New GAMP® Data

Integrity Good

Practice Guidance

and Experience from

the Field

Connecting Pharmaceutical Knowledge ispe.org 2

Speakers

Sion Wyn Director, Conformity Ltd.

Sion Wyn is a well-known and internationally

acknowledged specialist in computer systems

validation and compliance and life-science

regulations in this field. He is the Editor of the ISPE

GAMP® 5 Guide: A Risk-Based Approach to

Compliant GxP Computerized Systems and received

the 2006 ISPE Professional Achievement Award for

his work.

Sion assisted the US Food and Drug Administration

(FDA) as a consultant with its re-examination of the

21 CFR Part 11 regulation on electronic records and

signatures and was a member of the core team that

produced the FDA Guidance on 21 CFR Part 11

Scope and Application.

Paul Moody Director, Supplier Quality, Alexion

Pharmaceuticals, Inc.

Paul is a well-known and respected specialist in life-

science regulations. He (ex HPRA) has over 20

years’ experience within the pharmaceutical and

medical device sectors with expertise in the area of

pharmaceutical regulation including data integrity.

New GAMP® Data Integrity Good Practice GuidanceSion WynDirector, Conformity Ltd

Connecting Pharmaceutical Knowledge ispe.org

Background and context - ISPE GAMP® Guidance on DI

Update on published and planned guidance

Some highlights and selected topics

4

Overview

Connecting Pharmaceutical Knowledge ispe.org 5

GAMP® Guide: Records & Data Integrity

Published March 2017

Stand-alone Guide, aligned to GAMP 5

Connecting Pharmaceutical Knowledge ispe.org 6

ISPE GAMP Leitfaden zur

Aufzeichnungs-und

Datenintegrität

ISPE GAMP Japanese translation

published October 2018

記録とデータのインテグリティガイド

Translations

Connecting Pharmaceutical Knowledge ispe.org

• … to encourage innovation and technological advance

while avoiding unacceptable risk to product quality, patient

safety, and public health

• … technological advance can improve data integrity and

promote better use of data for the benefit of the patient and

the public

7

Objective

Connecting Pharmaceutical Knowledge ispe.org 13

Key Concepts

Connecting Pharmaceutical Knowledge ispe.org

Application of appropriate controls to manage identified risks within

the context of the regulated process

Effort required to assess and manage risk should be commensurate

to the level of risk

Requires a full understanding of the regulated process to be

supported, including the intended use of data within the process

9

Applying GAMP® 5 Quality Risk Management, following ICH Q9…

14

Risk Management Approach

Connecting Pharmaceutical Knowledge ispe.org 10

Governance topics including:

• Leadership

• Culture

• Human Factors

• Roles and Responsibilities

• Policies, Standards, and

Procedures

• Maturity

Governance

Connecting Pharmaceutical Knowledge ispe.org

Maturity Model

11

Process Areas define the areas to be assessed, and for each

area defines the Maturity Factors to be assessed against

Maturity Level Characterization gives examples of possible or

typical states related to the levels

Example

Process Area

Example Maturity

FactorExample

Maturity Level Characterizations

Level 1 Level 2 Level 3 Level 4 Level 5

Data

Ownership

Clear ownership of

data and data-

related

responsibilities

Process,

system, and

data owners

not defined

Process,

system,

and data

owners

identified

in few

areas.

Process,

system, and

data owners

typically

defined in

many, but

not all cases,

and

responsibiliti

es not

always clear

Process,

system, and

data owners

are well

defined and

documented.

Process,

system,

and data

owner

responsibili

ties

considered

and

clarified

during

manageme

nt review.

