【Academic Sharing】Data Integrity of Medical Devices

Since FDA and EU issued warning letters to many domestic enterprises due to data integrity issues in 2015, data integrity issues have become the focus of the entire industry. In the following years, this issue has gradually extended to medical device manufacturers and operators, and various countermeasures such as regulations and guidelines have been continuously released (such as WHO Data and Records Management Standards Guidelines, MHRAGMP Data Integrity Definition and Industry Guidelines, FDA Data Integrity and cGMP Compliance Guidelines Draft, PDA Data Integrity Code of Conduct Elements). Most of these materials focus on introducing some basic requirements for data integrity, and some try to circumvent data integrity issues from a technical level. This article will explore the possible evolution trend of data integrity based on the nature of the problem.

1. Definition of Data Integrity

What exactly is data integrity? According to the MHRA guidelines, data integrity is defined as follows: Data integrity should ensure that all data are complete, consistent and accurate throughout the life cycle of the data.

China's GMP has requirements under several clauses, such as production records must be complete and accurate; records should be filled in in a timely manner, with true content, clear handwriting, easy to read, and not easy to erase; records, maps and curves automatically printed by production and inspection equipment should be used as much as possible, and the name, batch number and information of the recording equipment of the product or sample should be indicated, and the operator should sign the name and date.

The ALCOA guidelines for data integrity require that data records must meet the following requirements: ① traceable (Attributable); ② legible (Legible); ③ contemporary (Contemporaneously); ④ original (Original); ⑤ accurate (Accurate).

2. Understanding of data integrity

According to the review and notification data of various regulatory agencies, the core of task data integrity is that the data remains complete, secure and authentic.

"Complete" means that the data is comprehensive and detailed enough. For example, the reporting time information in the production record of a medical device product cannot just record the total time of 1 hour, but should record the time when production started and the time when production ended, because the latter is more accurate and detailed.

"Security" includes the security of record maintenance and storage, which means that the generation, modification and deletion of all records are controlled, fully authorized and audited, traceable and the storage of data records is long-term and reliable. The purpose of security is to ensure that the data is authentic.

"Authenticity" means that the data is real, in other words, it is not forged data, which is the most important. On the premise that the data is authentic, another point to consider is the timeliness of the data. For example, a batch of raw materials is put into storage, and the incoming materials are inspected in time, and then put into storage in time, but if the inspection records and storage records are not maintained in the system in time, or the order of entering the inspection records and storage records into the system is reversed, this will cause auditors to doubt the authenticity of the data.

3. Current status of enterprises

According to the flight inspection data released by the National Bureau: Since the computerized system came into effect, among the 12 problematic enterprises found in 2015, 6 involved data integrity defects, accounting for 50% of the total.

According to statistics on the FDA and EU global audit reports in 2015 and 2016, about 80% of FDA warning letters contain data integrity issues, and about 70% of EU GMP non-compliance reports also involve similar issues.

As mentioned earlier, the requirement for data integrity has always existed, and this is not a new requirement, but why do companies suddenly encounter so many problems? The reason is that GMP inspections in the past usually give companies ample operating space in advance, and companies have enough time to prepare complete data to deal with GMP inspections. However, with the increasing routine of flight inspections, companies are no longer allowed to prepare data to deal with audits, and companies are required to solve this problem in a practical way in their daily work.

4. Analysis of the causes of data integrity

By analyzing the contents of the unannounced inspection reports and the audit warning letters from the FDA and the EU, data integrity issues can be divided into the following categories:

4.1 Data falsification

For example: "There is a suspicion of fabricating batch production records", "Incomplete sampling and inspection records, untrue inspection reports", "Falsification of product production quality process control data", "Falsification and replacement of API manufacturer labels, and falsification of API manufacturer inspection reports".

Data falsification is the most common type of warning letter and is also the easiest to be caught by auditors. The author even encountered a company that provided customer complaint records for several consecutive years with the same users and the same problems. This shows that the company is not even serious about falsification. Of course, any form of falsification is undesirable.

