50 Pharmaceutical Technology REGULATORY SOURCEBOOK MARCH 2021 P h a r mTe c h . c o m
Any steps taken to mitigate a data-integrity risk should be
assessed to determine its appropriateness in the context of
the criticality of the gap between desired and actual practice.
The UK's Medicines and Healthcare products Regulatory Agency
defines critical risks
as those that would potentially allow data
or metadata to be "deleted, amended or excluded without
authorization" (2). FDA's guidance echoes this emphasis, high-
lighting the importance of data integrity throughout the
CGMP data life cycle, from creation, through modification,
processing, maintenance, archival, and on through retrieval,
transmission, and disposition after the period required for
data retention ends (3).
A risk-assessment tool (Figure 1) developed by the GMP
Working Group features sections for system control and ac-
cess; data protection, controls, and regulatory compliance;
audit trails, metadata, and data review; archival, retrieval,
back-up, disaster recovery, and contingency plans; and elec-
tronic signatures (4).
The tool, which consists of a summary followed by a tab-
ular presentation, provides a check list to achieve harmoni-
zation in how data integrity evaluation is performed within
and across pharmaceutical industry. It also helps ensure
facilities can demonstrate compliance during inspections.
The entire tool—or selected sections—can be used by
pharmaceutical firms to evaluate instrument/software sys-
tems prior to purchasing, or by vendors to understand the
expectations of pharmaceutical companies. This evaluation
should consider any mitigations and interim actions iden-
tified in the risk assessment. The tool also may be useful in
managing third-party laboratories and vendors that service
equipment and in drafting technical quality agreements
with these organizations.
Modernization US GLP regulations
In August 2016, FDA published proposed amendments to regu-
lations for GLPs for nonclinical laboratory studies;
the stated pur-
pose was to build quality into planning, conducting, and
reporting a nonclinical laboratory study and to help ensure
data quality and integrity (5).
A GLP Working Group (WG) was formed from IQ member
companies to evaluate FDA's proposed changes, an effort that
aligns with the organization's strategic objectives to proac-
tively build consensus with global regulators on issues and
opportunities to advance innovation and quality in phar-
maceutical development. The goal of the Quality LG's work
in responding to the proposed GLP changes was to provide
broad industry perspective from member companies to FDA
to reduce any regulatory burden that may stif le innovation
in the pharmaceutical industry.
After several months of evaluation of the proposed changes,
the GLP WG concluded the proposed rule imposed undue
burden and complexity upon the pharmaceutical industry
and encouraged FDA to work in collaboration with industry
to develop a new proposed rule. Some changes proposed by
FDA were positive, including refined definitions; removing
requirement to retain empty test article containers; clarify-
ing ownership of the master schedule; quality assurance unit
(QAU) access to protocols rather than maintaining a copy;
data integrity; definition of raw data, specifically defining
signed and dated pathology report as raw data; and archiving
all study material no later than two weeks after the close of
the study. Another positive addition was the inclusion of
attributes of Organization for Economic Co-operation and
Development principals in support of conduct of multi-site
studies conducted at contract research organizations.
Challenges with proposed regulations
The IQ GLP WG evaluation of proposed changes found five
significant challenges.
Significant increase in administrative burden. The following
were determined by the WG to be significantly underesti-
mated or not considered:
• Requirements related to standard operating procedure
(SOP) development
Quality Collaboration
Summary Click here to enter text.
# Questions Responses Comments,
mitigation of risk
Yes No N/A Guidance
System control and access
1.1 Is Access to the system via individual login
credentials made up of a combination of a
unique user id and user generated
password?
☐ ☐ ☐
Use of generic passwords (when
absolutely necessary) should be
procedurally controlled.
Click here to enter
text.
1.2 Are any non-person system accounts
(generic accounts), such as those shipped
with the system, or service accounts,
disabled?
☐ ☐ ☐
Accounts should be turned off, disabled,
or have access revoked if determined to
be unnecessary for system operations.
If such accounts should be used to run
the application, then procedure should
specify that activities performed under
such account are traceable to the
individual who performed the activities
in an automated manner.
Click here to enter
text.
Figure 1. Excerpt from the data integrity tool.
FIGURE
COURTESY
OF
THE
AUTHORS.
