This is the second of a four-part series reviewing and critiquing the recent Medicines and Healthcare products Regulatory Agency (MHRA) guidance for industry document on data integrity.1 The first part of the series2 provided a background to the guidance document and discussed the introduction to the document. In this part, we will look at the MHRA requirement for a data governance system.
Data Governance System
The MHRA guidance document defines a data governance system as:
The sum total of arrangements to ensure that data, irrespective of the format in which it is generated, is recorded, processed, retained and used to ensure a complete, consistent and accurate record throughout the data lifecycle.1
Let us explore what this should entail. First, no other regulatory agency is requiring organizations to have a data governance system. However, this is a good idea given the number of issues involving data integrity that have been found recently. The rationale for this is based on MHRA’s interpretation of ICH Q10 on Pharmaceutical Quality Systems (PQS),3 which is incorporated in Part 3 of EU GMP4 and that of EU GMP Chapter 1 on PQS,5 which is based in part on ICH Q10.
Under the clause 1.8 for GMP for medicinal products it states
(vi) Records are made, manually and/or by recording instruments, during manufacture which demonstrate that all the steps required by the defined procedures and instructions were in fact taken and that the quantity and quality of the product was as expected.
There is a similar requirement for quality control laboratories in clause 1.9 which states:
(iv) Records are made, manually and/or by recording instruments, which demonstrate that all the required sampling, inspecting and testing procedures were actually carried out. Any deviations are fully recorded and investigated;
I believe that it is on these two clauses that MHRA bases the interpretation for a data governance system. As required by EU GMP Chapter 4, records are evidence that instructions have been executed correctly.6 However, it is a long stretch from sections 1.8 and 1.9 of EU GMP to a data governance system. In contrast, FDA has a least burdensome approach to the interpretation of their medical device regulations,7 in a risk-based world, should this not be the way forward?
As shown diagrammatically in Figure 1: a data governance system can operate within the overall pharmaceutical quality system, as there are data integrity requirements contained in EU GMP Annex 118 for computerized systems, as well as requirements in Chapters 4 and 6 for paper, hybrid and electronic records.6,9 The data governance system covers all processes involved in generating data and records during the course of pharmaceutical supply, manufacturing, testing and release. The controls to be applied to individual records, especially critical ones, are determined by risk management, which will outline the data integrity approaches for each system.
More detail is provided on the data governance structure by the MHRA in the definitions section of the guidance:1
- Data governance should address data ownership throughout the lifecycle, and consider the design, operation and monitoring of processes / systems in order to comply with the principles of data integrity including control over intentional and unintentional changes to information.
- Data Governance systems should include staff training in the importance of data integrity principles and the creation of a working environment that encourages an open reporting culture for errors, omissions and aberrant results.
- Senior management is responsible for the implementation of systems and procedures to minimise the potential risk to data integrity, and for identifying the residual risk, using the principles of ICH Q9. Contract Givers should perform a similar review as part of their vendor assurance programme1
From this, we can derive the following elements of a data governance system, which are listed below and shown linked in Figure 1:
- management responsibilities
- risk assessment
- data owners, who can be equated to the process owners of computerised systems under Annex 118 and the responsibilities combined
- policies and procedures
- training, including data integrity
- creating a no-blame culture around data integrity
Taking the criteria that were abstracted above from the MHRA guidance above, we can interweave them within an existing pharmaceutical quality system shown in Figure 2. Note, as shown in Figure 2, the five areas of the data governance system are not standalone silos, but interact with each other.
- Management Responsibilities: Senior management now has overall responsibility for quality and compliance with GMP within the PQS, as defined in EU GMP Chapter 1,5 what needs to be added are the additional responsibilities for data integrity within each senior manager’s functional area.10 The responsibilities are to ensure that data are acquired, secured, transformed and reported in accordance with defined procedures and that deviations will be documented and investigated. Typically, these responsibilities, but not the accountability, will be devolved to the data owners of specific processes and computerized systems.
- Working Culture and Data Integrity Issues: This is the most important area that senior management can foster. What is required is the creation and maintenance of an open and no-blame culture to enable staff to raise data integrity issues. Part of this culture is the ability of staff to raise data integrity issues without fear of retribution via reporting mechanism to senior management.
