• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer
  • Blog
  • News & Events
  • Videos
  • Resources
main-logo-small

Compliance Architects

Consulting Technology Outsourcing

  • About Us
    • Senior Staff
    • Why Us
    • Mission And Vision
    • Clients
    • Partners
    • Career Opportunities
  • Services
    • Inspection Readiness & Enforcement
      • FDA Inspection Readiness
      • Audits & Assessments
      • FDA Enforcement Response/Remediation
    • FDA Quality Consulting
      • Quality System & Compliance Turnarounds / Restructuring
      • Training / Coaching
      • Quality & Compliance Computer-Based Systems
      • External Supply Chain Compliance
      • Part 11 & Computer Systems Validation
      • Turnkey Quality Systems
    • Quality Assurance and Engineering
      • CRPN Quality Roadmap®
      • Quality Culture Assessment
      • Product Quality Consulting
      • Operational Efficiency/Compliance Effectiveness
      • Project/Program Management
    • Corporate Compliance and Litigation
      • Corporate Compliance Programs
      • Interactions With Department Of Justice And The Courts
    • FDA Regulatory Consultants
      • Product Development / Submissions / Commercialization
      • REMS (Risk Evaluation And Mitigation Strategies)
      • Mergers / Acquisitions / Licensing
    • Quality, Compliance, Regulatory & Operations’ Staffing
      • Staffing
      • Talent Management
      • Rapid Turnaround
  • Innovative Solutions
    • Writing for Compliance®
    • CRPN Quality Roadmap®
    • Quality Pulse®
    • IEEP
    • REMS
  • Success Stories
  • Industries
    • Biopharmaceuticals
    • Cannabis/CBD
    • Cell & Gene Therapies
    • Combination Products
    • Cosmetics
    • Dietary Supplements
    • Medical Devices and Diagnostics
    • Pharmaceuticals
  • Contact Us
|

Systems, Controls, Challenges and Governance for Sustainable Data Integrity Outcomes

Being able to present data that the FDA believes it can trust is critical to making it through an inspection unscathed. Medical product manufacturers must provide myriad data to agency investigators, which expect that data to meet its standards for being attributable, legible, contemporaneous, original and accurate (ALCOA) — characteristics that add up to data integrity. Despite the agency’s well-known and ongoing emphasis of this topic, including finalization of guidance in December 2018, data integrity concerns continue to show up regularly in warning letters.

What can companies do to avoid FDA enforcement actions around data integrity? The secret is to integrate data integrity into all aspects of their over-arching quality systems. This begins with the broader corporate culture, which should emphasize data integrity as a core part of all development, clinical, manufacturing and quality operations. The second of the seven key elements to a strong, sustainable data integrity program (see call-out box) involves developing the internal culture, policies, expectations and, relatedly, incentives for good data practices, and punishment for failure to adhere to data integrity principles.

This means that in any company, from the C-suite down through directors to site managers and supervisors, the company must speak on this topic with a single voice. This second element to data integrity success envisions a formal policy (or policies) that clearly states that data integrity is a primary requirement for all operations. It is absolutely critical that the message about data integrity is the same from the top to the bottom of the corporate hierarchy.

In addition to establishing top-down policies that emphasize the importance of data integrity, companies need to identify any weak areas and develop a long-term cultural improvement plan, e.g., rewarding candor about issues that arise. Companies should also look at periodic objectives—financial, operational, cost, and outcome—to ensure that they are aligned and do not encourage “do what you have to do” decisions, which could quash efforts to improve data integrity. In addition, company policies must establish zero-tolerance for misrepresentation and fraud, possibly including immediate termination as a penalty. The corporate compliance office must be fully supportive of quality assurance program elements that encompass data integrity considerations.

Also important is the concept of data-associated risk identification, quantification and management, to be discussed in more detail in a future article.

To ensure adoption of a data integrity focus throughout the company, the emphasis on data integrity must permeate training programs for both new and existing employees. Training should emphasize data integrity by covering such topics as good documentation practices and data life cycle management. Specialized data integrity training should also be included. Updates to training programs should include greater focus on fraud, misrepresentation and data integrity. Training can include, for instance, lessons learned from real-life examples of good and bad data integrity practices.

Creating Compliance Controls

With clear data integrity polic(ies) in place and communicated throughout all operations, from the top of the corporate hierarchy to the bottom, companies must then ensure that they have positive controls in place to ensure compliance (Item 3 in the box above). The term “positive controls” encompasses the quality system control framework plus discrete controls over key activities and functions.

