) Test Results for Pharmaceutical Production. Silver Spring. MD: US Food and Drug Administration. 2022. https://www.fda.gov/media/158416/ download About the author: Bob McDowall is an analytical chemist who has been involved with specifying laboratory informatics solutions for over 40 years and has nearly 35 years’ experience of computerized system validation in regulated GXP environments.