Being able to present data that the FDA believes it can trust is critical to making it through an inspection unscathed. Medical product manufacturers must provide myriad data to agency investigators, which expect that data to meet its standards for being attributable, legible, contemporaneous, original and accurate (ALCOA) — characteristics that add up to data integrity. Despite the agency’s well-known and ongoing emphasis of this topic, including finalization of guidance in December 2018, data integrity concerns continue to show up regularly in warning letters.
What can companies do to avoid FDA enforcement actions around data integrity? The secret is to integrate data integrity into all aspects of their over-arching quality systems. This begins with the broader corporate culture, which should emphasize data integrity as a core part of all development, clinical, manufacturing and quality operations. The second of the seven key elements to a strong, sustainable data integrity program (see call-out box) involves developing the internal culture, policies, expectations and, relatedly, incentives for good data practices, and punishment for failure to adhere to data integrity principles.
This means that in any company, from the C-suite down through directors to site managers and supervisors, the company must speak on this topic with a single voice. This second element to data integrity success envisions a formal policy (or policies) that clearly states that data integrity is a primary requirement for all operations. It is absolutely critical that the message about data integrity is the same from the top to the bottom of the corporate hierarchy.
In addition to establishing top-down policies that emphasize the importance of data integrity, companies need to identify any weak areas and develop a long-term cultural improvement plan, e.g., rewarding candor about issues that arise. Companies should also look at periodic objectives—financial, operational, cost, and outcome—to ensure that they are aligned and do not encourage “do what you have to do” decisions, which could quash efforts to improve data integrity. In addition, company policies must establish zero-tolerance for misrepresentation and fraud, possibly including immediate termination as a penalty. The corporate compliance office must be fully supportive of quality assurance program elements that encompass data integrity considerations.
Also important is the concept of data-associated risk identification, quantification and management, to be discussed in more detail in a future article.
To ensure adoption of a data integrity focus throughout the company, the emphasis on data integrity must permeate training programs for both new and existing employees. Training should emphasize data integrity by covering such topics as good documentation practices and data life cycle management. Specialized data integrity training should also be included. Updates to training programs should include greater focus on fraud, misrepresentation and data integrity. Training can include, for instance, lessons learned from real-life examples of good and bad data integrity practices.
Creating Compliance Controls
With clear data integrity polic(ies) in place and communicated throughout all operations, from the top of the corporate hierarchy to the bottom, companies must then ensure that they have positive controls in place to ensure compliance (Item 3 in the box above). The term “positive controls” encompasses the quality system control framework plus discrete controls over key activities and functions.
Positive controls can fall into different categories. Quality system or procedural controls will include SOPs and work instructions, for instance. These must be created under a risk-based control framework and in consideration of good documentation and good data practices. Manufacturers need to make sure that these documents define controls at critical data or information points that will make mistakes or fraud difficult.
Organizational and responsibility controls will include special training or certification for employees conducting critical data and information functions. All critical data generation or transfer points must be monitored to ensure the data is accurate at all stages of its life cycle. These controls can include routine review of critical data and releases, as well as rigorous qualification—including enhanced screening, specific certification requirements and background checks, for instance—for employees with responsibility for critical data and information.
Information technology (IT) and management controls are also central to ensuring data integrity. Computer systems used to enter and transfer data should have the most rigorous security controls available, for instance, including password and other authentication for users, encryption and non-repudiation measures. Compliance with Part 11 will help a company make strides in this area. Also important for IT security are:
- Change controls;
- Defined and compartmentalized administration access;
- Regular access reporting and reviews;
- Computer system validation;
- Rigorous lab equipment access controls; and
- Camera or other monitoring of critical areas.
There are several steps companies can take to ensure that their positive compliance controls are adequate. First and foremost should be a review of existing good document and data practices programs, with revisions and updates completed as needed. All quality systems documentation should incorporate data and information recording, use and management practices at all necessary steps. They also need to establish broad responsibilities for data integrity throughout the quality system.
