March / April 2017

2016 ISPE Europe GAMP/Data Integrity Regional Conference

Thomas Zimmer, PhD

There is still a lot of uncertainty on how to effectively structure a corporate data integrity program. It starts with the definition of the scope and often it ends with parallel work between departments who are owners of different systems along the value chain.

Global regulatory authorities have growing concerns about the reliability of records and data on which product quality and patient safety decisions are based. This is demonstrated by numerous regulator citations and the publication of data integrity guidance from the UK Medicines and Healthcare Products Regulatory Agency (MHRA), World Health Organisation (WHO), US Food and Drug Administration, and Pharmaceutical Inspection Co-Operation Scheme.

The prominence of data integrity as an industry challenge was also clearly illustrated by ISPE’s sold-out Data Integrity Conference held in Copenhagen from 4–5 October 2016. Speakers included industry representatives, suppliers, and consultants, bringing perspectives that ranged from technologies to consumers. The conference was also supported by David Churchward (MHRA) and Ian Thrussell (WHO), who provided insight into regulatory concerns and expectations.

The conference addressed the three dimensions of data integrity—culture, processes, and technology—and the 150 delegates in attendance participated in highly interactive sessions that featured challenging and interesting discussions.


David Churchwood, Expert GMP Inspector, MHRA posed a question: Why is data integrity still an issue, given that the requirements have existed in their most basic form since 1989?

He identified three major reasons: impact of quality for the patient, breadth of scope, and outdated control measures. Unreliable data can lead to “precision guesswork” and wrong conclusions that can damage corporate reputations. The fear of failure can often cause wrong behavior, and the complexity of proposed remediation leads to aspiration instead of action.

Noting that “perfection is a barrier to progress,” he said that the right quality risk management approach, balanced with other GMP priorities can play an important role. Management understanding that “it can happen here” and communication of realistic expectations helps create an open reporting culture and teaches personnel the importance of reliable data and its effect on patients and the organization.

Churchward encouraged attendees to avoid data integrity “blind spots such as non-laboratory data, failure to control paper records, data manipulation outside of a controlled environment, and the challenge of supervising international supply chains. The benefits of good data governance, he concluded, lead to better decision-making and protect corporate reputations.

Valeria Frigerio Regazzoni, Deputy Vice-President Quality Auditing and Compliance, Merck Serono, discussed the main action areas in a corporate data integrity program, which include regulated electronic records and signatures, data backup, access control, and traceability. She presented a very interesting “GAPs solutions portfolio” and finally reviewed Excel sheets and other stand-alone systems management.

Per Westerberg, Head of Corporate Quality Systems and Projects, Xellia Pharmaceuticals presented a roll-out project plan for a corporate-wide data integrity implementation program. His main findings when analyzing the readiness of an organization were access control as the “top gap,” back-up and archiving, understanding data review, and audit trail review for both technical and business audits. Overall data integrity, he added, must be understood as a part of a quality culture.

Overall data integrity must be understood as a part of a quality culture.

Brian Duncan, Vice President of Engagement Operations, QXP Quality Executive Partners, focused on factors that lead to breaches. Using the needle in the haystack analogy, he noted that “absence of evidence is not evidence of absence.” He discussed the forensic investigation approach to data integrity breaches, which on areas in which potential data integrity breaches would be most likely be found, and explained the role of witness interviews. Elements for a strong data integrity culture are:

  • Data integrity included in employee handbook
  • Clearly defined, anonymous program for reporting issues
  • Data integrity findings reported to a quality council
  • Risk assessment conducted for every system to evaluate security, access controls, audit trail, and backup
  • Clear remediation plans for systems with missing controls
  • Interim controls establishedThird-party service providers know site policies and the limitations of their roles

Monica J. Cahilly, President, Green Mountains Quality Assurance LLC defined data life cycle management as a planned approach to assessing and managing risks to data in a manner commensurate with its potential effect on patient safety and product quality. It determines how data is captured, processed, reviewed, analyzed and reported, transferred, stored and retrieved, monitored, and retired.

The European Medicines Agency says that data life cycle refers to how data is generated, processed, reported, checked, used for decision-making, stored, and finally discarded at the end of the retention period. Data governance according to MHRA includes the “sum total of arrangements to ensure that data, irrespective of the format in which is generated, is recorded, processed, retained and used to ensure a complete, consistent and accurate record throughout the data lifecycle.”

From a management perspective, organizations should move toward a culture that views data as a competitive asset rather than a necessary evil, and define clear goals for data quality improvement.

Peter Falcon, Associate Director, Global QA, IT Quality, Compliance and Projects, Ferring Pharmaceuticals reviewed challenges encountered during a data integrity remediation program. While many assume that this is a set of new regulations, there is nothing fundamentally new. Furthermore, there is a real need to ensure that data is classified correctly and that data defined as critical is appropriately controlled (e.g., identify critical process parameters and critical quality attributes), validate analytical methods with upper and lower limits, and retain raw data files from HPLC with the metadata for analysis.

Christian Woelbeling, Senior Director Global Accounts, WERUM IT Solutions, explored the operations business. His main message was “transformation in the design and execution of the manufacturing control strategy has to follow a data integrity by design approach.” Without data integrity, data flow can support neither a business process flow nor a manufacturing process flow. The ALCOA data quality requirement is essential. Risk-reducing strategies should be considered a management responsibility, as indicated in ICH Q10. He gave examples for data integrity in manufacturing execution systems (see Figure).


This event was a collaboration between the ISPE Nordic Affiliate and ISPE corporate organization, a very successful alliance certain to be repeated in the future. Due to the great success of this event, ISPE plans to include much of the GAMP conference content at the ISPE 2017 Europe Annual Conference in Barcelona, 3–5 April 2017, and launch a new ISPE GAMP Records and Data Integrity Guide at the conference as well.