Confused by Data Integrity Guidance ?

(Data Integrity Guidance: “Pick and Mix” !)

Paul Smith
Agilent Technologies
paul_smith@agilent.com

1st May GSK Stevenage 1

 Agenda
• Background / Introduction External Hyperlink 

• Data Integrity Guidance Documents:

– FDA
More Detailed Analysis……..
– MHRA
– WHO
High Level Comparison…..
– PIC/S

• Additional Information (Appendix)

Key:
(Including GAMP DI Guidance)….
FDA Food and Drug Administration

MHRA Medicine and Healthcare Products Regulatory Agency

WHO World Health Organization

2 1st May GSK Stevenage PIC/S Pharmaceutical Inspection Co-operation Schema

It’s Only Paper! – A Dark Industry Background
• Paper = Commodity
• Quality Varies
• It Ages…… Differently
• Historically……
2018 Paper • Store Paper – to Re-Print…...

Paper is a commodity,
purchased by procurement…..
[and they change suppliers – different 2017 Paper 2014 Paper
quality / aging properties……]

2016 Paper 2013 Paper 2011 Paper

2015 Paper 2012 Paper 2010 Paper

1st May GSK Stevenage 3

 Visible / known…… (4 % of DI Problems
Known to Senior Mgt.)

More not visible / unknown…..

DATA INTEGRITY - BACKGROUND

1st May GSK Stevenage 4

 Where is the Quotation From ?
‘GXP’ Data Integrity Guidance and Definitions Title: MHRA 2018 Data Integrity Final Guidance 
“When is it permissible to invalidate a cGMP result and exclude it from the determination of batch conformance ?”
Q 2 - FDA Dec. 2018 Data Integrity Guidance for Industry
https://www.fda.gov/media/97005/download

“Equally important are the procedure to audit data and programs and the process for correcting errors.”
FDA 1993 Laboratory Inspection Guide 

“Data integrity in computer-based information systems is a concern because of damages that can be done by
unauthorized manipulation or modification of data.”
Does Anyone Disagree With these Statements ?
“The emphasis on controlling access to data has served to mask the issue of data integrity.”

Thomas R Ivan, 1991 MSc Thesis, Comparison of Data Integrity Models

https://apps.dtic.mil/dtic/tr/fulltext/u2/a243770.pdf
[Note: may need to cut and paste the above link into your browser]
5
1st May GSK Stevenage
Print Out = Raw Data ?
Balance Simple Complex HPLC

Data
Complexity
Data Data
(e.g. Balance Print Out) (e.g. Chromatograms)
Simple Meta Data Complex Meta Data
See Appendix

✓  FDA Level 2
Guidance

Raw Data = Print Out

✓
Raw Data = Electronic Copy
1st May GSK Stevenage 6
ALCOA+ – Foundation of Data Integrity….
People need to be able to understand / remember
and “relate” to Data Integrity requirements……..…

Attributable…………………….…… A - Who Did The Work (work attribution and passwords)

(Sharing passwords is like sharing your toothbrush !)

Legible…………………………………….. L - Can You Read It

(Electronic or Paper)

Contemporaneous……...... C - Was it Recorded at The Time

(No Writing on Hand / Lab. Coat / Post it Note…Etc.)

Original……………………………..……. O - Is it Original or “True Copy”

(Original Data or Certified Copy)

Accurate………………………………… A - No Errors or Undocumented

Changes (represents what was done)
(Is it Representative of The Work)
Complete
+ Consistent
Enduring
Available 1st May GSK Stevenage 7
MHRA Labs. Symposium
PDF Copy: Courtesy of the Medicines and Healthcare products Regulatory Agency, © Crown 2019

13th March 2019 Added value in maintaining a dialogue:

Jason is interested in feedback from

this meeting….
“…. What else can the Regulator do… ?”
(paraphrase of e-mail)

The Importance of Dialogue: Opportunity to provide feedback……

Presentations from the MHRA event are normally only for delegates (crown copyright). However, following a request
/ e-mail exchange with Jason, a PDF of this presentations has been made available to this GAMP meeting.

1st May GSK Stevenage 8

DATA INTEGRITY GUIDANCE

1st May GSK Stevenage 9

 Guidance Documents…… A Lot of Guidance
FDA MHRA WHO PIC/S EMA ECA Other

1993 2015 2016 FDA 2016 Country Industry

2016 Data
Inspection 1st DI Good DI
Guide Guidance Data MHRA Governance 2017 2018
23 Q & A And
And China PDA TR80
Record Data
Level 2 2016 Other 2017 Integrity
Guidance 2nd DI Management PIC/S GMP 2018
Practices for
2010 Guidance Members ? Matrix Russia
[Final] GMP

