Warning letter / Medgel / July 2023 /Lapses in Quality oversight, Data integrity

Observation 2

Failure of Quality Unit to exercise its responsibilities, adequate oversight over drug manufacturing operations to ensure cGMP compliance. Inadequate controls in:

• Access to master batch records; issuance of batch records
• Correction and disposal of cGMP documentation
• Contemporaneous documentation – Microbiological plates discarded before recording of data
• Ensuring Data Integrity. User name and password in analytical instruments (shared username/passwords)
• Procedure for review of raw data and audit trails

The CAPAs proposed in the Firm’s response are not comprehensive and were specific to issues FDA noted. The observation of non-contemporaneous documentation of microbiological data is a repeat observation, showing CAPAs are inadequate, not comprehensive and ineffective.

The Firm is asked to do a comprehensive assessment of extent of data integrity issues, risk to patients due to data integrity issues on products distributed, analyse risks to ongoing operations and provide a global strategy and CAPA plan to ensure the reliability and completeness of all data generated by the Firm. 

Control of documents and electronic data is fundamental to GMP, crucial to data integrity and compliance with regulatory requirements. Data integrity is not only about manipulation or falsification of data, it encompasses a broader spectrum of issues. Situations and system inadequacies that can result in loss of data, uncontrolled access to documents and data with scope for documents to be replaced, discarded without traceability, inadequate data traceability and authenticity, non-contemporaneous documentation, absence of audit trail and review of audit trail, inadequate control of electronic data, sharing of username and passwords, inadequate review of raw data all fall under the umbrella of data integrity.

ICH Q7A guideline, Section VI, defines requirements for control of documents and records in detail – System-procedure driving all documentation, Version and Revision control, identification & traceability, retention of records, authenticity, indelible recording of data. USFDA Part 11 and Eudralex (EUGMP) Annexure 11 details the requirements for control over electronic data and computer systems – user access controls, password controls,  data review and audit trails, data archival and back up, data loss /deletion (Refer, Computer systems validation (CSV), Electronic Data Controls in Guidelines page @ https://qvents.in/guidelines/ for comprehensive list of guidelines on electronic data controls)

• Access to master batch records; issuance of batch records: Access to master batch records (and all masters – SOPs, Forms) should be controlled to only authorised persons. System shall be in place for issuance of batch records (and other working documents and forms) with controls to prevent loss of document authenticity, duplication and copying of documents
  • e.g. each page of the issued batch record to carry a issuance signature, or seal or pages with different colour /texture than commonly available,
  • retrieval and reconciliation (including regular retrieval of nonexecuted batch records and reconciliation to prevent misuse).
• Correction and disposal of cGMP documentation: Regulatory expectations and QMS requirements for correction of entries in cGMP documents is very clear “Corrections to entries should be dated and signed and leave the original entry still legible” (ICH Q7A, Section VI). What is being corrected is also important – transposition errors, e.g.: correcting an entry of 252.2 to 25.22 or error in writing a date as 02/07/2022 instead of 02/08/2022 for an activity performed on 2 Aug 2022 are understandable. But if there is a correction of weight from say 51.25mg to 50.25mg in an analytical worksheet when former value result in OOS in assay, correcting a time entry as 12.05hrs from 12.55 hrs, raise obvious concerns. Desist from suspicious corrections and if it is a genuine correction, it should be fully justified and supported by other evidences. Establish procedures addressing good documentation practices including correction of records, Dos and Don’ts and train employees regularly.

Disposal of cGMP documents should be a controlled activity. Firms use paper shredders, access to these shredders should be controlled and limited to authorised persons. All shredding activity shall be logged in a shredder machine logbook with recording what is being shredded. If an auditor picks a piece of GMP document or paper from anywhere in the site – waste bins, scrap yard, table drawers or cupboards site team should be able to fully explain the presence of the paper with its traceability. We know Data Integrity is the most severe of all types of observations. It’s about trust – trust in the site personnel, trust in the Firm….Why take any chance!!!

