Post on 10-Jun-2018
transcript
Indice della presentazione
1. Il recente «boom» del data integrity nel contesto regolatorio internazionale
2. Data integrity e i princìpi ALCOA
3. Panoramica sui documenti di riferimento (data integrity)
4. «Low hanging fruits»
5. Esempi di non conformità (ispezioni ufficio 5 DGSAF)
2015
• MHRA - Data Integrity Definitions and Guidance for Industry• WHO - Guidance on good data and record management
practices
2016
• EMA - Questions and answers: Good manufacturing practice
• FDA - Data integrity and compliance with CGMP (già comunque presente nel 21 CFR part 11)
• PICS - Good practices for data management and integrity in regulated GMP/GDP environments
Il recente «boom» del data integrity
nel contesto regolatorio internazionale
Data integrity: novità 2017
ISPE:
Good automated manufacturing practice (GAMP) is both a
technical subcommittee of the International Society for
pharmaceutical Engineering (ISPE) and a set of guidelines for
manufacturers and users of automated systems in the
pharmaceutical industry.[
MHRA - Data Integrity Definitions and Guidance for Industry:
“The extent to which all data are complete, consistent and accurate throughout the data lifecycle.”
WHO - guidance on good data and record management practices:
“Data integrity is the degree to which a collection of data is complete, consistent and accurate throughout the data lifecycle. The collected data should be attributable, legible, contemporaneously recorded, original or a true copy, and accurate”.
Data integrity : definizioni
FDA – Data integrity and compliance with CGMP:
• For the purposes of this guidance, data integrity refers to the completeness,consistency, and accuracy of data.
• Complete, consistent, and accurate data should be attributable, legible,contemporaneously recorded, original and accurate (ALCOA)
PICS – good practices for data management and integrity in regulated GMP/GDP environments:
• Data Integrity is defined as “the extent to which all data are complete, consistent and accurate, throughout the data lifecycle” .
• Data integrity applies to all elements of the Quality Management System and the principles herein apply equally to data generated by electronic and paper-based systems.
Data integrity: definizioni
Data governance Data governance is the sum total of arrangements
which provide assurance of data integrity. These
arrangements ensure that data, irrespective of the
process, format or technology in which it is generated,
recorded, processed, retained, retrieved and used will
ensure a complete, consistent and accurate record
throughout the data lifecycle.
Data lifecycle Data lifecycle refers to how data is generated,
processed, reported, checked, used for decision-
making, stored and finally discarded at the end of the
retention period.
(2016 PICS - Good practices for data management and
integrity in regulated GMP/GDP environments)
Data integrity: concetti correlati
Data
Lifecycle
Attributable
Legible
Contemporaneous
Original
Accurate
• Tra i primi sostenitori del principio: Stan Woollen – FDA
• Definito dalla linea guida WHO come : A commonly used acronym short
for “accurate, legible, contemporaneous, original and attributable.
• Principio ripreso in (esempi): Concept paper on clinical trials – EMA
Allegati alle GAMP (ALCOA+)
EMA Q&A on good manufacturing practices
Data integrity e i princìpi ALCOA
http://www.ema.europa.eu/ema/index.jsp?curl=pages/regulation/q_and_a/q_and_a_detail_000027.jsp#section18
EMA - Good manufacturing practice - (Agosto 2016)
The main regulatory expectation for data
integrity is to comply with the requirement of
ALCOA principles. The table below provides
for each ALCOA principle the link to EU GMP
references (Part I, Part II and Annex 11)
EMA
12.4 Management systems for data and for documents should be designed to
record the identity of operators entering , changing, confirming or deleting
data including date and time
7.1 Data should be secured by both physical and electronic means against damage.
Stored data should be checked for accessibility, readability and accuracy. Access
to data should be ensured throughout the retention period.
EMA
Senior management should ensure that data integrity risk is
assessed, mitigated and communicated in accordance with
the principles of quality risk management. The effort and
resource assigned to data integrity measures should be
commensurate with the risk to product quality, and balanced
with other quality assurance resource demands.
Data risk assessment should consider the vulnerability of data
to involuntary or deliberate amendment, deletion or
recreation. Control measures which prevent unauthorised
activity and increase visibility / detectability can be used as
risk mitigating actions
EMA
The decision which data influences may differ in importance, and theimpact of the data to a decision may also vary. Points to consider regardingdata criticality include:
• What decision does the data influence?