PAI 2018 Books GAMP

Guide ‘GXP’ Data 2018 2018
7346.832 Integrity Good Data
2010 Guidance Practice Governance
For Data 2018 2017
& And [RDI]
Definitions Data
DI DI [Final] Management Integrity
Guidance Guidance & for
2016 2018 Integrity…. GMP
[Draft] [Final] [Draft 3] [V2, Extended to
Feedback
Good Practice
- Manufacturing]
Guide 2018
[Key Concepts]

Ongoing
1st May GSK Stevenage
10
Links to • 1993 Inspection Guide  12 pages

Guidance FDA • Level 2 Guidance  8 pages

• PAI Guidance  53 pages
Documents • Data Integrity Guidance  13 pages Excluding “publications”
MHRA
• 2015 DI Guidance (V1.1)  16 pages 1,400 Pages of Guidance
• 2016 DI Guidance  14 pages (Google: “Data Integrity Guidance” - ~100,000,000 Hits)
• 2018 DI Guidance (Final)  21 pages • Not Harmonized, but
Common Principles (GMQA)
WHO • 2016 Good Data & Record Management  46 pages
• Different Content / Formats
• Different Perspectives
PIC/S • 2018 Good Practice for Data Management & Integrity  (Select PI 041-1) 52 pages

• 2016 Q & A  9 pages

EMA
• 2017 DI GMP Matrix (see slide 7)  Presentation, 22 pages

• 2016 Data Governance and Data Integrity for GMP Contact Bob McDowall 71 pages
ECA
• 2018 Data Governance and Data Integrity for GMP or Margarita Sabater 89 pages
[extended to include manufacturing]

External Hyperlink  • 2017 China Translation Available from Barbra Unger (Rx – 360 Working Group) 12 pages
• 2018 PDA TR80 https://store.pda.org/TableOfContents/TR80_TOC.pdf (PDA - € 325 – PDA Book Store) 63 pages

Other • 2018 Russia  37 pages

• 2016 OECD Application of GLP Principles to Computerized Systems  33 pages
• 2017 GAMP RDI / 2018 Key Concepts  (Purchase from ISPE - € 185 – ISPE Member) 152 pages / 196 pages

• 2018 Book – Data Integrity & Data Governance (Purchased from RSC)  600 pages
1st May GSK Stevenage 11
 Guidance Documents…… A Lot of Guidance

Pages: 136
FDA MHRA WHO PIC/S
Word Count: ~50,000

DI 2018 2016 2018

Guidance ‘GXP’ Data Good Good
2018 Integrity Data Practice
[Final] Guidance And For Data
& Record
Definitions
[Final]
Management Management
Practices &
[Final] Integrity….
50,000 words [Draft 3]
is a small book… Feedback

(the average size of a

Mills & Boon Book !)

Pages: 17 21 46 52

Word Count: 5,805 7,836 15,486 19,321

12
1st May GSK Stevenage
Different Guidance Interpretation
Data Integrity Guidance If a Guidance Document Includes
Guidance
the word “must”
Documents - Do you need to comply with the requirement ?
Need to be
Interpreted !
(“what, but not how”) Manufacturing / R&D May Interpret
These Questions Differently ?

Language of Compliance: If a Guidance Document Only

Includes the word “should”
• Company SOP – Must / Should
- Do you need to comply with the requirement ?

Does the same thinking apply to:

• Regulatory Guidance – Must / Should ? 13

1st May GSK Stevenage
Must / Should - Comparison
Wording of Data Integrity Guidance

46
Which Guidance
FDA 16 Includes:
Data Integrity Guidance
130
MHRA SMALLEST
17
number of MUST
statements ?
225
WHO 6
LARGEST
395
number of
PIC/S 57 SHOULD
statements ?
0 100 200 300 400
Number of Times Cited
14
1st May GSK Stevenage Should Must
 FDA DATA INTEGRITY GUIDANCE

Time

2014 2015 2016 2017 2018

Draft Final

Was: ucm495891
(Final)
(Dec. 2018)

 15
1st May GSK Stevenage
 Press Statement (Data Integrity Guidance)
December 12th 2018 
“The guidance covers the design, operation, and monitoring
of systems and controls to maintain data integrity.”

