Good morning everybody I'm Louis Glunz
president of Regis welcome you to our coffee and chemistry talk. We have
plenty of talks and if you look at our website through you're in it YouTube.
I have a little promotion of our company. We're a company that takes molecules from
development up through the clinic to commercial and we do all the associate
the analytical, validation, and impurity work along with that fear you're finding
documents to the Drug Master File (DMF). We have really good fortune that Mike Anisfeld
here as a speaker. Mike has 35 years in the pharmaceutical industry in
production, quality, and technical transfer. Mike was educated UK and it
actually a qualified person in the UK so some of our products are released in
Europe by QPs and Mike is one of those persons. For the last 15 years Mike's
advised Regis, and he's no small part of us having zero 483s on our last three
inspections were very happy about that. Let's make this a productive day. Mike going to talk
for an hour on Data Integrity. This is the number one way that companies find
themselves in FDA warning letters. And actually interesting your presentation
yet some things were car companies are getting some data integrity issues. Oh
you wait wait. Let's welcome up Mike Anisfeld. Good morning everybody! Good morning everybody slight
qualification I am a QP in Europe but because I'm resident here in the
States I'm on a reserve list in Europe the day I move back and tell them I'm
officially back in England I become a full QP again
so that's the bazzara T of the European regulations. Today we're going to talk
about data integrity which is becoming the a number one topic in FDA
inspections. Three weeks ago I was in Seoul Korea with a client who's going
through his fourth FDA inspection so we expected no problem one inspector for
five days three days spent doing data integrity two days looking at the
quality systems never got in production never got into warehousing never got
into validation it was all data integrity so that's the move of FDA
these days. We're living in a world of lots and lots of data and many words and
you hear about this all the time big data data integrity and what does it
really mean to us and what does it really mean to society in general so
it's how do you access the data who can change the data how do you maintain the
data it's all part of that system. Just a bit of history some GMP trends in the
1980s we had basic GMPs you know the regulations came out and
every was trying to get to grips with it. In 1990s we had the part 11 computer
controls, if you remember y2k and we remember the panic of Y2K? Your
bank accounts will disappear on midnight on December 31st 1999. Some of you may be
too young to remember that. Then we had the aughts as they say the 2000s,
where we got into quality systems, out of specifications, CAPA's and trending. Which was new
to many many companies. And now this the theme of this last few years is data
integrity and as I said it really is becoming the real focus of many
inspections, not just FDA maybe British the Swedish other
European countries are also very very concerned about this. So it's becoming a
global issue of really big proportions. Some quality management principles and
where does it all fit together. If you read into ICH International Conference
on Harmonization, they have guidelines which are now in effect basically
worldwide everybody follows them. If you read ICH
Q10 they talk about quality management systems which involves the patient. What
are we doing to impact the patient? Positively I hope! How do we design our
drugs and our API's towards the patient? We talk about leadership and management
responsibilities. Louis's job here at Regis is to give the people, the money,
the finances, the time, to get the job done. Then he delegates the quality
aspects to Dan he regulates the odious the production aspects somebody else but
management is the top key issue. The Process. What is the process we're in?
What are we trying to make? How we're trying to do it? and how do we design it
but it's validated and foolproof? And then where is the evidence of that? Where
is the data of that? And I've highlighted that because that's gonna be the subject
today's discussion. Then we have CAPA Corrective Action Preventive Action. What
do we do if things go wrong? Because none of you came to work this morning saying
I'm gonna mess up things just happen. Well you may do I don't know. I hate the
company I'm gonna really mess it up! But none of us really do that? Things
happen so what do we do how to be correct? And then finally we get into
FDA's big one these days which is their key to getting into data integrity their
key to getting into quality systems. They first go for the annual product reviews.
So it's we give them the information and they can rip us apart. But that's the
Quality management principles. And you have to realize it's not just
pharmaceuticals I don't know if anybody's followed the news in the last
few weeks about the scandal in Japan. Kobe Steel, anybody heard of Kobe Steel?
It hit NPR this morning for the first time.