For example: when making a batch release decision, data which determinescompliance with critical quality attributes is of greater importance thanwarehouse cleaning records.
• What is the impact of the data to product quality or safety?
For example: for an oral tablet, active substance assay data is of greaterimpact to product quality and safety than tablet dimensions’ data
It may be beneficial to provide a summary document which outlines theorganization’s total approach to data governance
EMA
Computerised systems should be
designed in a way that ensures
compliance with the principles of data
integrity. The system design should make
provisions such that original data cannot
be deleted and for the retention of audit
trails reflecting changes made to original
data
EMA
Data integrity - Electronic
The following expectations should be considered
where appropriate, based on data risk and criticality:
• enable traceability for issuance of the blank form by
using a bound logbook with numbered pages or other
appropriate system. For loose leaf template forms,
the distribution date, a sequential issuing number, the
number of the copies distributed, the department
name where the blank forms are distributed, etc.
should be known
• Distributed copies should be designed to avoid
photocoping either by using a secure stamp, or by
the use of paper colour code not available in the
working areas or another appropriate system
EMA
Data integrity - Paper
Designing systems to assure data quality and integrity (1/2)
Systems and processes should be designed in a way that encouragescompliance with the principles of data integrity. Consideration shouldbe given to ease of access, usability and location whilst ensuringappropriate control of the activity guided by the criticality of the data.
Examples include:
• Access to appropriately controlled / synchronised clocks for recording timed events.
• Accessibility of records at locations where activities take place so that ad hoc data recording and later transcription to official records is not necessary.
• User access rights that prevent (or audit trail) unauthorised data amendments
• Automated data capture or printers attached to equipment such as balances (or double check?)
MHRA - Data Integrity Definitions and Guidance for Industry
Designing systems to assure data quality and integrity (2/2)
• The use of scribes to record activity on behalf of another operator should be considered ‘exceptional’, and only take place where the act of contemporaneous recording compromises the product or activity e.g. documenting line interventions by sterile operators.
• …..the supervisory recording should be contemporaneous with the task being performed, and should identify both the person performing the task and the person completing the record. The person performing the task should countersign the record wherever possible, although it is accepted that this countersigning step will be retrospective.
MHRA - Data Integrity Definitions and Guidance for Industry
Risk assessments should focus on a business process
(e.g. production, QC), evaluate data flows and the
methods of generating data, and not just consider IT
system functionality or complexity. Factors to consider
include:
• Process complexity;
• Methods of generating, storing and retiring data and
their ability to ensure data accuracy, legibility,
indelibility;
• Process consistency and degree of automation /
human interaction;
• For computerised systems, manual interfaces with IT
systems should be considered in the risk assessment
process. Computerised system validation in isolation
may not result in low data integrity risk, in particular
when the user is able to influence the reporting of
data from the validated system.
PICS - Good practices for data management and integrity in regulated GMP/GDP environments
Data governance system review
• The effectiveness of data integrity control measures should
be assessed periodically as part of self-inspection (internal
audit) or other periodic review processes. This should ensure
that controls over the data lifecycle are operating as
intended.
• In addition to routine data verification checks, self-inspection
activities should be extended to a wider review of control
measures, including a check of continued personnel
understanding of data integrity …………. e.g. by review of
continued training in data integrity principles and
expectations.
PICS - Good practices for data management and integrity in regulated GMP/GDP environments
What is an “audit trail”?
• Audit trail means a secure, computer-generated, time-stamped electronic record that allows
for reconstruction of the course of events relating to the creation, modification, deletion of an
electronic record.
• For example, the audit trail for a high performance liquid chromatography (HPLC) run could
include the username, date/time of the run, the integration parameters used, and details of a
reprocessing, if any, including change justification for the reprocessing.
• Electronic audit trails include those that track creation, modification, or deletion of data (such
as processing parameters and results) and those that track actions at the record or system level
(such as attempts to access the system or rename or delete a file).
FDA – Data integrity and compliance with CGMP
FDA – Data integrity and compliance with CGMP
How often should audit trails be reviewed?
FDA recommends that audit trails that capture changes to critical data be
reviewed with each record and before final approval of the record. FDA
recommends routine scheduled audit trail review based on the complexity of
the system and its intended use.
Who should review audit trails?
……… all production and control records, which includes audit trails, must
be reviewed and approved by the quality unit .
