Data integrity issues are regularly cited by global regulatory agencies in inspection reports. National cultures can influence compliance with data integrity standards due to differences in power distance, individualism, and time orientation. Regulators now specifically target data integrity during inspections and audit raw data to verify submitted information. Companies must consider cultural factors when ensuring global compliance and promote quality cultures through codes of conduct.

1. DATA INTEGRITY IN THE GLOBAL
PHARMACEUTICAL INDUSTRY

2. CONTENTS
Data Integrity and Global Regulatory Status?
Consideration of National Cultures
Generalised Root Causes and Examples
Solutions-Governance Systems

3. WHAT DO YOU THINK?
Examples occurring in same facility:
 Raw materials specifications set up by IT within MRP system “writes” to a word
document in QC and printed out. (Nothing validated, not in QMS)
 QC uses specification and performs HPLC assay and other tests. No printouts from
balances/ autotitrator, HPLC raw data deleted after 1 month after Chromatograms
printed out.
 All QC testing results calculations recorded on note paper, sticky notes and thrown
away after a final “neat” report is typed in MS Word for release.
 All QC testing records are therefore “pristine”?
3

4. CURRENT STATUS
Data integrity issues now regularly show up
as critical observations in:
 FDA 483 Warning letters
 WHO “Notices of Concern” Based on Annex 2
Ch 17
 EU Non-Compliance Reports
 FDA now Specifically targeting
Current and New Draft Guidelines
 PICS Good Practices For Data Management
And Integrity In Regulated GMP/GDP
Environments (Aug 2016)
 Data Integrity and Compliance With cGMP
Guidance (Apr 2016)
 MHRA GxP Data Integrity Definitions and
Guidance for Industry (July 2016)
4

5. WHO DOES IT APPLY TO?
EXTRACT FROM PDA POINTS TO CONSIDER ELEMENTS OF A CODE OF CONDUCT FOR
DATA INTEGRITY:
 Companies that conduct clinical trials in support of new drug applications including, but not limited to:
Investigational New Drug (IND), Clinical Trial Application (CTA), Investigational Medicinal Product Dossier
(IMPD), Biologics License Application (BLA), Marketing Authorization Application (MAA), New Drug Application
(NDA), and Abbreviated New Drug Application (ANDA)
 Laboratories that develop methods or formulations intended to support new drug applications or laboratories
that analyze samples generated from clinical trials
 Manufacturers of excipients, intermediates, or active pharmaceutical ingredients (APIs)
 Contract manufacturing & research organizations (CMOs/CROs)
 Contract testing laboratories
 Contractors, consultants, suppliers and vendors that provide services and data that support the production
and control of APIs, drug or biological products
5
Basically most parties
involved from Clinical
phase 2 to Post launch
Phase 4

6. GLOBAL DI METRICS
17
33
7
8
Major Global Regulatory DI Citations 2002_14*
USA India China Other
*Source: PDA J Pharm Sci and Tech 2015, 69 762-770
Nader Shafiei, Regis De Montardyand Edwin Rivera-Martinez

7. GLOBAL DI METRICS
The FDA has been rapidly increasing foreign
inspection across the board (F D & C).
This is in response to the rapid rise in exports
from India, China and Asia in general. So the
increase in DI observations has some
relationship to overall focus as domestic
pressure on “foreign import quality” increased.
The national cultures play a key part in the
compliance issues detected (see later)
Source-Susan and Ann Marie-
Foreign Inspection Process
Overview -FDA

8. WHAT IS DATA?
 The IT definition is that DATA are the RAW FACTs that describe the characteristic of
and event.
 Information is DATA converted into meaningful and useful context.
 Wisdom (or fact based decision making ability) is what we have then, when we have
both.
 It follows that if you do not have the DATA how do you prove your decisions were not
simply based upon opinion and not fact based drivers?
8

9. INFORMATION SYSTEMS
9
Executive
Manager
Analysts
Coarse
Data
Analytical
decision
making
Fine Data
Transactional
Processing
We will come back to this in the context of problem
areas later….