III Clarification of Terms

17 Pages, 5,805 Words

I Introduction

II Background
Question & Answer 2 – 18

III Clarification of Terms

Question & Answer 2 – 18

1st May GSK Stevenage 16

FDA Data Integrity Guidance
• Changes to Questions 13 Pages 17 Pages

Q & A Format – 18 Questions…. • Changes to Content

• Changes to References
4,669 Words 5,805 Words
1. Clarify Terms…..
2. When is it permissible to invalidate a cGMP result and exclude it from the determination of batch conformance?
3. Does each CGMP workflow on a (previously “our”) computer system need to be validated ?
4. How should access to CGMP computer systems be restricted ?
5. Why is FDA concerned with the use of shared login accounts for computer systems ?
6. Who should blank forms be controlled ? 
7. Who should review audit trails ? (Questions 8 in Draft Guidance)
8. How often should audit trails be reviewed ? (Question 7 in Draft Guidance)
9. Can electronic copies be used as an accurate reproduction of a paper record ? 2018 (Final)
10. Is it acceptable to retain paper printouts or static records…., such as FT-IR instrument ?
11. Can electronic signatures be used…… ?
12. When does electronic data become a cGMP record ?
13. Why has the FDA cited use of actual samples during system suitability..?
14. Is it acceptable to only save the final result….. ?
15. Can an internal tip regarding a quality issue….. DI…. Outside of quality ?
16. Should personnel be trained in data integrity…. ?
17. Is the FDA investigator allowed to look at my electronic records ?
18. How does FDA recommend data integrity problems….. be addressed ? st 17
1 May GSK Stevenage
FDA – Question 2 Changes
2018 (final new wording) 2016 (draft deleted words)

Implies that it is permissible

under some contexts !

Stronger alignment with Out of Specification (OOS) requirements….. (limits “testing into compliance”)

2018 – Part of Q2 Answer 1 of the 16 (must)

2018 – Part of the Answer to question b “What is “metadata” ?

1st May GSK Stevenage

2 of the 46 (should) 21 CFR…. Ref. 18
FDA – Wordcount • Changes to Questions
Q & A Format – 18 Questions…. • Changes to Content
Overall Increase = + 24 %
• Changes to References (pages & words)

Word Count Example

Q17 Answers

Q17 - 41 words (2016)

Q17 - 110 words (2018)

% Change =

110 – 41
x 100 = 168 %
41

% Change
Across The Guidance

1st May GSK Stevenage 19

FDA – Wordcount • Changes to Questions
Q & A Format – 18 Questions…. • Changes to Content
Overall Increase = + 24 %
• Changes to References (pages & words)

Word Count Example

Q17 Answers

Q17 - 41 words (2016)

Q17 - 110 words (2018)

% Change =

110 – 41
x 100 = 168 %
41

Sections with
the Largest %
Change

1st May GSK Stevenage 20

FDA – Wordcount • Changes to Questions
Q & A Format – 18 Questions…. • Changes to Content
Overall Increase = + 24 %
• Changes to References (pages & words)

Word Count Example

Q17 Answers 1a. What is Data Integrity
8. How often should audit
Q17 - 41 words (2016) trails be reviewed ?
Q17 - 110 words (2018)

% Change =

110 – 41
x 100 = 168 %
41

Sections With
the Greatest Change 17. Is FDA allowed to look
at electronic records ?

1st May GSK Stevenage 21

 22

FDA – CFR (Code of Federal Regulations)…...

• Changes to Questions
Q & A Format – 18 Questions…. • Changes to Content
CFR 
• Changes to References (Keyword Search)

Q13 Answers
2016 (3) 2018 (9 new)

CFR References….

Change in CFR References

Across The Guidance

1st May GSK Stevenage

 23

FDA – CFR (Code of Federal Regulations)…...

• Changes to Questions
Q & A Format – 18 Questions…. • Changes to Content
CFR 
• Changes to References (Keyword Search)

Q13 Answers
2016 (3) 2018 (9 new)

CFR References….

Sections with
the Largest No of
CFR Changes

1st May GSK Stevenage

 24

FDA – CFR (Code of Federal Regulations)…...

• Changes to Questions
Q & A Format – 18 Questions…. • Changes to Content
CFR 
• Changes to References (Keyword Search)

Q13 Answers
2016 (3) 2018 (9 new) 1c. What is an “audit trail” 13. Why has FDA cited use of
actual samples during
“system suitability” tests….

CFR References….

7. Who should review audit trails ?

Sections With the 8. How often should audit trails
Greatest Change be reviewed ? (Note Q’s swapped)

1st May GSK Stevenage

FDA – CFR (Code of Federal Regulations)…...
• Changes to Questions
Q & A Format – 18 Questions…. • Changes to Content
• Changes to References
~ 50 Unique CFR References ! 11. Can electronic signatures be
FDA DI Guidance

Unique to 2018: used instead of handwritten

2016 signatures for……
11.2a
211.103 7. Who should review audit trails ?
2018 211.182
211.188(b) 8. How often should audit trails
be reviewed ?

Total CFR References (includes repeat ref’s.) Q2 2018 (Final)

2016 (Draft)
FDA DI Guidance

2016 2. When is it
permissible to
invalidate…..etc.
2018

Different CFR References (in the “Answer”)

1st May GSK Stevenage
25
Summary of FDA DI Changes
• Increased References to the CFR… (Audit Trails Q7 & 8, and Trial Injections / System Suitability Q13)

• Expanded Wording…. (What is Data Integrity ? Q1a, How often should audit trails be reviewed Q8, and Is the FDA
Allowed to Look at Electronic Records ? Q17)

• Potential Expansion – Inspection Authority (e.g. “including electronic communications that support CGMP
activities”, e-mail Q17 +168 %)

• Invalid Data Criteria Clarified (OOS) (“Exclude data…” all data must be evaluated, even invalidated data Q2)

• Enhanced Audit Train Review (audit train must be reviewed.. Etc, Q7, Q8 (“Review” mentioned 38 times,
19 for Q7&8. Ctrl F of guidance – See footnote p8….)

