A list of Pharmaceutical Regulatory Requirements for Data Integrity

A compilation of regulatory requirements in pharmaceuticals for data requirements.

SourceReferenceContent
EMAEMA Guideline on GCP compliance in relation to trial master fileA certified copy is a paper or electronic copy of the original record that has been verified (e.g. by a dated signature) or has been generated through a validated process to produce a copy having the exact content and meaning of the original.
EMA/CHMP/ICH Tripartite GCPGuideline for good clinical practice E6(R2)Source Data: All information in original records and certified copies of original records of clinical findings, observations, or other activities in a clinical trial necessary for the reconstruction and evaluation of the trial. Source data are contained in source documents (original records or certified copies).
EMA/CHMP/ICH Tripartite GCPGuideline for good clinical practice E6(R2)Source Documents: Original documents, data, and records (e.g. hospital records, clinical and office charts, laboratory notes, memoranda, subjects’ diaries or evaluation checklists, pharmacy dispensing records, recorded data from automated instruments, copies or transcriptions certified after verification as being accurate copies, microfiches, photographic negatives, microfilm or magnetic media, x-rays, subject files, and records kept at the pharmacy, at the laboratories and at medico-technical departments involved in the clinical trial).

Certified Copy: A copy (irrespective of the type of media used) of the original record that has been verified (i.e., by a dated signature or by generation through a validated process) to have the same information, including data that describe the context, content, and structure, as the original.

When a copy is used to replace an original document (e.g., source documents, CRF), the copy should fulfill the requirements for certified copies.

EudraLexAnnex 11Audit Trails

Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated “audit trail”). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed.

EudraLexChapter 4Generation and Control of Documentation

All types of document should be defined and adhered to. The requirements apply equally to all forms of document media types. Complex systems need to be understood, well documented, validated, and adequate controls should be in place. Many documents (instructions and/or records) may exist in hybrid forms, i.e. some elements as electronic and others as paper based.

EudraLexChapter 4Records: Provide evidence of various actions taken to demonstrate compliance with instructions, e.g. activities, events, investigations, and in the case of manufactured batches a history of each batch of product, including its distribution. Records include the raw data which is used to generate other records. For electronic records regulated users should define which data are to be used as raw data. At least, all data on which quality decisions are based should be defined as raw data
OECDGLP No 1Section 2.3 item 7. Raw data means all original test facility records and documentation, or verified copies thereof, which are the result of the original observations and activities in a study. Raw data also may include, for example, photographs, microfilm or microfiche copies, computer readable media, dictated observations, recorded data from automated instruments, or any other data storage medium that has been recognized as capable of providing secure storage of information for a time period as stated in section 10, below. (Section 10 not reproduced here.)
OECDGLP No 17Data (raw data): Data (raw data) may be defined as measurable or descriptive attribute of a physical entity, process or event. The GLP Principles define

raw data as all laboratory records and documentation, including data directly entered into a computer through an automatic instrument interface, which are the results of primary observations and activities in a study and which are necessary for the reconstruction and evaluation of the report of that study.

Data (derived data): Derived data depend on raw data and can be reconstructed from raw data (e.g., final concentrations as calculated by a spreadsheet relying on raw data, result tables as summarized by a LIMS, etc.).

OECDGLP No 173.4. Audit trails

An audit trail provides documentary evidence of activities that have affected the content or meaning of a record at a specific time point. Audit trails need to be available and convertible to a human readable form. Depending on the system, log files may be considered (or may be considered in addition, to an audit trailing system) to meet this requirement. Any change to electronic records must not obscure the original entry and be time and date stamped and traceable to the person who made the change.

Audit trail for a computerised system should be enabled, appropriately configured and reflect the roles and responsibilities of study personnel. The ability to make modifications to the audit trail settings should be restricted to authorised personnel. Any personnel involved in a study (e.g. study directors, heads of analytical departments, analysts, etc.) should not be authorised to change audit trail settings.

