Safety & Risk Management | Clinical Research & Post Approval Support | Regulatory Affairs & Operations | Technology Services

www.sciformix.com

Getting Data Integrity Right inthe Life Science IndustryGetting Data Integrity Right inthe Life Science Industry

Safety & Risk Management | Clinical Research & Post Approval Support | Regulatory Affairs & Operations | Technology Services

For several years, the FDA and other global regulatory bodies have emphasized the importance of accurate and reliable data in assuring drug safety and quality. However, with increased digital sophistication and the number of partnerships, data integrity violations have been on the rise.

In an effort to bring this issue to the forefront, the FDA released a draft guidance in 2016 on Data Integrity and Compliance with CGMP. The guidance states, “In recent years, the FDA has increasingly observed CGMP violations involving data integrity during CGMP inspections. These observations are troubling because ensuring data integrity is an important component of the industry’s responsibility to ensure the safety, efficacy, and quality of drugs and of the FDA’s ability to protect the public health. These data integrity-related CGMP violations have led to numerous regulatory actions, including warning letters, import alerts, and consent decrees.”

Data integrity may conjure the image of intended and dishonest manipulation of data to achieve some benefit or avoid negative consequences. Yet, while purposeful data adulterations do occur, many data integrity violations are not purposeful and are a result of improper training, ineffective SOPs, poor

Market Landscapesystems or a lack of clarity within the regulations themselves. The CGMP framework recognizes that technologies and approaches evolve over time to advance innovation. Therefore, regulations and guidance are created with built-in flexibility to accommodate these changes. Unfortunately, these accommodations often result in a lack of clarity which lead to risk analysis and the development of risk mitigation strategies.

Impact on Life Science CompaniesLife science companies need to reestablish the lack of trust that has developed after various regulatory authorities have discovered data integrity issues. The main contributor to this trust deficit is life science's management's indirect lack of oversight. Regulatory agencies are issuing 483’s, Warning Letters (WL) and Import Alerts, due to their increased scrutiny of life science companies, while remediation efforts for these violations are lengthy and expensive.

Getting data integrity right is a challenge as it requires a concentrated, continuous effort to develop and maintain the policies, culture and discipline required to avoid regulatory issues. However is the future pain of not taking action now worth it? We don't believe so. The time, hard costs, opportunity costs, and strategic distraction of fixing a data integrity regulatory deficiency significantly outweighs the investment of time and energy to create appropriate data integrity detection systems and controls. Establishing appropriate data integrity detection programs affords a company a sustainable strategic advantage.

Safety & Risk Management | Clinical Research & Post Approval Support | Regulatory Affairs & Operations | Technology Services

•

•

processes are in place to eliminate data integrity issues. Many organizations are reassessing their data integrity programs even though they are significant projects that take a long time and are often met with conflicting priorities. Organizations struggle to find the will to pay for the programs while knowledgable data integrity consultants are scare. Even organizations that have proper data integrity systems and processes in place are still vulnerable during regulatory audits because, in spite of their processes being documented and followed, they cannot prove compliance i.e. have documented evidence to show that the data is accurate when the inspectors come calling.

Regulatory Details Lost Revenue & Hard Costs Opportunity & Other Costs

Major Global Manufacturer received WL in early 2012 for US plant, highlighting GMP and testing issues. This led to reduced output and the eventual closure of the facility for 9 months. The WL was closed out two years later.

Total Cost: $64 million

Large India Based Manufacturer received WL for India facility in late 2015. Previously FDA approved innovator drug rescinded, generic production forced to move. Site re-inspection not likely until Q2 2017.

Revenue: Projected loss of $50 million a year from drug delay for at least the length of the import alert period (estimated at 18 months). Production at facility being shifted elsewhere.

Opportunity: With a historical ROCE of 21.6% and net margin of 33%, the opportunity cost of reduced profits and increased expenses estimated to be $ 13.5 million.

Revenue: Facility projections reduced by $20 million for the remainder of FY 2012. Production shifted elsewhere, mitigating lost revenues post 2012.

