Mitigating Data Integrity Risks

June 15, 2016
Jennifer Markarian

Jennifer Markarian is manufacturing editor of Pharmaceutical Technology.

Equipment and Processing Report

Equipment and Processing Report, Equipment and Processing Report-06-15-2016, Volume 9, Issue 6

Computerized systems can solve some of the data integrity problems with conventional paper-based systems.

Data integrity is an important issue for pharmaceutical manufacturing. Pharmaceutical Technology spoke with Oliver Wolf, senior product manager at MasterControl, about some of the benefits and challenges of ensuring data integrity using electronic systems.

Mitigating data integrity risksPharmTech: What are the primary data integrity risks associated with paper-based systems and with computerized systems? How can these risks be mitigated?

Wolf (MasterControl): The primary data integrity risks associated with paper-based systems are data loss, data accuracy, and process integrity. All of these risks can be reduced or even eliminated effectively through computerized systems. In the physical world, complete data loss can occur through something as simple as losing track of a piece of paper or something as calamitous as a fire. Well-designed computer systems will make complete data loss virtually impossible as long as an effective backup and disaster recovery system is in place.

Data accuracy can be compromised by honest mistakes or willful tampering with data, whether you are working in a paper or an electronic system. Electronic systems can eliminate many common sources of errors by automating data processing steps, such as data transcription and calculations. When it comes to willful falsification, more automation does mean less opportunity for tampering. In practice, however, most electronic systems still rely on humans to some degree. These systems do improve detectability but nonetheless still rely on strong review and approval processes.

In FDA-regulated environments, recording who reviewed and approved the data is a crucial element. Paper systems can do a decent job in defining the reviewer/approver, but again rely on human review to catch routing errors that an electronic system may eliminate.

An added risk in electronic records stems from the easy data access these systems afford, which raises the concern that an unauthorized person could access your data. FDA's approach emphasizes that systems need to be designed in a way that such falsification would require the collusion of at least two people. Simply put, while your database administrator may have the ability to alter data without much of a trace, this role does not typically have the motive to do so. Outsiders’ access to your data still obviously is a concern, and implementing sound security procedures is extremely important.

Detecting problemsPharmTech: How can manipulation of electronic records be detected?

Wolf (MasterControl): Well-designed electronic systems have mechanisms in place to ensure that data simply cannot be altered through ordinary means by their users when it is not meant to be changed. So, in these systems you would expect that records, once approved, are simply put into read-only mode. In cases where edits are required after the fact, such systems would only allow edits once the record is revised, or at least is bumped back into an ‘in-process’ state. Either mechanism requires personnel to run through an approval process again. This will generate a full record of the changes made and approvals committed.

21 Code of Federal Regulations Part 11 outlines a number of requirements that FDA-regulated companies must meet in their use of electronic records and signatures. This includes requirements for user passwords, audit trails, and mechanisms that tie an electronic signature to the record it signs. Although this does not mean that it is impossible to change data, for example by gaining direct database access, even a technically proficient person would have trouble updating all records to avoid contradictory data. If data tampering of this level of sophistication is suspected, a good place to start is to compare date and timestamps between activity logs, audit trails, signatures, and the record itself.

Validating systemsPharmTech: What are the requirements of/best practices for validating a computer system/electronic records?

Wolf (MasterControl): In FDA-regulated industries, the entity using a computer system is responsible for validation-ensuring the proper functioning of all aspects of the system. Using a risk-based approach to assess high-risk areas of a given system, and then focusing validation testing on those areas, has become acceptable. It has also become acceptable to rely on vendor documentation for testing of the lower-risk areas, especially when the reliability of the documentation has been confirmed through a vendor audit.

What the high-risk areas of a given system are depends on many factors, including the types of products a company or facility manufactures and what impact the data processed in the system could have on the integrity of these products. System functionality to focus on would certainly include data access and security, electronic signatures, approval processes, and audit trails. Figure 1 shows a validation plan for a system.

PharmTech: What do you see as the most important thing for companies to do or recognize regarding manufacturing data integrity? 

Wolf (MasterControl): The most challenging aspect in the implementation of computerized systems in FDA-regulated industries seems to be finding a solid balance between ensuring your risk exposures are mitigated and not stifling your use of innovative systems by being overly conservative and stringent. This can be especially challenging given that validation and quality assurance activities are often seen as part of a checks and balances system that is almost designed to be confrontational. There are no easy answers here. Every company has a unique culture, but creating one that allows for a cooperative approach can certainly pay dividends.