PIC/SPI 041-1 (Draft

2)

Complete: All information that would be critical to recreating an event is important when trying to understand the event. The level of detail required for an information set to be considered complete would depend on the criticality of the information…A complete record of data generated electronically includes relevant metadata.
PIC/SPI 041-1 (Draft

2)

Many electronic records are important to retain in their dynamic (electronic) format, to enable interaction with the data. Data must be retained in a dynamic form where this is critical to its integrity or later verification.
PIC/SPI 041-1 (Draft

2)

The original record can be described as the first-capture of information, whether recorded on paper (static) or electronically (usually dynamic, depending on the complexity of the system).

Information that is originally captured in a dynamic state should remain available in that state.

UK MHRA‘GXP’ Data Integrity Guidance and Definitions6.2. Raw data (synonymous with “source data” which is defined in ICH GCP)

Raw data is defined as the original record (data) which can be described as the first-capture of information, whether recorded on paper or electronically. Information that is originally captured in a dynamic state should remain available in that state.

Raw data must permit full reconstruction of the activities. Where this has been captured in a dynamic state and generated electronically, paper copies cannot be considered as ‘raw data’…. In all definitions, the term ‘data’ includes raw data.

UK MHRA‘GXP’ Data Integrity Guidance and DefinitionsA static record format, such as a paper or electronic record, is one that is fixed and allows little or no interaction between the user and the record content. For example, once printed or converted to static electronic format chromatography records lose the capability of being reprocessed or enabling more detailed viewing of baselines.

Records in dynamic format, such as electronic records, allow an interactive relationship between the user and the record content. For example, electronic records in database formats allow the user to track, trend and query data; chromatography records maintained as electronic records allow the user or reviewer (with appropriate access permissions) to reprocess the data and expand the baseline to view the integration more clearly.

Where it is not practical or feasibly possible to retain the original copy of source data, (e.g. MRI scans, where the source machine is not under the study sponsor’s control and the operator can only provide summary statistics) the risks and mitigation should be documented.

UK MHRA‘GXP’ Data Integrity Guidance and Definitions6.11.1      Original record

The first or source capture of data or information e.g. original paper record of manual observation or electronic raw data file from a computerised system, and all subsequent data required to fully reconstruct the conduct of the GXP activity. Original records can be Static or Dynamic.

6.11.2      True copy

A copy (irrespective of the type of media used) of the original record that has been verified (i.e. by a dated signature or by generation through a validated process) to have the same information, including data that describe the context, content, and structure, as the original.

A true copy may be stored in a different electronic file format to the original record if required, but must retain the metadata and audit trail required to ensure that the full meaning of the data are kept and its history may be reconstructed.

Original records and true copies must preserve the integrity of the record. True copies of original records may be retained in place of the original record (e.g. scan of a paper record), if a documented system is in place to verify and record the integrity of the copy. Organisations should consider any risk associated with the destruction of original records.

It should be possible to create a true copy of electronic data, including relevant metadata, for the purposes of review, backup and archival. Accurate and complete copies for certification of the copy should include the meaning of the data (e.g. date formats, context, layout, electronic signatures and authorisations) and the full GXP audit trail. Consideration should be given to the dynamic functionality of a ‘true copy’ throughout the retention period (see ‘archive’).

Data must be retained in a dynamic form where this is critical to its integrity or later verification. If the computerized system cannot be maintained e.g., if it is no longer supported, then records should be archived according to a documented archiving strategy prior to decommissioning the computerized system. It is conceivable for some data generated by electronic means to be retained in an acceptable paper or electronic format, where it can be justified that a static record maintains the integrity of the original data. However, the data retention process must be shown to include verified copies of all raw data, metadata, relevant audit trail and result files, any variable software/system configuration settings specific to each record, and all data processing runs (including methods and audit trails) necessary for reconstruction of a given raw data set. It would also require a documented means to verify that the printed records were an accurate representation. To enable a GXP compliant record this approach is likely to be demanding in its administration.

UK MHRA‘GXP’ Data Integrity Guidance and Definitions4.3 Hybrid

Where hybrid systems are used, it should be clearly documented what constitutes the whole data set and all records that are defined by the data set should be reviewed and retained. Hybrid systems should be designed to ensure they meet the desired objective.

