Data integrity provides assurance that data records are reliable and accurate. Regulations meant to ensure data integrity in pharmaceutical laboratories are found in several parts of 21 CFR governing GxP areas and have been enforced by the FDA for decades. While many of these regulations were initially developed for paper-based processes, 21 CFR Part 11 was published in 1997 to extend data integrity regulations into the modern era with electronic records and electronic signatures.

All of the data integrity principles that were developed for the paper and ink era still apply to electronic systems and data capture. However, there are several trends in the pharmaceutical industry that make data integrity compliance especially challenging for today’s laboratories:

• increased utilization of electronic technologies
• increased availability and usability of data
• evolving data integrity regulations around electronic technologies
• evolving business models (e.g., globalization)

Regulatory agencies worldwide are increasingly focusing their efforts on data integrity in GxP laboratories. This increased focus has led to a number of guidance documents being published recently on data integrity, including:

• The World Health Organization (WHO) published its final version of “Good Data and Records Management Practices” guidance document in 2016
• The European Medicines Agency (EMA) issued good manufacturing practice (GMP) guidance to ensure the integrity of data in August of 2016
• The Food and Drug Administration (FDA) issued a “Data Integrity and Compliance With cGMP” guidance document in April of 2016
• MHRA published ‘GXP’ Data Integrity Guidance and Definitions in March of 2018

With the spotlight of global regulatory inspections shining on data integrity in Manufacturing and GMP areas, you need to know what’s new and what the impact is on data integrity in GxP. Astrix Technology Group recently sponsored a webinar conducted by Joseph Franchetti, FDA Regulatory Compliance Specialist, that highlighted the current thinking of regulatory agencies on data integrity. In this blog, we will provide a summary of some of the most important points made by Mr. Franchetti in this webinar for your review.

Data Integrity Regulations

Important GMP regulatory requirements were described in 21 CFR Part 211:

• Instruments must be qualified and fit for purpose
• Software must be validated
• Any calculations used must be verified
• Data generated in an analysis must be backed up
• Reagents and reference solutions should be prepared correctly with appropriate records
• Methods used must be documented and approved
• Methods used must be verified under actual conditions of use
• Data generated and transformed must meet the criterion of scientific soundness
• Test data must be accurate and complete and follow procedures
• Data and reportable value must be checked by a second individual to ensure accuracy, completeness, and conformance with procedures
• Laboratory control records should include complete data derived from all tests conducted to ensure compliance with established specifications and standards, including examinations and assays.

In this last point, “complete data” refers to raw data/observations generated in the course of an analysis, the associated metadata which helps to provide the proper context, and the audit trail when using computerized systems that shows how and why the data has been modified and who it has been modified by.

Recent Guidance Documents on Data Integrity

While companies in the United States typically look to the FDA for guidance on data integrity regulations, it can also be valuable to stay up to date with regulatory guidance published by agencies in other parts of the world, as regulatory agencies worldwide are all moving in the same direction with respect to thinking on data integrity. Towards that end, the Medicines and Heathcare products Regulatory Agency (MHRA) in the United Kingdom published a guidance document in March 2015 entitled GMP Data Integrity Definitions and Guidance for Industry.

This guidance document made a number of helpful suggestions for systems (both electronic and paper-based) designed to ensure data integrity. These systems should include:

• Access to clocks (synchronized) for recording timed events
• Accessibility of batch records at locations where activities take place so that ad hoc data recording and later transcription to official records is not necessary
• Control (free access) over blank paper templates for raw data recording
• User access rights which prevent, or audit trail, data amendments
• Automated data capture or printers attached to equipment such as balances, pH meters, etc.
• Proximity of printers to relevant activity
• Control of physical parameters (time, space, equipment) that permit performance of tasks and recording of data as required
• Access to sampling points (e.g., for water systems)
• Access to raw data for staff performing data checking activities

This guidance document also defined an acronym ALCOA+ which helps to define important characteristics the principles necessary for data integrity:

ALCOA

Attributable – Data must contain information about who performed an action and when? If a record is changed, who did it and why? This information should be linked to the source data.

Legible – Data must be recorded permanently in a durable medium and be readable.

Contemporaneous – The data should be recorded at the time the work is performed and the date/time stamps should follow in order

Original – Recorded data records should be the original record or a certified true copy.

Accurate – Any data errors or editing of data are recorded with documented amendments.