Costs: $35 million in remediation

Opportunity: With a historical ROCE of 20%, opportunity cost of reduced profits estimated to be $9 million. The impact on delayed ANDAs is unpublished and unknown.

Total Cost: $113 - 133 million Costs: Amount of remediation and writedowns expected in 2016 annual report. Estimated to be $25 - $45 million.

The Impact on delayed NDAs and ANDAs is unpublished.

Global Manufacturer received WL and import ban for 2 facilities on Jan 2015 and Mar 2015.

Currently in remediation.

Total Cost: $148 - 178 million

Revenue: Exports dropped $48 million from previous year, after growing 39% over previous 4 years. EBIDA dropped$41 million.

Cost: Amount of remediation and writedowns expected in 2016 annual report. Estimated to be $40 - 70 million.

Opportunity: With a historical ROCE of 20% and the opportunity cost of reduced profits and increased expenses estimated to be $26 million.

41 ANDAs and 38 DMFs are jeopardy of delays.

Large India Based Manufacturer received FDA import alert in early 2013,followed by MHRA recall of multiple products. 2nd facility import alert in late 2013, expanded to all company APIs. All US products recalled early 2015. MHRA closed out late 2015, with FDA close out expected Q2 2016.

Total Cost: $911 million

Revenue: US Revenues dropped from 50% to 24% of totals from 2013-15. Total revenue loss of $760 million expected.

Costs: Write-off $18 million plus unknown remediation expenses. Further amounts expected in 2016 according to annual report. Estimated to be over $100 million.

Opportunity: With a historical ROCE of 18.6% and the opportunity cost of reduced profits and increased expenses estimated to be $51 million.

Other: $7.2 million units recalled, loss of $2.3 billion in market cap

Figure 1: Data Integrity Violation Costs (Lachman Consultants)

Why Should Data Integrity be an Imperative?Regulatory agencies are employing aggressive data forensics and systems experts to identify possible data integrity issues. The inspections conducted by the US-FDA from 2003 to 2016 resulted in 105 data integrity deviations across a number of global life sciences companies. Figure 1 details some of the regulatory data integrity violations along with the costs, often exceeding $100M.

As a result, regulatory agencies have established rules and guidance (ISPE, WHO, PIC/S and GAMP) that ensure product and patient safety and business

Safety & Risk Management | Clinical Research & Post Approval Support | Regulatory Affairs & Operations | Technology Services

www.sciformix.com

Assessing YourData Integrity RisksData integrity is an essential element of a company’s quality system, especially in the life science industry. According to guidance provided by the FDA, MHRA and WHO, data integrity relates to the accuracy, completeness, and consistency of data. While requirements for maintaining data integrity traditionally existed in various regulatory guidelines and best practices, it is required regardless of whether the data exists in paper form or electronic form. Today’s business environments are diverse in nature, where one may contain a standalone machine and an independent business process where others would contain multiple complex machines and interdependent business processes. Maintaining data integrity in such a broad range of scenarios has become a challenging task.To prove their data integrity status, organizations can first conduct a risk assessment. However, as it can be expensive to fix issues that arise, they must be prepared to budget for mitigation of any gaps that are identified. Not only do organizations need proper technology and security in place, but they also need to ensure that they control and monitor all of their processes to determine where a data integrity issue may arise.

Elements of Data IntegrityData integrity is defined as the degree to which all data (electronic, paper-based, or hybrid) is complete, consistent, and accurate throughout the lifecycle of the data. ALCOA is the data integrity standard of regulatory bodies. The elements of ALCOA are the same whether the data is electronic, paper-based, or a combination.

ALCOA+, where the ‘+’ sign indicates additional attributes to be considered which are ‘Complete, Consistent, Enduring, and Available’. This puts emphasis on records being Complete wherein all the relevant associated data and audit trail is available for each record. Consistent describes data being consistent irrespective of time or the medium where the data is retained. Enduring means the data is long lasting and secure. Available means, data is always accessible as and when required to be presented.