Kobe Steel makes the steel for automobile industry, and about 80 percent
of all cars made in Japan use Kobe Steel. Well it turns out that they've been
fudging all their data about the steel strength, and now there's a huge scandal
which could impact every car made in Japan over the last 10 years, and could
be massive, massive recalls. We're not sure yet what's gonna be happening. So
it's not just the pharmaceutical industry who we worry about. It impacts
everybody it impacts everything! Mitsubishi Motors another Japanese
company manipulated data to make the fuel economy for some of its cars look
better. Hey if Volkswagen does it why don't we! I
mean hey! Let's join the club. This one blows
my mind the US Air Force managed to lose a hundred thousand records in its
database because they didn't do any backups. The US Air Force didn't do
backups lost a hundred thousand records? Doesn't that tell you something about
government, or in specifically where was there QA people to make sure the system
worked properly? So it's not just pharmaceuticals. This is an old one from
pharmaceuticals in 2003, where this company called Pan Pharmaceuticals had
to recall every product on the market because they had systematic and
deliberate manipulation of their quality controlled test data. If they couldn't do
the test I just write at a number makes no difference nobody's going to check
Well guess what? They got caught out and caught out. There was a period in
2004 that you could not get a vitamin product from always, because
everyone had been made in Australia and shipped over here and he was a worldwide
recall. The company went out of business about six months later. So it's everything. Now it is a global
concern. You want guidelines on data integrity?
Well there's one issued by the World Health Organization (WHO). The Pharmaceutical
Inspection Cooperation (PIC/S) Scheme which is 50 countries has a guideline and it's
identical word-for-word for the European Medical Agency (EMA). The British have come out
with a great one an FDA has come out with a guideline 'ish'. It doesn't exactly
tell you what exactly to be done and how. If you really want to know what to do
read the British one. It's really the word for word tells you, no nonsense what
to do. So I'll give you that reference all you have to do is Google: 'MHRA Data
Integrity guideline'. You'll get it, it's free. So realize that if your data is not
accurate, if we can't trust it it may as well not exist. Why do we bother having
it? Means a lot of work to create it. So let's talk about what is data integrity.
It's more than you may believe. It's the extent to which data is complete,
consistent, and accurate throughout the data lifecycle from the initial
generation, through recording and processing, including transformation of
the data from manual to computer, from computer, to another computer, to a backup,
to a restore it. Does it all hang together?
Many companies I go to actually have you check that the restore function works?
You back up the data great. But how do we know the file wasn't
corrupted during the backup? When I say oh. Well I said well let's do it now.
let's play humor me. Let's try and restore the data now and
come back at lunchtime and show me the ax restore data matches the original
data. Lunchtime comes and go as they say well
we're still trying to do it. Well come on it should be just a press of a button!
Right through retention archiving retrieval and finally destruction. Yes
eventually you will destroy the data 10 to 20 years from now you still need to
keep the data probably not so data sits in the middle of three circles it's like
a Venn diagram. Confidentiality you don't want your data getting out to other
people. Integrity can we rely on the data is
integral and is it available to review that availability is often a big problem.
The key to data integrity is what is called ALCOA. Everybody familiar with the
term ALCOA? Aluminium Corporation of America, ALCOA
that's their logo just remember ALCOA. No I don't have
shares in ALCOA. And it's the key to data integrity.
(So let's) What is this ALCOA? It's an acronym for five things the A is
attributable. You clearly know who recalled the data who performed the
activity it's been signed and it's been dated and you know who wrote the
document and when they did it. Last year I was in India at API company, and the
batch records are in English. Nice I can read it, and I'm looking at the batch
record the production cycle the processing cycle the reaction time is 48
hours at a certain temperature and pressure and rotation. I'm looking at 48
hours worth of data and it's all written with the same slope of the hand writing
the same color ink and it's all exactly written down the middle of the column.
