PIC/S finalizes GMP data integrity guidance

This week, the Pharmaceutical Inspection Co-operation Scheme (PIC/S) announced that its new guidance on good practices for data management and integrity for pharmaceutical manufacturers and distributors has come into effect.
 
When authorities inspect facilities of manufacturers and distributors of active pharmaceutical ingredients to ensure good manufacturing practice and good distribution practice (GMP/GDP) compliance, “The effectiveness of these inspection processes is determined by the reliability of the evidence provided to the inspector and ultimately the integrity of the underlying data,” notes the introduction to the final version of a draft document originally introduced in 2016 and re-issued as a draft in 2018. (RELATED: Data integrity: New draft guidance and Q&A,” Regulatory Focus 11 August 2016; PIC/S drafts guidance on good practices for data management and integrity, Regulatory Focus 07 December 2018)
 
Defining data integrity as “the degree to which data are complete, consistent, accurate, trustworthy, and reliable and that these characteristics of the data are maintained throughout the data life cycle,” the guidance notes that manufacturers and distributors have a duty to seek out vulnerabilities in data systems, and to “design and implement good data governance practices to ensure data integrity is maintained.”
 
The final document is meant to guide inspectorates in “planning a risk-based inspection relating to good data management practices,” without imposing an additional regulatory burden. Rather, the final guidance is meant to help regulators clarify how current GMP/GDP requirements relate to “current industry data management practices.”
 
The scope of the guidance includes all activities pertaining to the handling of data, “including but not limited to data policy, documentation, quality and security.” The primary focus of the guidance is on data management as it related to GMP/GDP considerations, but the general principles also apply to data in the registration dossier, for example.
 
Both on-site and remote, or desktop, inspections are included within the scope of the guidance. Subsequent inspections conducted for cause, to probe vulnerabilities found on first inspection, are excluded from the scope of the document.
 
The guidance’s discussion of data governance principles introduces the concept of the data lifecycle, referring to “how data is generated, processed, reported, checked, used for decision-making, stored and finally discarded at the end of the retention period.” The guidance acknowledges, however, that data do not follow a linear path through the lifecycle, but rather will cross boundaries and reappear in a variety of formats.
 
The data governance section also reviews which organizational and technical areas should have data governance controls.
 
Data criticality and data risk should factor into a risk-based approach to data governance, according to the guidance. The success of an organization’s data integrity management system will depend in large part on how organizational influences and company culture are successfully integrated into the data integrity plan. A relatively open, non-hierarchic management structure will require a different approach than a more closed, top-down structure. Specific suggestions about how to take corporate culture into account are included in the guidance.
 
The final document also includes a section on general data integrity principles and “enablers” that help put the principles into operation. The guidance outlines basic data integrity attributes: both paper and electronic systems should be attributable, legible, contemporaneous, original and accurate; these attributes are sometimes referred to by the “ALCOA” mnemonic. Additionally, information should be complete, consistent, enduring and available.
 
“If these elements are appropriately applied to all applicable areas of GMP and GDP related activities, along with other supporting elements of a Pharmaceutical Quality System, the reliability of the information used to make critical decisions regarding drug products should be adequately assured,” according to the guidance.
 
The final guidance includes a section on specific elements that should be checked during a record review, and details expectations for generation, distribution and control of records.
 
A dedicated section of the guidance addresses specific data integrity considerations relating to computerized systems, including expectations and potential risks in qualifying computer systems. System security issues such as user access controls are also addressed in detail in this section.
 
Data integrity within hybrid systems is also addressed, but the document discourages use of such systems because of their complexity and “potential increased vulnerability to manipulation of data.”
 
Outsourcing activities also have their own section in the final guidance; general supply chain considerations, document verification, and considerations for audits and general surveillance are among the topics covered.
 
The guidance document also includes a section on potential regulatory actions that may be taken in response to deficiencies or other data integrity findings. This portion of the guidance places a variety of types of deficiencies into broader categories; it also gives suggestions for remediation of data integrity failures. This section, however, “is not intended to affect the inspecting authority’s ability to act according to its internal policies or national regulatory frameworks,” according to the PIC/S authors.
 
The final guidance document runs to 63 pages, including a glossary of terms.   

PIC/S