Data Integrity: A Structural Approach for Sustainable Outcomes

Transcription

1 Data Integrity: A Structural Approach for Sustainable Outcomes John C. (Jack) Garvey, Esq. Founder / Chief Executive Officer Compliance Architects LLC 2017 Pharmaceutical Quality Congress

2 Speaker Introduction Experience Summary: Thirty years of experience in FDA-regulated operations, quality, compliance, regulatory & law Founder, CEO, Compliance Architects LLC Principal, The Garvey Law Firm Education / Credentials: Chemical Engineer / Attorney Admitted to practice law in NY and NJ 2 Companies worked in and for: Johnson & Johnson (Corporate, Consumer, Neutrogena, OCD, Ethicon-Endo, JDx, Lifescan) Bayer Merck Ciba-Geigy (Novartis) BASF Corporation CR Bard Accenture/BMS Ayerst (Wyeth) Aventis-Behring Philips Healthcare Sample Focus areas: Enforcement remediation (483s, WLs, Import Detention, etc.) Inspection readiness and preparation Quality System development Regulatory / submissions Corporate Compliance HACCP / Process mapping & risk analysis CAPA program development & drafting Computer-based systems, enterprise risk management & quality operations Writing for Compliance

3 FREE STUFF! Regulations in ebook format! Throw out your old paper-based GMP regulation books and bring compliance into the 21 st Century! 3 Visit: compliancearchitects.com/resources/

4 What is Data Integrity? A characterization of the reliability, credibility, validity, authenticity, and trustworthiness of a state of data and/or information encompassing multiple foundational dimensions including attributability, legibility, contemporaneous recording, originality and accuracy. ALCOA: FDA s Data Integrity Focus Contemporaneous Legible Original Attributable Data Integrity Accurate 4

5 What is Data (and Information)? Examples: Chart recorders Lab notebooks (paper & electronic) Product release / approval data Batch release documentation C of As Raw data Instrument printouts Computer-based data Etc., etc., etc. 5

6 Our Industry Problem Raw materials, intermediates, and finished API analytical results found to be failing specifications or otherwise suspect (e.g. OOT) are retested until acceptable results are obtained. These failing or otherwise suspect results are not reported. Failure to prevent unauthorized access or changes to data and to provide adequate controls to prevent omission of data. Appropriate controls are not exercised over computers or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel. Failure to maintain complete data derived from all testing, and to ensure compliance with established specifications and standards. 6

7 Obstacles to Reliable Data & Information Unintentional / Negligent Conduct Lack of awareness Lack of defined expectations Lack of procedural / positive controls Lack of adequate supervision / oversight Failure to prioritize importance of data integrity Tolerance for sloppy / unprofessional work Lack of periodic checks on performance Lack of technology controls Pressure on personnel to achieve outcomes Whatever it takes culture Purposeful / Knowing Conduct Substantial opportunity for monetary gain stock options, bonuses, etc. Opportunity for personal / professional gain Risk from non-performance greater than risk of wrongful conduct Management direction to fudge or make up numbers driven by customer service requirements, greed or significant financial gain Management creates a culture that data manipulation is victimless and that conduct can t create harm 7

8 What do we know about our data integrity gaps? Documented & Known Gaps Undocumented but Known Gaps Overall Data Integrity Compliance Risk Profile Undocumented & Unknown Gaps 8

9 Data Integrity is critically important because to FDA and other regulators, because it doesn t matter whether the conduct is un-intentional / negligent or purposeful / knowing. They can t rely on the data and therefore, ramifications need to be significant and are often severe. 9

10 Seven Program Elements for Data Integrity Success Governance Policy, Expectation, Culture, Incentives & Punishment Regulations, Enforcement, Guidance, Industry Standards Building Data Integrity DI Focus Areas Data Lifecycle Management Controls Quality System / Positive Compliance Controls Proactive Challenges 10