Companies also need to review their computer systems to ensure that they are robust enough to protect sensitive data and facilitate controlled process management. The system should include exceptional access logs and audit trails.
Personnel hiring and training requirements need to be included in this review, as well, with procedures updated as needed to ensure that data is being handled appropriately.
Challenging the System
It’s not enough to incorporate data integrity into corporate intent, culture, and quality system documentation. To ensure that the quality and accuracy of data is consistently protected, medical product manufacturers must periodically challenge their procedures and controls to make sure they are working (see Item 6 in box above). Therefore, they need to establish, as part of their control system, a program to challenge and probe data integrity-related operations, and to identify occurrences of data mishandling and fraudulent activity.
A common type of challenge is an internal or third-party quality systems audit. These are routine parts of compliance for many manufacturers and can be effective in identifying discrete problems, including issues with data integrity. Some companies may also opt for a fraud-specific review and challenge using an independent investigator. This person will bring specialized skills and training to bear in a review of corporate compliance.
Any challenge should be designed to differentiate purposeful conduct, which would likely be subject to severe penalties, such as firing, from unintentional or negligent conduct that might be addressed by additional employee training or enhanced oversight of an activity.
Purposeful data mishandling is generally considered the more severe violation. In such cases, an employee may act due to the opportunity for monetary, personal or professional gain, or because the risk of nonperformance is greater than the risk of wrongful conduct. In some cases the corporate culture may informally accept data manipulation, or even directly instruct employees to fudge numbers.
Often though, unintentional data mishandling can be even more insidious and widespread. Common reasons for this type of mishandling include insufficiently defined expectations for data handling or lack of awareness of those expectations. Insufficient proactive controls, management failure to prioritize data integrity, tolerance for unprofessional work, insufficient technology controls and a corporate culture of “doing whatever it takes.”
There are several steps companies can take to challenge its data integrity practices. Underlying any such approach must be a good relationship between the corporate compliance office and other divisions, particularly when quality audits are to be performed. The key steps of any data integrity challenge program are:
- Review quality policies, standards, procedures and practices to ensure that they include checks on the effectiveness of data integrity controls—and a deep review of the controls themselves;
- Develop challenge scenarios to test the effectiveness of those controls, focused on ensuring integrity throughout the complete life cycle of all data and information;
- Establish a schedule for regular review of audit policies to ensure regular review of data integrity fraud risks and challenge of data integrity controls; and finally,
- Ensure that all employees understand these programs, how they work and what they are intended to achieve.
Governance of Data Integrity
With a plan in place for challenging the effectiveness of data integrity controls, the final step—and last program element in the seven-element program for sustainable data integrity outcomes—is governance of the entire process. Manufacturers need to develop and implement an approach to governance that ensures regular review by management on how current data integrity assurance practices are performing. Related to the previously discussed challenges to data integrity controls, for instance, companies must develop and structure individual and coordinated challenge outcome reports, which will be reviewed by responsible individuals within the corporate governance structure.
Such reports—or, more particularly, any shortcomings that they might identify—will provide an escalation point for deviations from directed practices. Members of management tasked with responsibility for maintaining the program will use these reports to develop top-down improvements to data integrity practices.
Review points should be developed at all appropriate organizational levels and feed into higher-levels of governance review. Procedures should include rapid review and analysis of results and rapid escalation as needed to the executive levels. To this end, it’s important that prompt senior executive review be part of the process of generating governance reports.
Equally important is establishment of clear reporting requirements and appropriate metrics at all levels of the organization. Wherever an audit or challenge identifies any failures or gaps in data integrity controls, companies will need to quickly develop a defined remediation plan, possibly incorporating the identification and remediation into CAPA, and then make necessary changes and challenge those changes to ensure their effectiveness.
Keep your eye out for the last article in our four part series — Focusing on the Critical! Coming soon.