data integrity Archives - European Industrial Pharmacists Group (EIPG)

Patient involvement in the development, regulation and safe use of medicines


by Giuliana Miglierini

The Council for International Organizations of Medical Sciences (CIOMS) has published the CIOMS report on “Patient involvement in the development, regulation and safe use of medicines”. The report marks an important step forward towards a harmonised approach to …

Webinar: Implementation of Contamination Control Strategy Using the ECA template


The next EIPG webinar will be held in conjunction with PIER and University College Cork on Friday 21st of October 2022 (16.00 CEST), on the implementation of Contamination Control Strategy (CCS) using the ECA* template. This is the second …

Real-world evidence for regulatory decision-making


by Giuliana Miglierini

Digitalisation is also advancing rapidly in the regulatory field, as a tool to improve the efficiency and accuracy of the processes used to generate and use data to inform regulatory decision-making. In this regard, real-world …

EMA’s consultation on draft Q&As on remote certification of batches by QP


by Giuliana Miglierini

The last two years saw the implementation of a high degree of regulatory flexibility as a means to respond to the many challenges posed by the travel bans that followed the pandemic. After this “experimental” phase, regulatory authorities are now considering whether to allow the routine implementation of some remote procedures in the field of pharmaceutical production.

This is the case for the remote certification/confirmation of batches by the Qualified Person (QP): after the publication of a draft guideline in the form of Q&As (EMA/INS/169000/2022), the European Medicines Agency (EMA) has launched a short public consultation which will remain open up to 13 June 2022. Comments may be sent by email.

The guideline offers EMA’s point of view on the requirements for physical attendance at the authorised manufacturing site that apply to QPs in order to routinely run the remote certification of batches, outside emergency situations. The document has been drafted by the GMDP Inspectors Working Group; it is composed of four questions and the corresponding answers, and it addresses some considerations arising from the experience gained in applying the guidelines for human and veterinary medicines issued during the pandemic. The latter were developed in cooperation between the European Commission, the Coordination group for Mutual recognition and Decentralised procedures – human (“CMDh”), the Inspectors Working Group, the Coordination group for Mutual recognition and Decentralised procedures – veterinary (“CMDv”) and EMA.

The Agency also warns that the contents proposed by the new Q&A guideline may be subject to a different interpretation by the European Court of Justice, which is ultimately responsible for the interpretation of EU legislation.

The contents of the Q&As

The routine remote certification or confirmation of batches may in future apply to the activities carried out by the QPs within the EU and European Economic Area (EEA), with reference to manufactured or imported human and veterinary medicinal products and investigational medicinal products.

The first answer clarifies that the QP may routinely run remote batch certification or confirmation only if this type of practice is accepted by the relevant national competent authority (NCA) of the member state where the authorised site is located. In this regard, it should be noted that some NCAs may impose specific requirements to authorise the routine remote certification procedure, for example with reference to the location of the QPs.

Should remote certification be allowed on a routine basis, specific requirements should be met in order to validate this practice, starting from its full compliance with the EU legislation and EU GMP guidelines.

The answer to question 2 specifies that all activities should take place in an EU/EEA country, and that the time spent by the QP at the authorised site should be commensurate with the risks related to the processes taking place there. In this regard, it is of paramount importance to be able to demonstrate that the QP acting remotely has maintained full knowledge of the products, manufacturing processes and pharmaceutical quality system (PQS) involved in the remote certification/confirmation of batches. That also means that the QP should be highly reliant on the PQS of the authorised site, which is only possible by spending adequate time on-site to verify the adequacy of the PQS with respect to the processes of interest. The pharmaceutical quality system should also include details of all the procedures used for the routine remote certification/confirmation of batches. The possible use of this type of remote procedure by the QP should also be clearly mentioned in the technical agreement governing the relationship between the authorisation holder and the QP, which should also specify all cases requiring the presence of the QP on-site. A robust IT infrastructure should be in place to guarantee the QP remote access to all the relevant documentation, in electronic format, needed to achieve batch certification/confirmation, according to the provisions described in Annex 16 to the GMPs (Certification by a Qualified Person and Batch Release). Presence on-site should always be considered to solve issues that cannot properly be addressed remotely. Demonstrating the presence of the QP on-site falls under the responsibility of the Manufacturing/Importers Authorisation (MIA) holders.