11 Our Agenda Regulations, Enforcement, Guidance, Industry Standards Policy, Expectation, Culture, Incentives & Punishment Quality System / Positive Compliance Controls DI Focus Areas Data Lifecycle Management Controls Proactive Challenges Governance Path Forward / Next Steps 11

12 How It Fits Together A Structural Approach Company Governance Proactive Challenges DI Focus Areas DI Focus Areas Data Lifecycle Management Controls Quality System / Positive Compliance Controls DI Focus Areas DI Focus Areas Proactive Challenges Company Policy, Expectation, Culture, Incentives & Punishment Regulations, Enforcement, Guidance, Industry Standards 12

13 Those who remove mountains begin by carrying away small stones. Ancient Chinese Proverb 13

14 Governance Policy, Expectation, Culture, Incentives & Punishment Regulations, Enforcement, Guidance, Industry Standards Building Data Integrity DI Focus Areas Data Lifecycle Management Controls Quality System / Positive Compliance Controls Proactive Challenges 14

15 Program Element 1: Regulations, Enforcement, Guidance, Industry Standards Objective: To understand and harmonize external requirements and expectations to ensure establishment of sound internal standards, systems and practices that will enable compliance CFR 211 (Also, 820, 111, etc.) 21 CFR 11 FDA April 2016 Guidance Definitions / Q & A FDA 483s / Warning Letters ISPE GAMP Approach to Data Integrity Workshops on Data Integrity PDA Elements of a Code of Conduct for Data Integrity in the Pharmaceutical Industry Assuring Data Integrity for Life Sciences 2016 Workshop (9/14-15) (Also London, San Diego, Berlin) WHO Final Guidance on Good Data and Record Management Practices (Annex 5) (2016) MHRA Definitions & Draft Guidance, March & July 2016 EMA Guidance, August 2016 PIC/S, Good Practices for Data Management, 10 August 2016

16 Current & Notable FDA Data Integrity Enforcement ( ) TEVA Warning Letter, Hungary Site, October 2016 Wockhardt Limited Warning Letter, India Site, December 2016 Megafine Pharma Warning Letter, India Site, February 2017 Jinan Jinda Pharmaceutical Chemistry, Warning Letter, India Site, February 2017 USV Private Limited Warning Letter, India Site, March 2017 Mylan Pharmaceuticals, Inc., India Site, April 2017 Divi Laboratories Ltd., India Site, April 2017 Your quality system does not adequately ensure the accuracy and integrity of data to support the safety, effectiveness, and quality of the drugs you manufacture. All Warning Letters contained the same detailed request for a comprehensive response including investigation, risk assessment, and management strategy. 16

17 Standard Data Integrity Warning Letter Response Demand 1. A comprehensive investigation into the extent of the inaccuracies in data records and reporting. Your investigation should include: A detailed investigation protocol and methodology; a summary of all laboratories, manufacturing operations, and systems to be covered by the assessment; and a justification for any part of your operation that you propose to exclude. Interviews of current and former employees to identify the nature, scope, and root cause of data inaccuracies. We recommend that these interviews be conducted by a qualified third party. An assessment of the extent of data integrity deficiencies at your facility. Identify omissions, alterations, deletions, record destruction, non-contemporaneous record completion, and other deficiencies. Describe all parts of your facility s operations in which you discovered data integrity lapses. A comprehensive retrospective evaluation of the nature of the testing data integrity deficiencies. We recommend that a qualified third party with specific expertise in the area where potential breaches were identified should evaluate all data integrity lapses. 2. A current risk assessment of the potential effects of the observed failures on the quality of your drugs. Your assessment should include analyses of the risks to patients caused by the release of drugs affected by a lapse of data integrity, and risks posed by ongoing operations. 3. A management strategy for your firm that includes the details of your global corrective action and preventive action plan. Your strategy should include: A detailed corrective action plan that describes how you intend to ensure the reliability and completeness of all of the data you generate, including analytical data, manufacturing records, and all data submitted to FDA. A comprehensive description of the root causes of your data integrity lapses, including evidence that the scope and depth of the current action plan is commensurate with the findings of the investigation and risk assessment. Indicate whether individuals responsible for data integrity lapses remain able to influence CGMP-related or drug application data at your firm. Interim measures describing the actions you have taken or will take to protect patients and to ensure the quality of your drugs, such as notifying your customers, recalling product, conducting additional testing, adding lots to your stability programs to assure stability, drug application actions, and enhanced complaint monitoring. Long-term measures describing any remediation efforts and enhancements to procedures, processes, methods, controls, systems, management oversight, and human resources (e.g., training, staffing improvements) designed to ensure the integrity of your company s data. A status report for any of the above activities already underway or completed. From Diva Laboratories Warning Letter, April

