Data Integrity and Data Governance - IFFiff.nu/_files/karen2016/dataintegrity1.pdf · Data...
Transcript of Data Integrity and Data Governance - IFFiff.nu/_files/karen2016/dataintegrity1.pdf · Data...
Data Integrity and Data Governance
Karen S Ginsbury
PCI Pharmaceutical Consulting Israel Ltd
We LIKE Problems!
Where are you likely to find data
integrity issues
Culture / VALUES
We don’t have data integrity issues here !!!
3
Have you ever…
Back dated a document
Filled in missing data
Replaced a page in a controlled document to correct a typo without changing the version number…BECAUSE YOU CAN and not because you are a wicked person – unconscious…or conscious incompetence?
Write down three elements of a
data governance plan
Who would you say is…
The most dangerous department in your company wrt DI?
What is the role of the QU
What is the role of the rest of the company especially VPs in DI
Data Integrity
Types of data fraud
‘Tidying’ Wilful falsification
8
What is your overarching value?
What is your most important moral principle and why?
What is your CEO’s / Chairman of the Board of Director’s most important moral principle and why?
Are you “scared” of your boss?
Or can you tell her / him anything – open line of communication?
Definitions
True / truthin accordance with fact
or realityaccurate or exact
synonyms: correct, accurate, right, verifiable, in accordance with the facts, what actually / really happened, well-documented
Liea false or inaccurate
statement made withdeliberate intent to deceive
an intentional untruth
a falsehood
Synonyms: prevarication, falsification
Before… and After
Truth / Lie
Good/Bad
The obscuring of
intended meaning in
communication, making
the message confusing,
willfully ambiguous, or
harder to understand.
(Genuine? Measureable)Value / Values
• Worth, merit, esteem
• A worthy moral position or principle
Integrity?Honesty?
Transparency?
BUZZWORD?
Truth?
Integrity
the quality of being honest and having strong moral principles; moral uprightness
the state of being whole and undivided
synonyms: honesty, probity, rectitude, honor, good character, principle(s), ethics, morals, righteousness, morality, virtue, decency, fairness, scrupulousness, sincerity, truthfulness, trustworthiness
Objective (of a person or their
judgment)
not influenced by personal feelings or opinions in considering and representing facts.
synonyms: impartial, unbiased, unprejudiced, nonpartisan, disinterested, neutral, uninvolved, even-handed, equitable, fair, fair-minded, just, open-minded, dispassionate, detached, neutral
Antonym: subjective
How many opportunities for cheating?
Karen Ginsbury, MSc, BPharm (MRPharms????)
CEO, PCI Pharmaceutical Consulting Israel Ltd
Karen Ginsbury is a London, UK trained pharmacist with a second degree in
Microbiology. With close to 30 years’ experience in the pharmaceutical industry, Karen is
a quality practitioner with a passion for doing things right and once only. She runs a
boutique quality systems consultancy offering services to companies who want to set-up,
maintain and constantly improve their quality management systems. Regularly lecturing
in Israel and around the world, Karen also serves on international professional
committees and is co-chair of PDA’s pharmacopoeial interest group. In these and other
capacities Karen benchmarks best practices around the globe in order to share them
with her audiences. Double space or single space? Cherry picking???