MIA holders are also responsible for making available to the QPs all the hardware and software needed to guarantee remote access to the relevant documentation (e.g. manufacturing execution systems, electronic batch records systems, laboratory information systems, etc.) as well as batch registers. All IT systems used for remote batch release should comply with the requirements of Annex 11 to the GMP (Computerised Systems).

On the same basis, it should be possible for NCAs to contemporaneously access for inspection all documentation and batch registers involved in routine remote certification/confirmation at the authorised site of batch release. MIA holders should also guarantee that the QP is the only person allowed to access the batch certification/confirmation function and batch register, that the transferred data are complete and unchanged, and that an adequate system for electronic signatures is in place.

Question 3 simply clarifies that some member states may have specific requirements about the country of residence of the QP; for example, it should be the same country where the authorised site involved in the remote certification procedure is located.

The last question discusses technical requirements linked to IT security and data integrity for remote access, a type of procedure presenting a higher intrinsic risk in comparison to the same activities carried out on-site. Here again, the main reference is Annex 11; all equipment and software used for remote certification of batches should always reflect current technological developments.

Among the suggestions made by the Q&A draft guideline is the precise identification of all hardware transferred off-site to the QP, which should be inventoried, with the inventory kept up to date. Hard disks should be encrypted, and ports that are not required should be disabled.

Attention should also be paid to the configuration of any virtual private network (VPN) used by the QP to improve the security of the connection to the IT infrastructure of the authorised site and to prevent unauthorised access. Authentication should be based on recognised industry standards (e.g. two-factor or multifactor authentication, with automatic date of expiry). The transfer of data should be secured by strong transport encryption protocols; assignment of individual privileges and technical controls falls under the responsibility of the MIA holder.


PIC/S Annual Report 2021


by Giuliana Miglierini

The Annual Report of the Pharmaceutical Inspection Co-operation Scheme (PIC/S) summarises the many activities and results achieved in 2021, despite the ongoing pandemic that required remote coordination and on-line virtual meetings. In this regard, a written procedure has been used to manage important decisions. PIC/S also supported the harmonisation of the distant assessment procedures used by the various regulatory authorities to run GMP inspections during the pandemic period.

The non-binding co-operative arrangement between international regulatory authorities aims to implement harmonised GMP standards and quality systems in support of harmonised inspection procedures. PIC/S’ new strategic plan for 2023-2027 will be presented at the PIC/S 50th anniversary in 2022. The PIC/S Committee has elected Paul Gustafson (Canada/ROEB) as the new Chairperson for the period 2022-2023; he takes the place of Anne Hayes (Ireland/HPRA).

New memberships and re-assessments

Last year saw the entry into the PIC/S scheme of the Brazilian Agência Nacional de Vigilância Sanitária (ANVISA), one of the main regulators of South America, representing the largest market for medicinal products in this geographic area. ANVISA is the 54th member of PIC/S.

Five other membership applications continued the process of assessment. These include the application of Armenia’s Scientific Center of Drug and Medical Technologies Expertise (SCDMTE), which was requested to update its documentation; the preliminary report should be issued soon.

The Bulgarian Drug Agency (BDA) will benefit from a partial assessment of its application, because the agency has already gone through an audit under the EMA Joint Audit Programme (JAP) whose report was shared with PIC/S. Health Canada will also collaborate on this assessment under a MRA procedure.

The Jordan Food and Drug Administration (JFDA) also filed a membership application, as well as another regulator from Africa, the Saudi Food & Drug Authority (SFDA), whose preliminary report is expected soon.

