This is the first of four articles looking at the new UK’s Medicines and Heathcare products Regulatory Agency (MHRA) guidance for industry on data integrity.
Global Data Integrity Problems
Data integrity is a major regulatory topic that has been the subject of a number of articles by myself in Scientific Computing over the past few years focusing on chromatography data systems1,2 and warning letters issued in mid 2013.3,4 Data integrity is not just an Indian and Chinese problem, but a global issue, as many data integrity problems are based on poor and/or outdated working practices rather than a minority of cases involving data falsification.
Cases of fraud and falsification have occurred in the United States with Able Laboratories5 and Leiner Health Products6 over 10 years ago. As a result, the United States regulator, the Food and Drug Administration (FDA) has taken the lead, such as:
- Updated Compliance Program Guide 7346.832,7 which has as objective 3 a data integrity audit of laboratory data.
- Trained their inspectors in data integrity, which means that there is now a focus on computerized systems and the data contained therein rather than paper output.
- There is level 2 guidance for some aspects of data integrity: shared user log-ins, why paper cannot be raw data from a computerized system, and using samples as SST injections.8
The European Medicines Agency has started posting GMP non-compliances online, where many cases of data integrity have been noted,9 and Health Canada has now stated that GMP inspections will be unannounced due to data integrity issues that it has uncovered.10
MHRA Approach to Data Integrity
Our story begins in December 2013 when the MHRA gave the pharmaceutical industry an early Christmas present via their Web site.11 This announcement stated that, from January 2014:
The MHRA is setting an expectation that pharmaceutical manufacturers, importers and contract laboratories, as part of their self-inspection programme must review the effectiveness of their governance systems to ensure data integrity and traceability.
This was an extension of self-inspections (internal audits) under Chapter 9 of EU GMP.12 However, in addition to the pharmaceutical company itself, it was also an expectation that the data integrity of a company’s suppliers (e.g. API suppliers, contract manufacturing and contract laboratories) are included in these assessments as well.
In March 2014, the MHRA wrote to suppliers of chromatography data systems to request a copy of their software and documentation in order to understand how each system worked. The unwritten lines of the letter I have surmised are so that the inspectors can identify how data can be falsified using a specific CDS application. It is not known how many suppliers responded with copies of their software.
The next stage of the story is that, in April 2014, MHRA and other European inspectors received training in data integrity from Monica Cahilly who is one of the trainers for the FDA on this subject.
In January 2015, MHRA released a guidance for industry on data integrity.13 Following feedback from the industry, MHRA issued a second version in March 2015.14 This is a good point, as it shows that they are willing to listen to the pharmaceutical industry.
Read More: Is It Time to Replace Your Chromatography Data System?
The focus of these articles is an interpretation and critique of the second version of the MRHA data integrity guidance for laboratories working to European Union GMP regulations, such as analytical development in R&D and quality control in pharmaceutical manufacturing. In doing so, some of the main differences between the first and second versions of the document will be highlighted and discussed.
MHRA Data Integrity Guidance Overview
The guidance14 consists of 16 pages and is divided into two main sections: discussion and definitions. The discussion section of three pages consists of an introduction, followed by topics on establishing data criticality and inherent integrity risk, and designing systems to assure data quality and integrity. The definitions section comprises 19 definitions combined with the MHRA expectation or guidance. It is the latter section, specifically the regulatory guidance or expectation, which provides most of the value in the document.
As we shall see, writing of the document in parts appears rushed, as there are some interesting areas, which I believe to be unintended, where there are mistakes and gaps in the definition portion of the document. Some of the original gaps have been corrected in the second version of the guidance, but some errors remain. The major issue I have with the definitions section is that it reads as a shopping list, rather than integrating and interleaving the definitions together to create a better idea of exactly what is required by the agency.
In summary, the MHRA guidance can be described as good, but not that good.
It is good in that it sets out definitions and regulatory expectations for data integrity and clarifies some points. It is not that good, as it fails to integrate the individual definitions and expectations into a meaningful description of what needs to be done to comply, mainly by lacking figures. However, these comments should not understate the fact that this is the first comprehensive guidance for industry on data integrity that has been issued by a regulatory authority. Although some may argue that the FDA’s CPG 7346.8327 should be the first such document, as it outlines a laboratory data integrity audit. However, this is intended for inspectors not industry. The MHRA document is a guidance for industry.
1 in 28?
