Review of the Draft WHO Data Integrity Guidance Part 1: Principles, Risk and Management

Data integrity continues to be the hottest regulatory topic for the pharmaceutical industry, with citations from all major regulatory authorities on a global scale. I wrote a series of four articles in 2015^1-4 on the MHRA Data integrity guidance published in March of that year.⁵ In September 2015, the World Health Organisation (WHO) issued a draft document entitled Guidance on Good Data and Record Management Practices⁶ or, in other words, a data integrity guidance. Even WHO inspectors have found problems with data integrity with organizations that they have inspected. WHO do not issue warning letters like the FDA or non-compliances as do the European Medicines Agency, but Notices of Concern (NOC). Regardless of what the regulatory citation is called, what it means that these worthy organizations are staffed by naughty boys and girls who, through a combination of poor data management practices or willful falsification, have managed to earn the ire of an inspector.

MHRA v WHO guidance documents

As we now have two data integrity guidance documents available to read, let us compare them. In terms of metrics, the MHRA document is 16 pages long with three pages of guidance and 13 pages of definitions along with regulatory expectations for each definition. As the MHRA document is brief, the reader is then required to interpret the text into actions and controls they think the Agency requires.

In contrast, the draft WHO guidance is 35 pages long; well, actually, once the title, table of contents etcetera have been ignored, it is 31 pages. Of which, there are about two and a half pages of definitions and the rest is fairly detailed discussion on a whole range of data integrity topics from corporate responsibility down to the expectations for good documentation practices. The scope and extent of the WHO guidance document far exceeds that of the MHRA, as can be seen in Table 1. The value in the MHRA document lies more in the regulatory expectations that are behind the 19 definitions in the document (albeit that some definitions are erroneous and confusing). As the text in the MHRA document is shorter, there is the need to write much to interpret the content of the MHRA guidance document^1-4 in comparison with this more descriptive of the WHO draft publication. There are much more explicit recommendations and expectations in the WHO publication compared with the MHRA document and, hence, less to interpret. On the other side of the coin, as expectations are laid out more clearly in the WHO document, there is no hiding place when it comes to an inspection or audit. If an organization or laboratory has failed to implement basic items, there can be no complaints.

Given the potential for data integrity guidance in various forms to come from the FDA, PIC/S and EMA, it is interesting to see the comment in the Background section that Collaboration is being sought with other organizations towards future convergence in this area. A single regulatory voice for data integrity? I can see squadrons of pigs flying around my house as I write this.

Table 1: Contents of the MHRA and WHO Data Integrity Guidance Documents
MHRA Data Integrity Guidance	WHO Good Data and Record Management
Introduction   Establishing data criticality and inherent integrity risk   Designing systems to assure data quality and integrity   Data Integrity Definitions and Guidance	1. Introduction and Background 2. Aims and Objectives of This Guidance 3. Glossary 4. Principles 5. Quality Risk Management to Ensure Good Data Management 6. Management Governance and Quality Audits 7. Contracted Organizations, Suppliers, and Service Providers 8. Training in Good Data and Record Management 9. Good Documentation Practices 10. Designing Systems to Assure Data Quality and Reliability 11. Managing Data and Records Across the Data Lifecycle 12. Addressing Data Reliability Issues 13. References and Further Reading

Structure of this review

The remainder of these review articles of the WHO draft guidance will be based upon the document structure shown in Figure 1:

• Aims and Objectives, Glossary and Principles
• Risk Management for Good Data Management and Management Governance and Audits
• Suppliers and Service Providers
• Training
• Good Documentation Practices
• Designing Systems for Data Quality and Managing Data and Records
• Addressing Data Reliability Issues

Introduction, Aims and Objectives, Glossary and Principles

The introduction of the document places the rationale for publication on “failures by organisations to apply robust systems that inhibit risks, to improve the detection of situations where data reliability may not be compromised and/or to investigate and address root causes when failures do arise.” In essence, the pharmaceutical industry has brought this on themselves, as they have failed to ensure integrity of their data.

The objective of the document is to provide implementation guidance for regulated entities to bridge the gaps in current guidance. In this simple statement, the WHO document makes clear that the intention is to go beyond the narrower guidance issued earlier in the year by the MHRA.