Today, regulatory inspections from organizations such as the FDA, MHRA, etc. focus on the detailed controls necessary for data integrity. Is your firm getting this right?

Figure 2: Elements of Data Integrity

Attributable to the person, system, or device generating the data. The information that is captured should identify the source of the data and accurately record any changes made.

Legible and permanent. Data is to be recorded and stored in a durable medium that ensures readability for the full period of time that the data might need to be accessed or legally referenced.

Contemporaneous. Data is to be recorded as the data is generated or at the time an event is observed.

Original record. In other words, a true copy. Data is to be used or presented as it was created.

Accurate. Data is to be verified as being free of errors. Data accuracy is to be demonstrated as correct via repeatable calculation, algorithm,or analysis.

Indicates additional attributes to be considered which are ‘Complete, Consistent, Enduring, and Available’.

A

L

C

O

A

+

Attributable Legible Contampo-raneous

Original Accurate Available

Enduring Consistent Complete

DATA

Safety & Risk Management | Clinical Research & Post Approval Support | Regulatory Affairs & Operations | Technology Services

www.sciformix.com

Getting StartedSince data integrity is pervasive, widespread, and has serious implications to a company’s operations and patient safety, it must become a strategic imperative at the highest levels of an organization. To ensure that organizations have control and can monitor all of the processes that can help identify a data integrity issue, adequate budget and resources must be allocated. Oftentimes, outsourcing Data Integrity and Compliance initiatives to functional experts is an effective and cost-efficient way of implementing this oversight so employees can focus on getting safe and effective products to market.

Many companies seek experts who specialize in Data Integrity and Validation and who have a unique blend of regulatory, technology, scientific and process knowledge to oversee and deliver quality data integrity initiatives.

Sciformix MethodologySciformix employs a two stage, multi phase process methodology for executing Data Integrity Solutions (Figure 3).Stage 1: Data Integrity – Assessment Stage 2: Data Integrity – RemediationData Integrity Assessment evaluates the company’s current state of controls and processes. It provides an overall assessment and identifies where the company stands with respect to data integrity; and highlights any areas of concern.

Phase 1 – Business Process Analysis Gather detailed understanding of the business processes and data flow, and verify dependencies on the technical infrastructure such as servers, networking devices, communication links, and stand-alone equipment. After careful analysis, recommendations are made on business processes which may not be in line with the expectations of regulatory agencies and might lead to data integrity issues.

Phase 2 – Requirements IdentificationIdentify data integrity requirements for the process, including regulatory, business, and management

system requirements. By comparing the data flow identification in Phase 1 with the requirements identification in Phase 2, we identify the company’s possible risk areas with regard to data integrity.

Phase 3 – Gap Analysis and Current State AssessmentVerify the controls (procedural, technical, physical, and awareness programs) implemented to protect data integrity and assess their effectiveness. The study of the controls, risk areas and data flow serve as inputs for the gap analysis exercise. The Current State Assessment Report includes an analysis of the ‘as-is’ vs the ‘to-be’ status with detailed observations of the existing controls against the required controls for ensuring data integrity, along with recommendations for improving the data integrity performance.

The Current State Assessment Report allows the organization to clearly understand their state of data integrity compliance.

Phase 1Business Process

Analysis

Phase 2RequirementsIdentification

Phase 3Gap Analysis and

Current StateAssessment

Stage 1: Assessment

Safety & Risk Management | Clinical Research & Post Approval Support | Regulatory Affairs & Operations | Technology Services

www.sciformix.com

•

•

Safety & Risk Management | Clinical Research & Post Approval Support | Regulatory A�airs

Data Integrity Remediation analyzes in rigorous detail each process step and ends with continuous monitoring and improvement. The remediation stage delivers a Risk Assessment Report, Risk Remediation Measures Plan, Post Implementation Outcome of Risk Remediation and an engagement opportunity between Sciformix and the client for ongoing service in GxP areas.

To address the gaps/issues in the assessment report, Sciformix works with the client to help address data integrity issues using a systematic approach.