What would you think to yourself? Is this written by the person who did the job
when they did the job? Probably not! So I said to these QA director next and
I said, "You know I don't believe that the actual operator wrote there's details
because 48 hours is six shifts each of six hours and you can have six types of
handwriting but it's all one type of handwriting.", and he goes Mr. Anisfeld, you
are totally correct. I said then why doesn't the operator do it? And they said
well the operator can't read or right. I said okay I can understand that yeah
read and write English. Why don't you write it in the local language Marathi?
This is outside Mumbai. Marathi. He says no no Mr. Anisfeld
you don't understand what I'm saying the local operator can't read or write
anything. Totally illiterate in any language so we have to have the
supervisors come in afterwards and write down what we think they will happened. So
there's your first basic problem of data integrity. Legible. It must be possible to
read or interpret the data after it's recorded. It must be permanent that means
no pencils, no unexplained high hieroglyphics or symbols or codes and if
it's correct it has to be done properly. You know the proper way one line through
signature date new number or if in Japan two lines through as Japan is different
no two I in one line through in Japan it means not whatever it is in two lines
through means it's an error. It has to be Contemporaneous. The data has to be
recorded at a time it was generated in close proximity to the location where
the data is generated. So I went to one company where the balances are three
rooms away down the corridor, and they go along to do the weighing, and they
remember what the weighing is they come back three rooms they write it down. Not
exactly the best practice. Original. The data has to be preserved in an unaltered
state. If not you have to explain why not and you have to certify copies of the
data. In France it is terrible there is a cultural thing there don't ask me why it
is but it's a cultural thing. You want the data in reports to be neat and typed
and legible. So they do that. They take the original data they copied into the
typists and she typed up all neatly and legible, and then they throw away the
original. Don't ask me why. I see that even this year. I saw that and lastly it
has to be accurate has to really reflect the action or the observation made the
data has to be checked where necessary and modifications have to be explained
if they are not evident. So the data has to be checked where necessary that
doesn't mean every piece of data has to be checked. There are what we call
critical data elements and non-critical data elements. So if I'm recording your
training. There are critical elements of the
training: What was the topic? Who gave it? When was it given? What is not critical
is the exact time it started to the second and the exact time it finished to
the second. So that's critical non critical and there are many documents we
have in our industry that really are not critical and don't need a second
signature. I go to some places where everything has a second signature, and
then the amount of manpower that takes on the amount of checking and rechecking
is incredible. So first look at your data and say what is critical and what is not
critical? You have to have a system to make sure you have data integrity.
You can't just say well of course we have. Jim wrote it. Jim, we trust Jim, he's been here
for twenty years. If he says he wrote it on Wednesday, he wrote it on Wednesday.
That is a German attitude, but it's not acceptable. In Germany people work for the
same company for years and years and years and after 20 years working with
something you still don't know his first name. It's Herr Schmitt! So you need to
have a system and process designed to encourage compliance with the principles
of data integrity. You need to consider ease of access, usability, and location
when ensuring proper controls. For example now this slide is totally stolen
by me from the MHRA Data integrity guidelines. I make no claim to write
written it so when you get to the guideline you'll see this exactly again.
You need to record times that events happen if you are critical for time. I
went to a company in Pittsburgh recently and every room I went to showed a
different time. Not off by one minute or two minutes one room said 2:30 another
one said ten minutes past 11:00. I mean no synchronization whatsoever! This is
Pittsburgh. So you have to have access to clocks, and they should be master/slave
synchronized. One master clock and all the others mirror it. and it should
ideally be synced to a time clock you know by these atomic time. I have one
in my bedroom. It's every hour on the hour some signal goes to a satellite
and it's always correct as is my watch. Accessibility to batch records, and I
would also add testing records at locations where the activity
takes place. Ad-hoc data recording a later transcription to official
records is not necessary. I went to a place recently where the weighing
records was actually original was written on a paper towel, and then they
took a paper towel and took it back to the lab, because the weighing was three
rooms down. And I said, well where's the original data because I saw them do it on paper towel
over there but here there's no paper towels. And well no we transcribed. Well
the best solution to that is either take the lab book with you, or take the paper
towel cut it out and stick it in the lab book I mean one of the other but, I want
the original data. Control of a blank paper templates for data recording. Many
places you go to they spilled some acid over the paper in the datasheet, go back
to the lab, get/photocopy another data sheet and bring it in. Well how do we
know the original data was the real data and what's been copied now on a new one?
