Safeguarding data to ensure patient safety and the quality of medical products is at the forefront of new guidance from the UK’s Medicines and Healthcare products Regulatory Agency (MHRA).
Data integrity issues have been cited frequently in US FDA Form 483s and warning letters for pharmaceutical and active ingredient manufacturers
, as well as in statements of noncompliance with GMP from MHRA.
Examples of such issues include attempts to dispose of or re-enter certain data on computer systems.
“The risks to data are determined by the potential to be deleted, amended or excluded without authorisation and the opportunity for detection of those activities and events,” MHRA’s guidance says. “The risks to data may be increased by complex, inconsistent processes with open-ended and subjective outcomes, compared to simple tasks that are undertaken consistently, are well defined and have a clear objective.”
The guidance notes that both paper-based and electronic data can be used but data generated manually on paper “may require independent verification if deemed necessary from the data integrity risk assessment or by another requirement,” whereas the “inherent risks to data integrity relating to equipment and computerised systems may differ depending upon the degree to which the system generating or using the data can be configured, and the potential for manipulation of data during transfer between computerised systems during the data lifecycle.”
The guidance also defines certain terms and its interpretations at length, including what “raw” or source data means, what metadata is, what audit trails are, comparisons between “original record” and “true copy,” and definitions of data governance, data lifecycle and data transfers or migrations.
In terms of validating computerized systems, the guidance notes they “should be validated for their intended purpose which requires an understanding of the computerised system’s function within a process. For this reason, the acceptance of vendor-supplied validation data in isolation of system configuration and users intended use is not acceptable. In isolation from the intended process or end-user IT infrastructure, vendor testing is likely to be limited to functional verification only and may not fulfil the requirements for performance qualification.”
MHRA also notes that this guidance should be read in conjunction with the applicable regulations and the general guidance specific to each GXP.
“Where GXP-specific references are made within this document (e.g. ICH Q9), consideration of the principles of these documents may provide guidance and further information,” MHRA says.
In August 2016, the European Medicines Agency and the Pharmaceutical Inspection Co-operation Scheme (PIC/S) also released draft guidance and a question and answer document
to help ensure that data integrity is maintained during the process of testing, manufacturing, packaging, distributing and monitoring medicines.
Medicines & Healthcare products Regulatory Agency (MHRA) ‘GXP’ Data Integrity Guidance and Definitions