- Policies, Procedures and Training: Procedures for ensuring data integrity for all activities (both GMP and non-GMP to avoid dual standards) followed by training in these procedures for all staff is essential.11,12 Data integrity must be included in the regulatory requirement for on-going GMP training to reinforce the message. Part of the policies and procedures is the requirement for risk assessment. This needs to be undertaken to determine the impact and criticality of the records generated by each system to determine the controls. Then, via a gap and plan process, assess the existing controls in place to determine what, if any, additional controls are required to ensure data integrity. The GAMP good practice guide on Compliant Part 11 Records and Signatures13 already has a list of controls to protect electronic records, and this could be adapted by organizations to include paper records as well.
- Data Ownership: There is a requirement for a data owner under the MHRA guidance. Rather that create another role, I would suggest that, for computerized systems, the existing process owner in the laboratory for each system should also be responsible for the integrity of data generated and managed within their systems. However, there are potential problems — what happens if data are transferred manually to a spreadsheet for further calculations or are transferred from one system to another electronically — is the same person the data owner? However, if the responsibilities of the process owner and data owner are combined, the issue should be resolved for the majority of processes and systems.
In addition to the MRHA document, there is an extreme example of a data governance system in operation today, and that is documented in the Ranbaxy consent decree that the company and the FDA agreed upon in January 2012.14 This established the post of Chief Data Integrity Officer reporting to the Board with a number of tasks to carry out to resolve the long standing falsification issues that had arisen over the previous four to five years. Part of the setup was the establishment of a whistleblowing phone line that any company employee can call without fear of retribution. I am not advocating such a governance structure, as the Ranbaxy approach has been defined to correct falsification carried out over some time. What is required is to integrate the data governance within the pharmaceutical quality system as shown in Figure 1.
However, after writing this section, I am still reminded that this is a single inspectorate within the European Union — how effective will this request for a data governance system be? Why is the EU not acting in unison?
In this part of the review of the MHRA data integrity guidance, we have focussed in the data governance system promoted by the UK regulator. There is a basis for this when interpreting EU GMP Chapter 1, and an outline of the elements for such a data governance system are presented and discussed. In the next part of this review and critique series, we will look at data criticality and a data life cycle.
- MHRA GMP Data Integrity Definitions and Guidance for Industry version 2, March 2015
- R.D.McDowall, Scientific Computing, Part 1 http://www.scientificcomputing.com/articles/2015/05/review-and-critique-mrha-data-integrity-guidance-industry-%E2%80%94-part-1-overview
- ICH Q10 Pharmaceutical Quality System, 2006
- EU GMP Part 3 ICH Q10 Pharmaceutical Quality System
- EU GMP Chapter 1 Pharmaceutical Quality System
- EU GMP Chapter 4 Documentation, 2011
- FDA The Least Burdensome Provisions of the FDA Modernization Act of 1997: Concept and Principles; Final Guidance for FDA and Industry 2002
- EU GMP Annex 11 Computerised Systems, 2011
- EU GMP Chapter 6 Quality Control, 2014
- J.Avellanet and E.Hitchings, Pharmaceutical Engineering, in press
- EU GMP Chapter 2 Personnel (Principle and clause 2.11)
- 21 CFR 211, Current Good Manufacturing Practice for Finished Pharmaceutical Products
- GAMP Good Practice Guide Compliant Part 11 Records and Signatures, ISPE Tampa FL, 2005
- Consent Decree of Permanent Injunction, Ranbaxy Laboratories and Food and Drug Administration, Case 1:12-cv-00250-JFM, United States Court District of Maryland, January 2012
R.D. McDowall is Director of R D McDowall Ltd. He may be contacted at editor@ScientificComputing.com.
- Review and Critique of the MRHA Data Integrity Guidance for Industry — Part 1: Overview
- Review and Critique of the MRHA Data Integrity Guidance for Industry – Part 3: Data Criticality and Data Life Cycle
- Review and Critique of the MRHA Data Integrity Guidance for Industry – Part 4: System Design, Definitions and Overall Assessment