FDA doesn't like that at all. Abbott paid a fine of around quarter
million dollars for that about 15 years ago. There's a real big issue. Access
rights preventing data amendments. I would expect that the minimum there is
an SOP that defines who can access data? Who can read data? Probably anybody. Who
can write new data? Only authorized validated analysts, or trained analyts. Who
can edit data? Probably only one or two people on the very strict controls, and
who can delete data? Even more restrictive controls. But these things
need to be defined in SOPs. You need to have audit trails. Audit trails need to
be automatically generated. You can't have a little log saying well I change
this on that and that's it. The system itself has to have audit trails and
these audit trails need to be reviewed and FDA's latest thinking is when you do
an HPLC chromatogram you print out the run sheet, you print out the
chromatograms, and then you also print out the audit trail for that day or that
operators work, and it needs to be reviewed as part of the batch record
review. Automated data capture and Printers attached to the equipment is
encouraged. So you don't have to write numbers down just take a printout. It's
encouraged it's not a must but it's encouraged. and printers obviously have
to be close to where they're the work is being done. If you are checking data you
also have to have access to the raw data. So when QA does the batch record review
and gets the QC lab it's not sufficient to get just a certificate of analysis
from the lab they need to get the raw data with all the chromatograms without
all the printouts of a QA can do a second person check or a third person
checking some company. You need to control the physical
parameters of time, space and equipment to perform the tasks to be done is required
many places don't have room for printers don't have room for computer inputs so
they transfer the data by hand. What we call sneaker ware. They take a disk away
move it somewhere around. You have to have enough space to do these things.
and as I said before staff checking the activities need to have the raw data
this is a British thing that allows scribes to record activity on behalf of
somebody else under exceptional circumstances a different company in
India I saw the work of making tablets and the guys doing his work and standing
just inside the door of the room is the supervisor with a checklist. The batch
record riding up all the data because can't read it legibility. Guys just not
able so the British allowed containment recording who compromises the
productivity to accommodate cultural or staff literacy language and activities
performed by an operator but witnessed and recorded by the supervisor. The FDA
doesn't allow that. the British do. In both situations the supervisor recording
should be contemporaneous and it goes on. Now there are different data record
formats and depends on the complexity of what's going on. We can have simple
activities, all the way through to complex activities. Simple activities may
not require software at all and a printout could we represent the original
data. For example, I'm doing a weighing. I do the weighing, I get a print out from the
printer. There's no computer no data saved in the weighing balance there's no
linkage to a LIMS system. What I do is I weigh it here's the printout
that's a simple system. All the way to the most complex which has complex
software and the printout itself doesn't represent the original data. The original
data is captured in the hard disk inside the computer. I don't know if you're
aware every time you made a photocopy on your photocopy machine, the big
one downstairs hallway. There is a hard disk in there, and it keeps a copy of
what you copied. Police could go in there ten years from now and see exactly
what's being covered on that machine. So that's the original data. The print out
is a facsimile. So we have no software all the way through to complex software,
and if you put all your pieces of equipment on this scheme, a pH Meter has no software, the printout is what you get
that's it. All the way through to Enterprise resource planning (ERP), LIMS systems,
even CAPA systems, the further you get the more complex the data, the more you
have to worry about data integrity. Can we trust? Can we rely on the data? My
slides by the way have a series of builds on them and when you print out
the handouts the trouble is it doesn't always print all the series of builds.
I'm more than happy if you give me a business card, I can send you the
original of the presentation, and then you can see the whole thing, all right.