10. DI TERMS AND DEFINITIONS
MHRS Definitions*:
 Data-Facts and statistics collected together for reference or analysis
 Raw Data-Original records, retained in the format in which they were originally generated (i.e.
paper or electronic), or as a ‘true copy’. Raw data must be contemporaneously and accurately
recorded by permanent means.
 Metadata- is data that describe the attributes of other data, and provide context and meaning.
Typically, these are data that describe the structure, data elements, inter-relationships and other
characteristics of data. It also permits data to be attributable to an individual (or if automatically
generated, to the original data source).
 Data Integrity-The extent to which all data are complete, consistent and accurate throughout the
data lifecycle.
MHRA GxP Data
Integrity
Definitions and
Guidance for
Industry: Draft
for consultation
July 2016

11. MHRS Definitions*:
 Data Governance-The sum total of arrangements to ensure that data, irrespective of the format in
which it is generated, is recorded, processed, retained and used to ensure a complete, consistent
the data lifecycle.
 Data Lifecycle-All phases in the life of the data (including raw data) from initial generation and
recording through processing (including analysis, transformation or migration), use, data
 Data Transfer-Is the process of transferring data and metadata between storage media types or
computer systems. Data migration changes the format of data to make it usable or visible on an
 Data Processing-A sequence of operations performed on data in order to extract, present or obtain
information in a defined format. Examples might include: statistical analysis of individual patient
of a raw electronic signal to a chromatogram and subsequently a calculated numerical result.
The FDA also distinguishes between “static” and “dynamic” data, the former being an image or paper
dynamic data is that it can be re-used to recreate the processing as in for example HPLC integration.
For this reasons the original raw data must be kept as it can be used to recreate the original event and
ascertained if there has been any undesirable post processing and manipulation.
(*Note the lifecycle approach is consistent with the principles of ICH Q10 Pharmaceutical Quality
MHRA GxP Data
Integrity
Definitions and
Guidance for
Industry: Draft
for consultation
July 2016

12. DEFINITION OF RAW DATA IN OUR INDUSTRY ?
(FDA CFR 58 - GLPS)
 Raw data means any laboratory worksheets, records, memoranda, notes, or exact copies
thereof, that are the result of original observations and activities of a nonclinical laboratory study
and are necessary for the reconstruction and evaluation of the report of that study.
 In the event that exact transcripts of raw data have been prepared (e.g., tapes which have been
transcribed verbatim, dated, and verified accurate by signature), the exact copy or exact
transcript may be substituted for the original source as raw data. (EMAILS!)
 Raw data may include photographs, microfilm or microfiche copies, computer printouts, magnetic
media, including dictated observations, and recorded data from automated instruments.
(EMAILS!)
12

13. LIFECYCLE APPROACH
13
Risk
Phase 1 Phase 2/3 Phase 3/4
Validation/Tech Transfer
Increase in Patient Safety Risk
With Respect to Data Integrity
PAI
Low Data Integrity Route
Failure
So Data integrity
covers the whole
drug development
to launch lifecycle-
clinical trials data
through to final
release for sale
Certificate of
Analysis.

14. GLOBAL REGULATORY VIEWS
CFR 211 indirectly addresses Data for example:
1. Any Calculations must be verified 211.68(b)
2. Methods must be documented and approved 211.160 (a)
3. Data generated and transformed must meet criteria of scientific soundness 211.160(a)
But more specifically under 211.194 Laboratory Controls
(a) Laboratory records shall include complete data derived from all tests necessary to assure compliance with established specifications and
standards, including examinations and assays, as follows:
 (1) A description of the sample received for testing with identification of source (that is, location from where sample was obtained), quantity,
lot number or other distinctive code, date sample was taken, and date sample was received for testing.
 (2) A statement of each method used in the testing of the sample. The statement shall indicate the location of data that establish that the
methods used in the testing of the sample meet proper standards of accuracy and reliability as applied to the product tested………….. The
suitability of all testing methods used shall be verified under actual conditions of use.
 (3) A statement of the weight or measure of sample used for each test, where appropriate.
 (4) A complete record of all data secured in the course of each test, including all graphs, charts, and spectra from laboratory instrumentation,
properly identified to show the specific component, drug product container, closure, in-process material, or drug product, and lot tested.
 (5) A record of all calculations performed in connection with the test, including units of measure, conversion factors, and equivalency factors.
 (6) A statement of the results of tests and how the results compare with established standards of identity, strength, quality, and purity for the
component, drug product container, closure, in-process material, or drug product tested.
14
AND SO
ON AND
SO ON