Connecting Pharmaceutical Knowledge ispe.org12 26

Data Life Cycle

Connecting Pharmaceutical Knowledge ispe.org 13

Just Published!And Japanese translation…

Topics also in development

include:

• DI for medical devices

• Data life cycle including

archival and retention

• DI for clinical systems

2017

2018 2019

GAMP® Data Integrity Guidance

Connecting Pharmaceutical Knowledge ispe.org

Further Good Practice Guidance in four core areas:

• Data Governance

• Data Life Cycle

• Risk Management Approaches

• Critical Thinking

Supplemented by appendices: checklists, examples and case studies

14

Data Integrity GPG - Key Concepts

Connecting Pharmaceutical Knowledge ispe.org

Culture and Leadership

Interfaces

Tools, Checklists, and Examples

15

Aligned with the ISPE Cultural

Excellence Report (April 2017)

Building on approaches and principles from GAMP 5

and the GAMP Record and Data Integrity Guide

Building on GAMP® 5, the GAMP Record and Data

Integrity Guide, and the Cultural Excellence Report

Selected Topics and Highlights…

Connecting Pharmaceutical Knowledge ispe.org

“…a shift from reliance solely on regulatory compliance to an emphasis on continuous improvement in which

there is deep understanding throughout an organization of the elements critical to product quality.”

Culture and Organizational Maturity…

A move away from the traditional

‘culture of compliance’ towards a

‘culture of excellence’

Six

Dim

ensio

ns o

f C

ultura

l E

xcelle

nce

ISPE Cultural Excellence Report

Connecting Pharmaceutical Knowledge ispe.org

• Often custom (GAMP® Category 5) software components

– Requiring a well-planned specification, design, and verification

process

• Sample Structure of an Interface Requirements Specification

• Typical Data Integrity Issues Related to Data Interfaces

17

Risk / Lack / Issue Possible Causes Possible Mitigations or Controls

xxx xxx xxx

yyy yyy yyy

Interface Requirements

Specification

Section Descriptionxxx xxxyyy yyy

System Interfaces

Connecting Pharmaceutical Knowledge ispe.org

• Data Integrity Gemba Checklist for the Lab

• IMPACT* Tool Applied to Data Integrity

• Case Study Example Systems

– Clinical Trials, Medical Device Manufacture, Laboratory,

Spreadsheet, Process Control, Business Application

• Process and Data Mapping examples

– Use Cases, Flow Diagrams, Data Modelling, Data Flow Diagrams

• Example Data Classification System

18

*IMPACT: Identify goal, select the Measure,

Pinpoint the behaviour, Activate the

Consequences, Transfer knowledge…

Tools, Checklists, and Examples

Connecting Pharmaceutical Knowledge ispe.org

Terminology (including Data Audit Trails)

Data Flows and Data Lifecycles

Detecting and Managing DI Risks

19

Aligned with, and expanding on, the GAMP® Record and

Data Integrity Guide, as well as existing PCS and MES

GPGs

Building on approaches and principles from GAMP 5,

existing GAMP GPGs, and the GAMP Record and Data

Integrity Guide

Building on GAMP 5, the GAMP Record and Data

Integrity Guide, and The GAMP DI Key Concepts GPG

Selected Topics and Highlights

Connecting Pharmaceutical Knowledge ispe.org 20

Connecting Pharmaceutical Knowledge ispe.org 21

And Japanese translation…

Topics also in development

include:

• DI for medical devices

• Data life cycle including

archival and retention

• DI for clinical systems

2017

2018 2019

Recap – GAMP® Data Integrity Guidance

Just Published!

Connecting Pharmaceutical Knowledge ispe.org

Pragmatic interpretation of regulatory requirements

Identification and definition of real-world good practice

Support for new and innovative technologies

22

#1

What GAMP® Continues to Aim For!

Connecting Pharmaceutical Knowledge ispe.org

• … continue to encourage innovation and technological

advance while managing risk to product quality, patient

safety, and public health

• … continue to encourage technological advance to promote

better use of data for the benefit of the patient and the

public

23

Conclusions

Connecting Pharmaceutical Knowledge ispe.org

Poll Question

At what stage of the maturity model is your organization?

1. Level 1

2. Level 2

3. Level 3

4. Level 4

5. Level 5

24

Data Integrity:Some ObservationsPaul Moody

30 May 2019

Connecting Pharmaceutical Knowledge ISPE.org

Content

What is PIC/S?

Data Integrity: The Business Process

Some Observations: Small Chains

Some Observations: Connecting the Chains

Some Observations: Case Studies

26

All sample observations used in this presentation are publicly available

Connecting Pharmaceutical Knowledge ISPE.org

What is PIC/S?