• Stricter Access Control (“PET Drug Guidance” ref. removed, system admin should be independent of record content)

• Appendix – Robert Wherry (GAMP DI SIG) (permission to share his annotated copies of FDA DI Guide)
1st May GSK Stevenage
26
 MHRA DATA INTEGRITY GUIDANCE

(Final)
(Mar. 2018)

Time
Mapping (2016 to 2018)
2014 2015 2016 2017 2018 See Appendix

V1.0

V1.1

Draft

Final

27
1st May GSK Stevenage 
MHRA Data Integrity Guidance
Simple… • Concept of “Primary Record” (was in 2015)
• Deletions • Line Numbers !
Figure 1
Changes • Revisions
• End of the World ! – 2017 Audit “Deadline” !
• Additions
• Introduction – opening sentence !

Analysis by Barbra Unger

(permission to share)
 Highlighted Copy of 2018 MHRA Guidance by Barbra Unger


+ Barbra Unger Blog 1st May GSK Stevenage 28
– DI Guidance Changes 
MHRA Data Integrity Guidance
15 Pages 16 Pages 14 Pages 21 Pages
3,567 Words 3,963 Words 5,407 Words 7,836 Words
Time

Jan. 2015 Mar. 2015 Jan. 2016 1,300 Comments Mar. 2018

Draft For
Ver. 1.0 Ver. 1.1
Consultation Structure Final Version
Figure 1
Simple Complex Introduction /
Paper Electronic
Data Integrity
Positioning
Principles
Diagram
(Risk Based. Ref. GMQA)
+
Definitions +
Some Integrated / Mature
Guidance Data Integrity
Reads like a set of PPT Figure 1 Guidance
training slides (Evolving…)
(e.g. “MOSTLY Definitions”)
Table No Figure 1
(more granular)

“GXP”
[more overtly GXP]
1st May GSK Stevenage
29
MHRA Data Integrity Guidance
21 Pages, 7,836 Words Final Version – Mar. 2018
Table of Contents - New
Background / Introduction

Draft Versions
Principles of DI (10)

Establishing Data
Criticality / Risk

Designing Systems…..

Definitions /
INTERPRETATION

1st May GSK Stevenage Glossary / References 30

MHRA Data Integrity Guidance
21 Pages, 7,836 Words
67 % of Word Count – Section 6

67 % 20 Sub Sections
Audit Trail

Access / Use
True Copy

Electronic Data Review…

Signatures

5 Largest Sub-Sections
of Section 6
1st May GSK Stevenage 31
 Revisions to Guidance Comments (Abbreviated – See Guidance)
MHRA DI
Establishing Data
Integrity Risk
Guidance
Criticality and Inherent
(Section 4, p 5)
- Revisions
Substantial expansion, structure and new text / detail
Sections 4.5 & 4.6 – Risk Assessment & Remediation
Designing Systems and Processes… Substantial expansion, use of “Scribes” (e.g. GLP example, for
“Scribes” (e.g. GLP example, for
(Section 5, p 7) contemporaneous recording sterile operations by observations now included).

Data Definition (Section 6.1, p 8) Now includes the + of ALCOA+ (e.g. Complete, Consistent…. Etc.)
(e.g. Complete, Consistent…. Etc.)

Raw Data (Section 6.2, p 8) No

No electronic
electronic storage,
storage, print
print out
out == Raw Data (e.g.
Raw Data balance).
(e.g. balance).

Data Integrity Definition (Section 6.4, p 9) Substantial expansion (e.g.

Substantial expansion now incorporates requirement for quality risk
(e.g. now incorporates requirement for quality risk
management
management systems,
systems, sound
sound scientific
scientific principles
principles and
and good
good document
document practice).
practice).

Original Record Definition (Section 11.1, p 11) Rewording “attribution

of static
Now includes: of whorecord
and dynamic performed the activity.”
format
nd
Original Record Definition (Section 11.1, p 11) Manual observation – risk assessed(2nd(2check,
risk assessed check, depending on criticality)
depending on criticality)

Audit Trail (Section 6.13, page 13) Substantial changes. (e.g.

(e.g. Definition,
Definition, justify
justify legacy
legacy systems
systems (evidence
(evidence of
of
compliant solution being sought), risk assess –– for data review, use of exception report.
cited – if
Deficiency may be cited if remediation
remediation not
not implemented
implemented inin aa timely
timely manner).
manner).