15. GLOBAL REGULATORY VIEWS
 CFR 211 Part 11 Electronic Records and Signatures.
 PIC/S GUIDANCE PI 011-3 25 Sept 2007 Good Practices for Computerised Systems in
Regulated “GXP” Environments.
 Both cover in detail the requirements for computerised systems- but this is not the topic
of this presentation.
 A more pointed DI document is the FDA’s Compliance Program Guidance Manual
7346.832 NDA- Pre Approval Inspections
15

16. GLOBAL REGULATORY VIEWS
Compliance Program Guidance CPG 7345.832 has specific directive to FDA PAI
inspectors regarding auditing of Data Integrity:
 “There are three primary inspectional objectives of this PAI program, all of which
require an informed strategy and careful on-site evaluation. These objectives are:
 Objective 1: Readiness for Commercial Manufacturing.
 Objective 2: Conformance to Application
Objective 3: “Data Integrity Audit”

17. GLOBAL REGULATORY VIEWS
Objective 3: Data Integrity Audit
 “Audit the raw data, hardcopy or electronic, to authenticate the data submitted in the CMC section of the application.
Verify that all relevant data (e.g., stability, biobatch data) were submitted in the CMC section such that CDER product
reviewers can rely on the submitted data as complete and accurate.”
 “The inspection strategy may select key data sets or randomly select data……... Generally, data on finished product
stability, dissolution, content uniformity, and API impurity are good candidates for this audit.”
 “ During the inspection, compare raw data, hardcopy or electronic, such as chromatograms, spectrograms, laboratory
analyst notebooks, and additional information from the laboratory with summary data filed in the CMC section”
 “Raw data files should support a conclusion that the data/information……”

18. GLOBAL REGULATORY VIEWS
Objective 3: Data Integrity Audit
 “Examples of a lack of contextual integrity include the failure by the applicant to scientifically justify non-
submission of relevant data, such as aberrant test results or absences in a submitted chromatographic
sequence, suggesting that the application does not fully or accurately represent the components, process,
and finished product.”
 Remember DATA-INFORMATION WISDOM (decisions, justifications, rationales..)
 Inspectors are expected now to sit at the computer terminal and have you “replay” the raw data, and so
basically if you no longer have the actual original raw data when an audit inspector says “SHOW ME” they
will consider all decisions made downstream are suspect and possibly fraudulent/fake.

19. THE WHO IS ALSO ONTO DI ISSUES!
WHO Expert Committeeon Specifications for Pharmaceutical Preparations Forty-eighth report:
“15.9 Data (and records for storage) may be recorded by electronic data processing systems or by
photographic or other reliable means. Master formulae and detailed SOPs relating to the
system in use should be available and the accuracy of the records should be checked.
If documentation is handled by electronic data-processing methods, only authorized persons
should be able to enter or modify data in the computer system, and there should be a record of
changes and deletions; access should be restricted by passwords or other means and the entry
of critical data should be independently checked. Batch records stored electronically should be
protected by back-up transfer on magnetic tape, microfilm, electronic discs, paper printouts or
other means. It is particularly important that, during the period of retention, the data are readily
available.”
 Also mentioned in 15.1 and 17.3d

20. DATA INTEGRITY IS A GLOBAL
CONCERN, AND SHOULD BE SEEN ALSO
THROUGH THE LENS OF NATIONAL
CULTURE TRAITS

21. CULTURAL CONSIDERATIONS
One of the key Drivers in DI Compliance is
Behavioural “Culture”
 The PICs guidance touches upon this as follows:
 “An effective ‘quality culture’ and data governance may
be different in its implementation from one location to
another. Depending on culture, an organisation’s control
measures may be: “
 “open” (where hierarchy can be challenged by
subordinates, and full reporting of a systemic or individual
failure is a business expectation).
 “closed” (where reporting failure or challenging a hierarchy
is culturally more difficult).
Cultural Misunderstandings
Most recognised cultural analysis tool was developed by
G. Hofstede who described the following dimensions:
 Power distance
 Individualism
 Uncertainty avoidance
 Gender- masculinity Vs femineity
 Time orientation- long versus short
 All these aspects come together with the local nuances
to form the work culture, and how well systems like
GMP are integrated.
 National cultures are “different”and not
“deficient”!