Positive controls can fall into different categories. Quality system or procedural controls will include SOPs and work instructions, for instance. These must be created under a risk-based control framework and in consideration of good documentation and good data practices. Manufacturers need to make sure that these documents define controls at critical data or information points that will make mistakes or fraud difficult.

Organizational and responsibility controls will include special training or certification for employees conducting critical data and information functions. All critical data generation or transfer points must be monitored to ensure the data is accurate at all stages of its life cycle. These controls can include routine review of critical data and releases, as well as rigorous qualification—including enhanced screening, specific certification requirements and background checks, for instance—for employees with responsibility for critical data and information.

Information technology (IT) and management controls are also central to ensuring data integrity. Computer systems used to enter and transfer data should have the most rigorous security controls available, for instance, including password and other authentication for users, encryption and non-repudiation measures. Compliance with Part 11 will help a company make strides in this area. Also important for IT security are:

  • Change controls;
  • Defined and compartmentalized administration access;
  • Regular access reporting and reviews;
  • Computer system validation;
  • Rigorous lab equipment access controls; and
  • Camera or other monitoring of critical areas.

There are several steps companies can take to ensure that their positive compliance controls are adequate. First and foremost should be a review of existing good document and data practices programs, with revisions and updates completed as needed. All quality systems documentation should incorporate data and information recording, use and management practices at all necessary steps. They also need to establish broad responsibilities for data integrity throughout the quality system.

Companies also need to review their computer systems to ensure that they are robust enough to protect sensitive data and facilitate controlled process management. The system should include exceptional access logs and audit trails.

Personnel hiring and training requirements need to be included in this review, as well, with procedures updated as needed to ensure that data is being handled appropriately.

Challenging the System

It’s not enough to incorporate data integrity into corporate intent, culture, and quality system documentation. To ensure that the quality and accuracy of data is consistently protected, medical product manufacturers must periodically challenge their procedures and controls to make sure they are working (see Item 6 in box above). Therefore, they need to establish, as part of their control system, a program to challenge and probe data integrity-related operations, and to identify occurrences of data mishandling and fraudulent activity.

A common type of challenge is an internal or third-party quality systems audit. These are routine parts of compliance for many manufacturers and can be effective in identifying discrete problems, including issues with data integrity. Some companies may also opt for a fraud-specific review and challenge using an independent investigator. This person will bring specialized skills and training to bear in a review of corporate compliance.

Any challenge should be designed to differentiate purposeful conduct, which would likely be subject to severe penalties, such as firing, from unintentional or negligent conduct that might be addressed by additional employee training or enhanced oversight of an activity.

Purposeful data mishandling is generally considered the more severe violation. In such cases, an employee may act due to the opportunity for monetary, personal or professional gain, or because the risk of nonperformance is greater than the risk of wrongful conduct. In some cases the corporate culture may informally accept data manipulation, or even directly instruct employees to fudge numbers.

Often though, unintentional data mishandling can be even more insidious and widespread. Common reasons for this type of mishandling include insufficiently defined expectations for data handling or lack of awareness of those expectations. Insufficient proactive controls, management failure to prioritize data integrity, tolerance for unprofessional work, insufficient technology controls and a corporate culture of “doing whatever it takes.”

There are several steps companies can take to challenge its data integrity practices. Underlying any such approach must be a good relationship between the corporate compliance office and other divisions, particularly when quality audits are to be performed. The key steps of any data integrity challenge program are:

  • Review quality policies, standards, procedures and practices to ensure that they include checks on the effectiveness of data integrity controls—and a deep review of the controls themselves;
  • Develop challenge scenarios to test the effectiveness of those controls, focused on ensuring integrity throughout the complete life cycle of all data and information;
  • Establish a schedule for regular review of audit policies to ensure regular review of data integrity fraud risks and challenge of data integrity controls; and finally,
  • Ensure that all employees understand these programs, how they work and what they are intended to achieve.

Governance of Data Integrity

With a plan in place for challenging the effectiveness of data integrity controls, the final step—and last program element in the seven-element program for sustainable data integrity outcomes—is governance of the entire process. Manufacturers need to develop and implement an approach to governance that ensures regular review by management on how current data integrity assurance practices are performing. Related to the previously discussed challenges to data integrity controls, for instance, companies must develop and structure individual and coordinated challenge outcome reports, which will be reviewed by responsible individuals within the corporate governance structure.