18 FDA Data Integrity Enforcement Trends US vs. Ex-US Data Integrity Warning Letter Deficiencies 90% 80% Total WLs = 38 Total WLs = 22 Total WLs = 19 Total WLs = 46 70% 60% 50% 40% 30% 20% 10% 0% % US with DI Obs % OUS with DI OBS Data from Pharmaceutical Online, Guest Column, January 16, 2017, Barbara Unger, Unger Consulting 18

19 The Data Integrity Enforcement Cloud Organization / Agency Recommendations / Guidances Agency Enforcement Practice (483s / Warning Letters, Inspection Observations, etc.) Country / Region Laws / Requirements 19

20 The Requirements Blender Expectations Requirements Enforcement TRACE MATRIX Company Policy, Standards, and Systems 20

21 Program Element 1 Regulations, Enforcement, Guidances, Industry Standards Approach: 1. Review and develop a consolidated requirements document from the various guidances and model approaches that reflect external stakeholder expectations. Consolidated requirements MUST reflect local market expectations and should be consistent across the enterprise. 2. Develop Corporate policies that define your Corporate intent relative to various aspects of the external data integrity expectations. 3. Define derivative Corporate standards for quality systems, procedures, audits, and focus areas to translate requirements, expectations and policies into corporate minimum approaches for internal activities. 4. Develop and/or review internal quality system documentation to ensure alignment to Corporate standards. Ensure there s a consistent vertical cascade to operational documents. 5. Establish comprehensive Trace Matrix to link requirements, expectations, and enforcement to policies, standards, and systems 6. Ensure ALL staff, from executive management to line operations personnel are trained in appropriate requirements and expectations derived from all the input documents, standards, policies and procedures. 21

22 Governance Policy, Expectation, Culture, Incentives & Punishment Regulations, Enforcement, Guidance, Industry Standards Building Data Integrity DI Focus Areas Data Lifecycle Management Controls Quality System / Positive Compliance Controls Proactive Challenges 22

23 Program Element 2: Policy, Expectation, Culture, Incentives & Punishment Objective: To ensure all personnel understand the Corporate intent, requirements and expectations; to create positive culture and incent proper conduct; and to establish the significant ramifications from failure to adhere to Corporate principles. Corporate Culture Singularity of Voice (corporate, divisional, site, supervisor, etc.) Objectives Alignment Incentives Alignment Training Programs Compliance program onboarding training Good Documentation Practices Data lifecycle management training Specialized data integrity training Corporate Compliance Office / Officer Corporate Compliance Handbook Conflicts of Interest Internal Controls Employee Obligations Financial Interests Reporting Potentially Violative Conduct Compliance Hotline Human Resource Handbook Zero-tolerance for Violations Immediate termination for data integrity violations 23

24 Program Element 2 Policy, Expectation, Culture, Incentives & Punishment Approach: 1. Understand and, if possible, obtain independent measures of Corporate Culture Develop a long-term cultural improvement plan to enable positive cultural decisions -- Incent candor and reward actions of integrity even where difficult 2. Revise periodic objectives programs to ensure all objectives (financial, operational, cost, outcome) are aligned and do not create do what you have to do decisions Ensure positive data integrity challenge outcomes create incentives Severely punish and establish zero-tolerance for misrepresentation and fraud 3. Establish (or update) Corporate Compliance Office program elements to encompass data integrity considerations Update training programs and compliance audits to focus on fraud, data integrity, etc. Ensure Corporate Compliance programs are robust, active, and well-staffed Ensure the message is the same from top to bottom relative to policy / expectations regarding data integrity Develop lessons learned for examples of good and bad data integrity practices 4. Align Corporate, divisional and local training programs to provide consistent messaging re: culture, objectives, incentives, punishment and acceptable conduct 24

25 Governance Policy, Expectation, Culture, Incentives & Punishment Regulations, Enforcement, Guidance, Industry Standards Building Data Integrity DI Focus Areas Data Lifecycle Management Controls Quality System / Positive Compliance Controls Proactive Challenges 25

26 Program Element 3: Quality System / Positive Compliance Controls Objective: To establish a rigorous quality system and related control framework that incorporates data integrity considerations throughout all operational processes. Positive controls is an expansive term encompassing the quality system control framework and discrete, individual controls over focus activities and functions. 26 Quality System / Procedural DI-revised procedures and detailed work instructions ID Critical Data/Information Control Points Define controls to make mistakes or fraud difficult Good Documentation Practices / Good Data Practices Risk-based control framework Robust IT / IS / IM applications for process management Organizational / Responsibility Controls Special training / certifications for data/information critical functions Monitor critical data generation/transfer points Review of critical data and releases Personnel Qualifications & Background Enhanced screening / background checks for critical data and information responsibilities / roles Robust Training / Knowledge Development IT / IS / IM Controls IT / IS / IM Quality System State of the art security controls Change controls Defined / compartmentalized administration access Regular access reporting & reviews Rigorous Part 11 compliance Encryption & non-repudiation ID / PW Controls Computer Systems Validation PLC / SCADA Controls Rigorous lab equipment access controls Cameras / Monitoring of Critical Areas

27 Program Element 3 Quality System / Positive Compliance Controls Approach: 1. Update / revise or establish comprehensive Good Document / Data Practices program (procedures, training, etc.). 2. Review, revise and update all Quality System documentation to a) Incorporate data and information recording, use and management practices at all necessary steps; and b) Establish broad, general responsibilities for data integrity throughout the Quality System. 3. Establish the proper personnel requirements, background / qualifications check, and training programs to ensure qualified personnel for DI purposes 4. Incorporate robust IT / IS / IM computer-based system to facilitate / enable controlled process management 5. Establish or improve your IT / IS / IM Quality System to incorporate rigorous computer system controls, focused on non-repudiation and robust access logs and audit trails 27

28 Governance Policy, Expectation, Culture, Incentives & Punishment Regulations, Enforcement, Guidance, Industry Standards Building Data Integrity DI Focus Areas Data Lifecycle Management Controls Quality System / Positive Compliance Controls Proactive Challenges 28

29 Program Element 4: Data Integrity Focus Areas Objective: To identify those operational, quality and support activities that have particular risk for data integrity concerns, and ensure both activity execution controls and proactive challenges are implemented rigorously. Laboratory Operations Sampling RM / Incoming In-Process Product release Stability Bioanalytical Component / Product Release Operations Manual / Quasi-Manual Build Activities Compounding Assembly Rework Data/parameter recording / monitoring Batch record / DMR recording Activity execution recording Equipment Logs Maintenance / Calibration Water sampling Distribution Technical Transfer / Validation / Commercialization / Product Launch Data recording Sampling and testing Conformance to Criteria for Acceptability Clinical Studies Study centers Data / system management Reporting & analysis of raw data Physical Plant / Equipment Suitability 29

30 Focus Area Process Criticality Analysis Factors & Groupings Current Controls External Expectations Patient Risk Process Considerations 30