Electronic Signatures (Section 14, p 14) Substantial expansion –– related

Substantial expansion related to use (e.g.
to use aspects to consider)
(e.g. aspects to consider)

Data Review & Approval (Section 6.15, p15) Periodic Audit –– might verify effectiveness of existing control measures
might verify effectiveness of existing control measures

User Access – must be used Sys. Admin….…should not …interest in the data..
Computerised System Access (Section 16, p 16) System Admin. – should not be assigned to….. direct interest in the data…

Data Retention (Section 6.17, p 17) Destruction of

Destruction Data –– procedures
of Data procedures should
should consider
consider data
data criticality
criticality &
& legislation…
legislation…

File Structure Definition (Section 6.18, p 19) Simplified

st
and shortened –– different
different structures
structures require
require different
different controls
controls
1 May GSK Stevenage 32
Section 6.20 Title change (p 19) IT Suppliers and Service Providers.
MHRA DI Guidance - Additions
Additions to the Guidance
Table of Contents (p 2)
Scope….
Principles of Data Integrity (p 4)
Raw Data (p 8)
Recording and Collecting of Data (p 10)
Data Transfer / Migration (p 10)
Data Processing (p 11)
Excluding Data (p 11)
Electronic Signatures (p 14)
Data Review and Approval (p 15)
Archive (p 18)
Glossary (p 20)
Comments (Abbreviated - See Guidance, 2016, 2018)
And associated numbering. Not present in 2016 version
More “overtly GXP” (e.g. Ref. GMP:4-7, GLP: 1-5, GCP: 1-6, GDP: 0-2, GXP:6-20)
Consolidation – of 10 principles (3.1 to 3.10, previously throughout 2016 draft)
Synonymous with ‘source data’ – ICH GCP Ref.
Justify – “resolution (detail)” of Data, Blank Forms – Should be controlled
Substantial Expansion – There should be an audit trail, procedures should include
rationale, transfer should be validated, software should be managed through QMS, Electronic
Worksheets should be version controlled… etc.
Now includes: “attribution of who performed the activity”.
Not Applicable to GPvP
References MHRA draft – informed consent for GCP
Substantial Expansion - …Should meet all applicable regulatory requirements and be
risk-based.
Hybrid Systems – “…references between physical and electronic records must be
maintained…”
st
1 May GSKdata
Stevenage 33
eCFR, ECG, quality, DIRA.... etc.
 WHO DATA INTEGRITY GUIDANCE

Time

2014 2015 2016 2017 2018

Draft

Final

Technical Report 996

(Final)
(2016)

34
1st May GSK Stevenage 
WHO Data Integrity Guidance
Primary Focus: Education and Understanding

ALCOA

46 Pages, 15,486 Words

1st May GSK Stevenage 35

WHO Guidance – ALCOA Structure
Contemporaneous
For Each section of ALCOA

Definition

Table

Expectations Expectations
(Paper) (Electronic)

Special Risk
Management
Requirements
(Each ALCOA Term) 1st May GSK Stevenage 36
WHO Guidance – ALCOA Structure
For Each section of ALCOA Contemporaneous

Definition

Table

Expectations Expectations
(Paper) (Electronic)

Special Risk
Management
Requirements
(Each ALCOA Term) 1st May GSK Stevenage 37
 PIC/S DATA INTEGRITY GUIDANCE

Time

2014 2015 2016 2017 2018

Draft 2 Draft 3

P1041-1
(Draft 3)
(Nov. 2018)

38
1st May GSK Stevenage 
PIC/S Data Integrity Guidance
Most Granular Table of Contents

14 Main Sections 59 %
Specific Data Integrity
Considerations….

8. ….. Paper-Based 9. ….. Computerised Systems

Systems

Section 8 & 9 Structure

• Text (Explanation)
52 Pages, 19,321 Words • Table Format:
- Expectations
1st May GSK Stevenage 39
- “Instructions”
PIC/S Data Integrity Guidance
Includes: Procedural Control

Includes: Validation of
Technical Control

1st May GSK Stevenage

40
PIC/S Data Integrity Guidance

Expectations Table
Table Format Applies
to Sub-Sections:
8.4, 8.6,
9.2 – 9.8

Instructions Table
Table Format Applies
to Sub-Sections:
8.7, 8.8, 8.10, 8.12

1st May GSK Stevenage

41
 42

PIC/S DI Guidance – Expectations Table

Table

Expectations Specific elements that should be Life Cycle Stages (8.4):

Section checked / Potential risk of not - Generation
(e.g. 8.4)
Details… meeting expectations - Distribution & Control

Details….

Example 8.4 – Expectations for generation, distribution….

Very
Structured
Content

Table Format Applies

to Sub-Sections:
8.4, 8.6,
9.2 – 9.8

1st May GSK Stevenage

 43

PIC/S DI Guidance – “Instructions” Table

Table
What to Do
How should records Specific elements that should be
How, What to
be corrected? checked when reviewing records:
When, Check….
Where…. Details… Details….
(e.g. 8.10)

Very Structured Content

– “Instructional” / Directional in nature
Example 8.10 – True copies….

