Earlier this year, the UK’s MHRA published GMP Data Integrity Definitions and Guidance for Industry. This sixteen page document lays out definitions of various data integrity terms such as “data lifecycle” and “metadata” and “primary record” used by MHRA regulators and inspectors. Whether your firm sells medicinal products in the UK or not, this guidance document is well worth the time to read. Embedded throughout the document are multiple suggestions and expectations of real-world regulated data integrity controls that MHRA expects – and that FDA expects (at least according to public FDA Warning Letters issued over the past five years).
Amongst the various definitions and example controls set out by MHRA, are these four:
- Data integrity
- Data lifecycle
- Raw data
- Original record/True copy
Just these four terms have caused a great deal of consternation and confusion in the industry, and MHRA sets out to provide a framework within which to consider controlling the conversation and the data integrity expectations.
Data Integrity is “The extent to which all data are complete, consistent and accurate throughout the data lifecycle.”
Real-World Implication: In order to ensure data accuracy, legibility, consistency, originality, attributability, completeness, etc. throughout the data lifecycle, data integrity controls need to exist all along the data chain-of-custody – from initial data creation, data processing and manipulation and usage, data transmission and/or interim storage, and then finally through long-term data archival and retention. Computerized system validation is only going to go so far. Firms need data integrity policies, procedures, audits, training, and so on throughout all four stages of the data lifecycle.
Data Lifecycle is “All phases in the life of the data (including raw data) from initial generation and recording through processing (including transformation or migration), use, data retention, archive/retrieval and destruction.”
Real-World Implication: All four stages of the data lifecycle need to be controlled, especially if the firm has a supplier create, manage, use, store, transmit, et al regulated data on its behalf. Data integrity controls must exist within – and a firm must audit – suppliers dealing in regulated data. Firms may want to obtain help from a data integrity expert to identify appropriate data chain-of-custody controls to insist upon at suppliers. Not all data integrity controls are created equal, and more data integrity should exist at a contract manufacturer or clinical research organization than at a supplier who simply prints product inserts.
Raw Data is “Original records and documentation, retained in the format in which they were originally generated (i.e. paper or electronic), or as a ‘true copy’. Raw data must be contemporaneously and accurately recorded by permanent means. In the case of basic electronic equipment which does not store electronic data, or provides only a printed data output (e.g. balance or pH meter), the printout constitutes the raw data.”
Real-World Implication: Conversely, for data that are used to generate chromatographs, spectrographs, and other visual analyses, the raw data will likely need to be retained in its original, digital form. As FDA notes, “The printed paper copy of the chromatogram would not be considered a “true copy” of the entire electronic raw data used to create that chromatogram, as required by 21 CFR 211.180(d). The printed chromatogram would also not be considered an “exact and complete” copy of the electronic raw data used to create the chromatogram, as required by 21 CFR 211.68. The chromatogram does not generally include, for example, the injection sequence, instrument method, integration method, or the audit trail, of which all were used to create the chromatogram or are associated with its validity. Therefore, the printed chromatograms used in drug manufacturing and testing do not satisfy the predicate rule requirements in 21 CFR Part 211. The electronic records created by the computerized laboratory systems must be maintained under these requirements” [see FDA's Level 2 FAQs on cGMPs].
In other words, there is no getting around the need for data integrity controls in the 21st century.
Original Record/True Copy is “Data as the file or format in which it was originally generated, preserving the integrity (accuracy, completeness, content and meaning) of the record, e.g. original paper record of manual observation, or electronic raw data file from a computerized system; a True Copy is an exact verified copy of an original record.”
Real-World Implication: This definition and its attended verification expectations is not just an MHRA expectation, it’s been a legal and regulatory expectation since the early 1990s, embedded in FDA 21 CFR § 11 (e.g., Part 11), the US Uniform Electronic Transactions Act of 1999, the international legal concept of a “certified copy,” parts of FDA’s Application Integrity Policy of 1991, and the most recent, internationally accepted British Standard 10008 Evidential Weight and Legal Admissibility of Information Stored Electronically (2014) that I was responsible for reviewing, editing, and verifying late last year.
MHRA’s data integrity definition guidance is one of many examples of insight into how data integrity controls allow the regulator – and thus the patient – to trust and rely upon your data claiming product safety and efficacy. While digital data integrity has been an established legal and regulatory principle for several decades now, the controls around data integrity are constantly evolving as technology, businesses processes, and organizations evolve. As should be evident from just the above four definitions, data integrity is not just an IT concern or a quality concern or a regulatory concern.
Data integrity is an issue of trust. Either all the regulated day your organization generates, obtains from suppliers, uses, relies upon, and archives is trustworthy or it isn’t. You can’t have a little bit of data integrity just as you can’t be a little bit pregnant. Your data is either trustworthy or it isn’t.
If you need help with regulated data integrity chain-of-custody controls on any or all of the four stages of the data lifecycle, contact a data integrity expert through my firm’s website, Ceruleanllc.com.