So documentation requirements for data integrity when you do chromatography
work. I would expect to see the print run chart, the sample sequence, how you what
you injected, your blanks, your standards, your calculation of system suitability,
your actual runs, your system suitability, again. So print the systems is really
from the start in the end print all the chromatograms, print all the calculations,
and then print the audit trail for all work by that analyst for that day. That's
nowadays what is expected to be the minimum for QA to reviewing for the QC
lab manager to review the data, and FDA is spending a lot of time on the audit
trail. There is an inspector, FDA inspector by the name of Peter Baker who
is originally a chemist and is a wiz on this stuff. I've suffered through two of his inspections. And he knows HPLC is much
better than most of you in the lab do, and he can do a number on this he got so
bad that he caused two years ago three years ago 17 Indian Pharmaceutical companies
to get warning letters, and the result of that was the Indian pharmaceutical
Association asked the government not to renew his Visa! (laughter) And he got kicked out of India really
seriously. He spent the next year at FDA headquarters teaching other FDA
inspectors exactly what he knew, so now we have Peter Baker and lots of mini
Peter Baker's! And Peter Baker then came to China and I suffered through his
second audit. I suffered through one in India, I suffered through another one
in China, and again he found things that we had no idea what he wasn't even
looking for, and we got another warning letter on that. He's now been kicked out
of China as well. I'm not sure where he is now but he is really knows his data
integrity. We have to worry about data governance how do we address who owns
the data throughout the lifecycle considering the design operational
monitoring of the systems to comply with the principles of data integrity over
intentional and unintentional changes of information. How do we control this?
Who thinks about it? So include staff training in the importance of data
integrity principles. The creation of a work environment that enables the
visibility of errors. When you make an error, it should show up. My wife recently
had a blood test, and her hemoglobin level went down to 6.9, and instead of
just reporting the results, overlaid over the result was the word 'Panic Panic' to
catch the nurses' attention, the doctor's attention, because when your blood level, when your
hemoglobin goes down to that level, you can die. Two more drops in it,
you're dead. So they all came running like crazy. You have to have a
transfusion, right now. So that's how you get people's attention. The same with the
errors. The visibility of errors. Senior management is responsible to implant the
systems, the procedures to minimize the potential risks of data integrity and
identify the residual risk, the using risk management techniques explained in
the risk management ICH guidelines. And contract givers, that's you, using an
outside lab or an outside testing facility have to ensure that data
ownership, governance, and accessibility are included in contract and technical
agreement. It should also govern data governance as
part of your vendor assurance program. So part of your audits now of vendors is:
how do they control their data? how do you know that their data is intact
integrity? And raw data has to permit the full reconstruction of the activities
resulting in the generation of the data. In the case of basic electronic
equipment which does not store data, or provides only a printed output, the printout
constitutes the raw material. For HPLCs, GCs, UV, the print out is not the
raw material. No matter what your SOP says. Because I've been to place where it
says in our facility we consider the printout to be the raw data. That's fine
for you that's not fine for the authorities. The raw data is won't the
first capture point. Are you all familiar with the term metadata? Metadata a
really important issue. Some people are always confused by this. If you go home
when your wife is on the telephone. You can hear the discussion from her side of
it or his side of it just past on the phone, and you know the conversations
going on and you can hear one side of the conversation. You have no idea who
they're speaking to. A month later when you get your phone bill, you'll get a
list of the date, who was called, the time of the call, the duration of the call.
That is the metadata giving context to the one-sided conversation you heard a
month ago. So the conversation itself is the data. The metadata gives you the
background to it. Metadata without the data is useless.
Data without the metadata is useless. So you need to make sure that you keep both
so when you have a chromatogram you can see the print out but the metadata is
all the who did the assay, what time they did the assay what other assays were
done. That's all the metadata and that's what needs to be seen in the audit trail.
