A look at the regulations and newsletters available for the pharmaceutical industry shows that data integrity is still the most prominent topic. Driven by various inspections since 2012/2013, this trend has now reached small and medium-sized pharmaceutical companies. As a regulatory requirement, data integrity has existed for more than 20 years, defined in FDA 21 CFR Part 11, but it was only rarely checked to its full extent during inspections. The numerous data falsifications that have taken place in Asia have spurred the health regulatory bodies in Europe and the USA to start regular data checks during their routine inspections worldwide.
New quality requirements for pharmaceutical products are usually defined in regulations, which have to be adhered to and which are part of the international and national GxP rules. For data integrity, similarly detailed requirements are still missing: starting in 2015, a number of guidelines, led by the British MHRA, were published as draft versions but have to date not been finally approved. Unfortunately, it must be noted that there were no efforts to harmonize these draft rules. The many different approaches confuse pharmaceutical entrepreneurs who are trying to reach compliance with the rules. In particular, the process ("how to") for reviewing relevant audit trails is not yet clearly defined.
The EU GMP Annex 11, published in 2011, just requires that "audit trails have to be reviewed regularly", without giving any details. To date, such a review has only rarely been checked by European health regulatory inspectors. The only sources of information are conferences and seminars where inspectors present their point of view to the public: for the manufacturing of pharmaceutical dosage forms, a detailed review of all critical data is required for each batch prior to final release. The cost, i.e. the extra time needed to review such batch data, could be 1-1.5 hours/batch, depending on the complexity of the processes for production and quality control and also on the size of the audit trails.
A risk-based approach, which has been applied in the pharmaceutical industry for more than 10 years, can be very helpful. First of all, the critical computerized systems should be evaluated with respect to the integrity of the data they manage. Pragmatic approaches allow such an "exercise" to be completed within 1 to 1.5 days (medium-sized company). This assessment is the basis for prioritizing future activities; it can be documented easily and is the right tool for presenting the strategy to the investigator. The same risk assessment process can be used to check the relevance of the review of audit trails. Nevertheless, many companies start their data integrity activities by completing comprehensive checklists, mainly derived from 21 CFR Part 11, sometimes containing more than 100 questions and requiring one entire day to fill in for each computerized system. Health inspectors will appreciate the effort, but in most cases will issue an observation or "483" for the lack of a data integrity compliance strategy for the near future and for the missing identification of gaps.
Recently, GCP systems have come into the focus of inspections, triggered by the manipulations and data falsifications identified by the WHO in 2014 at the Indian CRO (Clinical Research Organisation) Quest Life Sciences and discovered by the EMA in 2015 at the Indian CRO GVK Biosciences.
For clinical studies, checking the integrity of data is mandatory. It is usually performed by the clinical monitor, who in the past preferentially reviewed only the documentation, but not the history of data entries. Particular emphasis should be put on hybrid systems, where data are manually transferred from paper, i.e. from the case record forms (CRFs), to the electronic application, a process which is very error-prone. If electronic systems (eCRFs) are used for data entry by the medical doctors involved in the clinical study, the clinical monitor may need to review the correctness of the electronic data, i.e. whether data were modified or "cleaned" after the first entry. The risk evaluation of all safety-relevant criteria, particularly the identification and assessment of adverse effects/events, must have top priority. Furthermore, the completeness and correct entry of the patients' visits/phone calls and clinical data (e.g. blood pressure, temperature, bodyweight, symptoms) by the nurses/doctors, according to the clinical protocol, have to be verified by the monitors. The extent of such additional control activities to verify all clinical data relevant for the study, with emphasis also on the laboratory results, has so far not been defined by the health regulatory authorities.