• Contemporaneous documentation – Contemporaneous documentation, a pillar of Data Integrity, the C of ALCOA, imply events or decisions should be recorded as they take place. But many a times what is contemporaneous documentation is not well understood. Develop clear understanding and awareness of contemporaneous documentation in the team through regular workshops and training sessions with examples – e.g. documenting a time or temperature in a record after observing the same from an adjacent room or suite is not contemporaneous documentation. When a person is recording data from memory (or from chits or back of hand…)  into a formal record, it is not contemporaneous recording and prone to inaccuracies and even manipulation. Recording a rounded of reading in a document is not contemporaneous documentation – Temperature read as say 40.216⁰C but recorded as 40.22⁰C is not contemporaneous, it should be recorded as 40.216⁰C  and then may be rounded off as 40.22⁰C. All primary data shall be recorded as observed – temperature, pressure, weight, speed, flow….any raw data.  When microbiology plates are read in the lab and later updated in the raw data sheet in the office area of lab (or other areas) it is not contemporaneous documentation. Build this awareness in the team through work shop sessions – Debate each area, activity and its records, current practices of data recording  – what could be viewed as non-contemporaneous. Correct the practices, provide appropriate facilities to help contemporaneous documentation, many times it could be simple adjustment – e.g. bringing down a temperature or pressure gauge, providing a stand for reading a level indicator, providing racks / stands for document updation.
• User name and password in analytical instruments are shared: When systems allow sharing of usernames / passwords authenticity is lost – Who actually performed an activity, who reviewed, approved, whether the persons who performed the activity were authorised trained to do so. Firms should have defined procedures for password controls [individual passwords for all named users, defined expiry of passwords, password complexity (minimum length, combination of letters, numbers, symbols), non-repetition of passwords, password reset by users, defined access privileges for users consistent with user roles in all systems, procedures for activation and deactivation of users and user privileges. For any legacy computerized systems where password controls, other features of 21CFR Part 11 compliance are missing, alternate controls (for e.g. Four Eye approach {verification and authentication of data by a second person}, log books) shall be established with a documented plan for upgrading or replacing such systems
• Review of raw data and audit trails: cGMP require review of raw data – primary data recorded as an operation / event happen, calculations, conclusions of reports etc. by a second person. Review of raw data is critical to ensure the accuracy and integrity of data, preventing errors, omissions, or intentional manipulation. The raw data review should look at completeness of data, missing entries, compliance to SOPs / test methods (e.g weights of samples in an analysis, temperature and so on), changes to the recorded primary data (errors, cross outs), accuracy of data. For data pertaining to computerised systems and electronic data, there should be review of audit trail as well. Procedures for audit trail review shall be established for all GxP systems which generate electronic data (such as but not limited to) – analytical equipment, manufacturing equipment, PLC / SCADA systems, engineering & utility systems like Purified Water systems, Ventilation systems, Quality systems / Operations management software such as Laboratory Information Management system (LIMS), DMS. Audit trial review looks at changes to data, completeness of data, missing / deletion of original data, accuracy and compliance. The audit trail review shall cover System Audit Trail, Data Audit trail, Method Audit trail, Configuration settings audit trail, Access controls and trails, Events (for e.g. alarms) as applicable for each system. Develop checklists for reviewing the key elements of audit trail for each system, define frequency for review of audit trail – for equipment like QC equipment, Production equipment audit trail review shall be after completion of an activity each time -like after completion of an analysis test parameter, batch completion. For other systems like a Purified Water system, a compressed air system etc, this could be at a defined frequency – say 2 weeks, 4 weeks etc. If discrepancies are observed during audit trail review, deviations shall be logged and issue investigated.

Related posts:

• USFDA 483 / UCB, Belgium / FEI 3003909356/ USFDA Investigators: Hamet M.Toure, Alice S.Tsao / Inspection dates April 17 -21, 2023 / Observation 1 – Deficiencies in Document control
• Warning letter / Centrient India / MARCS-CMS 640196/ 320-23-06/ DECEMBER 07, 2022/ Observation 1

Observations of data integrity issues and discovery of data integrity issues during regulatory audits, lead to the auditor & agency concluding inadequate oversight of Quality unit over operations. When internal or external audits and reviews identifies such issues comprehensive remediation actions should be taken. This help in giving confidence to auditors that Firm is proactive and thorough in taking actions on issues; help to regain the trust and confidence of regulators. Investigate the issue(s) thoroughly, evaluate extent of the issues across the Firm and assess the risk and impact. There is no short cut here. When issues of data integrity are observed, rarely it is a one off / inadvertent mistake. Similar situations could exit in other areas due to lack of awareness,  inadequate procedures, inadequate equipment and facilities, lack of monitoring and oversight, quality culture. The remediation measures and corrective actions should address impact of the lapses on products distributed, identifying extent of issues across the site and corrective actions:

• Strengthen the procedures and processes for document control & and control of electronic records addressing different aspects as elaborated in previous section.
• Perform a protocol based assessment of potential for batches distributed to be impacted by the issues observed and data integrity issues. Develop a matrix of discrepancies identified, evaluate whether each batch could be affected, document the rationale, evaluate the impact of the discrepancy on affected batches for product quality, safety. Document with evaluation conclusions with rationale. Based on this identify actions to be taken with timelines. Click to see an example template (elaborate including more parameters as necessary):
• Perform a protocol based assessment of extent of inaccuracies in data records, lapses of data integrity and actions to ensure the reliability and completeness of all data generated by the firm. Perform a comprehensive assessment across all functions – Quality control, Quality assurance, Manufacturing, Engineering & Utilities, Analytical Development/ ARD, R&D, Training, Materials & Warehouse, identify gaps / improvements required and establish a plan for enhancement of the systems and procedures with timelines.
  • Assess the Document control compliance covering
    • All documents (forms, formats, logbooks, procedures, work instructions) governed by and traceable to respective control procedure / parent procedure;
    • Issue controls,
    • retrieval, reconciliation, retention
    • Disposal procedures for all documents generated in each function
    • Systems and procedures for contemporaneous recording of raw data and review of raw data.
  • Assess Electronic Data controls and compliance in line with USFDA 21 CFR Part 11 & Eudralex EUGMP Annexure 11 –
    • User Access controls, Admin controls,
    • Control of setting changes – Date, Time, Data deletion controls,
    • Password controls and policy
    • Data archival & back up, Data retrieval
    • Audit trails, review of audit trails.

It is best to perform the assessment employing third party expert consultants. Accordingly develop CAPA plan with timelines. If the corrective actions will have a lead time for system upgradations / replacement, implement interim alternate controls like Four eye approach, print outs / screen shots verification at two levels, recording activities in logbook with verification by a second person. Computer systems qualification and validation (CSV) covering all GxP systems should also be part of the plan.

• Establish a Data Integrity policy or if there is a policy in place review and enhance the policy and procedure for Data Integrity. The policy shall address control over paper documents as well as electronic data, ensuring compliance with ALOCA+ principles, computer systems, training and awareness build up, Dos and Don’ts, Whistle Blower Policy to encourage team members to report Data Integrity issues observed. (All regulatory agencies have guidelines published on Data Integrity (USFDA, EMA/Europe, WHO and others. Access the relevant guidelines @ https://qvents.in/guidelines/).
• Establish a Training and Awareness build up programme for employees. Use cases published in USFDA 483s, Warning letters, debate whether similar situations could be present in the Firm and actions to be taken. Conducting regular small group workshops with practical case studies, teams presenting cases in each function is a good tool for building awareness and ownership for actions.