So it's the data describes the structure the interrelationships and other
characteristics. It's an integral part of the original record, and without the
metadata the data has no meaning. You need to make sure the accuracy
completeness and content of the meaning of the data and the metadata throughout
the data life cycle. So if Regis is making an API, and you do, and your
typical expiration date is what three years? Let's say three years. Then you
need to keep the data for how long? Not three years,
because your API is going into somebody else's tablets, and they have a four year
expiration date, and the GMP says you keep data for the expiration date plus
one year or two years in Europe, so that your customer has four years plus a 1
that's 5 plus your 3 is 8, and then your lawyers will say keep it forever. But but
you have to think about the usage and the data retention time, okay. You need to
worry about destruction of the data should and you need to consider the
criticality and applicable legislative retention requirements. Archiving data
should be put in place for long-term retention of relevant data in compliance
with legislation. I became the QA manager of a company and I was looking at all
our data. We had nice computers which at that time had three and a half inch
floppy disk. I inherited some 11 inch disks the original Wang disks. Couldn't
read them! I had no way of knowing what the data said. That's one of the problems we
have today. CD ROMs as a data media storage is old hat. It's going out the
way. You keep your data on a cloud. Where's the cloud? Anyone know where the
cloud is? Who controls the cloud? How do you know what's happening your data? All
these things come up cloud computing. You like the clouds? Took a long time to find a
picture of clouds. All right. Here's a big issue because everybody's going to the
cloud both for downloading software and for keeping your data. We have software
providers who have SAS, high SaaS software as a service, infrastructure as
a service. If you want to buy Microsoft Word today you probably can't buy it as
a disk you could only rent it for them and have to pay a fee every year. They're
keeping it as a service. You rent the service. Same with Adobe when you're
trying to print out documents you can't buy the discs anymore I still use
version 9 because it's on the disk that I've got, otherwise if I went to today's
version 13 every year I got to pay 130 bucks! To me that's insane, that's
how they make money. So where you use a cloud or virtual services you have to
pay attention to understand what is being provided who owns it how you
retrieve it how is retained and its security. The physical location where the data is held including the impact of any laws
applicable to that geographic location should be considered. Has anybody heard
of these Svalbard islands in northern Arctic Ocean?
Svalbard it's a little set of islands owned by Norway, and it is year round
average temperature 30 degrees. It is cold, and these server farms which have
all these computerization get very very hot, so they are looking for places where
they can cool it down. ah Svalbard, and we now have
several data farms up in Svalbard. Who owns that data? Well the company you
hired from? But what is the legislative rules for that data? Norway? Well that depends
on which part of Svalbard you are? Because half of Svalbard is Russian. So
you're gonna go with the laws of Russia to keep your data, and data hacking? We've
heard that recently, or is it gonna be the Norway? Have you even thought
about this. Responsibility of the contract give our acceptor and remember
the cloud is a contract acceptor you're going to tell them store my data has to
be defined and agreement, and if you want to go ordered it anybody want to go to
Svalbard. It's difficult to get to by the way. You need to have timely access to
the data including the metadata and ordered trails and you need to have kept
by the data owner and the national competent authorities on request. You
should be able to go there with reasonable advance notice. Hey I want to
come and audit your facilities for GMP compliance because this is part of GMP
and I want to come next November. Oh I can't come in November why not well
there's no plane and no boat. Oh so you've got to think about those sort of
things. Contracts with providers define the responsibilities for archiving
continued right readability of the data throughout the retention period and
appropriate arrangements must exist for the restoration of the software of the
season as per its original interactive validated state. Many people rent
software these days. I just mentioned word they say the advantage of renting
software is we are constantly updating it so you never have an old version, and
then you say well what about constantly validating your updates?
You get silence. Because if you're buying a validated software great you
use it but if they update it and don't even tell you though they just
automatically do it every day, every night and then they don't tell you it's
validated. Now you get into trouble when FDA shows up. So this is a big issue. Business continuity arrangements should include in the contract and tested.