Particularly complex is the case of the application by several Competent Authorities of the Russian Federation that jointly submitted a complete membership application in December 2020. A larger team, consisting of a Rapporteur and several Co-Rapporteurs, shall be nominated to better manage the procedure. The Russian authorities involved are the Ministry of Industry and Trade of the Russian Federation (Minpromtorg Russia), the Federal Service for Surveillance in Healthcare (Roszdravnadzor), including the “Information and Methodological Center for Expertise, Accounting and Analysis of Circulation of Medical Products” (FGBU “IMCEUAOSMP” of Roszdravnadzor), the Federal “State Institute of Drugs and Good Practices” (FSI “SID & GP”), and the Federal “Scientific Center for Examination of Medical Devices” of the Ministry of Health of the Russian Federation (FSBI “SCEMD”).

Among authorities undergoing the pre-accession procedure is the Chinese regulatory agency National Medical Products Administration (NMPA), whose application will be assessed by Jacques Morenas (France/ANSM) as Rapporteur and Raphael Yeung (Hong Kong SAR, China/PPBHK) as Co-Rapporteur.

Review of the pre-accession application is also ongoing for the Analytical Expertise Center (AEC) of the Ministry of Health of Azerbaijan, Bangladesh’s Directorate General of Drug Administration (DGDA; the 2-year timeframe for the pre-accession expired in February 2021, and a new application was required) and the Drug Regulatory Authority of Pakistan (DRAP), which was invited to apply for membership subject to the implementation of the PIC/S GMP Guide.

PIC/S also runs a Joint Reassessment Programme (JRP) in parallel with the EU’s JAP to re-evaluate its members for equivalence on a regular basis. In 2021 the JRP included the reassessment of regulatory authorities from Indonesia (NADFC), New Zealand (Medsafe), and South Africa (SAHPRA).

PIC/S also established new contacts in 2021 with other non-member authorities, including Cameroon’s Laboratoire National de Contrôle de Qualité des Médicaments et d’Expertise, China’s Institute of Veterinary Drug Control, Cuba’s Centro para el Control Estatal de Medicamentos, Equipos y Dispositivos Médicos (CECMED), and Montenegro’s Institute for Medicines and Medical Devices.

New guidances and revisions of existing ones

Among the new guidances adopted in 2021 are the Annex 2A for the Manufacture of ATMP for Human Use and Annex 2B for the Manufacture of Biological Medicinal Substances and Products for Human Use, that entered into force on 1 May 2021 (PE 009-15). The documents were finalised by the PIC/S Working Group on the revision of Annex 2 of the PIC/S GMP Guide.

The Working Group on Data Integrity issued two other guidance documents that entered into force on 1 July 2021, the Guidance on Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments (PI 041-1) and a restricted Aide Memoire on inspection of data management and integrity (PI 049).

PIC/S also issued the Good Practice Guidelines for Blood Establishments and Hospital Blood Banks (PE 005) and the related Aide Memoire to Inspections of Blood Establishments and Plasma Warehouses (PI 008), that entered into force on 1 June 2021. The dedicated Working Group will now address the revision of PI 019 (PIC/S Site Master File for Source Plasma Establishments) and PI 020 (PIC/S Site Master File for Plasma Warehouses).

PIC/S and EMA’s joint Working Group on Annex 1 reviewed the comments received to the second public consultation and drafted the final version of the Annex.

The Working Group on Harmonisation of the Classification of Deficiencies is finalising the revision of the PIC/S SOP on Inspection Report Format (PI 013-3) in order to align it with the abovementioned PI 040-1. The Working Group on Controlling Cross-Contamination in Shared Facilities is also finalising the revision of its Guidance on Cross-Contamination in Shared Facilities (PI 043-1).

PIC/S is also working to harmonise its GMP Guide and Annexes with the rules established by the European Union, in collaboration with EMA through the PIC/S-EMA Joint Consultation Procedure. Many chapters and annexes of the PIC/S-EU GMP Guide were considered during 2021, including Chapter 1 (Pharmaceutical Quality System), Chapter 4 (Documentation) and Annex 11 (Computerised Systems), Annexes 4 and 5 (Veterinary Medicinal Products), Annex 13 (Investigational Medicinal Products), Annex 16 (Certification by an Authorised Person & Batch Release), and Annex 21 (GMP Obligations for Importation to the EU).