ו"ל–ה "ל: ט"ויקרא י Leviticus 19:35 – 36
calibrate your decision making process
35 Do no unrighteousness in judgment, in weight, or in measure.
36 You shall have just balances, just weights..
פט תעשו -לאלה ש דהעול במ קל במ ש שורהבמ ובמ
ני צדק לו נימאז ין צדק -אב ה יה לכםצדקאיפת צדק ו ה י
The behaviors, beliefs and values characteristic of a particular group
Culture is:
Transmitted actively by defining:
Mission
Goals
Metrics – need to measure / check if goals are understood and met
Transmitted passively and often subconsciously by behavior, body language, facial expressions and other actions
Culture, Integrity, Metrics…
18
Responsibility Authority
Responsibility vs Authority
Responsibility Authority
Having the duty to perform a task
Being accountable for performing that task
Having control over the performance of the task
Without “additional” authorization
The power or right to give orders, make decisions, and enforce obedience
Within the framework of a company or organization which includes the values of that company
Responsibility Authority
YOUR duty to:
Keep management informed
Request and insist on appropriate resources
Take action if authority is not granted
must be granted by:
Your manager
AND they must allow you to perform your responsibilities without interference and with appropriate resources
Data Governance – Policy and
Metrics
Establish a policy
Measure its implementation
Improve the policy
Measure its effectiveness
Data Governance Policy
Values:The Officers of this company expect every employee to provide accurate, complete and contemporaneous (real-time) records of activities and to perform all tasks with integrity when no one is looking
Tools:Managers are expected to provide staff with the means to allow them to perform their tasks with integrity, to collect, analyze and report data accurately, completely and on real-time including but not limited to:
Tools to be provided:
Access to accurate clocks for recording timed events
Accessibility of batch records / laboratory worksheets / notebooks at locations where activities take place so that ad hoc data recording and later transcription to official records is not necessary
Control over blank paper templates for data recording
User access rights which prevent (or audit trail) data amendments
Automated data capture or printers attached to equipment such as balances
Proximity of printers to relevant activities
Access to raw data for staff performing data checking activities
Data Governance
Should address data ownership throughout the lifecycle, and consider the design, operation and monitoring of processes / systems in order to comply with the principles of data integrity including control over intentional and unintentional changes to information
Data Governance
Systems should include:staff training in the importance of data integrity
principles
the creation of a working environment that encourages an open reporting culture for errors, omissions and aberrant results
Data integrity audits by objective experts
Reporting to and correction of data integrity audit findings by MOST senior management, including assessment regarding need for notification of regulators / product recall? Other mitigation
Data Governance
Senior management is responsible for the implementation of systems and procedures to minimise the potential risk to data integrity, and for identifying the residual risk
Contract Givers should perform a similar review as part of their vendor assurance program
How to Leverage Culture?
Take out the good
Reshape the not so good
Talk – open communication channels and educate rather than audit
Discuss rather than impose
How do you educate senior management
29
WE ARE ALL SUBJECTIVE
Data Integrity Code of Conduct
Currently being developed by FDA
Annual signature of all employees that they are aware of it and followed it…what about MOST senior management / officers of the company???
Culture?
What is data integrity
a true representation of the process or measurement that occurred made on “real time” (contemporaneous), accurate, legible and complete
Integrity in data:
capture: manual recording/ printout / LIMs / ERP…
accuracy: number of digits after decimal place, legibility, space on form and clarity of form
selection / inclusion / exclusion criteria
analysis e.g. statistical method
representation e.g. summaries, tables, graphs and charts, reports, conclusions
MHRA Data Integrity Guidance
Systems designed to encourage compliance with principles of data integrity:
Access to clocks for recording timed events
Accessibility of batch records at locations where activities take place so that ad hoc data recording and later transcription to official records is not necessary
Control over blank paper templates for data recording
User access rights which prevent (or audit trail) data amendments
Automated data capture or printers attached to equipment such as balances
Proximity of printers to relevant activities
Access to raw data for staff performing data checking activities
Ignorant, Sloppy or Just BAD? Nature or Nurture? Motive: Intent to deceive?
Warning letters
1. Failure to record all quality activities at the time they are performed.
a. a production employee had recorded the final packed quantity of the batch in
Step 5.7, even though the quantity was not yet known because the operator had not
yet weighed the batch. Immediately after observing the incident, the investigator
requested a copy of page 6 containing Step 5.7 and was given a photocopy. A full
batch record provided later that day did not include the original page 6. Instead it
included a new version of page 6.
b. The investigator observed at least two examples when a manufacturing step was
recorded in the batch record before it occurred:
i. The production operator recorded the start time for step 6.2 as 12:15 on October
26, 2012, although it was still 11:00 when our investigator noticed this situation.
ii. at approximately 11:00 on the same date, a production officer had already
recorded the material used for the API although the step had not yet
occurred. The material had not yet been weighed.