Supposing your cloud provider in Svalbard goes out of business. Or there
is an earthquake because that is an earthquake zone and the whole of the
island goes. Now what do you? Do you have backup plans? So there's data
integrity business, especially as more and more people are going the cloud
becomes more and more difficult. You can learn a lot by looking at warning
letters from different agencies. The FDA has warning letters. The European
Medicines Agency (EMA) has warning letters and it's very easy to find them. Just go
European Medicines Agency (EMA). They don't call it warning letters. They call it. It's
another word for it. It'll come back to me, but there's another word besides
warning letters. Oh certificate of compliance. Just type in that word and
you'll get that. The United Nations also has one by the way. Let me give you some
examples. Now I mentioned the Chinese per oh sorry the Japanese problem today of
the cars and steel. Here's another recent one from last month. Shandong Vianor in China. The firm failed to ensure that lab records including complete data
your management acknowledged falsifying analytical test results that were used
to support your release of something to the United States. Not good. And then
your analysts revealed that the so and so a lot was sub potent however the
stivic analysis provided shows with respect well in question about the why
the C of a reported passing results even other batch actually failed. your quality
unit manager stated, "I made a mistake." My question is where's QA? Because that was
the lab manager. Where was QA? Where was their audits? Or more importantly where's
the audits, that should have been happening from their clients? Because
they're making API for American customers. What happened to their audits?
This is a real interesting one from a company called Wockhardt. In India Wockhardt is a huge huge Indian Hospital group. they same areas we have a North Shore
connect and we have the other chains here in the States Wockhardt has about 200
hospitals and they decided that really they should vertically integrate in
every way possible so they bought the makers of (bed) sheets so
they could get all the sheets at a cheap rate into the hospital. And then they
said we can do the same with drugs and we started up doing drug manufacturer
only trouble was they didn't have much idea about GMP and drug manufacture in
general. So they've had repeatedly warning letters and this one from
December while reviewing gas chromatography (GC) data on instruments so
and so, our investigator found unreported results including OOS test
results for raw materials. He didn't investigator explain why you failed to
investigate. Also found you reported only two of three chromatographic
injections during in process sample testing for residual solvent. You didn't
explain why you excluded the third injection. Not good and your response
indicates you have initiated a retrospective review of data over a
multi-year period but your response is inadequate because it does not explain
the depth of your electronic data review so you begin to see how FDA's
expectation of data integrity is getting tougher and tougher. Let's go to a place
that is about what two miles from here it's probably one mile from here. Morton
Grove pharmaceuticals. Now Morton Grove has a very interesting history this is
over 20 years it's gone through a successive series of ownerships and
changing from the investment groups to pharmacy groups to investment group and
now to a pharmaceutical ownership. Morton Grove pharmaceutical always had the same name
in the same building. It is now owned by Wockhardt of India. the same Wockhardt of
the previous slide, and your firm hasn't got proper controls over computer
systems. Investigators observe the IT staff in
your facility share the usernames and passwords to access your electronic data
storage system. Your IT staff can delete or change directories and files without
telling anybody. That is a major basic thing that integrity is a really serious
issue. It could be that their IT group here a mile from here takes directions
straight from the IT group in India could be. Who knows? All I know is that
Wockhardt is not doing well with data integrity
anywhere in the world. It also goes on, you failed to ensure that lab
records include complete data. When our investigator
reviewed your investigation of the above failure results we found your
investigation assigned the cause of the failures to analyst error, if repeat
tests delivered passing results. The original results were invalidated
without scientific justification under the protocol and only retest results
were reported. You can't do that. That comes back to your basic CAPA
investigations. Your investigations have to have scientific rationale and
validity before you say, these results are lab error analyst error. In
fact companies that spend more attribute more than 10% of all that problems with
the investigations to analysts are probably not doing a good job in the
investigation because it's real quick and easy to I'll blame the analyst to
move on. So that's a huge issue there. Japanese company earlier this year. The
audit trail showed you perform this testing in duplicate. The audit trail
indicated you conducted the sequence analyzing impurities of that lot. The
audit trail showed a new sequence was started 24 hours after the first
sequence. None of the 19 chromatograms generated
in the first sequence were maintained and available for review. So ok, I don't
have the original data I don't know why you got rid of it. What was wrong with it?
so how do I know I can trust the second set of data? That's all comes out from
looking at the audit trail and on the second set of chromatograms you could
only provide you could not provide any rationale for not maintaining the
original data and you failed to document the scientific justification for
repeating the analysis. And again he goes on you don't mention electronic data for
your ultra violet visible (UV/Vis) spectrophotometer and you don't have an
audit trail, and in addition you revise the procedure called procedure on
testing records all the data generated from any analytical device should be
kept as records. However your response is inadequate.