Virtual training in the pandemic period

Four virtual training events were organised in 2021, among which a PIC/S webinar for inspectors on ICH Q12 (Pharmaceutical Product Lifecycle Management) that was attended by around 350 participants from 50 agencies and 44 different jurisdictions.

The webinar on Distant assessment/Remote Virtual Inspection co-organised with the EU Commission Expert Sub-Group on Inspections in the Blood, Tissues and Cells Sectors (IES) was attended by around 325 participants.

The 2021 PIC/S annual seminar was hosted by the Ministry of Food and Drug Safety (MFDS) of the Republic of Korea, and saw the participation of 315 inspectors from 54 authorities.

The 2nd meeting of the PIC/S Expert Circle on Controlling Cross-Contamination in Shared Facilities (CCCISF) was virtually hosted and was attended by 375 participants.

Last year also saw the provision of new harmonised and standardised GMP training activities for inspectors under the PIC/S Inspectorates’ Academy (PIA) initiative, a web-based educational centre also involved in setting up a standardised qualification process for inspectors.


FAT and SAT, a critical step for the introduction of new equipment


by Giuliana Miglierini

Introducing a new piece of equipment in a pharmaceutical plant involves two key moments: factory acceptance testing (FAT), usually performed by the manufacturer to verify that the new equipment meets its intended purpose before it is approved for delivery; and, once the equipment has arrived at its final destination and been installed, site acceptance testing (SAT), which is run by the purchasing company and is part of the commissioning activity.

According to an article published in Outsourced Pharma, the commissioning of a new piece of equipment poses many challenges, and critical issues need to be considered from both the business and the regulatory point of view. Pharmaceutical plants are very complex and often customised to specific business needs, and the delivery of new equipment requires the interaction of many different parties, both internal and external to the purchasing company. FAT, SAT and commissioning activities require careful planning, and detailed responsibilities for all participating parties should be included within the Commissioning and Qualification Plan (CQV plan). A possible responsibility matrix is suggested by the authors to provide clarity and ensure ownership of activities.

FAT, assessing the equipment at the manufacturer site

FAT and SAT testing involve the visual inspection of the equipment and the verification of its static and/or dynamic functioning, in order to assess the actual correspondence to the user requirement specifications (URS). While FATs are usually based on simulations of the equipment’s operating environment, SAT testing occurs at the final site after installation, thus it reflects the real operating conditions and environment in order to support qualification.

There are many different elements to be considered during FAT testing, including for example verification of the existing site drainage, piping, or room dimensions, or the position of the handle for accessibility, as well as software design specification, interface, and device integration.

The FAT exercise is always highly recommended, as it is essential to solve in advance (before shipment to the final destination) any error or malfunctioning of the equipment that might otherwise occur at the purchasing company’s site. This results in the optimisation of the delivery and commissioning process, with important savings in terms of both time and costs for the purchasing company. To ensure the transparency of FAT testing, the entire procedure (which usually requires 1-3 days, depending on the complexity of the equipment to be verified) is usually performed in the presence of a third party inspector and customer representative.

A comprehensive set of documentation should always be available to support FAT, including URS, drawings, checklists and procedures, calibrations and certifications, data sheets, references, etc. Raw data acquired during FAT are transmitted to the customer for analysis and validation. FAT should take into consideration all aspects relevant to the evaluation of the safety and functionality of the equipment and its compliance with URS, GMPs and data integrity. In this regard, it is also important for the engineering team that will run the new equipment at its final location to learn and share knowledge with the manufacturer along the entire commissioning process, so as to increase its first-hand direct experience. According to the article, this is also critical to authorise the shipment of the equipment to the final destination, a step that should always be performed by an authorised, trained, and approved subject matter expert.

SAT acceptance testing

All critical issues that emerged during the FAT exercise are then checked again at the final site, after installation and verification; additional test cases may also be added to the SAT protocol to check for potential failure modes. SAT testing is performed once all connections between the new equipment and other machines/software are in place, under the real operating parameters, and may be witnessed by a representative of the equipment’s manufacturer.