22. FACTORS LEADING TO FORMATION OF A CULTURE
22
History Religion
Environment
Climate
Language
Mind Set
World View
Physiology
Security
Reaction
Leadership
Organisation:
Norms
Rules
Structure
Status
Values
These will determine
how hard it is to
maintain cGMP
Success
es
Failures

23. CULTURAL CONSIDERATIONS
What the following slides indicate quite clearly is the differences in national culture in
“Power Distance”, “Individualism and “Time Orientation”.
 These are the more specific element of what the PICs guide calls Open and Closed cultures.
 Power Distance is defined as the extentto which the less powerfulmembersof institutionsand
organisationswithina countryexpectand acceptthatpower is distributedunequally.
 This is the element that will be a potential barriers to reporting “bad news” in general including DI issues. In some
cultures reporting “bad news” to the boss is an overall “losing face” experience.
 The fundamental issue addressed by this individualism is the degreeof interdependencea society
maintainsamongits members. Hence for example the USA is highly individualistic whereas China,
India and Japan are much more collectivist in how they work together.
 A high power distance and collectivist cultures will see reluctance to report issues and for departments to close
ranks much more naturally that in a US company for example.

24. USA VS UK AND USA VS INDIA

25. USA VS CHINA AND USA VS JAPAN
Each country therefore cannot
be treated the same- yet the
regulations require that in the
end they enact the same GMP

26. HOW NATIONAL CULTURE EFFECTS STRUCTURE
26
structured individualism,
speed, drive
USA
French
autocratic
Swedish/Danish
primus inter pares
(first among equals)
Asian
consensus with leadership group
FDA “Law”
Driven
Can explain
why cGMP
expectations
Vs actual
vary Globally
Australia

27. APPROACHES TO DIFFERENT CULTURES
 It is important to note that it is impossible to “change” a national culture.
 Companies who intent to export product to the USA or PICS countries must comply with the
recipient countries regulations.
 Companies should factor national cultural differences when evaluating their supply chain
and associated risks- strong case for site audits.
 Companies and regulatory agencies should consider formal cultural awareness training to
best understand how the perceptions of both parties can greatly effect the audit outcome.
What may be judged as fraud maybe in fact a cultural habit of a desire for a “pristine set of
documents”.
27

28. PRACTICAL WAYS OF AVOIDING CULTURAL
“ERRORS”
 Companies should develop and promote an overall code of conduct or ethics, set by the executive.
 The code of conduct/ethics should be translated down to the functional levels such as Quality,
Production, Engineering etc.
 The QMS system should include agreed and structured reporting lines of communication that make it
less onerous on the reporter and recognises power distance effects.
 Many companies have introduced “whistle-blower” policies in response to changing regulations, but
this should always be a last resort:
 The Companies Act 2013 (India) has made it mandatory for listed companies to have in place vigilance
mechanism for directors and employees.
 Under the Dodd-Frank Wall Street and the False Claims Act, an individual with knowledge of fraud may blow
the whistle to defined regulatory bodies and potentially be eligible for a reward.
28

29. GENERALISED ROOT CAUSES
Examples
 Ignorance
 Lack of, or ineffectual training
 Basic company IT ignorance on data base management
 Organisational culture
 Awareness of the risks
 Human error/mistakes
 Wilful falsification
 Manipulation post acquisition
Examples
 Leadership (walk the talk)
 Lack of understanding of information systems
 Actual hardware issues, data transmission.
 Software errors, lack of change control
 Obsolescence of hardware/recording media
 Poor controls over database management systems
DBMS
 Technophobia of key staff
29

30. 30
CAUSATION BY CATEGORY
People
• Inadvertent errors
• Ignorance
• Work arounds
• Lack of Training
• Time Pressure
• Culture
• Personality
• Resources
• Organisational
friction IT/QA/QC
• Lack of
understanding of DI
vulnerabilities
Method/System
• Lack of Policies
• Lack of QMS
• No internal
Audit/Oversight
• Database
manipulation
practices
• Cross-functional
DBM accountabilities
poor
• Company
management
information systems
review and
monitoring
Hardware
• Lack of CSV
• Lack of IT policies
• Inadequate IQ
• Lack of security,
backup, authorities
• Lifecycle
management
• Obsolescence
• IT system “not up to
the task”