Such reports—or, more particularly, any shortcomings that they might identify—will provide an escalation point for deviations from directed practices. Members of management tasked with responsibility for maintaining the program will use these reports to develop top-down improvements to data integrity practices.

Review points should be developed at all appropriate organizational levels and feed into higher-levels of governance review. Procedures should include rapid review and analysis of results and rapid escalation as needed to the executive levels. To this end, it’s important that prompt senior executive review be part of the process of generating governance reports.

Equally important is establishment of clear reporting requirements and appropriate metrics at all levels of the organization. Wherever an audit or challenge identifies any failures or gaps in data integrity controls, companies will need to quickly develop a defined remediation plan, possibly incorporating the identification and remediation into CAPA, and then make necessary changes and challenge those changes to ensure their effectiveness.

Keep your eye out for the last article in our four part series — Focusing on the Critical! Coming soon.

Filed Under: Achieving Compliance, data integrity

Primary Sidebar

Sign Up To Our Newsletter

You May Also Like

Sue Soderholm to be a Featured Speaker at the 1st Annual Quality Management vSummit – “Optimizing Your Quality Management Program to Be Both World Class and FDA-Compliant” | Tuesday, October 11, 2022 – Wednesday, October 12, 2022

Achieve True Quality Culture and Stay Compliant If your quality management system (QMS) isn’t world class, you may be falling behind. You need the 1st Annual
life sciences staffing

Talk to us about current talent trends, and what the industry will need in the next 5 to 10 years?

Transcript taken from 2022 PMWS by Executive Platforms The talent crisis as it has been called is certainly not something that has gone away or

Preparing for an FDA Pre-Approval Inspection (PAI) – “Begin with the End in Mind.”

Presented by: Teresa Gorecki, Practice Lead, Compliance Architects What is it Steven Covey said in “The 7 Habits of Highly Effective People?” “Begin with the

Footer

Compliance Architects®

  • Contact Us
  • (888) 734-9778
  • info@compliancearchitects.com

Quick Links

  • About Us
    • Senior Staff
    • Why Us
    • Mission And Vision
    • Clients
    • Partners
    • Career Opportunities
  • Services
    • Inspection Readiness & Enforcement
      • FDA Inspection Readiness
      • Audits & Assessments
      • FDA Enforcement Response/Remediation
    • FDA Quality Consulting
      • Quality System & Compliance Turnarounds / Restructuring
      • Training / Coaching
      • Quality & Compliance Computer-Based Systems
      • External Supply Chain Compliance
      • Part 11 & Computer Systems Validation
      • Turnkey Quality Systems
    • Quality Assurance and Engineering
      • CRPN Quality Roadmap®
      • Quality Culture Assessment
      • Product Quality Consulting
      • Operational Efficiency/Compliance Effectiveness
      • Project/Program Management
    • Corporate Compliance and Litigation
      • Corporate Compliance Programs
      • Interactions With Department Of Justice And The Courts
    • FDA Regulatory Consultants
      • Product Development / Submissions / Commercialization
      • REMS (Risk Evaluation And Mitigation Strategies)
      • Mergers / Acquisitions / Licensing
    • Quality, Compliance, Regulatory & Operations’ Staffing
      • Staffing
      • Talent Management
      • Rapid Turnaround
  • Innovative Solutions
    • Writing for Compliance®
    • CRPN Quality Roadmap®
    • Quality Pulse®
    • IEEP
    • REMS
  • Success Stories
  • Industries
    • Biopharmaceuticals
    • Cannabis/CBD
    • Cell & Gene Therapies
    • Combination Products
    • Cosmetics
    • Dietary Supplements
    • Medical Devices and Diagnostics
    • Pharmaceuticals
  • Contact Us

Our Services

  • Inspection Readiness & Enforcement
  • FDA Quality Consulting – Systems and Training
  • Quality Assurance and Engineering
  • Corporate Compliance and Litigation Services
  • FDA Regulatory Consultants – Due Diligence
  • Quality, Compliance, Regulatory & Operations’ Staffing Services

Proprietary Solutions

  • Writing for Compliance®
  • Quality Pulse®
  • CRPN Quality Roadmap®

© 2009-2023 Compliance Architects Holdings LLC – used by permission. All copyrights, trademarks and other intellectual property are the property of Compliance Architects Holdings LLC and are used by permission.

  • Debarment Certification Statement
  • Privacy Policy
  • Terms of Use

Contact Us Today

We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
Do not sell my personal information.
Cookie SettingsAccept
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT