Data Integrity:

Success by Design
Fat-finger, Falsification and
Fraud

Presented by Trevor Schoerie

30 July 2015

150204_POUT
The 3 Fs of data integrity
System design failures and design controls

An inadvertent mistake made by an

Fat Finger operator during the course of their work
that can be made either on paper or
electronically.

An individual who deliberately writes or

Falsification enters data or results with the intention
to deceive.

Collusion between two or more

individuals who deliberately write or
Fraud
enter data or results with the intention
to deceive.

Slide 2 © PharmOut 2015

World’s biggest medicines recall

The suspension follows audits of the

company's manufacturing premises,
which revealed widespread and serious
deficiencies and failures in the company's ‘The Australian public
manufacturing and quality control should not forget how
procedures, including the systematic bad the manufacturing
and deliberate manipulation of practices were at <the
quality control test data. company> which
prompted what may be
the world's biggest
• 219 products immediately recalled
medicines recall.’
• 1650 export products cancelled

Source
https://www.tga.gov.au/product-recall/pan-pharmaceuticals-limited-regulatory-action-product-recall-information
https://www.tga.gov.au/media-release/tga-reminds-australians-potential-danger-pan-pharmaceuticals

Slide 3 © PharmOut 2015

The Rogue Analyst

…… that he believed "a rogue analyst" had manipulated the test

results, but "the defendant tried to downplay the seriousness of
the matter".

Giving evidence, the former IT manager said:

“The MD said to me, 'What is happening with the computer? Is

there any data still on it?' to which I replied, 'No, there is no data
still on it, I've reformatted the computer," he told the court.

The MD then asked him whether a

computer expert would be able to "Can you make it so
retrieve the data if they were to access the data is not
the computer. retrievable by
anyone?"

http://www.smh.com.au/news/business/drug-recall-tests-manipulated-court-told/2005/07/18/1121538910545.html
Slide 4 © PharmOut 2015
A horse called Jim
A German scientist, Emil von Behring discovered that diphtheria
antitoxin present in certain animals' blood could be made into a serum
and injected into humans. His development of serum therapy against
the disease earned him the first Nobel Prize in Medicine in 1901.

Jim was retired from milk cart duties and In the late 19th century
enlisted into the production of serum. In the late 19thwas
diphtheria century
one of the
Unfortunately, Jim contracted tetanus diphtheria
world'swas
mostone of the
feared
between the 25th Aug. and 30th Sept. 1901 world's most feared
childhood diseases.
and was put down. childhood
Childrendiseases.
infected with
Children infected
diphtheria hadwith
a 10 to
Tragically, blood drawn on the 30th Sept was diphtheria had a of10dying
to
15% chance from
mislabelled, the 24th Aug and released, it 15%thechance
disease of dying from
resulted in the death of 12 children. the disease

This incident and a similar Smallpox vaccine incident lead to the passage
of the Biologicals Controls of 1902, which established the Center
Biologics Evaluation and Research and later the formation of the FDA in
1906.
Slide 5 © PharmOut 2015
 MHRA – Data Integrity Definitions and
Guidance for Industry & Blog

“a new look at an old topic”

Slide 6 © PharmOut 2015

Misconception

“There is a general misconception that data integrity failures only

result from acts of deliberate fraud.

…. majority of issues relate to –

• bad practice,
• poor organisational behaviour and
• weak systems,
which create opportunities for data to be manipulated.

….. some basic behavioural, procedural and technical steps to

significantly improve their systems.”

MHRA – David Churchward

Slide 7 © PharmOut 2015

Design Controls for Data

Identify critical data

Identify risks to different types of data

Determine the level of confidence required

Establish controls over the data lifecycle

Generate proof (audit trails, checklists, summaries)

Slide 8 © PharmOut 2015

Identify critical data
CFR Part 11, Scope and Application
Three critical data criteria –
1. Predicate rules - e.g. approved, reviewed and verified - in
place of paper format
2. Submitted to the inspector - in addition to paper format,
and that are relied on to perform regulated activities
3. Regulatory submission -
helped us determine critical steps or data.

New FDA Draft Request for Quality Metrics – July ’15

“in lieu of inspection”

APR data, cPk, lot acceptance rate, OOS rate, Complaint rate, CAPA
effectiveness,
Slide 9 © PharmOut 2015
FDA Part 11 – Design controls

• limiting system access to authorized individuals

• use of operational system checks
• use of authority checks
• use of device checks
• determination that persons who develop, maintain, or use
electronic systems have the education, training, and experience
to perform their assigned tasks
• establishment of and adherence to written policies that hold
individuals accountable for actions initiated under their electronic
signatures
• appropriate controls over systems documentation
• controls for open systems corresponding to controls for closed
systems bulleted above (§ 145 11.30)
• requirements related to electronic signatures

Slide 10 © PharmOut 2015

 PIC/S Chapter 4

control,
monitor
and record

accuracy, integrity

availability, legibility

PIC/S Guide to Good Manufacturing Practice for Medicinal Products PE 009-11

Slide 11 © PharmOut 2015
Data integrity What type of data
PIC/S GMPs would you classify
as critical?

Manual entry of critical data should be checked by a second

person or managed as part of or a validated system

§4.20, 4.21,

§6.17

Slide 12 © PharmOut 2015

Definitions
approved, reviewed and verified

Verified Witnessed Checked

Approved Authorised Performed

Prepared

Slide 13 © PharmOut 2015

Technical Design Controls

1. System complexity / inherent data risk

2. User access, permissions
3. Transactional windows
4. Data structure and location
• Dynamic vs static, hosted
• File structure
• Audit trails and metadata
5. Validation vs functional verification

Slide 14 © PharmOut 2015

1. System complexity
Data criticality and inherent integrity risk

Simple Complex

Filter
pH Integrity LC-MS LIMS
Meter Tester System

UV HPLC
ERP
Spec
System
CAPA
FT-IR System

No software Simple software Complex software

Printouts could Printouts not
represent original data representative

Slide 15 © PharmOut 2015

2. User Access

System access User/group Watch recently

Individual logins (always) permissions the departed
Appropriate to an (CC)
individuals roles
No IT Department?
Independence of roles
PQS / QMS visibility

Slide 16 © PharmOut 2015

3. Transactional window

Data entry window, idle log off

No Added raw material? Performed Checked
by by
1 Ensure room and vessel is No Added raw material? Performed Checked
….. by by
2 Add 100 litres purified 1 Ensure room and vessel is
water …..
Start the stirrer
Add 0.3kg catalyst 2 Add 100 litres purified
Add 2kg buffer water
Add 30kg lactose 3 Start the stirrer
3 Record the time: 4 Add 0.3kg catalyst
_______________am/pm
5 Add 2kg buffer
6 Add 30kg lactose
7 Record the time:
_____________am/pm

Slide 17 © PharmOut 2015

4. Data structure and location

• Dynamic, i.e. mirrored, DC, backed up?

• Business continuation planning?
• Data only or real process information
• Can be restored? With Audit trail and metadata?
• If hosted,
• who else can see it?
• Service Level Agreement?
• Can company and other parties inspect?

Slide 18 © PharmOut 2015

Just data vs process information, i.e.
importance of metadata?
Date TIC601 HIC601

20/07/2015 22.00 69.80

21/07/2015 23.00 68.30
22/07/2015 24.00 66.50
23/07/2015 25.00 62.10
24/07/2015 25.00 63.60
27/07/2015 25.00 80.90
28/07/2015 22.00 65.40
29/07/2015 21.00 53.80
30/07/2015 20.00 55.10

Slide 19 © PharmOut 2015

Meta data vs just data?
Date Location Temp. % RH Operator Date/time
As per WI023/1 < 25oC <75%

20/07/2015 Top rack 22.00 69.80 TS 20Jul15 06:07:28GMT

21/07/2015 Top rack 23.00 68.30 TS 21Jul15 06:09:26GMT
22/07/2015 Top rack 24.00 66.50 TS 22Jul15 06:14:15GMT
23/07/2015 Bottom rack 25.00 62.10 TS 23Jul15 06:06:78GMT
24/07/2015 Top rack 25.00 63.60 TS 24Jul15 07:01:25GMT
27/07/2015 Top rack 25.00 80.90 TS 27Jul15 06:11:55GMT
27/07/2015 Top rack 25.00 72.30 TS 27Jul15 06:15:12GMT
*notation/deviation….
28/07/2015 Top rack 22.00 65.40 TS 28Jul15 06:23:25GMT
29/07/2015 Bottom rack 21.00 53.80 TS 29Jul15 06:07:10GMT
30/07/2015 Top rack 20.00 55.10 TS 30Jul15 06:04:30GMT

Available through the audit trail.

Slide 20 © PharmOut 2015
Ditto, blank and brackets

Date Location Temp. % RH Operator Remarks

As per WI023/1 < 25oC <75%

20/07/2015 Top rack 22.00 69.80 TS

21/07/2015 Top rack 23.00 68.30 “
22/07/2015 Top rack 24.00 66.50 “
Left blank?
23/07/2015 Bottom rack 25.00 62.10 “
24/07/2015 Top rack 25.00 63.60 “
27/07/2015 Top rack 25.00 75.90
28/07/2015 Top rack 22.00 65.40
29/07/2015 Bottom rack 21.00 53.80 TS
30/07/2015 Top rack 20.00 55.10

Slide 21 © PharmOut 2015

5. Functional verification vs validation?
Determined by system complexity

• Raw data includes equipment printouts, original workbook

and logbook entries, readings transcribed by an operator
from an electronic display, or a hand worked calculation, an
observation etc.

• Raw data is a type of record but there is also an inference

that the original 'result' is used further to derive a final
result.

• Information captured within a batch record is raw data if it

can’t be sourced from a validated electronic system.

Slide 22 © PharmOut 2015

 MHRA GMP Data Integrity Definitions &
Guidance for Industry, March 2015 and Blog

Compliment PQS Risk Expectation Design

Intended to The “data Effort and Not expected Design and

compliment governance resource to implement operate a
existing EU assigned to a forensic system that
system” governance
GMP integral to approach provides an
should be
the PQS acceptable
commensurate
with the risk to state of control
product quality based on data
integrity risk

Data integrity requirements apply equally to manual (paper) and

electronic data

Slide 23 © PharmOut 2015

Data must be:

A – Attributable to the person generating the data

L – Legible and permanent

C – Contemporaneous

O – Original record (or “true copy”)

A - Accurate

Slide 24 © PharmOut 2015

 Design DI into your systems
Paper based

Control of Documents Verified Reflective

Initials &
blank forms, available in ‘true of the
Signature
pen right place at copies’, observation
registers
policy/white right time, +- scans data
out time limits checking
Legible/ Contempora
Attributable Original Accurate
Permanent neous

Active Data System clock, Meta data, Data

directory, annotation sync., data about capture,
e-sig, audit tools, audit transaction the data that manual
trails, trail window permits data entry
metadata reconstruction

Electronic
Slide 25 © PharmOut 2015
Take home message

• It’s a big old problem

• Identify critical data
• Its not just the labs
• Its not just IT systems
• Culture –
• awareness and education

….. some basic behavioural, procedural and technical steps

to significantly improve their systems.

MHRA – David Churchward

Slide 26 © PharmOut 2015

Thank you for your time.

Trevor Schoerie

[email protected]
www.pharmout.net

Slide 27 © PharmOut 2015