31. SHORT INDUSTRY EXAMPLES
31
Company Observation P/S/H?
A QC Laboratory data acquisition software was not validated to ensure the re-
writing, and deletion of data was prohibited
B QC records did not show who performed the analysis; raw data was not
recorded contemporaneously (real time) nor by the performing analyst.
Failed in injections of QC standards deleted from the sequence without
explanation
C Batch records found falsified after discarding original ones to provide
“clean records”
D Within the QC laboratory there was evidence of non-contemporaneous
recording of lab data, using scrap papers, yellow sticky notes. Some of this
raw data was also found in waste bins.
E Unofficial “trial” testing of samples for production “management
information only”

32. SHORT INDUSTRY EXAMPLES 32
Company Observation P/S/H?
F OOS results found within records of QC data acquisition system not
investigated. Retesting carried out and not justified.
G QC staff routinely collected raw data on scrap paper and collated with
printed off chromatograms to write a “clean report” in MS Word to
present to the head of QA. A review of reports so prepared showed zero
errors or natural errors normally expected within a busy QC
environment- original raw data, weighing's, observations not kept. In
some cases the equipment log was used to capture raw data.
H The Data acquisition systems of the HPLC and GC systems was not
backup up nor part of any company back up policy or program. After
Chromatograms had been printed out raw data was deleted on a
monthly basis due to hard disk constraints. There was no way to re-
verify results from release or stability testing. There were no QC
procedure regarding management of electronic data, backup, security
or strict access levels. Data and methods could be accessed by QC staff
sharing passwords.

33. KEY EXPECTED ATTRIBUTES-ALCOA
33
Attributable
• Who actually
acquired the data
or performed the
actions and
when?
• Signed and dated
Legible
• The data must be
legible.
• The record
should be
permanent.
• The record
should not be
obsolete and not
readable i.e.
microfilm.
• Corrections
should be made
in line with GDP
signed and dated.
• No Company
shorthand
• The record
should be
enduring and on
proven storage
media (beware
thermoprinters)
Contemporaneous
• Data must be
recorded in real
time as and when
it occurred.
• Any practical
workarounds due
to clean room
environments
must be
according to
written
procedure.
• Should be carried
out in close
proximity to it
occurrence(see
second point).
Original
• Data must be
preservedin its
unaltered state
accordingto
written
procedures and
in agreement
with record
retention
requirements.
• If raw data is not
kept there must
be solid
documented
justification.
• The records
should not have
been tampered
with.
Accurate
• Data must
correctly reflect
the actual
measurementor
observation
made.
• There should be
no editing or
errors without
documenting and
approval of the
amendments.

34. 34
Company Observation ALCOA?
I Production records revealed that the dispensary records had not been filled
out contemporaneously and nor had they been checked but completed with
the theoretical amounts after the event.
J The paperless chart recorder monitoring the Purified water plant recorded the
data from inline conductivity and TOC on an SD card. There was no policy or
procedure for downloading this data nor any means to “replay/review” it
offline should it be required; the SD card was simply formatted as and when full
of data indicated by and alarm.
K The NIR used to conduct raw material ID by QC within the inwards goods store
regularly recorded “fail” results or outliers of the approved data set. The
investigation routinely cited “passes compendial testing” added to data set.
There was no explanation or procedure for routine expansion of data sets or
how such results are not investigated using the OOS procedure.
L Inspection of the HPLC data acquisition system logs and sequences revealed
that several blocks of data or analysis could not be matched with product
release testing records (paper) that is the batch in question had more than one
data set. Both data sets passed but only one was used without explanation.