8 TRAINING IN GOOD DATA AND RECORD
MANAGEMENT
Personnel should be trained in data integrity policies and agree to
abide by them.
Management should ensure personnel are trained to understand
and distinguish between proper and improper conduct, including
deliberate falsification and potential consequences.
In addition, key personnel, including managers, supervisors and
quality unit personnel, should be trained in measures to prevent
and detect data issues. This may require specific training in
evaluating the configuration settings and reviewing electronic data
and metadata, such as audit trails. For example, the quality unit
should learn how to evaluate configuration settings that may
intentionally or unintentionally allow data to be overwritten or
obscured through the use of hidden fields or data annotation
tools.
Management should also ensure that, at the time of hire and
periodically afterwards as needed, all personnel are trained in
procedures to ensure GDP for both paper and electronic records
WHO: guidance on good data and record management practices
Cattiva gestione degli accessi ai dati
• Passwords condivise
• Nessun controllo degli accessi ai sistemi GXP
• Mancanza di un adeguato sistema di assegnazionedei privilegi di accesso ai sistemi informatici (es. analisti con il profilo di amministratore)
• Gli operatori possono cambiare le “ricette” (produzione, cleaning) senza un adeguato controllo
• Non sono effettuati test per il recupero dati
Low hanging fruits …….
Mancata revisione dei dati elettronici e dei meta-dati critici
• I dati di laboratorio non sono sottoposti a revisione (es. (re)
integrazioni di picchi cromatografici o ripetizione di corse
cromatografiche)
• In generale le variazioni di dati analitici non sono sottoposte a
valutazione
Gli Audit trails non sono abilitati o vengono abilitati e disabilitati.Quindi:• Non è possibile garantire che tutti i dati siano disponibili per una
corretta revisione• E’ possibile mettere in discussione l’autenticità dei dati
Il controllo di data e ora non è gestito con adeguati livelli di sicurezza
Low hanging fruits …….
• Registrazioni manuali: durante la visita sono stati riscontrati documenti di
vario contenuto riportanti registrazioni manuali di difficile lettura o mancanti,
correzioni non conformi alle GMP (es. registri bilance) e registrazioni dello
stesso dato discordanti tra vari documenti (es. registro analista e scheda
prodotto XYZ)
• Le etichette che si appongono sui contenitori in magazzino per confermare
l’avvenuto campionamento non prevedono l’apposizione della firma di chi ha
eseguito il campionamento e la relativa data.
• SOP XYZ “gestione impianto acqua purificata”: ……. le specifiche di
riferimento per il test dei nitrati e per quello dei metalli pesanti, da effettuarsi
sull’acqua purificata, sono invertite tra loro
Esempi di non conformità (ispezioni ufficio 5 DGSAF)
• Laboratorio controllo qualità - registro campioni : (i) il registro contiene
l’indicazione dell’arrivo di campioni di XYZ (lotto 123) in data 13 settembre
mentre tali campioni sono stati consegnati al laboratorio in data 14
settembre
• Magazzino materie prime: il log book materie prime del magazzino riporta
dei dati inseriti a penna senza che sia identificata la persona che ha inserito
tali dati
• Dall’analisi dei dati inseriti nel sistema di gestione elettronica dei dati di
laboratorio (LIMS) è emerso che il valore del titolo di due campioni è stato
corretto dall’operatrice. Per uno dei campioni appartenenti al liofilizzatore B
è stato inserito erroneamente il valore di un campione del liofilizzatore A e la
correzione è stata tracciata e giustificata nel sistema. Per un altro campione
è stato invece inserito erroneamente ………… In questo secondo caso
l’operatrice ha omesso di inserire una nota nel relativo campo note
associato alla registrazione della variazione del dato.
Esempi di non conformità (ispezioni ufficio 5 DGSAF)
In conclusione…punti da ricordare:
Il concetto di data integrity:
• è inserito nel contesto più ampio della data governance
• è basato su criteri di gestione del rischio (cui sono associati i dati)
• è l’applicazione dei principi ALCOA (+)
• già esiste nelle GMP (parte 1, parte 2, allegato 11)
• non si applica solo alle analisi di laboratorio / ai dati elettronici ma a tutte le
tipologie di dati ed attività che prevedono la generazione di dati
• non può prescindere dalla mentalità / formazione delle persone
• può essere inizialmente approcciato «cogliendo» i low hanging fruits