One question that struck me reading the document for the first time was why has the MHRA taken the steps to publish this guidance for industry? The UK is one of the 28 member states of the European Union, and each member state has its own regulator responsible for inspections within its borders and for inspections outside the EU. However, the regulations and the majority of guidance documents or concept papers are usually issued by the European Medicines Agency (EMA), the pan European body responsible for regulations, product licensing, etcetera. What will one EU-competent authority achieve working on its own?
Introduction to the MHRA Guidance – Setting the Scene
The introduction to the MRHA guidance looks at the justification for data integrity and the first sentence sets the scene:
Data integrity is fundamental in a pharmaceutical quality system which ensures that medicines are of the required quality.14
It goes on to state that this guidance is complimentary to EU GMP. It also reiterates an MHRA expectation for a data governance system, which repeats their original 2013 approach.11 It also warns companies not to return to paper, as this would be a breach of European Union directive 2001/83/EC15 which, in article 23, requires companies to take account of scientific and technical progress.
Two changes have been made in the March 2015 version of the document in the introduction:
- The first is informational and refines the scope of the document to active substances (APIs) and dosage forms. Therefore, it excludes excipients from the scope of the guidance, presumably as these are lower risk.
- The second change is more far-reaching for regulated organizations. In the original version, the guidance stated that organizations are “not expected to implement a forensic approach to data checking, ….”.
However the revised version slips in four additional words to read “not expected to implement a forensic approach to data checking on a routine basis, ….”.
This changes the whole approach to data integrity: the original version wanted a system to provide an acceptable state of control based on data integrity risk. However, do we now need to have CSI on standby to rush in waving their torches around looking for clues whenever a data integrity alarm is raised?
Perhaps a more rational approach is that we leave the forensics to the regular self-inspections or for cause audits and the acceptable state of control to routine operations, such as the second-person checks of laboratory data and the reportable results?
Drowning in Integrity Definitions
The MHRA guidance document gives a definition of data integrity which is shown in Table 1 along with four other definitions (two from the FDA, one from National Institute of Science and Technology and one from the Institute of Electronic and Electrical Engineers – IEEE) of either data integrity or integrity. I have deliberately listed all five definitions in Table 1 to illustrate that different organizations, or even different divisions of the same regulatory organization, can have different approaches to the same subject.
Table 1: Data Integrity and Integrity Definitions
Source |
Definition of Data Integrity or Integrity |
MHRA14 |
The extent to which all data are complete, consistent and accurate throughout the data lifecycle (data integrity). |
FDA 116 |
The degree to which a collection of data are complete, consistent and accurate (data integrity) |
FDA 217 |
Data, information and software are accurate and complete and have not been improperly modified (integrity) |
NIST18 |
The property that data has not been altered in an unauthorized manner (data integrity). |
IEEE19 |
The degree to which a system or component prevents unauthorized access to, or modification of, computer programs or data (integrity) |
What can we learn from these definitions of integrity and data integrity? Let us attempt to reconcile and combine them into a single approach for data integrity:
- Data must be complete, consistent and accurate (MHRA & FDA 1, 2).
- Data have a life cycle (MHRA, NIST).
- Data must not have been improperly modified (FDA, NIST).
- If using a computerised system the software should prevent unauthorised modification of data (FDA 2, IEEE).
The first three bullet points hold for manual processes, as well as hybrid and electronic computerized systems, and the fourth point covers hybrid and electronic systems.
Wrong Definition of Data and Integrity Criteria
In the definition section, data is defined as information derived or obtained from raw data (e.g. a reported analytical result).14 This definition is misleading. How can be data be defined as information? Data are processed and reduced to information, which itself can be further interpreted to produce knowledge. However you look at it, data can never be information. MHRA’s own definition equated information as analytical results (i.e. a reduction of raw data).
In the regulatory expectation for data is the requirement to comply with ALCOA principles. Table 2 shows these criteria in the first five rows (Attributable, Legible, Contemporaneous, Original and Accurate). The first line of each criterion is the MHRA requirement, and underneath are my additions to them. However, when looking at data integrity, ALCOA principles, which were developed for paper records, are not sufficiently comprehensive. The GAMP Data Integrity SIG has adopted the EMA GCP20 criteria for electronic source data, which are shown in Table 2 in the last four rows and summarized as ALCOA+. The four additional criteria are: Complete, Consistent, Enduring and Available. Therefore, the data definition and the regulatory expectation sections in the MHRA guidance need to be revised, in my opinion, to be comprehensive for paper, hybrid and electronic processes and systems.