Results from SATs may thus differ from those obtained from the FAT previously run by the manufacturer. From the regulatory point of view, SAT testing is a key element to demonstrate the compliance of the equipment with GMP requirements and to support the overall quality and safety of pharmaceutical production. In this case too, there are many possible elements to be inspected and verified, including interlocks, ventilation, internal box pressure, electrical/hydraulic connections and safety systems, visual checks of components, training of the operators, etc.

A plan for each testing phase

FAT planning begins at the very moment the purchasing company places the order for the new equipment, and it has to reflect all URS to be checked for acceptability of the manufactured apparatus. This step in the design is critical and calls for close and constructive communication between the manufacturer and its customers, a key point for taking into consideration all elements that should enter the project.

All identified items and procedures to be challenged during FAT and SAT testing are usually addressed within the CQV plan, which connects the design phase to user requirements specifications and the other elements impacting the commissioning and qualification processes (i.e. system impact assessment, design specification, functional risk assessment, hardware / software specifications, Installation / Operational / Performance Qualification), including deviations and change management. The plan specific to SAT testing should include the scope, test specifications and logs, a test summary, the Commissioning report and the final Certificate of Acceptance.

Transparency and a robust statistical approach should be the main targets along the entire commissioning and validation procedure, which may be run with the assistance of external consultants. All activities that shall enter the regulatory dossiers should always be justified and documented, also from the perspective of data integrity. The Outsourced Pharma article also suggests paying particular attention to controls on data provided by the manufacturer where risk-based leveraging is applied.


The new PIC/S guideline on data integrity


by Giuliana Miglierini

The long-awaited new PIC/S guideline PI 041-1 was finally released on July 1st; the document defines the “Good Practices for Data Management and Data Integrity in regulated GMP/GDP Environments”, and it represents the final evolution of the debate, after the 2nd draft published in August 2016 and the 3rd one of November 2018.
While the previous structure has been maintained, comprising 14 chapters for a total of 63 pages, some modifications occurred in the subchapters. The Pharmaceutical Inspection Co-operation Scheme (PIC/S) groups inspectors from more than 50 countries. PIC/S guidelines are specifically aimed at supporting the inspectors’ work, providing a harmonised approach to GMP/GDP inspections of manufacturing sites for APIs and medicinal products.

Data integrity is a fundamental aspect of inspections
“The effectiveness of these inspection processes is determined by the reliability of the evidence provided to the inspector and ultimately the integrity of the underlying data. It is critical to the inspection process that inspectors can determine and fully rely on the accuracy and completeness of evidence and records presented to them”, states the Guideline’s Introduction.
This is even more true after the transformation brought about by the pandemic, which resulted in a strong acceleration towards the digitalisation of all activities. The huge amount of data produced every day during all aspects of the manufacturing and distribution of pharmaceutical products needs robust data management practices to be in place in order to provide adequate data policy, documentation, quality and security. According to the Guideline, all practices used by a manufacturer “should ensure that data is attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, and available”. This also means that the same principles outlined by PIC/S may be used to improve the quality of data used to prepare the registration dossier and to define control strategies and specifications for the API and drug product.
The guidance applies to on-site assessments, which are normally required for data verification and evidence of operational compliance with procedures. In the case of remote (desktop) inspections, as occurred for example during the pandemic period, its impact will be limited to an assessment of data governance systems. PIC/S also highlights that the guideline “is not intended to provide specific guidance for ‘for-cause’ inspections following detection of significant data integrity vulnerabilities where forensic expertise may be required”.

The impact on the entire PQS
PIC/S defines data integrity as “the degree to which data are complete, consistent, accurate, trustworthy, and reliable and that these characteristics of the data are maintained throughout the data life cycle”.
This means that the principles expressed by the guideline should be considered with respect to the entire Pharmaceutical Quality System (and to the Quality System according to GDPs), for electronic, paper-based and hybrid systems for data production alike, and fall under the full responsibility of the manufacturer or the distributor undergoing the inspection.
The new guidance will represent the baseline for inspectors to plan risk-based inspections relative to good data management practices and risk-based control strategies for data, and will help the industry to prepare to meet the expected quality for data integrity, providing guidance on the interpretation of existing GMP/GDP requirements relating to current industry data management practices without imposition of additional regulatory burden. PIC/S highlights that the new guidance is not mandatory or enforceable under the law, thus each manufacturer or distributor is free to voluntarily choose to follow its indications.