Table Format Applies

to Sub-Sections:
8.7, 8.8, 8.10, 8.12

1st May GSK Stevenage

 High Level DI Comparison
Source Title Pages / Scope / Comments and Recommendations (Pick, Concern, Useful)
Words Format (2 sets of complementary guidance documents…)

Data Integrity and 17 cGMP •• Easiest

Easiest to
to understand
understand thethe -- “WHY”
“WHY” -- of
of FDA
FDA Focus
Focus (Q&A
(Q&A format).
format).
FDA Compliance With •• CFR Complexity (e.g.
CFR Complexity (e.g. FDA “Cite
“Legal” ID”) – makes
wording ID”) – hard
it hardest
& FDA “Cite to deeply
to
5,805 Q&A
Drug CGMP (2018) understand legal CFR
deeply understand CFR requirements
requirements (if (if
“new” to to
“new” Data Integrity).
Data Integrity).

“GXP” Data Integrity 21 GXP •• Widest

Wide GXP scope,
scope, corestrength:
strengthdefinition of of
- definition terms
terms/ EXPLANATION
/ explanation
MHRA Guidance and of DI
of DI principles
principles and
and interpretation
interpretation of
of requirements.
requirements.
7,836 Principles
Definitions (2018) •• Understand
Understand Data
Data Integrity Principles –– APPLY
Integrity principles APPLY toto all
all situations.
situations.
•• Harmonized
Harmonized to to incorporate
incorporate industry
industry feedback.
feedback.
Guidance on good 46 GXP •• Holistically,
Greater scope greater scope
than the than
other 3. the other 3.
WHO data and record More •• Best structure
Best structure and
and description
description ofof ALCOA.
ALCOA.
15,486 Granular ••
management (2016) Document Practice
Document Practice (Section
(Section 9).
9).
practices •• Governance is
Governance is Key.
Key.
Good Practices for 52 GMP/ •• Sections
Sections 88 (paper)
(paper) and
and 99 (computer) based systems…,
(computer) based systems…,
PIC/S Data Management GDP particularly the
particularly “Expectation” and
the “Expectation” “Instructional” Tables
and “Instructional” Tables
19,321
and Integrity in (2018)
More •• Good
Good for
for understanding
understanding Data
Data Integrity
Integrity Risks.
Risks.
Regulated GMP.GDP Granular •• Mapping
Mapping of of ALCOA
ALCOA against
against EUEU and
and PICS
PIC/SGMP.
GMP.
Environments •• Most
Most “instructional”
“instructional” of
/ “Directional”
all the guidance.
of all the guidance.

Change = Clarity of Requirements / • “Pick and Mix” !

1st May GSK Stevenage 44
“Continued Focus” !
 “Houston (Regulator)
We Have a Problem”
Q 15
“Can an internal tip or information regarding a quality issue, such as
potential data falsification, be handled informally outside of the documented
CGMP quality system?”

• No….. Must be fully investigated under cGMP

• “FDA Invites individuals to report”… DrugInfo@fda.hhs.gov
Q 18 • Refers to Application Integrity Policy……

“Appropriate notification to regulatory authorities should be made
3.9 where significant data integrity incidents have been identified”.

• Quality Culture – transparent and open reporting…

What does the 4.7

guidance say about 5.1 • QMS Requirement – mechanism for staff to report….

“Show and Tell” ? 12.1 • Investigation - Notify Health Authorities – material impact

5.2.3 • Data Governance – …communication of expectations….

Notify Regulator Vs empowerment to report failures…
“Whistle Blower”……. 6.1.2 • Quality Culture – control measures cover open / closed…
(Case Studies in Bob’s Presentation)
6.2.5 • Ethics/Policies – …confidential escalation program

Key Guidance Areas 1st May GSK Stevenage 45

1st May GSK Stevenage 46
Additional Reference Information

1st May GSK Stevenage 47

MHRA Labs. Symposium
Symposium Highlights…..
13th March 2019 • Agenda
• Practical Applications of DI
• 
QC / QA
• Method Validation
• “Live” Inspection Interviews
• Electronic “Polling” tool / Q
• MHRA - High DI “Expectations”
• Workflow Mapping…..
• Risk Assessment
• Data Integrity “Weaknesses”:
• Don’t Publicise (e.g. restrict to
people who “need to know” – to correct)
• Corrective Action (“fix”)…..

“GXP” Range of MHRA Guidance………

1st May GSK Stevenage 48

GAMP DATA INTEGRITY GUIDANCE

1st May GSK Stevenage 49

 Contents (35 pages) GAMP - RDI
 1. Introduction (6 pages)
2. Regulatory Focus (4 pages)
3. Data Governance Framework (11 pages)
4. Data Life Cycle (10 pages)
April 2017 5. Quality Risk Management (4 pages) 6. Corporate Data Integrity
7. Data Integrity Maturity Model (11 pages)
8. Human Factors
Management 9. Data Audit Trail and Audit Trail Review
(46 Pages) 10. Data Auditing and Periodic Review
 11. Inspection Readiness
12. Integrating DI Into Records Mgt…..

