MHRA: Data Integrity defined?

In July 2016, the MHRA released a draft document for consultation entitled MHRA GxP Data Integrity Definitions and Guidance for Industry.  As the name suggests, it is a glossary of DI terms where the definitions are further explained with some context to aid in applying the existing regulations available. This is an update to their guidance released in March 2015. While they have not re-defined data integrity, there are some differences to note.

The guidance relates heavily to building your DI environment with a practical risk-based approach to the data collected, whether electronically or manually. It refers frequently to ICH Q9 Quality Risk Management as a practical approach to determining the effort required in applying data governance restrictions.

As a direct comparison on the updates, one definition has been removed and there are six new definitions:

Definitions removedDefinitions added
Primary RecordsData transfer/migration
Data processing
Recording data
Excluding data
Electronic signatures
Cloud providers and virtual service / platforms (also referred to as software as a service SaaS / platform as a service (PaaS) / infrastructure as a service (IaaS))

The addition of cloud/virtual service providers is reflective of how technology has moved in the past 15 months between the guidance versions. It reinforces the need to apply vendor assurance controls to technology providers and not just manufacturing or quality service providers.

The following topics are still prevalent in the guidance and also in industry today.

Data Governance

Data governance is expected to utilise the principles of ICH Q9 when applying controls. Data governance is essentially using a QMS system for data integrity, the QA equivalent to QC. Its implementation is expected through:

  • Organisational awareness
  • Employee training
  • Vendor assurance
  • Lifecycle management
  • Self inspection

There is a new commentary on periodic review of DI control systems. Without performing a self-inspection of the controls it would not be possible to know if there are active unaddressed issues or potential risks.

This concept is also applicable to cloud and platform service providers, as outlined in Section 20, where the system or infrastructure is not owned by the organisation. The data integrity must be maintained across the impacted third parties for the lifecycle of the data.

‘DIQbD’

There is also an emphasis on the design of the controls to support data quality and integrity. The idea of ‘data integrity/quality by design’ is something that aligns with the ISPE GAMP® 5 system validation process and PIC/S PE 009 Annex 15 Qualification and Validation. In order to apply the regulations appropriately, the organisation must understand the:

  • data required
  • collection system and processing
  • criticality to the patient
  • risk of data tampering
  • controls required

Each of the requirements should be documented and risk assessed before implementing a system. The validation process provides an ideal framework for documenting the data integrity lifecycle.

GMP facility deadline

The guidance places a lot of emphasis on metadata integrity and two sections highlight the importance of user identification and data change controls/restrictions:

  • Section 13 Audit Trail
  • Section 16 Computerised system user access / system administrator roles

While hybrid systems are accepted if they provide the adequate level of control, it is expected that GMP facilities, whose hybrid system does not meet the requirements for DI, should update their system by the end of 2017 with reference to Art 23 of Directive 2001/83/EC.

Current thinking

The guidance does not report any major revelations or changes to DI or its definitions, that have not already been discussed in recent times through ISPE conferences, the 2016 National GMP and Validation Forum or in an earlier blog (Why is Data Integrity still a ‘hot topic’ and why do we continue to discuss it?)

The simple matter is that DI is still a hot topic because the regulators are still discussing it. It is still the cause of an increasing number of regulatory citations over the last 5 years:

  • 2 in 2010 to 10 in 2014
  • 17% of warning letters in 2014
  • 30% of warning letters in 2015
  • Failures were predominantly in almost all API warning letters in 2015.

(Source: Roy T. Cherris, Bridge International Assoc., 2016 National GMP and Validation Forum, July 2016).

The deadline for comments to the draft are open until 31 October 2016 and can be submitted via the link to the MHRA website at the top of this article.