
Is It Possible To Use Multiple Batch Numbers in Packaging of Medicinal Products? H+V January 2005

GMP inspectors have discussed using multiple batch numbers on medicinal product packaging. While companies normally use different bulk and finished product batch numbers linked by a common element, inspectors are concerned about completely different numbers without an obvious connection. This could cause confusion for patients, healthcare professionals, and in recalls. Exceptional cases may allow multiple numbers, but traceability must always be maintained.

Uploaded by

Jai Murugesh

2. Is it possible to use multiple batch numbers in packaging of medicinal products?

H+V January 2005

GMP inspectors have discussed the desirability of more than one batch number appearing on the packaging
of medicinal products.

It is normal practice for companies to use a bulk batch number that is different from the finished product
batch when the bulk is packaged as several sub-batches. There is normally an element in the numbering
format common to the bulk batch and finished product batches that clearly ties these together. The
difference normally takes the form of a suffix, prefix or both.

A matter of concern for the inspectors is when the bulk and finished product batch numbers are completely
different and there is no obvious connection between the two. Even though the manufacturer has a system
of traceability, the inspectors agree that this is an undesirable practice and should be avoided. The main
reasons for this are:

• patients and healthcare professionals may mistakenly believe that there has been a packaging error;
• hospitals often remove products from the outer packaging and traceability may therefore be lost;
• confusion may occur in the case of recall, rendering such action potentially ineffective.

It is accepted that there may be exceptional cases where multiple batch numbers are displayed on a pack,
such as in combination product packages. In addition, products that require relabelling following parallel
distribution are expected to display the original manufacturer's batch number. Manufacturers are
recommended to discuss individual cases with the relevant supervisory authority. In all cases, traceability
must be maintained.

1. What are the quality defect reporting requirements of EU GMP?


Suspected product quality defects (e.g. product deterioration, packaging mix-up, among others)
should be reported to the competent authority with responsibility for the manufacturing site (or
importer where the manufacturer is located outside the EEA), and to the competent authority in
each EEA market supplied. In case of impact to EU centrally authorised products, the EMA must also
be notified. This notification should be prior to taking any market action, unless, as per paragraph
8.26 of Chapter 8, the need for market action is so serious as to warrant immediate action to
protect patient or animal health.

Confirmation of a quality defect does not require completion of the investigation. Reporting should
be initiated when available information supports the detection of the issue and when the initial
assessment of the potential risks presented to patients/animals indicates that it could result in
market action. Notification to competent authorities should typically take place within one working
day of confirmation that reporting is required.

In cases where a suspected quality defect involves multiple manufacturing sites, reporting
responsibilities should be defined in a technical agreement. It is normal expectation that the MAH
and site of final EU batch certification should take the lead on reporting, unless otherwise justified.

Manufacturers are encouraged to notify their national competent authority (or EU Supervisory
Authority for sites located outside the EEA) of confirmed serious GMP issues with the potential to
lead to a suspected product defect requiring market action (e.g. media fill failure, serious equipment
failure, etc.). Confirmation of a serious GMP issue does not require completion of the investigation;
reporting should be initiated when available information confirms the detection of the issue.

Serious GMP issues which may result in an abnormal restriction in supply should be notified to the
MAH and relevant competent authorities in accordance with legal obligations given in Art 23(2) of
Directive 2001/83/EC, Art 27 of Directive 2001/82/EC, Regulation 726/2004 and EMA guidance [1]:
In the event that a medicinal product which is the subject of a marketing authorisation issued
by an EEA authority, and which is marketed in another third country (or countries)
then the marketing authorisation holder shall forthwith inform the relevant EU competent
authority of any prohibition or restriction imposed by the competent authorities of any
country in which the medicinal product is marketed and of any other new information which
might influence the evaluation of the benefits and risks of the medicinal
product concerned (e.g. recalls or serious GMP issues). This is even if the particular batch
subject to the prohibition or restriction is not marketed in the EEA.
In cases where national competent authorities set additional national expectations regarding what
quality defects should be reported and the timelines for reporting, these should be complied with.

[1] http://www.ema.europa.eu/ema/index.jsp?curl=pages/regulation/document_listing/document_listing_000238.jsp&mid=WC0b01ac0580024593

1. What are the differences between EU and World Health Organization (WHO) requirements for
GMP? H July 2006
EU GMP principles and guidelines are laid down in Directive 2003/94/EC (human medicines)
and Directive 91/412/EEC (veterinary products). These principles and guidelines are subject to
further detailed guidance in the form of the EU GMP guideline with its annexes.
WHO publishes its own GMP guidance documents.

Although EU and WHO GMP guidance documents do differ in some details, the main principles
remain the same. EU requirements fulfil all the recommendations of WHO.

2. What is a GMP certificate and what is the difference between GMP certificates, certificates
of medicinal product (CMPs, also called certificates of pharmaceutical products, CPPs) and
certificates of suitability to the monographs of the European Pharmacopoeia (CEPs)? H+V July
2006
A GMP certificate is a certificate issued following a GMP inspection, by the competent
authority responsible for carrying out the inspection, to confirm the GMP compliance status of the
inspected site.
GMP certificates are site-specific, but can be restricted to particular activities depending on the
scope of the inspection (e.g., manufacturing activities related to a specific product).
Directives 2001/82/EC and 2001/83/EC, as amended, state that after every GMP inspection, and
within 90 days of the inspection, a GMP certificate shall be issued to a manufacturer, if the outcome
of the inspection shows that the manufacturer complies with GMP.
CMPs are product-specific certificates issued by the competent authority that granted the marketing
authorisation. The European Medicines Agency issues CMPs on behalf of the European Commission
for centrally authorised products.
CMPs are issued in the context of the World Health Organization certification scheme on the quality
of pharmaceutical products moving in international commerce, to confirm the marketing-
authorisation status of the products. These certificates also confirm the GMP compliance status of
the manufacturing sites. CMPs are mainly used by companies to support applications to export their
pharmaceutical products to countries with less-developed regulatory systems.

CEPs are certificates issued by the European Directorate for the Quality of Medicines and Healthcare
(EDQM) to confirm that a certain active substance is produced according to the requirements of
the relevant monograph of the European Pharmacopoeia or of the monograph on transmissible
spongiform encephalopathies.
CEPs can be used by companies when submitting an application for marketing authorisation, and
replace much of the documentation required for the active substance in the marketing-authorisation
dossier. GMP inspections of active-substance manufacturers can be requested by EDQM in the
context of the CEP certification scheme.

Data integrity

Data integrity enables good decision-making by pharmaceutical manufacturers and regulatory
authorities. It is a fundamental requirement of the pharmaceutical quality system described in EU
GMP chapter 1, applying equally to manual (paper) and electronic systems.

Promotion of a quality culture together with implementation of organisational and technical
measures which ensure data integrity is the responsibility of senior management. It requires
participation and commitment by staff at all levels within the company, by the company’s suppliers
and by its distributors.

Senior management should ensure that data integrity risk is assessed, mitigated and communicated
in accordance with the principles of quality risk management. The effort and resource assigned to
data integrity measures should be commensurate with the risk to product quality, and balanced with
other quality assurance resource demands. Where long term measures are identified in order to
achieve the desired state of control, interim measures should be implemented to mitigate risk, and
should be monitored for effectiveness.

The following questions and answers describe foundational principles which facilitate successful
implementation of existing guidance published by regulatory authorities participating in the PIC/S
scheme. It should be read in conjunction with national guidance, medicines legislation and the GMP
standards published in EudraLex volume 4.
The importance of data integrity to quality assurance and public health protection should be
included in personnel training programmes.

• WHO - Annex 5: guidance on good data and record management practices

How can data risk be assessed?


Data risk assessment should consider the vulnerability of data to involuntary or deliberate
amendment, deletion or recreation. Control measures which prevent unauthorised activity and
increase visibility / detectability can be used as risk mitigating actions.

Examples of factors which can increase risk of data integrity failure include complex, inconsistent
processes with open-ended and subjective outcomes. Simple tasks which are consistent, well-
defined and objective lead to reduced risk.

Risk assessment should include a business process focus (e.g. production, QC) and not just consider
IT system functionality or complexity. Factors to consider include:

• Process complexity
• Process consistency, degree of automation / human interface
• Subjectivity of outcome / result
• Is the process open-ended or well defined

This ensures that manual interfaces with IT systems are considered in the risk assessment process.
Computerised system validation in isolation may not result in low data integrity risk, in particular
when the user is able to influence the reporting of data from the validated system.

How can data criticality be assessed?


The decisions that data influence may differ in importance, and the impact of the data on a
decision may also vary. Points to consider regarding data criticality include:

• What decision does the data influence?

For example: when making a batch release decision, data which determines compliance with critical
quality attributes is of greater importance than warehouse cleaning records.

• What is the impact of the data to product quality or safety?

For example: for an oral tablet, active substance assay data is of greater impact to product quality
and safety than tablet dimensions’ data.

What does ‘Data Lifecycle’ refer to?

‘Data lifecycle’ refers to how data is generated, processed, reported, checked, used for decision-
making, stored and finally discarded at the end of the retention period.

Data relating to a product or process may cross various boundaries within the lifecycle, for example:

• IT systems
  o Quality system applications
  o Production
  o Analytical
  o Stock management systems
  o Data storage (back-up and archival)
• Organisational
  o Internal (e.g. between production, QC and QA)
  o External (e.g. between contract givers and acceptors)
  o Cloud-based applications and storage

‘Data lifecycle’: What risks should be considered when data (or results) are used to make a
decision?

The following aspects should be considered when determining risk and control measures:

• When is the pass / fail decision taken;

If data acceptability decisions are taken before a record (raw data or processed result) is saved to
permanent memory, there may be opportunity for the user to manipulate data to provide a
satisfactory result, without this change being visible in the audit trail. This would not be visible to the
data reviewer.

This is a particular consideration where computerised systems alert the user to an out of
specification entry before the data entry process is complete (i.e. the user ‘saves’ the data entry),
or saves the record in temporary memory.

5. What should be considered when reviewing the ‘Data lifecycle’?


The ‘Data lifecycle’ refers to the:

• Generation and recording of data
• Processing into usable information
• Checking the completeness and accuracy of reported data and processed information
• Data (or results) are used to make a decision
• Retaining and retrieval of data which protects it from loss or unauthorised amendment
• Retiring or disposal of data in a controlled manner at the end of its life

‘Data Lifecycle’ reviews are applicable to both paper and electronic records, although control
measures may be applied differently. In the case of computerised systems, the ‘data lifecycle’
review should be performed by business process owners (e.g. production, QC) in collaboration with
IT personnel who understand the system architecture. The description of computerised systems
required by EU GMP Annex 11 paragraph 4.3 can assist this review. The application of critical
thinking skills is important to not only identify gaps in data governance, but to also challenge the
effectiveness of the procedural and systematic controls in place.

Segregation of duties between data lifecycle stages provides safeguards against data integrity
failure by reducing the opportunity for an individual to alter, mis-represent or falsify data without
detection.

Data risk should be considered at each stage of the data lifecycle review.

‘Data lifecycle’: What risks should be considered when assessing the generating and recording of
data?
The following aspects should be considered when determining risk and control measures:

• How and where is original data created (i.e. paper or electronic)
• What metadata is associated with the data, to ensure a complete, accurate and traceable record,
taking into account ALCOA principles. Does the record permit the reconstruction of the activity
• Where is the data and metadata located
• Does the system require that data is saved to permanent memory at the time of recording, or is it
held in a temporary buffer

In the case of some computerised analytical and manufacturing equipment, data may be stored as a
temporary local file prior to transfer to a permanent storage location (e.g. server). During the
period of ‘temporary’ storage, there is often limited audit trail provision for amending, deleting or
recreating data. This is a data integrity risk. Removing the use of temporary memory (or reducing
the time period that data is stored in temporary memory) reduces the risk of undetected data
manipulation.

• Is it possible to recreate, amend or delete original data and metadata;


Controls over paper records are discussed elsewhere in this guidance.

Computerised system controls may be more complex, including setting of user privileges and
system configuration to limit or prevent access to amend data. It is important to review all data
access opportunities, including IT helpdesk staff, who may make changes at the request of the data
user. These changes should be procedurally controlled, visible and approved within the quality
system.

• How data is transferred to other locations or systems for processing or storage;


Data should be protected from the possibility of intentional or unintentional loss or amendment during
transfer to other systems (e.g. for processing, review or storage). Paper records should be
protected from amendment, or substitution. Electronic interfaces should be validated to
demonstrate security and no corruption of data, particularly where systems require an interface to
present data in a different structure or file format.


‘Data lifecycle’: What risks should be considered when assessing the processing of data into
usable information?
The following aspects should be considered when determining risk and control measures:

• How is data processed;


Data processing methods should be approved, identifiable and version controlled. In the case of
electronic data processing, methods should be locked where appropriate to prevent unauthorised
amendment.

• How is data processing recorded;


The processing method should be recorded. In situations where raw data has been processed more
than once, each iteration (including method and result) should be available to the data checker for
verification.

• Does the person processing the data have the ability to influence what data is reported, or how it is
presented;

Even ‘validated systems’ which do not permit the user to make any changes to data may be at risk
if the user can choose what data is printed, reported or transferred for processing. This includes
performing the activity multiple times as separate events and reporting a desired outcome from one
of these repeats.

Data presentation (e.g. changing scale of graphical reports to enhance or reduce presentation of
analytical peaks) can also influence decision making, and therefore impact data integrity.

‘Data lifecycle’: What risks should be considered when checking the completeness and accuracy
of reported data and processed information?
The following aspects should be considered when determining risk and control measures:

• Is original data (including the original data format) available for checking;

The format of the original data (electronic or paper) should be preserved, and available to the data
reviewer in a manner which permits interaction with the data (e.g. search, query). This approach
facilitates a risk-based review of the record, and can also reduce administrative burden, for instance
by utilising validated audit trail ‘exception reports’ instead of an onerous line-by-line review.

• Are there any periods of time when data is not audit trailed;

This may present opportunity for data amendment which is not subsequently visible to the data
reviewer. Additional control measures should be implemented to reduce risk of undisclosed data
manipulation.

• Does the data reviewer have visibility and access to all data generated;

This should include any data from failed or aborted activities, discrepant or unusual data which has
been excluded from processing or the final decision-making process. Visibility of all data provides
protection against selective data reporting or ‘testing into compliance’.

• Does the data reviewer have visibility and access to all processing of data;

This ensures that the final result obtained from raw data is based on good science, and that any
data exclusion or changes to the processing method are based on good science. Visibility of all processing
information provides protection against undisclosed ‘processing into compliance’.
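
The review questions above (unreported repeat runs, periods without an audit trail, processing the reviewer cannot see) can be turned into an audit trail ‘exception report’. The following is an added illustration, not part of the guidance: the record layout, field names and finding codes are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit-trail extract; the record layout and field names are
# assumptions for this illustration, not any vendor's export format.
EVENTS = [
    {"ts": "2024-03-01T09:00", "type": "run", "sample": "S-001", "run": 1,
     "status": "complete", "reported": True},
    {"ts": "2024-03-01T09:40", "type": "run", "sample": "S-002", "run": 1,
     "status": "aborted", "reported": False},
    {"ts": "2024-03-01T10:05", "type": "run", "sample": "S-002", "run": 2,
     "status": "complete", "reported": False},
    {"ts": "2024-03-01T10:30", "type": "run", "sample": "S-002", "run": 3,
     "status": "complete", "reported": True},
    {"ts": "2024-03-01T11:00", "type": "audit_trail", "enabled": False},
    {"ts": "2024-03-01T11:10", "type": "run", "sample": "S-003", "run": 1,
     "status": "complete", "reported": True},
    {"ts": "2024-03-01T11:30", "type": "audit_trail", "enabled": True},
    {"ts": "2024-03-01T12:00", "type": "reprocess", "sample": "S-001",
     "run": 1, "method": "v2", "visible_to_reviewer": False},
]


def exception_report(events):
    """Return the findings a data reviewer should examine."""
    findings, runs, trail_on = [], defaultdict(list), True
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        if e["type"] == "audit_trail":
            trail_on = e["enabled"]
            if not trail_on:
                findings.append({"code": "AUDIT_TRAIL_OFF", "subject": e["ts"],
                                 "detail": "audit trail disabled"})
        elif e["type"] == "run":
            runs[e["sample"]].append(e)
            if not trail_on:
                # Record created while amendments would leave no trace.
                findings.append({"code": "UNTRAILED_RECORD",
                                 "subject": e["sample"],
                                 "detail": f"run {e['run']} recorded at {e['ts']}"})
        elif e["type"] == "reprocess" and not e["visible_to_reviewer"]:
            # Every processing iteration should be available to the checker.
            findings.append({"code": "HIDDEN_REPROCESSING",
                             "subject": e["sample"],
                             "detail": f"run {e['run']} method {e['method']}"})
    # Failed, aborted or repeated runs left out of the report are the
    # signature of selective reporting ('testing into compliance').
    for sample, sample_runs in runs.items():
        unreported = [r["run"] for r in sample_runs if not r["reported"]]
        if unreported:
            findings.append({"code": "UNREPORTED_RUNS", "subject": sample,
                             "detail": f"{len(sample_runs)} runs, "
                                       f"not reported: {unreported}"})
    return findings


if __name__ == "__main__":
    for f in exception_report(EVENTS):
        print(f"{f['code']:20} {f['subject']:18} {f['detail']}")
```
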

How should the company design and control their paper documentation system to prevent the
unauthorised re-creation of GMP data?
The template (blank) forms used for manual recordings may be created in an electronic system
(Word, Excel, etc.). The corresponding master documents should be approved and controlled
electronically or in paper versions. The following expectations should be considered for the template
(blank) form:

• have a unique reference number (including version number) and include reference to corresponding
SOP number
• should be stored in a manner which ensures appropriate version control
• if signed electronically, should use a secure e-signature

The distribution of template records (e.g. ‘blank’ forms) should be controlled. The following
expectations should be considered where appropriate, based on data risk and criticality:

• enable traceability for issuance of the blank form by using a bound logbook with numbered pages or
other appropriate system. For loose leaf template forms, the distribution date, a sequential issuing
number, the number of the copies distributed, the department name where the blank forms are
distributed, etc. should be known
• Distributed copies should be designed to avoid photocopying either by using a secure stamp, or by
the use of paper colour code not available in the working areas or another appropriate system.