ALCOA+

Complete – Data records should contain all data including repeat or reanalysis performed on the sample (21 CFR 211.194)

Consistent – There should be consistent application of data time stamps in the expected sequence.

Enduring – Data should be recorded in a permanent, maintainable form for the useful life.

Available – Data should be available/accessible for review/audit for the life-time of the record.

This document also sets the expectation that pharmaceutical companies, importers and contract labs will review the effectiveness of their data governance systems to ensure data integrity, and that companies outsourcing activities should verify the adequacy of comparable systems at the contract acceptor.

Two other recent guidance documents that contain valuable information and are worth going through are MHRA’s ‘GXP’ Data Integrity Guidance and Definitions published in March 2018 and the FDA’s Data Integrity and Compliance With cGMP published in April 2016.

Meeting Regulatory Expectations

Data integrity issues happen for a number of reasons. Some of the more common include:

• Ignoring SOPs to meet deadlines.
• Insufficient education & understanding amongst personnel
• Insufficient data integrity controls built into informatics systems
• Improper or nonexistent instrument qualification and computer system validation procedures
• Cutting corners to save money.
• Lack of regular internal and/or external data integrity audits
• Lack of a culture of quality – difficult to fix, as it involves people.

It is important to develop a data integrity strategy to mitigate risks across the full data lifecycle. This strategy should contain the following elements:

• Predict Violations – Predict the most likely data integrity breaches by identifying vulnerabilities within the organization.
• Prevent Violations – Train employees, design & validate systems, add security to systems, focus on external sources (e.g., contractors, vendors, etc.), establish Good Documentation Practices (GDPs), educate and enforce good behaviors.
• Detect Violations – Monitor and identify issues not predicted or prevented to provide rapid response through data and audit trail review, system administrative audit trail review, and internal and/or external audits.
• Respond to Violations – Efficient management of efforts to develop policy, address audit findings and produce corrective actions.

Most companies are not proactive with regard to data integrity (predict, prevent, detect) and are thus mostly responding to data integrity violations.

With respect to data governance, the PIC/S 2016 draft guidance document sets the expectation that organizations will design systems that “ensure that data, irrespective of the process, format or technology in which it is generated, recorded, processed, retained, retrieved and used will ensure a complete, consistent and accurate record throughout the data lifecycle.” Pharmaceutical companies should consider the design, operation and monitoring of each of the following processes to comply with the principles:

• Data development
• Database operations management
• Data security management
• Reference and master data management
• Data warehousing and business intelligence management
• Document and content management
• Metadata management
• Data quality management
• Data architecture management

The PIC/S document recommends a risk-based approach to data governance, where “Manufacturers and analytical laboratories should design and operate a system which provides an acceptable state of control based on the data integrity risk, and which is fully documented with supporting rationale.”

Finally, there are a number steps that are important for organizations to take in order to ensure compliance with data integrity regulations:

• Embed verification activities into internal audit processes.
• Enforce Good Documentation Practices
• Train your internal auditors to understand what to look for when detecting data integrity deficiencies.
• Create an awareness among staff so they can assist with this endeavor, and report concerns before they become full-fledged issues
• Seek quality external support to assure completely unbiased, third-party investigations and/or to enhance your internal investigation program.

Why Astrix

Astrix Technology Group is a laboratory informatics consulting, regulatory advisory, and professional services firm focused on serving the scientific community since 1995. Astrix professionals have the skills and expertise necessary to architect, implement, integrate and support best in class solutions for your organization’s laboratory environment.

Our professionals can also help to ensure that your laboratory systems and staff comply with the FDA’s data integrity mandates. We provide experienced professionals knowledgeable about FDA regulations to conduct a thorough data integrity assessment of your laboratory informatics environment to identify data integrity risks. Working with an external consultant that has expertise in data integrity evaluations to audit your laboratory environment is best practice, as an expert with fresh eyes will be able to effectively locate issues you missed.

Conclusion

Regardless of the regulatory authority, all guidance documents have the same flavor around the foundational terminology and information on technology controls. Compliance with electronic data integrity requires a fairly complex design that not all out-of-the-box systems have in place. All organizations utilizing electronic systems must implement risk-based controls for data integrity, as these controls serve to both prevent and detect data integrity issues.

Data integrity is maintained through processes and procedures, training and vigilance:

• Detailed system use and maintenance procedures with data integrity discipline built-in.
• Strict, verified adherence to procedures.
• Regular training for applicable personnel focusing on data integrity topics