UK MHRA‘GXP’ Data Integrity Guidance and DefinitionsThe audit trail is a form of metadata containing information associated with actions that relate to the creation, modification or deletion of GXP records. An audit trail provides for secure recording of life-cycle details such as creation, additions, deletions or alterations of information in a record, either paper or electronic, without obscuring or overwriting the original record. An audit trail facilitates the reconstruction of the history of such events relating to the record regardless of its medium, including the “who, what, when and why” of the action.
US FDA21 CFR Part

211.194 (a)

 

Laboratory records shall include complete data derived from all tests necessary to assure compliance with established specifications and standards, including examinations and assays
US FDA21 CFR Part

211.188

Batch production and control records shall be prepared for each batch of drug product produced and shall include complete information relating to the production and control of each batch.
US FDA21 CFR Part

211.68(b)

Hard copy or alternative systems, such as duplicates, tapes, or microfilm, designed to assure that backup data are exact and complete and that it is secure from alteration, inadvertent erasures, or loss shall be maintained.
US FDA21 CFR Part

58.3(k)

Raw data means any laboratory worksheets, records, memoranda, notes, or exact copies thereof, that are the result of original observations and activities of a nonclinical laboratory study and are necessary for the reconstruction and evaluation of the report of that study.
US FDA21 CFR Part

58.3

Raw data means all original nonclinical laboratory study records and documentation or exact copies that maintain the original intent and meaning and are made according to the person’s certified copy procedures.

Raw data includes any laboratory worksheets, correspondence, notes, and other documentation (regardless of capture medium) that are the result of original observations and activities of a nonclinical laboratory study and are necessary for the reconstruction and evaluation of the report of that study.

Raw data also includes the signed and dated pathology report.

US FDA21 CFR Part 211.180(d)Records required under this part may be retained either as original records or as true copies such as photocopies, microfilm, microfiche, or other accurate reproductions of the original records. Where reduction techniques, such as microfilming, are used, suitable reader and photocopying equipment shall be readily available.
US FDAData Integrity and Compliance with CGMP Guidance for

Industry (draft)

Electronic copies can be used as true copies of paper or electronic records, provided the copies preserve the content and meaning of the original data, which includes associated metadata and the static or dynamic nature of the original records.

True copies of dynamic electronic records may be made and maintained in the format of the original records or in a compatible format, provided that the content and meaning of the original records are preserved and that a suitable reader and copying equipment (for example, software and hardware, including media readers) are readily available.

US FDAData Integrity and Compliance with CGMP Guidance for

Industry (draft)

What is an “audit trail”?

For purposes of this guidance, audit trail means a secure, computer-generated, time-stamped electronic record that allows for reconstruction of the course of events relating to the creation, modification, or deletion of an electronic record. An audit trail is a chronology of the “who, what, when, and why” of a record.

For example, the audit trail for a high performance liquid chromatography (HPLC) run could include the user name, date/time of the run, the integration parameters used, and details of a reprocessing, if any, including change justification for the reprocessing.

Electronic audit trails include those that track creation, modification, or deletion of data (such as processing parameters and results) and those that track actions at the record or system level (such as attempts to access the system or rename or delete a file).

CGMP-compliant record-keeping practices prevent data from being lost or obscured (see §§ 211.160(a), 211.194, and 212.110(b)). Electronic record-keeping systems, which include audit trails, can fulfill these CGMP requirements.

US FDAData Integrity and Compliance with CGMP Guidance for IndustryFor the purposes of this guidance, static is used to indicate a fixed-data document such as a paper record or an electronic image, and dynamic means that the record format allows interaction between the user and the record content. For example, a dynamic chromatographic record may allow the user to change the baseline and reprocess chromatographic data so that the resulting peaks may appear smaller or larger. It also may allow the user to modify formulas or entries in a spreadsheet used to compute test results or other information such as calculated yield.
WHOTRS No. 996

Annex 5

Data means all original records and true copies of original records, including source data and metadata and all subsequent transformations and reports of these data, which are generated or recorded at the time of the GXP activity and allow full and complete reconstruction and evaluation of the GXP activity. Data should be accurately recorded by permanent means at the time of the activity. Data may be contained in paper records (such as worksheets and logbooks), electronic records and audit trails, photographs, microfilm or microfiche, audio- or video-files or any other media whereby information related to GXP activities is recorded.
WHOTRS No. 996

Annex 5

Dynamic record format.

