How would your company do in the next regulatory audit on the hot topic of data integrity? I’ve had the opportunity, to interview and discuss recent FDA inspections with staff at multiple firms who primarily have a paper based data and documentation system. As one might think, a paper based organization shouldn’t have much to consider in the electronic data integrity realm of the inspection. The contrary couldn’t have been more extreme.
Do you have instruments and systems that generate printed data, or use an application based software to create a print out of analysis? Most firms do. Most firms exist in a hybrid world of paper and electronic information. It would seem that once you create your paper copy of the data, your paper system is your true and complete record. You even sign your printouts to identify who the user is. Well as some firms who have undergone recent FDA inspections have come to realize, that is not meeting the expectations of the agency. The agency is focused on preserving the integrity of what they consider the true sources data.
Let’s take an instrument that most firms use for an example. A Filter Integrity Tester (FIT) is a staple instrument in the manufacturing realm. Typically, firms use a common user account, such as “operator”, “supervisor”, etc. or none at all. Previous thinking was this was acceptable because the operator would sign the printout indicating that they were the user and performed the test. The system operated in stand-alone configuration so all the 21 CFR part 11 and data integrity rules didn’t apply. This is no longer going to be acceptable in the eyes of the agency and they have demonstrated that with recent inspections. The original data is electronic, then it is printed. How do you know that “all” the original electronic data is exactly what’s on the printout? Maybe it’s validated, but then do you still know it’s “all” the data. What if an operator performs an action that does not generate a printout? This is still considered “all” the data. This data would only be found on a robust audit trail. The agency considers the audit trail to be part of the electronic record and expect that it is reviewed with the test to ensure compliance and test acceptability. And since the information source is electronic, they expect that electronic, original data to be backed up. The paper printout is not considered the original data. Firms need to back up and store all electronic data to a secure location. This would include tests and audit trails.
I’ve given a FIT as an example, but this applies to all electronic systems. Chrom skids running Unicorn, HPLC instruments running Empower or Chromeleon, glasswashers and autoclaves, even analytical balances. Yes, even an analytical balance was given an observation because the operator could change the date and time in the settings. It was not locked to the end users. If the end user could change this, the FDA considers this a potential breach of data integrity and could lead to falsification of information, intentional or not. The landscape is changing and most firms are behind the industry standard for assessing data integrity and compliance to the expectations. Older instrumentation and electronic systems were not designed to meet today’s expectations. To help, here is a quick checklist that can help you identify your general position on 21 CFR Part 11 and data integrity expectations. These points apply to all electronic systems.
- Does each user of the system have a unique user name and password?
- Does the system allow for password complexity designation and lock out after failed attempts?
- Does the system time out?
- Are there procedures in place to identify current users and level of access for electronic systems?
- Are those lists reviewed on a periodic basis?
- Are there procedures controlling granting access to the systems?
- Does the “administrator” of the system perform or review data?
- Is the electronic record backed up to a secure location?
- Is the retrieval and integrity of the backed up data periodically reviewed?
- Can the end user alter or delete any files saved within the application or CPU?
- Are you reviewing the audit trail as part of process acceptance?
- Does the system create an audit trail with the following features?
- Name of user who created the event
- Date and time of the event
- The previous and current value of the data
- A meaning or reason for a change
If you answer ‘no’ to any of these questions, you and your firm should consider a robust internal audit. These are the things the auditors will look for in your next audit. Be proactive and create project plans to tighten your grip on data integrity in your company.
Article by: Arthur Anderson, Senior Consultants, ICQ Consultants Corp.