From the Experts | Montrium Services Blog

How to Avoid Electronic Data Integrity Issues: 7 Techniques for your Next Validation Project

Written by Gianna De Rubertis | August 9, 2016 at 6:29 PM

Regulatory agencies around the globe are causing life science companies to be increasingly concerned with data integrity.  This comes with no surprise given that Guidance Documents for Data Integrity have been published by the MHRA, FDA (draft), and WHO (draft).  In fact, the recent rise in awareness of the topic has been so tremendous that, less than two years after the original publication, the MHRA released a new draft of its guidance whose scope has been broadened from GMP to all GxP data.

In computerised systems, failures in data integrity management can arise from poor or complete lack of system controls.  Human error or lack of awareness may also cause data integrity issues.  Deficiencies in data integrity management are crucial because they may lead to issues with product quality and/or patient safety and, ultimately may manifest themselves through patient injury or even death.

Given the increased scrutiny for data integrity and potential harm that could arise from data integrity issues, its important to implement controls to prevent and detect breaches in data integrity.  Your computer system validation program can and should be leveraged to ensure these controls are in place.

 

What is Data Integrity?

Data can be defined as any original and true copy of paper or electronic records.  In the broadest sense, data integrity refers to the extent to which data are complete, consistent and accurate.

To have integrity and to meet regulatory expectations, data must at least meet the ALCOA criteria. Data that is ALCOA-plus is even better.

A

ATTRIBUTABLE

You should know who performed an action to generate the data, and when.

L

LEGIBLE

You should be able to read the data. 

C

CONTEMPORANEOUS

The data must be documented at the time of the data-generating activity.

O

ORIGINAL

The data should be available in their original format or a true copy thereof (i.e. backup).

A

ACCURATE

The data should be without error. If amended, the corrections must be documented.

+plus

COMPLETE

CONSISTENT

ENDURING

AVAILABLE

The data must be trustworthy and available for review and inspection throughout the retention period.

 

What is a Computerised System?

A computerised system is not only the set of hardware and software, but also includes the people and documentation (including user guides and operating procedures) that are used to accomplish a set of specific functions.  It is a regulatory expectation that computer hardware and software are qualified, while the complete computerised system is validated to demonstrate that it is fit for its intended use.

How can you demonstrate Electronic Data Integrity through Validation?

Here are some techniques to assist you in ensuring the reliability of GxP data generated and maintained in computerised systems.

Specifications

What to do

Why you should do this

Outline your expectations for data integrity within a requirements specification.

For example:

  • Define requirements for the data review processes.
  • Define requirements for data retention (retention period and data format).

Validation is meant to demonstrate a system’s fitness for intended use.  If you define requirements for data integrity, you will be more inclined to verify that both system and procedural controls for data integrity are in place.

Verify that the system has adequate technical controls to prevent unauthorised changes to the configuration settings.

For example:

  • Define the system configuration parameter within a configuration specification.
  • Verify that the system configuration is “locked” to end-users.  Only authorized administrators should have access to the areas of the system where configuration changes can be made.

The inspection agencies expect you to be able to reconstruct any of the activities resulting in the generation of a given raw data set.  A static system configuration is key to being able to do this.

 

Verification of Procedural Controls

What to do

Why you should do this

Confirm that procedures are in place to oversee the creation of user accounts.

For example:

  • Confirm that user accounts are uniquely tied to specific individuals. 
  • Confirm that generic system administrator accounts have been disabled.
  • Confirm that user accounts can be disabled.

Shared logins or generic user accounts should not be used since these would render data non-attributable to individuals.

System administrator privileges (allowing activities such as data deletion or system configuration changes) should be assigned to unique named accounts.  Individuals with administrator access should log in under his named account that allows audit trails to be attributed to that specific individual.

Confirm that procedures are in place to oversee user access management.

For example:

  • Verify that a security matrix is maintained, listing the individuals authorized to access the system and with what privileges.

A security matrix is a visual tool for reviewing and evaluating whether appropriate permissions are assigned to an individual. The risk of tampering with data is reduced if users are restricted to areas of the system that solely allow them to perform their job functions. 

Confirm that procedures are in place to oversee training.

For example:

  • Ensure that only qualified users are granted access to the system.

People make up the part of the system that is most prone to error (intentional or not).  Untrained or unqualified users may use the system incorrectly, leading to the generation of inaccurate data or even rendering the system inoperable.

Procedures can be implemented to instruct people on the correct usage of the system.  If followed, procedures can minimize data integrity issues caused by human error. Individuals should also be sensitized to the consequences and potential harm that could arise from data integrity issues resulting from system misuse.

Logical security procedures may outline controls (such as password policies) and codes of conduct (such as prohibition of password sharing) that contribute to maintaining data integrity.

 

Testing of Technical Controls

What to do

Why you should do this

Verify calculations performed on GxP data.

For example:

  • Devise a test scenario where input data is manipulated and double-check that the calculated output is exact.

When calculations are part of the system’s intended use, they must be verified to ensure that they produce accurate results.

Verify the system is capable of generating audit trails for GxP records.

For example:

  • Devise a test scenario where data is created, modified, and deleted.  Verify each action is captured in a computer-generated audit trail.
  • Verify the audit trail includes the identity of the user performing the action on the record
  • Verify the audit trail includes a time stamp
  • Verify the system time zone settings and synchronisation.

With the intent of minimizing the falsification of data, GxP record-keeping practices prevent data from being lost or obscured.  Audit trails capture who, when and why a record was created, modified or deleted.  The record’s chronology allows for reconstruction of the course of events related to the record.

The content of the audit trails ensures that data is always attributable and contemporaneous.

For data and the corresponding audit trails to be contemporaneous, system time settings must be accurate.

 

 

  

To conclude

Regulatory agencies are paying closer attention to data integrity management policies.  Its their expectation that you implement proper controls to ensure that maintaining data integrity is more of a reflex and less of an afterthought.

Ultimately, everyone has some responsibility towards achieving data integrity in your organization. However, it’s important that only the right people have access to a computerised system and that they understand the consequences and potential harm that could arise from system misuse or data falsification.

The activities performed during Computerised System Validation go a long way in ensuring that proper technical and procedural controls in place to safeguard the accuracy and availability of your data.

 

Useful Links (Our References)

Medicines and Healthcare Products Regulatory Agency (MHRA):

MHRA Data Integrity Definitions and Guidance for Industry March 2015 [Available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/412735/Data_integrity_definitions_and_guidance_v2.pdf]

MHRA GxP Data Integrity Definitions and Guidance for Industry, Draft version for consultation July 2016 [Available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/538871/MHRA_GxP_data_integrity_consultation.pdf]

U.S. Food and Drug Administration (FDA):

Data Integrity and Compliance With CGMP Guidance for Industry (DRAFT GUIDANCE, April 2016) [Available at: http://www.fda.gov/downloads/drugs/guidancecomplianceregulatoryinformation/guidances/ucm495891.pdf]

World Health Organization (WHO):

Guidance on Good Data and Record Management Practices (DRAFT FOR COMMENT, September 2015) [Available at: http://www.who.int/medicines/areas/quality_safety/quality_assurance/Guidance-on-good-data-management-practices_QAS15-624_16092015.pdf