Table 2: ALCOA+ Criteria for Data Integrity
Criterion |
Meaning |
Attributable |
Attributable to the person generating the data (MHRA) Who acquired the data originally or performed an action subsequently to it and when? |
Legible |
Legible (MHRA) Can you read the data together with any metadata or all written entries on paper? |
Contemporaneous |
Contemporaneous (MHRA) Documented (on paper or electronically) at the time of an activity |
Original |
Original record or true copy (MHRA) Written observation or printout or a certified copy thereof Electronic record including metadata of an activity |
Accurate |
Accurate (MHRA) No errors in the original observation(s) No editing without documented amendments / audit trail entries by authorized personnel |
Complete |
All data from an analysis, including any data generated before a problem is observed, data generated after repeat part or all of the work or reanalysis performed on the sample. For hybrid systems, the paper output must be linked to the underlying electronic records used to produce it. |
Consistent |
All elements of the analysis, such as the sequence of events, follow on and data files are date (all processes) and time (when using a hybrid or electronic systems) stamped in the expected order |
Enduring |
Recorded on authorized media e.g. laboratory notebooks, numbered worksheets, for which there is accountability or electronic media Not recorded on the backs of envelopes, laboratory coat sleeves, cigarette packets or Post-It notes |
Available |
The complete collection of records can be accessed or retrieved for review and audit or inspection over the lifetime of the record. |
The next part of this series will look at the data governance system.
References
- R.D.McDowall, Scientific Computing, November 2007 http://www.scientificcomputing.com/articles/2007/09/four-cds-compliance-lessons?cmpid=horizontalcontent
- R.D.McDowall, Scientific Computing, March – April 2011 http://www.scientificcomputing.com/articles/2011/05/ensuring-data-integrity-regulated-environment?cmpid=horizontalcontent
- R.D.McDowall, Scientific Computing, July 2013 http://www.scientificcomputing.com/articles/2013/09/fdas-focus-laboratory-data-integrity-%E2%80%93-part-1
- R.D.McDowall, Scientific Computing, August 2013 http://www.scientificcomputing.com/articles/2013/09/fdas-focus-laboratory-data-integrity-%E2%80%93-part-2
- Able Laboratories 483 Inspectional Observations (July 2005)
- Leiner Health Products FDA Warning Letter, (August 2007)
- Compliance Program Guide (CPG) 7346.832 Pre Approval Inspections, FDA May 2010, effective May 2012
- FDA Level 2 guidance Questions and Answers on Current Good Manufacturing Practices, Good Guidance Practices, Level 2 Guidance – Records and Reports. Question 7: In warning letters to firms, why has FDA objected to the practice of using actual samples to perform system suitability testing (sometimes also referred to as “trial,” “test,” or “prep” runs)?
http://www.fda.gov/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/ucm124787.htm - EMA EudraGDMP database
http://eudragmdp.ema.europa.eu/inspections/gmpc/searchGMPNonCompliance.dof - Health Canada database
http://www.hc-sc.gc.ca/dhp-mps/compli-conform/gmp-bpf/index-eng.php - MHRA Expectation Regarding Self Inspection and Data Integrity, December 2013
The original web page was http://www.mhra.gov.uk/Howweregulate/Medicines/Inspectionandstandards/GoodManufacturingPractice/News/CON355490 This page has now been archived and a snapshot is available at http://webarchive.nationalarchives.gov.uk/20141205150130/http://www.mhra.gov.uk/Howweregulate/Medicines/Inspectionandstandards/GoodManufacturingPractice/News/CON355490 - EU GMP Chapter 9 Self Inspections:
http://ec.europa.eu/health/documents/eudralex/vol-4/index_en.htm - MHRA GMP Data Integrity Definitions and Guidance for Industry version 1, January 2015
- MHRA GMP Data Integrity Definitions and Guidance for Industry version 2, March 2015
- Medicinal Products for Human Use, EU Directive 2001/83/EU, Article 25 (2001)
- FDA Glossary of Computer Systems Software Development Terminology (1995)
- FDA Guidance on Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (Oct 2014)
- NIST SP 800 – 33 Underlying Technical Models for Information Technology Security, December 2001
- IEEE Software Engineering Standard 610 (Glossary, 1990
- Reflection paper on expectations for electronic source data and data transcribed to electronic data collection tools in clinical trials, European Medicines Agency, 2010
R.D. McDowall is Director of R D McDowall Ltd. He may be contacted at [email protected].
Related Content
- Review and Critique of the MRHA Data Integrity Guidance for Industry – Part 2: Data Governance System
- Review and Critique of the MRHA Data Integrity Guidance for Industry – Part 3: Data Criticality and Data Life Cycle
- Review and Critique of the MRHA Data Integrity Guidance for Industry – Part 4: System Design, Definitions and Overall Assessment