18 August 2022

Data Integrity in GMP environment

Data integrity continues to be one of the main topics during inspections conducted by competent authorities all over the world. With the growing use of computerized systems and rising prevalence of outsourcing manufacturing processes, ensuring data integrity is becoming more challenging in an increasingly complex pharmaceutical manufacturing industry. To address this issue, multiple legislation and guidance documents have been published in recent years:

  • FDA 21CFR Part 11: Electronic Records and Signature

The FDA’s Regulations on electronic records and electronic signatures (ERES). Usually known as Part 11, it defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and can be used to replace to paper records in your process. According to the regulations, data records need to be reliable and accurate over their entire lifecycle. And to this purpose the FDA actually refers to the well-known ALCOA principle/acronym.

  • FDA: Data Integrity and Compliance with cGMP

Besides the regulations in Part 11, the FDA also provides a guidance document which helps to clarify the impact of data integrity in cGMP environment.  Although it is not legally binding it contains a great Q&A that answers many practical questions regarding data integrity.

  • GAMP®5 Record & Data Integrity

Although GAMP®5 is not a legislation it does present helpful guidelines, describes principles and procedures that facilitate the production of high-quality products and focuses on the complete manufacturing process by stipulating that quality cannot be tested into a batch of product but must be built into each stage of the manufacturing process.

  • EU-GMP Annex 11

EU-GMP Annex 11 is the part of the GMP Guidelines that defines the terms of reference for computerized systems, but it is not a regulation, like the FDA’s 21 CFR Part 11. These guidelines are quite similar to their US counterpart and define criteria under which electronic records and electronic signatures should be managed.

  • MHRA, PIC/S, WHO, and EMA

Different organization have all drafted guidelines of their own and are all designed to facilitate compliance in their own way, whilst clarifying their own position on this subject and what they expect from manufacturers:

MHRA – Guidance on GxP data integrity

PIC/S – Good practices for data management and integrity in regulated GMP/GDP environments

WHO – Guidance on good data and record management practices

EMA – Data Integrity

Data Integrity in the pharmaceutical manufacturing industry is the state where data are attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, and available (ALCOA+) Data altered such that it no longer fulfils these criteria is considered as falsi­fied, regardless of it being due to human error or generated deliberately. Even the US FDA refers to ALCOA+ principles and this acronym has proven to be a worthful tool to provide proof of compliance and operational integrity for data.

These principles apply all throughout the lifecycle of a data record for which the EMA gives a succinct overview:

  • generation and recording of data;
  • processing into usable information;
  • checking the completeness and accuracy of reported data and processed information;
  • data (or results) are used to make a decision;
  • retaining and retrieval of data which protects it from loss or unauthorised amendment;
  • retiring or disposal of data in a controlled manner at the end of its life.

Different authorities have slightly different views on some aspects of being compliant, however they all agree on the basic elements of data integrity compliant system:

  • Audit Trail

The secure, computer-generated, time-stamped electronic record that allows to reconstruct certain events that relate to the creation, modification, or deletion of an electronic record.

  • Meta Data

Metadata is the contextual information that is necessary to understand data because values like numbers, for instance, would be useless without additional information describing what it ‘means’ (think in terms of mg, s, and m but also the time and place of electronic stamps).

  • Identification control ID and password

Users of systems that generate electronically or digitally signed records are subject to identification rules.

  • Difference between Static and Dynamic Records

Specifically mentioned in the US FDA Guidance document it states you should keep in mind the difference between the use of “static” and “dynamic” in relation to record format: static as fixed data document such as a paper record or an electronic image and dynamic as record format allows interaction between the user and the record content such as a chromatogram where the integration parameters can be modified.

  • Backup Data

Backup is defined as a true copy of the original data that is maintained securely throughout the records retention period that should include the metadata and is maintained securely throughout the record retention period.

  • System Validation

The definition of a system includes not only both hardware and software but also peripheral devices, networks, …

  • Training

Company culture influence and employee can affect data integrity greatly. Although staff at all levels should understand data integrity and their responsibilities in the process (according to their roles), process, system, and data owners should receive additional training on the consequences of integrity breaches to assure a proper mindset regarding this subject.

The PIC/S guideline presents a very helpful checklist that can be used during the process of identification of possible data integrity in company quality management system. And in case data integrity issues are identified, they need to be dealt with the same approach as any other deviation; determine the extent, perform the root cause analysis, take corrective and preventive actions (CAPA) based on sound scientific evidence.