Classification of data integrity deficiencies
Data integrity to aid consistency in reporting and classification of data integrity deficiencies.
Deficiencies relating to data integrity failure may have varying impacts on product quality. Prevalence of the failure may also vary between the actions of a single employee to an endemic failure throughout the inspected organization.
Data integrity -the PIC/S guidance on the classification of deficiencies states:
“A critical deficiency is a practice or process that has produced or leads to a significant risk of producing either a product which is harmful to the human or veterinary patient or a product which could result in a harmful residue in a food-producing animal.
A critical deficiency also occurs when it is observed that the manufacturer has engaged in fraud, misrepresentation, or falsification of products or data”.
“critical” classification of deficiencies relating to fraud, misrepresentation, or falsification, it is understood that data integrity deficiencies can also relate to:
- Data integrity failure resulting from bad practice.
- Opportunity for failure (without evidence of actual failure) due to absence of the required data control measures.
It may be appropriate to assign a classification of deficiencies by considering the following points-
Critical deficiency: Impact on the product with actual or potential risk to patient health.
- Product failing to meet Marketing Authorisation specification at release or within shelf life.
- Reporting of a ‘desired’ result rather than an actual out-of-specification result when reporting QC tests, critical product, or process parameters.
- Wide-ranging misrepresentation or falsification of data, with or without the knowledge and assistance of senior management, the extent of which critically undermines the reliability of the Pharmaceutical Quality System and erodes all confidence in the quality and safety of medicines manufactured or handled by the site.
Major deficiency: Impact on the product with no risk to patient health.
- Data being misreported, e.g. original results ‘in specification’, but altered to give a more favorable trend.
- Reporting of a ‘desired’ result rather than an actual out-of-specification result when reporting data that does not relate to QC tests, critical product, or process parameters.
- Failures arising from poorly designed data capture systems (e.g. using scraps of paper to record info for later transcription).
Major deficiency: No impact on the product; evidence of moderate failure.
Bad practices and poorly designed systems may result in opportunities for data integrity issues or loss of traceability across a limited number of functional areas (QA, production, QC, etc.). Each in its own right has no direct impact on product quality.
Other deficiency: No impact on product limited evidence of failure.
- Bad practices or poorly designed systems result in opportunities for data integrity issues or loss of traceability in a discrete area.
- Limited failure in an otherwise acceptable system, e.g. manipulation of non-critical data by an individual.
It is important to build an overall picture of the adequacy of the key elements to make a robust assessment as to whether there is a company-wide failure or a deficiency of limited scope/ impact.
Key elements
- Data governance process.
- Design of systems to facilitate compliant data recording
- Use and verification of audit trails and
- IT user access etc.
Individual circumstances (exacerbating/mitigating factors) may also affect the final classification or regulatory action.
Indicators of improvement
An on-site inspection is recommended to verify the effectiveness of actions taken to address serious data integrity issues. Alternative approaches to verify effective remediation may be considered by risk management principles. Some indicators of improvement are:
- Evidence of a thorough and open evaluation of the identified issue and timely implementation of effective corrective and preventive actions, including appropriate implementation of corrective and preventive actions at an organizational level.
- Evidence of open communication of issues with clients and other regulators. Transparent communication should be maintained throughout the investigation and remediation stages. Regulators should be aware that further data integrity failures may be reported as a result of the detailed investigation. Any additional reaction to these notifications should be proportionate to public health risks, to encourage continued reporting;
- Evidence of communication of data integrity expectations across the organization, incorporating and encouraging processes for open reporting of potential issues and opportunities for improvement;
- The regulated user should ensure that an appropriate evaluation of the vulnerability of electronic systems to data manipulation takes place to ensure that follow-up actions have fully resolved all the violations. For this evaluation, the services of a qualified third-party consultant with relevant expertise may be required;
- Implementation of data integrity policies in line with the principles of this guide;
- Implementation of routine data verification practices.