31 Factor-Based Analysis to Data Integrity Process Risk Differentiation / Prioritization Process Activity: equipment. Calibration of environmental monitoring CRPN Range: LOW = 0 HIGH = 100 RANGE of VALUES DI RPN 26 MEASURE Patient Risk (Weighting = 5) 7.5 Data / Information Linkage to Product Quality Outcomes 3 No linkage 0 Minor Linkage 1 Moderate Linkage 3 Major Linkage 5 Data / Information Linkage to Patient Theraputic Outcomes 0 No linkage 0 Minor Linkage 1 Moderate Linkage 3 Major Linkage 5 Current Controls (Weighting = 4) 4 Sophistication / Extent of Current Controls 1 Significant / Extensive Control Exists 0 Moderate / Normal Control Exists 1 Minimal / Insufficient Control Exists 3 No Control Exists 5 Process Considerations (Weighting = 3) 5 Importance of data/information to business / financial objectives 5-Critical 5 3-High 3 2-Normal 2 1-Low 1 1 Group Weightings: 5: Patient Risk 4: Current Controls 3: Process Considerations 2: External Expectations Volume of data/information recorded, generated or used 1 5-Significant / substantial 5 4-High 4 3-Average 3 1-Low 1 Sophistication of business process 3 1-Highly sophisticated 1 3-Normal sophistication 3 5-Unsophisticated 5 External Expectations (Weighting = 2) 2 Establishment / industry acceptance of best practice expectations 1 5-Significant 5 3-High 3 2-Normal 2 1-Low 1 Extent / amount of regulatory focus 1 5-Significant / substantial 5 4-High 4 3-Average 3 1-Low 1 31

32 Program Element 4 Data Integrity Focus Areas Approach: 1. Identify scope of system / process review and concern 2. Inventory all processes within scope 3. Apply Factor Based Analysis to individual processes 4. Sort, prioritize and group for system and control plan development and remediation (if necessary) purposes High, medium, low priority Other groupings: Computer based data risk, fraud risk, etc. 5. Develop system control map, outlining remediation focus, if necessary 6. Report regularly on plan status, changes and remediation progress (if any) to Governance group 32

33 Governance Policy, Expectation, Culture, Incentives & Punishment Regulations, Enforcement, Guidance, Industry Standards Building Data Integrity DI Focus Areas Data Lifecycle Management Controls Quality System / Positive Compliance Controls Proactive Challenges

34 Program Element 5: Data Lifecycle Management Controls Objective: To establish comprehensive data lifecycle management controls that create clear, unequivocal requirements for how to record, migrate, report, repurpose and forward-migrate data to ensure integrity of data and information. Raw Data Controls Validation of Context (metadata) Date Recorded Party Recording Unique Identifier Attribution and Non-Repudiation Signature / handwriting logs Password controls Biometric Logs Database Encryption Limits on Recording Options Numbered Log books Limited computer based tools Singularity of Entry & Data Usage Transference Validation Forward Migration Repurposing Conveyance Outside Entity 34

35 What is Data Lifecycle Management? The management of a discrete piece of data or information from to In the aggregate, the management of your company s data and information from the moment of creation, through use, re-use, re-purposing, migration, archiving & storage, obsolescence and deletion. Data lifecycle management involves a comprehensive approach to data and information management, including a focus on computer-based systems, along with traditional (paper-based) approaches to the recording, storage and use of data and information. 35

36 Controlling Data Throughout the Lifecycle < Maintenance, Storage and Retrieval Controls > CONTROLS CONTROLS CONTROLS CONTROLS CONTROLS CONTROLS Creation Use & Re-Use Re- Purposing Migration Archiving Obsolescence and Deletion Re-Purposing: Using data and information elements for a different purpose than originally intended. Important because origination/maintenance controls for one use may be insufficient for another use. (E.g., basic research vs. clinical data) Migration: Movement or duplication of data and information from one medium/format to another. (E.g., lab notebook to spreadsheet or LIMS system) 36

37 Computer Based Tools Inventory & Risk Assessment Similar in approach to process inventory and risk assessment Basic process: 1. Identify / inventory 2. Assess / score 3. Sort / rank 4. Prioritize remediation Control rigor should align to priority Remediation, if necessary, should be aligned to priority Source: Public Presentation on Data Integrity 37