Pharmaceutical Inspection Co-operation Scheme (PIC/S) was established in 1995

Regulators not industry with 52 participating authorities

International development, implementation and maintenance of harmonised GMP standards and quality systems of inspectorates in the field of medicinal products.

PIC/S GMP guidance adopted by some countries into their own.

(based on EU GMP Guide)

Non-binding, informal co-operative arrangement between Regulatory Authorities in the field of Good Manufacturing Practice (GMP) of medicinal products for human or veterinary use

Co-operation and networking between competent authorities, regional and international organisations, thus increasing mutual confidence

https://www.picscheme.org

Connecting Pharmaceutical Knowledge ISPE.org

PIC/S: A Repository for Regulators!

Data Integrity: The Business Process

Connecting Pharmaceutical Knowledge ISPE.org

Always Think of the Data Lifecycle…

Generation Processing Reporting CheckingDecision making

StorageRetiring

Discarding

Electronic Records Paper Records Procedures People Front & Back End

Connecting Pharmaceutical Knowledge ISPE.org

...and The Business Process

For validation a system boundary approach is typically utilised

• Equipment/instruments

• Application module

• Historian module

• Reporting module

• Archival/Back up

What is an appropriate system boundary for data?

• Computer System, Procedures, Manual Interfaces, Outsourcing etc?

• The Business Process…Production, QC?

Consider entire data lifecycle over entire business process in terms of data integrity i.e. generation to retiring

• Don’t forget back-end processes

• Data ‘chain of custody’

Tracing data through the data lifecycle – Joining the dots!

• Process complexity

• Process consistency (human/automation interfaces)

• Subjectivity of outcome/result e.g. a number or visual assessment

• Outcome of comparison between e-system and manual records

Some Observations: Small Chains

Connecting Pharmaceutical Knowledge ISPE.org

User Accounts

• It was possible for administrators to verify their own data recording in [ERP]. There were no procedural restrictions around this and was hence considered to increase the overall risk of the associated testing processes.

• The ‘system owner access level’ was not described.

• The removal of test accounts had not been considered by the company prior to the system going ‘live’.

• [ERP] access configurations for the job roles within the site was not adequately defined in that there was no documented correlation of roles to the user access elements defined by the Global SAP group.

Audit Trails

• Audit trail comments on [the CDS] were not always sufficiently detailed. For example, a number of changes were observed to have been made to the integration method utilised on [a test] on [a date] and these had a comment of ‘save’ documented.

• OS User Accounts were utilised to access the <system>. There was no periodic review of OS audit trails(logs) as appropriate and this was not justified.

Example: User Accounts & Audit Trails

33

Connecting Pharmaceutical Knowledge ISPE.org

Example: Validation

• The independent code review was not available for review during the inspection.

• The actual observed results were not always documented within the qualification records

• Electronic signatures data transfer process to the ERP system was not described in a procedure and was not qualified.

• There was no assessment of ERP database integrity.

• The documented rationale for not testing requirement [Electronic Signatures] was not considered to be justified in that the referenced documents disclaimer stated that the information should not be relied upon!

ERP system Qualification:

• not subjected to GxP assessment or qualification as appropriate.

Virtual Private Network software:

• no process for logging of media used to back up the server systems.

• maximum number of media uses for the magnetic tapes was not defined or controlled.

• All backup activities on the site were not procedurised. For example back up of the [Program] data from [Equipment] and back up of certain [Equipment] PLC code was performed on an ad-hoc basis using HDDs which were not stored in an appropriate location.

Data Back Up and Restoration

34

Some Observations…(or Connecting the Small Chains)

Connecting Pharmaceutical Knowledge ISPE.org

Example 1: Electronic Business Process

During a facility walkthrough tour it was noticed that the clock of the filter integrity tester (FIT) was 8 minutes slower than the Manufacturing Execution System (MES).