Phase 4 – Risk Management Sciformix engages a data integrity risk management process that includes risk identification, analysis, evaluation and mitigation based on the relevant business and legal/regulatory requirements. The end result is a risk template that allows an organization to commit immediate changes to adhere to compliance requirements and propose a long term commitment for overall risk management.

Figure 3: Sciformix Methodology

identification and

Goal Activities Deliverables

Understand current business process

Business process analysis mapping with individual deliverables across various GxP systems

Data integrity requirements across various systems

Business process analysis

of information and practices mapped

A report discussing systemt and processeswhere currently data integrity risk are noted

Data integrity gap

current statePreparation of gap analysis protocol and execution

Gap Analysis and Current State Assessmentidentifying current gaps and what degree of risk

Draft a plan for risk management

Remediation Plan containing list of remediation and mitigation activities against the documented risks1) Risks Remediation Measures2) Process of Risk Remediation3) Evidence of reduced risks

Prioritize and reduce risk

Changes in configuration of systems/workflow or upgradation will be carried out

On going risk monitoring and improving open risk areas

Designing and implementing protocol to reduce residual risk for new or existing systems

Procedure for continuous monitoring by Standard Operating Procedure.1) Continuous Monitoring SOP2) Handholding in SOP implementation3) On–going support on residual risk being mitigated by procedural control. Establishment of Data Integrity office to further reduce future Data Integrity risk.

Phase 1Business Process

Analysis

Phase 2RequirementsIdentification

Phase 3Gap Analysis and

Current StateAssessment

Phase 4Risk

Management

Phase 5Risk

Reduction

Phase 6Continuous

Monitoring &Improvement

Business Process Map for individual GxP Systems. This should clearly call outcritical/major/minor flows or steps, manual intervention areas, and interfaces with external systems

outcome with current flow

A Plan of Action to remediate risk consisting of:1) System Configuration Change2) Workflow changes 3) Additional controls

Addressing Identified risks

Safety & Risk Management | Clinical Research & Post Approval Support | Regulatory Affairs & Operations | Technology Services

www.sciformix.com

Stage 1: Assessment

Stage 2: Rem

ediation

Phase 5 – Risk ReductionThe Risk Reduction process helps the client prioritize data integrity risks on parameters such as business and regulatory impact. We assist the client in selecting suitable controls for managing their risks. Various controls may be implemented including policies, procedures, technical systems, and training. The next step is to work with the client to isolate such areas, add practices/solutions, integrate with enterprise systems and document residual risks with short term timelines for remediation.

Phase 6 – Continuous Monitoring & ImprovementSciformix partners with the client to ensure a continuous path to improvement that includes a program for residual risk management and possible solution implementation to address residual risk at an acceptable level to the organization.

US | EU | India | Philippines

Trusted Services. Built on Science.Sciformix Corporation1500 West Park Drive, Suite 210Westborough, MA 01581 USAPhone : 1 (877) 576-5005Fax : 1 (508) 302-6520Email : bizteam@sciformix.com

www.sciformix.com

Sciformix Corporation is a leading scientific knowledge-based organization that provides process, technology and consulting services to the life sciences industry. We collaborate with our clients through the entire product development lifecycle to provide a full range of services from study design to post marketing surveillance and commercialization support.

Safety & Risk Management | Clinical Research & Post Approval Support | Regulatory Affairs & Operations | Technology Services

SummaryGlobal Life Science companies need a dependable, objective partner to meet the challenges of creating business and technology environments which ensure data integrity. When these companies gain confidence that the needed data integrity processes have been implemented, they can eliminate the worry and risk to their corporate reputation which would result from a negative regulatory finding. Rather, they can position themselves as organizations that consistently and depeandably produce quality and safe products for medical consumers. Sciformix is ready to help you do data integrity right.

www.sciformix.com

Stage 2: Remediation

Phase 4 Risk Management

Phase 5Risk Reduction

Phase 6Continuous

Monitoring &Improvement