There are 19 definitions that are presented in a glossary. There is a detailed definition and discussion of an audit trail covering both paper processes and electronic systems. The data integrity definitions of MHRA and FDA (complete, consistent and accurate) are expanded here with the addition of the ALCOA principles, risk management and good documentation practices to produce a definition of:

“Data integrity is the degree to which a collection of data is complete, consistent and accurate throughout the data lifecycle. The collected data should be attributable, legible, contemporaneously recorded, original or a true copy, and accurate. Assuring data integrity requires appropriate quality and risk management systems, including adherence to sound scientific principles and good documentation practices.”

Finally, the principles of good records management outlined in Section 4 and are intended to provide the gateway to the rest of the document:

• Applicability to both paper and electronic data
• Applicability to contract givers and contract acceptors
• Good documentation practices
• Management governance
• Quality culture
• Quality risk management and sound scientific principles
• Data life cycle
• Design of record-keeping methodologies and systems
• Maintenance of record-keeping systems

Risk management for good data management, and management governance and audits

The order of these two sections is a little strange, there is no point in having quality risk management if senior management don’t back the concept of ensuring data integrity. Therefore, I’ll deal with senior management first, and then focus on risk management.

To quote the WHO guide: “Assuring robust data integrity being with management…” The introduction to this section says it all really, if there is no senior management involvement, let’s all pack up and go home. The main elements of the management governance and quality audit section have been summarized in Figure 2, and this falls under four main elements: policies and procedures, culture, quality assurance and management review.

The WHO guidance notes under the remit of the quality unit that there should be regular review of audit trails. This needs to be carefully interpreted. The quality unit is originally a US GMP term, however, in Europe, this function is split into quality control for analysis of product and quality assurance to provide compliance oversight. Review of audit trails associated with laboratory data should be undertaken within the laboratory that generated the data during the second-person review. In addition, quality assurance will be conducting periodic reviews of computerized systems and will probably include elements of data integrity.

Now, having addressed senior management, we can look at quality risk management to ensure data integrity. What is required is that, within the pharmaceutical quality system, there is the appropriate infrastructure, organization, policies and procedures and processes for the prevention and detection of situations (both accidental and willful) that can impact data integrity. The aim is to ensure that good decisions are made on sound data or results. When using a computerized system, the controls required, such as security, access privileges and audit trails, are enforced technically rather than procedurally to ensure compliance. Of course, this will not be possible for paper-based processes or some older computerized systems that do not have adequate technical controls and, hence, procedural controls coupled with training and audits will be required. The long-winded paragraph at the end of this section can be summarized as: work electronically for automated compliance and business efficiency.

To be continued

In the second part of this review, we will discuss the role of suppliers and service providers, staff training, good documentation practices, designing systems for data quality and addressing data reliability issues.

References

1. McDowall, R.D. Review and Critique of the MRHA Data Integrity Guidance for Industry — Part 1: Overview. Scientific Computing 2015 1 Jan 2016; Available from: http://www.scientificcomputing.com/articles/2015/05/review-and-critique-mrha-data-integrity-guidance-industry-%E2%80%94-part-1-overview.
2. McDowall, R.D. Review and Critique of the MRHA Data Integrity Guidance for Industry — Part 2: Data Governance System. Scientific Computing 2015 1 Jan 2016; Available from: http://www.scientificcomputing.com/articles/2015/05/review-and-critique-mrha-data-integrity-guidance-industry-%E2%80%94-part-2-data-governance-system.
3. McDowall, R.D. Review and Critique of the MRHA Data Integrity Guidance for Industry — Part 3: Data Criticality and Data Life Cycle. Scientific Computing 2015 1 Jan 2016; Available from: http://www.scientificcomputing.com/articles/2015/05/review-and-critique-mrha-data-integrity-guidance-industry-%E2%80%94-part-3-data-criticality-and-data-life-cycle.
4. McDowall, R.D. Review and Critique of the MRHA Data Integrity Guidance for Industry — Part 4: System Design, Definitions and Overall Assessment. Scientific Computing 2015 1 Jan 2016; Available from: http://www.scientificcomputing.com/articles/2015/05/review-and-critique-mrha-data-integrity-guidance-industry-%E2%80%94-part-4-system-design-definitions-and-overall-assessment.
5. MHRA GMP Data Integrity Definitions and Guidance for Industry 2nd Edition. 2015, Medicines and Healthcare products Regulatory Agency: London.
6. Draft Guidance on Good Data and Record Management Practices. 2015, World Health Organisation: Geneva.

R.D. McDowall is Director, R D McDowall Limited. He may be reached at [email protected].