Principles for data governance
According to PIC/S, the establishment of a data governance system, even if not mandatory, would help the company to coherently define its data integrity risk management activities. All stages typical of the data lifecycle should be considered, including generation, processing, reporting, checking, decision-making, storage and elimination of data at the end of the retention period.
“Data relating to a product or process may cross various boundaries within the lifecycle. This may include data transfer between paper-based and computerised systems, or between different organisational boundaries; both internal (e.g. between production, QC and QA) and external (e.g. between service providers or contract givers and acceptors)”, warns PIC/S.
Chapter 7 specifically discusses the Good document management practices (GdocPs) expected to be applied, that can be summarised by the acronyms ALCOA (Attributable, Legible, Contemporaneous, Original, Accurate) and ALCOA+ (the previous plus Complete, Consistent, Enduring and Available).
Data governance systems should take into consideration data ownership and the design, operation and monitoring of processes and systems. Controls should include both operational (e.g. procedures, training, routine, periodic surveillance, etc.) and technical features (e.g. computerised system validation, qualification and control, automation or other technologies to provide control of data). The entire organisation should commit to the adoption of the new data culture, under a top-down approach starting from the Senior management and with evidence provided of communication of expectations to personnel at all levels. Section 6 of the guideline provides some examples in this direction. The ICH Q9 principles on quality risk management should be used to guide the implementation of data governance systems and risk minimisation activities, under the responsibility of the Senior management. Efforts in this direction should always be commensurate with the risk to product quality, and balanced with other quality resource demands. In particular, the risk evaluation should consider the criticality of data and their associated risk; the guideline provides an outline of how to approach the evaluation of both these factors (paragraphs 5.4 and 5.5). Indication is also provided on how to assess the effectiveness of data integrity control measures (par. 5.6) during internal audit or other periodic review processes.
Chapter 8 addresses the specific issues to be considered with respect to data integrity for paper-based systems, while those related to computerised systems are discussed in Chapter 9. As many activities typical of the pharmaceutical lifecycle are normally outsourced to contract development & manufacturing organisations (e.g. API manufacturing, formulation, analytical controls, distribution, etc.), PIC/S also considered in the guideline the aspects impacting on the data integrity of the overall supply chain (Chapt. 10). “Initial and periodic re-qualification of supply chain partners and outsourced activities should include consideration of data integrity risks and appropriate control measures”, says the guideline.

The regulatory impact of data integrity
Recent years have seen the issuance of many deficiency letters due to problems with data integrity. Approx. half (42, 49%) of the total 85 GMP warning letters issued by the FDA in 2018, for example, included a data integrity component.
The new PIC/S guideline provides a detailed cross-reference table linking requirements for data integrity to those referring to the other guidelines on GMPs/GDPs for medicinal products (Chapter 11). Guidance on the classification of deficiencies is also included in the document, in order to support consistency in reporting and classification of data integrity deficiencies. PIC/S notes that this part of the guidance “is not intended to affect the inspecting authority’s ability to act according to its internal policies or national regulatory frameworks”.
Deficiencies may refer to a significant risk for human or animal health, may be the result of fraud, misrepresentation or falsification of products or data, or of a bad practice, or may represent an opportunity for failure (without evidence of actual failure) due to absence of the required data control measures. They are classified according to their impact, as critical, major and other deficiencies.
Chapter 12 provides insight on how to plan for the remediation of data integrity failures, starting from the attention required to solve immediate issues and their associated risks. The guideline lists the elements to be included in the comprehensive investigation to be put in place by the manufacturer, as well as the corrective and preventive actions (CAPA) taken to address the data integrity vulnerabilities. A Glossary is also provided at the end of the guideline.