19 Technical Requirements

Table of 26 Procedural Requirements

Contents
Appendices 13. User Requirements
(107 pages) 14. Process Mapping and Interfaces
Development 15. Risk Control Measures…..
(28 Pages) 16. Data Integrity Concerns – Architecture....
17. Data Integrity for End-User Applications

Key Strength of RDI

Culture
Operational 18. Retention, Archiving, and Migration
(15 Pages) 19. Paper Records and Hybrid Systems

Data Life Cycle General 20. References

(11 Pages) 21. Glossary
50
Data Integrity Maturity Model 1st May GSK Stevenage
 GAMP - Key Concepts
Contents (93 pages)
RDI
1. Introduction (3 pages)
2. Data Governance (27 pages)
3. Data Life Cycle (18 pages)
4. Risk Management Approaches (27 pages)
5. Critical Thinking (16 pages) 1. Data Integrity Gemba Checklist in the Lab.
2. IMPACT Tool Applied to Data Integrity
3. Corporate Data Integrity Program Case Study
4. Culture and Continuous Improvement Capability Road Map
Oct. 2018 5. Regulatory Definitions of Data Terminology
6. Requirements Planning
7. Requirements Specification and Data Integrity Risk for Interfaces
Good 8. Example of a Four-Tier Classification System of a Life Science

Practice  9.
Company
Security Controls
Guide 10.
11.
Case Study: DBA and Security Controls for an RTSM System in a GCP
Case Study: DBA and Security Controls for an ERP System in a
Data
12.
Medical Device Manufacturing Environment
Case Study: Laboratory Computerized System
Integrity
13. Case Study: Uncontrolled Spreadsheet Risks/
14. Case Study: Process Control System
15. Case Study: Business Application System Issues
23 Appendices 16. Reviewing Laboratory Systems

(89 pages)
17.
18.
Reviewing IT Systems
Reviewing Supporting Data
What to
19. Auditing Access Controls Audit
20. Regulatory Guidance Regarding Classification of Deficiencies
Table of 21. Detecting Aberrant Results
Contents 22. References (65)
23. Glossary
 51
1st May GSK Stevenage
FDA DI Guidance – ALCOA CFR References
1st May GSK Stevenage
Attributable…………………………...… A 211.101(d), 211.122, 211.188(b)(11), 212.50(c)(10)

Legible…………………………………..…….. L 211.180(c), 212.110(b)

Contemporaneous………..…... C 211.100(b), 211.160(a)

Original…………………………………….…. O 211.180, 211.194(a)

Accurate…………………………………..… A 211.22(a), 211.68, 211.188, 212.60(g)

No Changes Between 2016 (Draft) and 2018 (Final Guidance) – Above is from 2016 (Draft) 52
Changes to FDA Guidance:
Permission to share Annotated Files From - Robert Wherry - Takeda
How should access to CGMP computer
Example – Question 4 Answer systems be restricted ?
Deletions from the
2016 draft guidance:

2016 (Draft)

Changes highlighted Example – Question 4 Answer Change in wording and annotation

with annotation: (see example below):

2018 (Final)

1st May GSK Stevenage 53

MHRA DI Guidance – Index Map
MHRA 2016 DI Guidance (Draft Version for consultation) MHRA 2018 DI Guidance (Version 1)
• Cover Page
• Table of Contents
• Background 1. Background
• Introduction 2. Introduction
• Establishing data criticality and inherent integrity risk 3. The principles of data integrity
• Figure 1 4. Establishing data criticality and inherent integrity risk
• Designing systems to assure data quality and integrity 5. Designing systems and processes to assure data integrity: creating the ‘right environment’
• Definitions and guidance 6. Definitions of terms and interpretation of requirements
1. Data 6.1 Data
2. Raw data (GCP: synonymous with ‘source data’) 6.2 Raw data (synonymous with ‘source data’ which is defined in ICH GCP)
3. Metadata 6.3 Metadata
4. Data Integrity 6.4 Data Integrity
5. Data Governance 6.5 Data Governance
6. Data Lifecycle 6.6 Data Lifecycle
7. Data transfer / migration 6.7 Recording and collection of data
8. Data Processing 6.8 Data transfer / migration
9. Recording data 6.9 Data Processing
10. Excluding data 6.10 Excluding data
11.1 Original Record 6.11.1 Original record
11.2 True Copy 6.11.2 True copy
12. Computer system transactions 6.12 Computer system transactions
13. Audit Trail 6.13 Audit Trail
14. Electronic signatures 6.14 Electronic signatures
15. Data Review 6.15 Data review and approval
16. Computerised system access / Sys. Admin. Roles 6.16 Computerised system user access / system administrator roles
17.1 Archive 6.17.1 Archive
17.2 Backup 6.17.2 Backup
18.1 Flat files 6.18 File structure
18.2 Relational databases 6.19 Validation – for intended purpose (GMP; See also Annex 11, 15)
19. Validation – for intended purpose 6.20 IT Suppliers and Service Providers
20. Cloud providers and virtual services / platforms…etc. 7. Glossary
8. References
Deleted New 54
1st May GSK Stevenage
PIC/S – A Key Component in Regulatory Collaboration
Dr. Margret Hamburg
(Former FDA Commissioner)

