Data integrity is a global expectation as evidenced by the Medicines and Healthcare Products Regulatory Agency (MHRA) guidance, published in January and March of 2015 [3, 4], joining the FDA and European Medicines Agency (EMA) in prescribing expectations.
For life science companies, data integrity is both a regulatory compliance and also a financial issue. With industry’s increasing reliance on technology and digital data, data integrity has begun to claim its place in the spotlight.
On numerous occasions regulators have cited companies for inadequate controls on the integrity of data, raising questions as to the authenticity and reliability of the data [5, 6, 7, 8]. Therefore, implementing a successful corporate data integrity program has become a prerequisite for successful GxP compliance in the 21st century and an integral part of a company’s Quality Management System (QMS).
This Concept Paper focuses on electronic records and computerized systems – a key area of emphasis for GAMP®. However, manual systems and paper based records remain a key area of data integrity failures. The risks associated with manual systems, including the risks between manual and computerized systems, should not be overlooked. The intent of this Concept Paper is to share implementation considerations based on the experiences of several companies, including successes and challenges. Although the specifics of each individual company’s data integrity program will be different, the considerations described should give companies a direction for creating a successful corporate data integrity program.
2 Critical Success Factors
2.1 Executive Sponsorship
an effective data integrity program need executive commitment. In FDA’s terminology, “senior management with executive authority” will be called upon to promote the data integrity cause, provide appropriate resource allocation, settle differences of opinion and priorities, and ensure that data integrity expectations are carried out across all levels of the organization .
Best practice experience dictates obtaining an officer of the company as the sponsor for the data integrity program because, at some point, sponsors will be required to:
set a direction
break down organizational resistance to change
The higher the level of the sponsor, the greater the force that can be leveraged to ensure alignment across the company.
Practically speaking, however, actual day-to-day sponsorship, guidance, and supervision of the data integrity program will likely be delegated to a mid-level executive. Regardless of who serves as the sponsor, management accountability, at all levels of the corporation from the Chief Executive Officer (CEO) to the operations floor supervision, plays a key role in ensuring data integrity. It is critical that they “walk the talk” and foster an environment that promotes and ensures good data integrity practices. By doing so, they demonstrate the core values of integrity in response to a failure. They do not incentivize data falsification and discourage the “wanting to please management” mentality that can lead to many data integrity issues. And of most importance, they eliminate the fear of management retribution and foster an environment where employees are empowered and encouraged to identify and report data integrity issues on the shop floor.
The MHRA stated in their guidance that: “The data governance system should be integral to the pharmaceutical quality system.” [3, 4] They also prescribe that the effort and resource assigned should be commensurate with the risk.
Executives need an awareness of four key benefits that a data integrity program can deliver, including:
Financial (e.g., bottom line) benefits
Legal product liability
Specific points to emphasize these key benefits include:
Good data integrity practices are increasingly seen by regulators and investors as a fundamental requirement foraccurate financial reporting and forecasting .
More than a decade of experience combining good data integrity practices with risk-based computerized system validations has shown that this combination can reduce the overall costs of validation – and maintain such validation.
Good data integrity requirements cross multiple regulatory health agency rules, including those of the FDA, EMA, Health Canada, MHRA, and both the harmonized International Council on Harmonisation (ICH) and Pharmaceutical Inspection Convention and Pharmaceutical Inspection Co-operation Scheme (PIC/S) guidelines, reducing the work needed to comply with each region.
Good data integrity practices (often seen as akin to good recordkeeping practices in the legal costs during product liability litigation and e-discovery .
By showing that the return on investment in an effective data integrity program outweighs the costs, the support of executive sponsors will be easier to obtain.
It is vital to obtain senior level executive sponsorship for a corporate data integrity program to ensure a holistic, thorough system that can withstand regulatory scrutiny.
2.2 Cross-Functional Steering Committee
The senior management sponsor will set the data integrity expectation and priorities; however, a steering committee consisting of the company’s functional leaders and departmental supervisors will ensure their implementation. Because regulated data is created, reviewed, transformed and summarized, stored, migrated, and archived across multiple departments, an effective data integrity program requires a wide variety of functional inputs.
Data also crosses regulatory boundaries, e.g., data initially collected in clinical settings and nonclinical laboratories may fall under the Good Clinical Practice (GCP) and Good Laboratory Practice (GLP) regulations, only to be later used in assessing postmarket safety issues and fall under the Good Pharmacovigilance Practice (GPvP), Current Good Manufacturing Practice (CGMP), or even the Good Distribution Practices (GDPs). An effective data integrity program controls the integrity of regulated data across the data life cycle, all the way from its initial creation to its eventual long-term disposition and destruction. In this light, a cross-functional approach to implementing an effective data integrity program is a necessity.
To obtain accurate and helpful input, stakeholders from each of the key functional areas need to be represented in the program implementation group. Experience has shown that too large a team will be unwieldy and ineffective. Rather, consider a core steering committee supplemented on an ad hoc basis by subject matter experts and functional leaders of relevant regulated operations, as they come under the overall data integrity control framework during its implementation throughout the organization.
2.2.1 Avoid Temptation
It may be tempting to assign the responsibility for implementing the data integrity program to the Information Technology (IT) department or to the Records and Information Management (RIM) department. Avoid this! There are a number of reasons why succumbing to this temptation carries a high risk.
First, IT and RIM personnel do not have the business process knowledge to decide when a data set is “complete,” or “accurate,” or “original,” and so on. Additionally, IT or RIM may not actively be involved in all the company’s day-today activities of the data life cycle. Without the capability to discern data quality, they cannot identify and implement controls designed to minimize the risk to data integrity:
How is the IT manager to assess if the chromatogram included all the results?
When is it appropriate to drop a particular outlier from a data set?
How should the RIM analyst view a request to catalogue and store the raw chromatography data (including
sample set, injection sequence, and manual integration log) versus just the summary output graph?
Can the RIM analyst identify raw data versus transformed data – or whether data is missing?
Second, data integrity requires a series of controls spanning the entire data life cycle. Often, neither IT nor RIM will have insight into the company’s data that either exist at a vendor, are transferred into the company from a vendor (or vice versa), or are created and held on behalf of the company at a vendor (such as through usage of a Contract Research Organization (CRO) or Contract Manufacturing Organization (CMO). Failing to acknowledge the need for controls around data from such vendors leaves a gap in the data life cycle that allow for accusations of data integrity failure.
Finally, there is a risk of scope creep if data integrity initiatives are turned over to IT. FDA is focused on a narrow application of integrity controls intended to avoid regulated data fraud and/or regulated data loss. In contrast, IT-led data integrity initiatives can quickly upscale into broad, corporate-wide data governance initiatives leaving FDA’s data integrity controls as a subset of the greater body of data governance. It is better to view the implementation of an effective data integrity program as a step toward the long-term data governance; therefore, it is recommended to let IT lead the greater data governance initiative but not the more narrow GxP data integrity effort. Leaving data integrity in the hands of IT or RIM is a recipe for confusion, frustration, and non-compliance.
Read more by downloading Considerations for Corporate Data Integrity Program (Published: March 2016).