Data integrity in the drug industry is vital to ensuring the safety, efficacy, and quality of drugs. Data integrity has remained an industry buzzword for many years, but the experience the industry gained from the shortened timelines of COVID-19 vaccine development and manufacturing has further underscored its importance.
The improvements in manufacturing efficiency can be directly correlated to the advances in technology that support those processes. Manufacturers who were previously considering partial digitalization of processes are now going full speed ahead with full-scale digitalization efforts in the areas of manufacturing execution systems (MES), quality management systems (QMS), laboratory information management systems (LIMS), and electronic batch record (EBR) management. The 2020 International Society for Pharmaceutical Engineering (ISPE) Good Practice Guide: Data Integrity by Design highlights that building data integrity into the core of any process ensures that quality and efficiency follow as outputs. This occurs naturally because more critical thinking is required during the planning and requirements phases of any digitalization effort.
An abundance of laboratory and manufacturing instrumentation is available to the industry, but no single data management/security solution accommodates all applications. Whatever solution is selected, the key elements of data integrity must be prioritized.
Various regulatory agencies and industry consortiums have established guidelines for data management and security. Below is a list of data integrity-relevant agency and industry-related references:
Although regulations and guidelines are in place, the formula for ensuring data integrity still rests on people, processes, and technology. These key tenets must be aligned through training and validation. The behavioral controls that create a culture of quality can be implemented in many ways that coincide with other motivational workplace programs. This article highlights the data management and technology aspects of ensuring data integrity.
The most recent PIC/S Good Practices for Data Management guidance expands on the 2018 MHRA definition of data integrity:
Data Integrity is defined as “the degree to which data are complete, consistent, accurate, trustworthy, and reliable and that these characteristics of the data are maintained throughout the data life cycle.”
The data should be collected and maintained in a secure manner, so that they are attributable, legible, contemporaneously recorded, original (or a true copy), and accurate (ALCOA). Assuring data integrity requires appropriate quality and risk management systems, including adherence to sound scientific principles and good documentation practices.
Additionally, the definition of data management was expanded to bolster the importance of the ALCOA+ principles, as shown below:
Data management refers to all those activities performed during the handling of data including but not limited to data policy, documentation, quality and security. Good data management practices influence the quality of all data generated and recorded by a manufacturer. These practices should ensure that data is attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, and available. While the main focus of this document is in relation to GMP/GDP expectations, the principles herein should also be considered in the wider context of good data management such as data included in the registration dossier based on which API and drug product control strategies and specifications are set.
The MHRA stated in its guidance that, “The data governance should be integral to the pharmaceutical quality system.” The approach to managing data should be commensurate with risks to patient safety and product quality in the event of a data integrity lapse. In order to manage data effectively, companies will need to develop and implement policies, procedures, training curricula, and validation guidelines surrounding data management and security.
Data storage locations must be secured to prevent data from being saved to unauthorized file storage locations, including removable devices. One way of securing data is to apply local security groups or Active Directory groups to the data storage folder, so that only users in certain security groups have permission to access the folder. It is good data integrity practice for system administrators to remove delete and modification permissions from folders containing original CGMP/GLP raw data. In certain software applications, removing delete and modification permissions through the operating system will prevent the application from saving data to the folder. In such cases, third-party software applications or Windows scripting can provide solutions for restricting access to the folder without modifying Windows New Technology File System (NTFS) permissions.
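As a hedged sketch of the folder lockdown just described, the Python script below wraps the built-in Windows icacls utility: the analyst group keeps Modify access so the application can write new files, while an explicit deny entry blocks deletion (deny ACEs take precedence in Windows ACL evaluation). The folder path and group names are hypothetical placeholders; actual rights assignments should follow site policy.

```python
import subprocess

# Hypothetical folder and Active Directory group names; adjust to site standards.
RAW_DATA_DIR = r"D:\Instrument\RawData"
ANALYST_GROUP = r"LABDOMAIN\HPLC-Analysts"
ADMIN_GROUP = r"LABDOMAIN\Sys-Admins"

def run_icacls(*args: str) -> None:
    """Invoke the built-in Windows icacls utility, failing loudly on error."""
    subprocess.run(["icacls", *args], check=True)

def lock_down_raw_data(folder: str) -> None:
    # Drop inherited permissions so only the explicit entries below apply.
    run_icacls(folder, "/inheritance:r")
    # System administrators retain full control for maintenance and archiving.
    run_icacls(folder, "/grant", f"{ADMIN_GROUP}:(OI)(CI)F")
    # Analysts may read and create data (Modify), inherited by files/subfolders...
    run_icacls(folder, "/grant", f"{ANALYST_GROUP}:(OI)(CI)M")
    # ...but a deny entry takes precedence, so deletion of raw data is blocked
    # (DE = delete, DC = delete child).
    run_icacls(folder, "/deny", f"{ANALYST_GROUP}:(OI)(CI)(DE,DC)")

if __name__ == "__main__":
    lock_down_raw_data(RAW_DATA_DIR)
```

Because Modify still permits overwriting existing file contents, sites that also need to block modification may extend the deny entry or, as noted above, use third-party tools that restrict access without altering NTFS permissions.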
Audit trails are a key element in permitting detection and preventing manipulation of records. Sound data integrity practice involves retaining audit trails and all relevant metadata that support GMP/GLP processes and data reporting. Ideally, software applications for GMP and GLP environments should be compliant with both 21 CFR Part 11 and Annex 11.
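To illustrate how an audit trail can permit detection of manipulation, below is a minimal, hypothetical sketch of a hash-chained trail; this is an illustrative technique, not any particular vendor's Part 11 implementation. Each entry records who did what and when, and embeds the hash of the previous entry, so a retroactive edit or deletion breaks the chain. The user names and record ID are invented placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

def append_entry(trail: list[dict], user: str, action: str, record_id: str) -> None:
    """Append an audit trail entry chained to the hash of the previous entry."""
    prev_hash = trail[-1]["hash"] if trail else "GENESIS"
    entry = {
        "user": user,                                         # attributable
        "timestamp": datetime.now(timezone.utc).isoformat(),  # contemporaneous
        "action": action,
        "record_id": record_id,
        "prev_hash": prev_hash,
    }
    payload = json.dumps(entry, sort_keys=True).encode()
    entry["hash"] = hashlib.sha256(payload).hexdigest()
    trail.append(entry)

def verify(trail: list[dict]) -> bool:
    """Recompute every hash; any altered or removed entry breaks the chain."""
    prev_hash = "GENESIS"
    for entry in trail:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev_hash"] != prev_hash:
            return False
        payload = json.dumps(body, sort_keys=True).encode()
        if hashlib.sha256(payload).hexdigest() != entry["hash"]:
            return False
        prev_hash = entry["hash"]
    return True

trail: list[dict] = []
append_entry(trail, "jsmith", "result.modified", "HPLC-2023-0042")
append_entry(trail, "qa_lee", "result.approved", "HPLC-2023-0042")
assert verify(trail)
```

Because each hash depends on every prior entry, verification fails at the first altered record, flagging exactly where the trail was tampered with.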
The following examples explain common and unique situations for handling data storage and backup/archiving for data retention.
Standalone systems are generally instruments that either have built-in firmware or are controlled by computer workstations that are not connected to a network. One advantage of standalone systems is that they are inherently protected from network hacking or intrusion. For such systems, data is stored in the instrument firmware or on the local hard drive of the computer workstation.
To support the backup of data from the local hard drive, numerous products on the market can create full system backup images of the local hard drive. For example, data can be transferred from a non-networked PC to a networked PC using a bridged USB cable or a crossover network cable.
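As an illustration of that transfer, the sketch below copies raw data from the standalone workstation to a networked destination and verifies each file by SHA-256 checksum, confirming the backup is a true copy. Both paths are placeholder assumptions.

```python
import hashlib
import shutil
from pathlib import Path

# Hypothetical paths: local acquisition folder on the standalone workstation
# and a destination reached via the bridged USB or crossover connection.
SOURCE = Path(r"C:\InstrumentData")
DESTINATION = Path(r"\\transfer-pc\backup\InstrumentData")

def sha256sum(path: Path) -> str:
    """Compute a file's SHA-256 checksum in memory-friendly chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def transfer_with_verification(src_root: Path, dst_root: Path) -> None:
    """Copy each raw-data file and verify the copy against the original."""
    for src in src_root.rglob("*"):
        if not src.is_file():
            continue
        dst = dst_root / src.relative_to(src_root)
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 preserves file timestamps (metadata)
        if sha256sum(src) != sha256sum(dst):
            raise IOError(f"Checksum mismatch for {src}; copy is not a true copy")

if __name__ == "__main__":
    transfer_with_verification(SOURCE, DESTINATION)
```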
A network server can be used as a central data repository for networked instrument workstations. With a network server, data is saved directly from the application installed on a local workstation to secure directories in the server environment. It is critical to ensure that the network server is secured with appropriate access controls managed according to company policies. A secondary backup of the network server should be in place, and a risk assessment should be performed to determine the appropriate frequency of backups.
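A minimal sketch of such a secondary backup is shown below; the locations and retention count are hypothetical and should be set based on the risk assessment. The script creates a dated archive of the repository and prunes the oldest backup sets.

```python
import shutil
import time
from pathlib import Path

# Hypothetical repository and backup locations on the secured network server.
REPOSITORY = Path(r"D:\GMPData")
BACKUP_ROOT = Path(r"E:\Backups")
RETAIN = 30  # number of backup sets to keep; derive from the risk assessment

def run_backup() -> Path:
    """Create a dated, compressed full copy of the repository."""
    BACKUP_ROOT.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = shutil.make_archive(
        str(BACKUP_ROOT / f"gmp-data-{stamp}"), "gztar", REPOSITORY
    )
    return Path(archive)

def prune_old_backups() -> None:
    """Keep only the most recent RETAIN backup archives."""
    archives = sorted(BACKUP_ROOT.glob("gmp-data-*.tar.gz"))
    for old in archives[:-RETAIN]:
        old.unlink()

if __name__ == "__main__":
    run_backup()
    prune_old_backups()
```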
If using a cloud storage solution, service level agreements (SLAs) must be reviewed and Service Organization Controls (SOC) 1/SOC 2 reports verified to ensure proper controls are in place. Additional data security controls can be adopted by following the recommendations of the Center for Internet Security (CIS) and its benchmarks, controls, and standards.
A networked database server runs a database management system (DBMS), which controls access to data, defines data types, and allows searching of information and computation of derived information. Applicable software applications are designed to store proprietary and non-proprietary data using database management languages. A DBMS provides a framework for enforcing data privacy and security. Multiple systems can store data in one database, or in multiple instances of the database on the same server. This solution is ideal for storing vast amounts of data and helps end users share data quickly and efficiently. Administration of database servers is vital to the security of the data; only authorized administrators should manage these databases. It is essential to back up the primary database for the system. The database backup duplicates, or copies, the database instance, which provides a recovery path in case the primary database crashes, becomes corrupted, or is lost. The backed-up instance can be restored on the database server following appropriate company procedures and guidelines.
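As a simple, hedged illustration of duplicating a database instance, the sketch below uses SQLite's online backup API as a stand-in; production DBMSs such as Oracle or SQL Server provide their own backup utilities, but the principle is the same. The file names are hypothetical.

```python
import sqlite3
from datetime import date

# Hypothetical database file names; adapt to the actual DBMS and its tooling.
PRIMARY_DB = "lims_results.db"
BACKUP_DB = f"lims_results_{date.today():%Y%m%d}.bak.db"

def backup_database(primary: str, backup: str) -> None:
    """Duplicate the primary database instance so it can be restored later."""
    src = sqlite3.connect(primary)
    dst = sqlite3.connect(backup)
    try:
        src.backup(dst)  # consistent online copy, safe even while in use
    finally:
        dst.close()
        src.close()

if __name__ == "__main__":
    backup_database(PRIMARY_DB, BACKUP_DB)
```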
In cases where application software can only store data on the local hard drive or in local databases, migration workflows can be implemented. For example, if using Visual Basic Scripts (VBScripts), Windows Task Scheduler can automatically execute the scripts that move data from the local hard drive to the network server for backup. It is good practice to implement secondary backup solutions for all GMP/GLP data.
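A Python equivalent of that scripted migration might look like the sketch below; the paths are hypothetical placeholders. The script copies any file not yet present on the network share, so repeated runs only pick up new data.

```python
import shutil
from pathlib import Path

# Hypothetical locations: local application output and the secured network share.
LOCAL_DATA = Path(r"C:\AppData\Results")
NETWORK_SHARE = Path(r"\\fileserver\gmp-backup\Results")

def migrate_new_files() -> int:
    """Copy files not yet present on the network share; return the count copied."""
    copied = 0
    for src in LOCAL_DATA.rglob("*"):
        if not src.is_file():
            continue
        dst = NETWORK_SHARE / src.relative_to(LOCAL_DATA)
        if dst.exists():
            continue  # already backed up on a previous run
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 preserves file timestamps
        copied += 1
    return copied

if __name__ == "__main__":
    print(f"Backed up {migrate_new_files()} new file(s)")
```

A scheduled task created with, for example, schtasks /Create /SC DAILY /TN "GMP-Backup" /TR "py C:\scripts\backup.py" /ST 02:00 (task name and script path are placeholders) would then run the script automatically each night, mirroring the VBScript approach described above.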