Warning letters
a. The inspection documented that HPLC processing methods (including
integration parameters) and re-integrations are executed without a pre-defined,
scientifically valid procedure. Your analytical methods are not locked to ensure
that the same integration parameters are used on each analysis. A QC operator
interviewed during the inspection stated that integrations are performed and re-
performed until the chromatographic peaks are “good”, but was unable to provide
an explanation for the manner in which integration is performed. Moreover, your
firm does not have a procedure for the saving of processing methods used for
integration.
Your response did not include a description of the method by which
chromatograph integrations are to be performed (e.g., what constitutes a
chromatographic peak, how shoulder peaks are to be handled, etc.). In addition,
your response did not include an audit of past chromatographic data to determine
whether data used to support release and stability studies originated from
appropriately integrated chromatograms.
Warning letters
a QC analyst had recorded completion times of
laboratory analyses that had not yet
occurred. Specifically, a Loss on Drying (LOD) analysis
was performed at approximately 10:55 AM. The
investigator noted that the analyst had already
recorded the completion time for three samples
although the step was not yet completed. Our
investigator asked the analyst why he recorded the
completion time for each of the three samples if the
step was still in progress. The analyst did not offer an
explanation. Moreover, our investigator also found that
weights for these three samples were recorded on
blank pieces of paper and not directly onto the test
data sheets.
Warning letters
Your response stated that a new SOP has been created to address
this issue and that training on this SOP has occurred. Your response
did not address the extent of this practice, the impact on the
quality of the product and why your laboratory management
failed to detect this practice. Your response also provided no
actions to improve oversight by your quality unit (e.g.,
independence, authority, resources). The above practices raise concerns regarding the reliability and accuracy of the data
generated at your firm, including any other inappropriate data-
related practices permitted by your firm when an inspection is not
in progress.
In response to this letter, provide a summary of your full assessment
of all the raw data recorded on each of the batch production and QC laboratory analytical records for the APIs intended for the US market to ensure their reliability.
Warning letters
• The audit trail function for the chromatographic systems was disabled
at the time of the inspection; therefore, there is no record for the
acquisition of data or modifications to laboratory data. Your response
to this deficiency did not discuss how you will ensure that data audit
trails will not be disrupted in the future.
• your firm failed to have adequate procedures for the use of
computerized systems used in the QC laboratory. At the time of the
inspections, your QC laboratory personnel shared the same username
and password for the operating systems and analytical software on
each workstation in the QC laboratory. In addition, no computer lock
mechanism had been configured to prevent unauthorized access to
the operating system. The investigator noticed that the current QC
computer users are able to delete data. In addition, the investigator
found that there is no audit trail or trace in the operating system to
document deletions.
Warning letters
• the use of the Excel® spreadsheets in analytical calculations are
neither controlled nor protected from modifications or deletion. The
investigator noticed that the calculation for residual solvent uses an
Excel spreadsheet that has not been qualified. We are concerned
about the data generated by your QC laboratory from non-qualified
and uncontrolled Excel spreadsheets.
In response to this letter, provide a retrospective evaluation of the
analytical values reported where such Excel spreadsheets have been
used.
Warning letters…You are
responsible!
Unofficial Testing
b. Your firm frequently performs “unofficial testing” of samples, disregards the results, and reports results from additional tests. For example, during stability testing, your firm tested a batch sample six times and subsequently deleted this data.
You performed “trial” sample HPLC analyses prior to acquiring the “official” analyses. The “trial” results were subsequently discarded. “Trial” HPLC analyses were apparently run as part of the 12-month long-term stability studies on batch #15069 for related substances. Your employee ran an HPLC analysis sequence and subsequently deleted the raw data files. Your quality control staff named the samples using the last three digits of the batch numbers to link the "trial" injections with the official assay analyses. Your Senior Quality Control (QC) Officer confirmed these were analyses of batch samples. Furthermore, we found that this batch was analyzed for unknown impurities and results reported as within specifications. However, the data showed that the "trial" injection for this batch failed the unknown impurities specification in several test runs.
Your Senior QC Officer confirmed that QC laboratory employees had frequently practiced the use of “trial” injections at your facility. Significantly, in addition to the example above, our inspection found 5,301 deleted chromatograms on a computer used to operate two HLPC instruments in your QC laboratory. Many of these files were “trial” injections of batches.
Vagueness in procedures
An opening / gap for analyst to do as they please
What is data integrity
Data Integrity: Determines whether the information being measured truly represents the desired attribute
Data Accuracy: Determines the degree to which individual or average measurements agree with an accepted standard or reference value
Data Integrity
Strive for truth
If making a measurement I want to get to the true value
What is the true value?
MHRA
Data Governance System PACA
Policy (PA)Training in the importance of data integrity
SOPs
Technical (e.g. computer system access) controls
The degree of effort and resource applied to the organisational and technical control of data lifecycle elements should be commensurate with its criticality in terms of impact to product quality attributes
Audit (look for error or distortion)may be deliberate or inadvertent (bias / subjectivity)
Improvement (CA)
Questions to ask /answer for audit
Use a process flow of the production / test process and step by step ask what is done and how it is captured accurately on real time
What are you doing
Why are you doing it
How do you do it
What are the steps and how and by whom are they documented
Who verifies the steps and how
Can raw data be changed? What evidence remains
Retained sample?
how long are EM plates kept after reading – where is this written, where are they stored and how often do you audit it?)
Case study
Head of QC laboratory approves plate counts for cleanroom. Documentation shows results for two temperatures of incubation and signature and date of microbiologist who read the results
Are there potential DI issues?
Data Integrity Audit
What questions would you ask?
Data integrity audit
Validate measurement system
Questions:
Weights – printouts? Lying around? Or immediately pasted to notebook
Media preparation – mixing time? pH?
Are there notebooks? Or loose sheets
Conform / not conform pass / fail
Counting of colonies – qualification and oversight?
Deviations – who decides if a “dropped / cracked” plate is binned?
Who incubated the plates – who read them at 22˚C and transferred to 35 – who read them at the end of the period – where is that documented
Computerized Spreadsheets
Error in / incorrect formula
Spreadsheet not protected or locked
Data loss through inadvertent or intentional deletion, errors, computer issues
Omitted, added or altered information
Entry / transcription errors
What is Culture?
What is Culture?
“DO what I DO” not “DO what I SAY” – Leadership is setting an example there is no “different” rule for the boss – it doesn’t work
Observable Actions and Behaviors
Unwritten rules – “the way we do things around here”
Culture and leadership are inseparable / interdependent. Senior leaders say, do and reward behaviorsthat create culture and allow for or derail change
Quality Culture – Do What I do
Case Study
Production Head at a contract laboratory has an audit from a customer
“Can I see the batch record for our product which was manufactured three weeks ago?”
Sorry, I haven’t reviewed them yet and we don’t show unreviewed results
Quality Culture and DI
Strive for Truth
What you do matters
It takes years to create a quality culture:“Unconscious competence”
It takes only one or two actions (sometimes unconscious) to destroy the culture and unconscious competence needs investment of energy to maintain it (for experienced and new staff)
There are some “bad sorts” but they are rare
Data integrity audits and the
role of the Quality Unit
Educate
Show others what is unacceptable
Show them how to correct bad practices
Integrate automated methods for data integrity which cannot be bypassed
In Conclusion...
In Conclusion:
Strive for Truth
Know the basic concepts of Data Integrity
Know when to conduct data integrity auditsFormal: internal audit program
On-the-spot: sometimes and whenever a problem is suspected
Recognize that data integrity audits should evaluate reliability and validity of the data collection, analysis and reportable result presentation and evaluation for pass / fail specification
PCI’ ethics policy
PCI’s data governance plan
Quick look
THANK YOU FOR
PARTICIPATING
Questions?