35. THINGS HAVE MOVED ON…PRINTOUTS?
35

36. RISK ANALYSIS
 As part of introduction of any new hardware or software including Human Machine Interface HMI there should
be an impact assessment which should be part of CSV Master Plan.
 An outcome of the IA may lead to a more complex risk assessment as part of overall validation program
justifications.
 Companies should develop a DI risk register which clearly identifies risks, mitigations and residual risk levels.
 It is good practice to have such IA as a mandatory part of capital expenditure forms so as to predict the
actual cost of implementation/validation i.e. LIMS, ERP.
 ICH Q9 methodology should be used
36

37. RISK PROFILES
37
Printouts may
Represent
original data
Printouts Cannot
Represent
original data

38. DI GOVERNANCE PROGRAMS
 Companies should create a DI policy, guidelines and code of ethics which includes regular training for those involved in
handling/managing data.
 Top management should support strong quality culture and lead by example- workshops should be designed with real life
“inspirations” as to what is and what is not acceptable behaviour. If this is counter culture this should be overt and explained.
 Specific DI audits/surveillance should be carried out by trained personnel to look at the audit trail for CQA, CPP , and quality metrics
reported in an APQR for example- a sampling or matrix approach could be used. If possible the surveillance can be facilitated by IT
alarm systems (i.e. attempts at bypassing audit trail flagged).
 Quality metrics should also be used to target specific areas of concern.
 DI training should include all data handling departments including IT and it should be specifically addressed in IT backup, security
and data retention procedures.
 DI protection procedures should also encompass the QMS system and document controls covering, controlled copies, forms, logs
and spreadsheets wherever they concern GMP data and information as defined in written procedures.

39. E-QMS AND GOOD DOCUMENT PRACTICES
(GDOCPS)
Whilst the discussion of e-QMS systems is beyond the scope of this presentation-
 DI considerations must be applied to:
 Doc generation
 Distribution and control
 Doc completion- generation of records
 Doc corrections and verifications
 Doc and record maintenance
 Control, audit trail and numbering of “true copies” and forms.
 Doc retention and archiving
 Doc and record disposal
 All should be validated according to a CSV master plan.

40. E-QMS AND GOOD DOCUMENT PRACTICES
(GDOCPS)
Security and Managing “Hybrid systems”-
 For all critical DI systems, there must be user ID and Log on using passwords. Passwords shall not be
shared. (It is understood that some companies try and avoid additional cost of licenses; this is not
acceptable practice).
 Some companies may develop “hybrid” systems using combinations of paper and electronic
signatures- this is very difficult to validate according to Annex 11 of PICs GMP due to the nature of
“fuzzy” FRS and URS in this case.
 System administrators should not also be “users” or at least they should have two different log on and ID’s for
when they are performing different roles i.e. QA Officer or QAAdmin.
 *Hybrid systems where they exist should be phased out by the end of 2017 (Ref Art 23 Directive
2001/83/EC) “……..take account of scientific and technical progress and introduce any changes that may
be required to enable the medicinal product to be manufactured and checked by means of generally accepted
scientific methods.”
*MHRA July 2016

41.  The IT group needs GMP training in respect of CSV and Data integrity (Finance usually already get audited).
 Data integrity needs to be built into the Quality Management System at a Policy “Level”.
 Data integrity need become a specific focus of regular internal audit programs.
 The PDA “Points to Consider Elements of a Code of Conduct for Data Integrity” provides a good basis for a Data
Integrity Policy with its scope covering:
 Good Manufacturing Practice (GMP)
 Good Clinical Practice (GCP)
 Good Pharmacovigilance Practice (GVP)
 Good Laboratory Practice (GLP)
 Good Distribution Practices (GDP)
 Good Tissue Practice (GTP)
41

42. REFERENCES
 https://mhrainspectorate.blog.gov.uk/2016/07/21/mhra-data-integrity-guidance-18-
months-on/
 http://www.fda.gov/downloads/drugs/guidancecomplianceregulatoryinformation/guidances/ucm495891.
pdf
 http://www.fda.gov/downloads/Drugs/DevelopmentApprovalProcess/Manufacturing/QuestionsandAnsw
ersonCurrentGoodManufacturingPracticescGMPforDrugs/ucm071871.pdf
 https://www.picscheme.org/en/publications (PI 041-1 Draft 2)
 PDA Code of Conduct
 FDA CPG M7346832S508a
 https://geert-hofstede.com/national-culture.html
42

43. Thank you
http://www.delta-gmpconsulting.com/contact.htm