38 Program Element 5 Data Lifecycle Management Controls Approach: 1. Identify critical data / information control points (DI CCPs) and establish appropriate, robust controls for each. 2. Ensure DI CCPs are called out in execution documentation, forms or computerbased systems to flag personnel criticality for data and information recording or use. 3. Clarify individual responsibilities for all data / information recording and transference steps to ensure no questions relative to routine and non-routine activities. 4. Incorporate specific control elements of a Good Document / Data Practices program into individual control activities. 38

39 Governance Policy, Expectation, Culture, Incentives & Punishment Regulations, Enforcement, Guidance, Industry Standards Building Data Integrity DI Focus Areas Data Lifecycle Management Controls Quality System / Positive Compliance Controls Proactive Challenges 39

40 Program Element 6: Proactive Challenges Objective: To establish a program that regularly challenge, probe and identify occurrences of data mishandling and that will seek out and identify, to the extend possible, possibly fraudulent activity. Quality Systems Control & Challenge Internal Audit Third-Party Audit Fraud Review & Challenge Independent investigator Corporate Compliance Special Skills 40

41 Program Element 6 Proactive Challenges Approach: 1. Establish relationship between Corporate/Divisional/Site Quality Audit function and Corporate Compliance Office. 2. Review Quality Audit policies, standards, procedures and practices to ensure that data integrity control effectiveness checks are incorporated. Develop challenge scenarios. Ensure that checks focus on the complete lifecycle of data integrity for all data and information, and that checks quantitatively establish control effectiveness across the lifecycle. 3. Review Corporate Compliance internal audit and investigation policies, standards, procedures and practices to ensure that data integrity fraud risks are regularly reviewed, in detail, by a formal challenge program. 4. Coordinate Quality Audit program activities with Corporate Compliance internal audit and investigation activities ensure all employees know that the programs are intended to provide an integrated, coordinated approach to data integrity. 5. Develop / structure individual and coordinated challenge outcome reports for review by Corporate Governance structure. 41

42 Governance Policy, Expectation, Culture, Incentives & Punishment Regulations, Enforcement, Guidance, Industry Standards Building Data Integrity DI Focus Areas Data Lifecycle Management Controls Quality System / Positive Compliance Controls Proactive Challenges 42

43 43 Program Element 7: Governance Objective: To develop and implement an appropriate governance approach that ensures regular reporting of data integrity assurance practices performance, and that serves as an escalation point for deviations from directed practices, and is responsible for maintaining the contemporary value of the overall program. Approach: 1. Develop at appropriate organizational levels and ensure rapid roll-up and review of results at Executive levels 2. Ensure Senior Executive review of Corporate governance reports 3. Establish appropriate metrics & reporting requirements at all levels of the organization 4. Where systems or controls are ineffective, or where audits identify failures/gaps, develop remediation plans (CAPA?) and make changes 5. Keep all program elements vibrant and appropriate for the business Site Division / Region Site TPM / Supplier Corporate Site Division /Region Site

44 How It Fits Together A Structural Approach Governance Proactive Challenges DI Focus Areas DI Focus Areas Data Lifecycle Management Controls Quality System / Positive Compliance Controls DI Focus Areas DI Focus Areas Proactive Challenges Policy, Expectation, Culture, Incentives & Punishment Regulations, Enforcement, Guidance, Industry Standards 44

45 Path Forward Review this approach and these principles with Executive Management stakeholders Review regulations, enforcement, guidances, and industry standards to understand the scope and breadth of what is expected Consider your business model and evaluate / adapt this approach to specific business model elements Develop an long-term DI Assurance Program framework to capture all analysis, decisions, rationales, findings, remediation plans, remediation activities and future state controls to convey to regulators when requested Develop regular DI Assurance Program status reports appropriate for review with interested regulators Obtain expert assistance with assessments, planning, remediation activities, governance, etc. as necessary to ensure a complete and objective program Lather, rinse, repeat 45

46 For further information, contact: John C. (Jack) Garvey, Esq. Chief Executive Officer Compliance Architects LLC REG-XPRT ( ) 46