Question: “I wonder how this looks on the Electronic Batch Record…”

Team followed the data and metadata (timestamp) through the business process from system to system:

▪ Data utilised for batch related GMP decisions was pushed from the FIT to the MES Historian. The Electronic Batch Record selected its data from based on MES Historian timestamp.

▪ It was noted that in some cases it was possible to re-send ‘old’ tests from the instrument log by pressing the print key on the instrument log to the data Historian and these were assigned a Historian timestamp related to the “resend” date and not the original test execution date

▪ The test result and historian timestamp (not the instrument timestamp) were displayed to the Electronic Batch Record review screen.

Connecting Pharmaceutical Knowledge ISPE.org

Example 2: Hybrid Business Process

Looking at paper records it was noticed that some entries on a training record for visual inspection on a filling line were in the same handwriting for nine operators who documented that training occurred on a particular date.

Looked at the electronic batch log for the filling line on the training date for the timeframe specified

Normal processing activities (a production batch) were in progress on the line during the time period…

Some Observations…Case Studies

Connecting Pharmaceutical Knowledge ISPE.org

Case Study 1

A composite sample for a product was tested for water content and the result was also used in a “validated” HPLC Anhydrous Assay calculation by a chromatographic data system.

The water content result reported was out of specification.

This was investigated and a root cause was determined to be a labelling error. A new composite sample was created and the test repeated. The water content results were within specification.

Investigation complete and root cause assigned ☺

The company questioned how the HPLC Assay was within specification if the water content was OOS.

A second analyst executed a manual calculation in line with the example calculation presented in the test method.

An OOS assay result was obtained which was consistent to an in spec result of a different formulation of the same product.

Connecting Pharmaceutical Knowledge ISPE.org

Case Study 1

It was determined that the HPLC system included a capability to utilise additional fields in the processing sequence as multipliers, divisors and custom calculations for secondary processing of results.

A review of the chromatographic processing conducted by the original analyst on the original laboratory composite for the affected lot indicated that the analyst had utilised a divisor field to mathematically transform what would have been an OOS HPLC assay result to one within specification.

The investigation determined a number of personnel were involved.

Connecting Pharmaceutical Knowledge ISPE.org

Case Study 1: What did they do?

Unreleased Product was held.

Notification of authorities

Determined scope of issue

Conducted Health Hazard Evaluations

Execution of risk assessment to determine risks associated and determine mitigation of the risk to the process

Requalified analysts responsible for HPLC testing

Retesting of HPLC analyses for all lots on hold

Implementation of a system utilising a data review independent of the QC laboratory operations

Connecting Pharmaceutical Knowledge ISPE.org

Case Study 2

Company had completed data integrity assessments and mitigation within the production area.

New controls were implemented for the review of periodic qualification activities.

A review of the data for periodic qualification of a piece of equipment was performed.

Similarities with data printouts associated with the reports versus previous qualification activities were identified.

Determined that the same data (albeit slightly modified) was repackaged for subsequent qualifications.

Connecting Pharmaceutical Knowledge ISPE.org

Case Study 2: What did they do?

All unreleased product on hold and investigation raised

Notified Authorities

Requalified the equipment.

Assessed the impact of the issue on the validated state of equipment, on product manufactured and ultimately the Patient

To Conclude…

Connecting Pharmaceutical Knowledge ISPE.org

In Summary…

Understand the Criticality and Risk of data

Understand the Data Lifecycle is not just the e-data & computer system

Assess data integrity across the Business Process including the backend

Always Link the Chains…

Connecting Pharmaceutical Knowledge ispe.org 46

Q&A

Contact Information

Sion Wyn

Director, Conformity Ltd.

Email: sion.wyn@conform-it.com

Phone: +44 (0) 1492 642622

Paul Moody

Director, Supplier Quality, Alexion

Pharmaceuticals, Inc.

Email: Paul.Moody@alexion.com

Phone: +353 (0)1 564 9308

Upcoming Webinars

• 25 June 2019 - GAMP® Good Practice Guide for GxP

Compliant Lab Computerized Systems

• August 2019 – ISPE Baseline Guide: Commissioning

and Qualification (Second Edition) Review

Topic Ideas or Feedback?

Send to ispeak@ispe.org