Mr Tor Graberg
(Former PIC/S Chair)

Keynote address to the PIC/S 40th Anniversary Symposium

(Dr. Margaret Hamburg):

“PIC/S’ main advantage over a Mutual Recognition Agreement is that it

is not legally binding….” Dr. Margaret Hamburg

1st May GSK Stevenage 55

52 PIC/S
(1 January 2018)
Member Authorities

Iceland EUROPEAN UNION Member

Norway States Agencies (29)

South Korea
Ukraine
Japan
Canada

Switzerland Israel

Chinese Taipei
Liechtenstein Hong Kong
Turkey
USA Thailand
Iran Malaysia

Indonesia
New Singapore
Mexico
Members
New
From 1 Jan’18
Zealand
Argentina Australia

4 Partners South
EDQM Africa
EMA
UNICEF
WHO

1st May GSK Stevenage 56

Candidates for PIC/S Membership
(on 1st June 2018)

Applicants Pre–Applicants
Interested
(Up to 6 years) (Gap Analysis by PIC/S)

• Italy (vet) • Russia • Bulgaria

• Brazil • Pakistan • Hungary (vet)
• Armenia • Saudi Arabia • Nigeria
• China (CFDA)
• India (CDSCO)
• Vietnam
• Philippines

Colour coding for different regions Americas Asia Update Provided by – Bob Tribe
Europe Africa (Retired Chief GMP Inspector - TGA)

1st May GSK Stevenage 57

What Triggered - the Data Integrity Focus ?
Examples of Influential
Differences Between Computer
Data Integrity Events Records and Paper Print Outs:

“Those who forget the past are condemned to repeat it” (Joanna Gallant): 
1993 – Barr Ruling – Testing into compliance – Sued the FDA, “OOS” 
2005 – Able Laboratories – Fraud case – “Let’s go straight to Consent Decree” Difference
FDA Page

Legal

2006 – 2009 – Repeat Violations - FDA Warning Letters – Ignored FDA Actions
2012 – Consent Decree – Application Integrity Policy (AIP)…… “Telephone System”
Consent Decree (see Page 11, X for Telephone Requirement)
FDA Page

1st May GSK Stevenage
58
FDA Remediation……
A Investigate Extent
MARCS-CMS 487471 — 06/09/2016
 FDA Recommendations….. B Risk Assessment

C Management Strategy

59
1st May GSK Stevenage
 60

FDA Remediation Investigation Protocol / Methodology……… Scope

Interview: Current / Former Employees….. Root Cause

A Investigate Extent
Extent…. Report All Deficiencies

Deeper Investigation of Breaches…… 3rd Party

B Risk Assessment Impact of Data Integrity Lapses…… On Drug Quality

Reliability
Detailed Corrective Action…… to Ensure
Completeness

Comprehensive Description…… Root Cause

C Management Strategy
Interim Measures …… Actions

Long Term Measures…… Actions

MARCS-CMS 487471 — 06/09/2016 1st May GSK Stevenage

 Report…… Status
 FDA - Level 2 Guidance
Technical Explanation…….

FDA Level 2 Guidance 

August 2003 Scope
and Applications:

From Level 2 Guidance

“For High Performance Liquid Chromatography (HPLC) and Gas
Chromatography (GC) systems….”

21 CFR 211.68 …………“Exact and Complete”

“Electronic records themselves
to be retained and maintained….”
21 CFR 211.180 (d) …... “Original Records or
True Copies”

“Printed chromatograms do not satisfy the predicate rules…..”

61
1st May GSK Stevenage
ISO 17025

1st May GSK Stevenage 62

Data Integrity and ISO 17025
Attributable………………..… A
A -
(“…technical records shall include the data and
Clause: 7.5.1 identity of personnel responsible for each activity
and for checking data and results”)

Legible………………………….….. L
L - Clause: 7.5.2
(“…ensure that amendments to technical records can be
traced to previous versions or to original observations”)

Contemporaneous.... C
C - Clause: 7.5.1
(“Original observations, date and calculations should be
recorded at the time they are made…”)

Original……………………………. O
O - Clause: 7.5.2 (“…original and amended data shall be retained”)

Accurate……………………….… A
A - Clause: 7.11.3 c) (“….provides conditions which safeguard the
accuracy of manual recording and transcriptions”)

Complete - 7.11.3 e)
+ Consistent -
Enduring -
7.11.6
7.11.3 b)
Available - 8.4.2
1st May GSK Stevenage 63