You haven't conducted a retrospective review to determine how your failures
main records affects the quality of drugs previously made. So nowadays if FDA
comes up with a data integrity problem it's not just one back today that's the
problem They now once you go back and look at
all the previous batches you made to make sure this Data Integrity problem
doesn't affect all of them. I've had a client where he's had to go back
through three years worth of data for a specific product, because that's the
shelf life on the market. The FDA says well we find a problem in today's
analysis how do we know the last three years where the data is okay. Can you imagine the workload to do that? It's unreal. So all this comes back to
data integrity. I'm only trying to give you an introduction I've got a one-day
seminar on this stuff so I hope I've given you some thoughts some ideas and
if there's a big black cloud hanging over the room, good. But remember Data integrity repair depends on you. It's how you work within
the framework of your company and I thank you for your attention. If there's
any questions please now's the time. I apologize I rushed a
bit because I knew we were at least half an hour late, so if there's any questions
please. Yes sir, yes. so when you're a company we do service and my
clients in New York and I don't change my computer clock now I'm printing my
printout there's an hour difference compared to zero each time and say you
started this thing and then every time there's a solution to that an easy
solution I have a client who makes products in America but one of their
tests is so super specialized specific the equipment to do it is based in
Germany and so they sent the sample over Germany into it so now how do we
synchronize all the boxes have you heard of the universal coordinated time GMT
that company all of their clocks in every facility everywhere worldwide runs
on gmt or UTC that's the way you get out at reading issue for you where do you
see the endgame trending I guess there is no end to the complexity of legal
where no really every every somebody comes up with a new system and you new
routing to replace the cloud then we gonna have to figure out what that what
everything about that it's just an ongoing thing
it's like counterfeit drugs how do you ever get ahead of the counterfeiters you
don't you have to always react it's the same with this how do you get ahead of
it you can't because new technology new ways of working you're always going on
some here's a consult this great FTA comes out with new regulations I get
more business. For you guys who work with it it's a pain in the neck.
sorry John machine o'clock yes please
in my experience it seems like it's there's pressure to do things fast
maybe you that's why you looking at interesting
why is FDA looking at people are getting sloppy the more FDA concentrates on
things like validation things like data integrity the more we're noticing in the
industry basic GMP s are just dropping away people don't focus on that so
things like forget it a sign of entering it well you should have gone automatic
so it's autumn Erin done so yes there is this huge problem as soon as FDA picks a
new topic to concentrate on everybody runs to worry about that and then other
stuff gets left behind it's just the way it is. Yes the cure for all your cloud
storage requires you to have an arraignment with a mythical company
somewhere who knows, but cure is the old-fashioned cure have a backup that's
stored off-site. You control the data. You know where it is. You know think
about it. Cost-effectiveness I don't know but I'm
saying that's the cure I don't trust the cloud I keep nothing on the cloud even
my backups are always on to a local Drive kept in another building yes you commercialization you have to prove
that you did not have the product for commercialization how does your piece
approaches to data integrity reflect upon I'll be honest I don't deal with
intellectual property so I don't even know how to answer your question I'm
sorry I know what I'm an expert in and I know
what I'm not and I stay away from what I'm not sorry yes please laboratory I've seen it with process computers
we're in the production area you can change the parameters of the production
there's an audit trail there and you review that as part of the batch record
review to make sure that the new inputted date if we examine it says
stirred a temperature of 90 to 110 and they can change that depending on
whatever and so you want to make sure that the guy changed it to something
correct so yes I want to see the audit trail as part of the printout of
temperatures and times and also be the audit trail so that's becoming common oh yes oh yes absolutely and it gets
very complicated when the technical agreement includes that your supplier
that's a contract lab is using the cloud for its storages then it gets very
complicated but yes I am seeing it in Last Chance very once if you have any
questions in the future on the back slide is my email address don't try and
follow me I'm never there let's send me an email and I'll get you
an answer within 24 hours thank you everybody