4.2 Data association logic errors

For example: "The product has been sold below cost for a long time, and the relevant data records of its production quality management are unreliable", "The purchase records of raw materials are chaotic, and the information of the inbound and outbound ledgers, supply department reports, financial detailed ledgers and financial invoices is inconsistent", "Key quality management personnel use product samples that have been inspected and qualified to replace the samples taken by the sampling personnel, resulting in untrue inspection results".

Data association logic errors are a new trend in data integrity audits in recent years. Many companies' business data is fine from the perspective of single transaction records, but problems can be seen when compared with related transactions. For example, the time of finished product sales and delivery records is earlier than the time of finished product release inspection, which is obviously unreasonable.

4.3 Data is not timely

For example: "There is a problem of re-testing by modifying the computer time", "The time of all in and out documents is at night", "A large number of quality inspection records were carried out in a very short time".

This type of problem first excludes the possibility of corporate fraud, that is, the actual operation has occurred, and the recorded information is correct. But the problem is that the information of the actual operation has not been systematically managed in a timely manner. If the information is not maintained in time to guide the next business processing, it means that these transactions are out of control, and all management controls are placed on the management quality of the operators.

5. Enterprise response

So as an enterprise, how should we implement data integrity to deal with the corresponding audit? In view of the various reasons for non-conformity mentioned in the previous article, further analyze its deep-seated roots.

First, the problem of data fraud. Data fraud is essentially a problem of corporate integrity. It can be said that the problem of data integrity has never been a technical problem. If the idea of fraud is not fundamentally eliminated from the management and operation level, no matter how good the hardware, software and process are, data integrity problems cannot be eliminated. Therefore, to fundamentally solve data fraud, we must first eliminate the idea of fraud in the awareness of management and employees, and secondly, we must formulate severe punishment measures for fraud in the system. Finally, it is very important to control the system process as much as possible, that is, to implement these control points in the system. For example, when making a finished product delivery document, you must find the corresponding quality inspection release form, and the system must verify the data of both.

Secondly, about the problem of data association logic errors. This is the top priority. Part of the data association logic errors is actually a problem of data fraud. After excluding the cause of fraud, it is because these related data come from unrelated systems, that is, the quality system and the production system, warehouse system, etc. are separated. The information that needs to be associated with the previous and subsequent processes logically is generated on different systems, which leads to various possible errors. To solve this problem, the quality management system needs to be linked to the ERP system, WMS system and even the MES system, so that the control management needs can be controlled at the unified logical layer (with different management systems underneath) from the logical control level. For example, in the quality management system, the warehouse entry and exit transactions in the warehouse system can be directly triggered according to the results of the quality inspection form, which can ensure that the time and quantity of the entry and exit documents must be generated on the basis of the quality inspection report.

Again, the data is not timely. In most cases, it is due to the workload. Due to the strict quality management requirements, the workload of business processing is huge, and the operation interface may not be user-friendly enough. In order to ensure the normal and rapid operation of the business, employees may think about letting the logistics run first, and the system-level processing is concentrated in the spare time. To solve this problem, the quality system needs to be able to increase automation as much as possible. And this automation needs to be supported by a cross-system platform. For example, when a receipt business is generated in the ERP system, the system should automatically trigger the quality inspection requirements in the quality system according to the settings, and then the system can determine the final quality inspection results based on manual or hardware readings. If there are quality inspection problems, the system will further automatically trigger the deviation management or SCAR management process. Through this automation, the workload of employees can be greatly reduced, and the untimely generation of data can also be avoided.

In short, the importance of data integrity is unquestionable. For enterprises, they must first pay attention to it at the ideological level, establish a standardized quality management system, and follow the most basic principles of GMP: there are rules to follow, follow the rules, and have evidence to check. At the same time, a cross-platform integrated, continuously expanding, and automated quality management platform is a strong support. Only based on such a platform can the efficiency of execution be guaranteed.