Records in dynamic format, such as electronic records, that allow for an interactive relationship between the user and the record content. For example, electronic records in database formats allow the user to track, trend and query data; chromatography records maintained as electronic records allow the

user (with proper access permissions) to reprocess the data and expand the baseline to view the integration more clearly.

Static record format.

A static record format, such as a paper or pdf record, is one that is fixed and allows little or no interaction between the user and the record content. For example, once printed or converted to static pdfs, chromatography records lose the capability of being reprocessed or enabling more detailed viewing of baselines.

WHOTRS No. 996

Annex 5

The use of hybrid systems is discouraged, but where legacy systems are awaiting replacement, mitigating controls should be in place…

A hybrid approach might exceptionally be used to sign electronic records when the system lacks features for electronic signatures, provided adequate security can be maintained…

Replacement of hybrid systems should be a priority.

Data Integrity Thoughts

At the MHRA Blog, a GDP Inspector has posted some thoughts on Data Integrity. As always, it is valuable to read what an agency, or a representative, of an agency in this case, is thinking.

The post starts with a very good point, that I think needs to be continually reiterated. Data Integrity is not new, it is just an evolution of the best practices.

Data Integrity

It is good to see a focus on data integrity from this perspective. Too often we see a focus on the GCP and GMP side, so bringing distribution into the discussion should remind everyone that:

  • Data Integrity oversight and governance is inclusive of;
    • All aspects of the product lifecycle
    • All aspects of the GxP regulated data lifecycle, which begins at the time of creation to the point of use and extends throughout its storage (retention), archival, retrieval, and eventual disposal.

Posts like this should also remind folks that data integrity is still an evolving topic, and we should expect more guidance from the agencies from this in the near future. Make sure you are keeping data integrity in your sites and have a process in place to evaluate and improve.

I recommend starting at the beginning, analyzing the health of your current program and doing a SWOT.

data integrity SWOT

 

 

 

Data Integrity in the quality system

Data integrity has been, for the last few years, one of the hot topics of regulatory agency inspections for the last few years, one that it has often been noticed seems to be, at times, a popular umbrella for a wide variety of related topics (that usually have a variety of root causes).

Data Integrity is an interesting grab bag because it involves both paper and electronic data. While some of the principles overlap, it sometimes can seem nebulous, Luckily, the MHRA recently published a final guidance on GXP Data Integrity that ties together several threads. This is a great reference document that lays out some key principles:

  1. Organizational culture should drive ALCOA
  2. Data governance is part of the management review process
  3. Data Risk Assessments with appropriate mitigations (full risk management approach)

I love the snarky comment about ALCOA+. More guidances should be this snarky.

The FDA so far this year has been issuing warning letters and 483s in more traditional GMP areas, such as testing and validation. It will be curious if this lessening of focus in a subtle shift in inspection, or just the result of the sites inspected. Either way, building data integrity into your quality systems is a good thing.

Processes and tools for the prevention, detection, analysis, reporting, tracking and remediation of noncompliance to data integrity principles should be integrated into the Quality Management System to:

  • Prevention of data integrity issues through governance, training, organizational controls, processes, systems underlying and supporting data integrity.
  • Detection of data integrity issues through leveraging existing Quality Systems, tools and personnel.
  • Remediation of data integrity issues through leveraging existing Quality Systems that identify and track implementation of corrective/preventive action(s).

Some ways to integrate includes:

  • Data integrity training for all employees
  • Include as an aspect of audits and self-inspections
  • Controls in place to ensure good documentation practices
  • good validation practices
  • Computer system lifecycle management (include audit trail reviews)
  • Ensure your root cause investigators and CAPA people are trained on data integrity
  • Data integrity as a critical decision point in change management

Data integrity, like many other aspects of a quality culture, are mindsets and tools that are applied throughout the organization. There really isn’t a single project or fix. By applying data integrity principles regularly and consistently you build and ensure. A such, data integrity is really just an affirmation of good quality principles.