Ensuring Data Integrity in GxP

Olena Chervonenko

November 16, 2023

10 Min Read



Our world provides us with abundant data at every moment of every day that we constantly analyze to make decisions. What is most important in a business/laboratory context is that the data we receive be attributable, accurate, legible, permanent, contemporaneous, and original.

A company’s pharmaceutical quality system (PQS) plays a vital role in analyzing data integrity. As explained in ISO/IEC 2382:2015, data describe formalized representations of information suitable for communication, interpretation, or processing (1). According to the same ISO standard, data integrity refers to the preservation of accuracy and consistency regardless of changes made. Pharmaceutical companies heavily rely on data in their business operations. From drug development and preclinical research to clinical trials, manufacturing, and creation of a registration dossier, data sets play a crucial role in ensuring the quality, efficacy, and safety of medicines as well as building brand trust.

A significant amount of data are generated and assessed for analysis of production and for batch certification. It is no surprise that data integrity has become a “hot topic” in the pharmaceutical industry.

The Importance of Data Integrity
Data integrity holds great importance for several reasons. For an example, suppose that you are a qualified person responsible for certifying a batch. You have been provided with the batch manufacturing records for 100 batches of a medicinal product, each with a batch size of 100,000 vials. While reviewing the first dossier, you discover that all printouts from the weight balance, which are essential for quality control (QC), are missing. You see that the weight balance used in the QC laboratory lacks integrated computer software and therefore doesn’t store electronic copies of the data. You notice similar situations in subsequent dossiers. In such cases, can you be certain that the final data are correct and that the product’s quality truly meets specified requirements? Could data have been manipulated? You either must reject and dispose of the batch or conduct a full repeat QC inspection, resulting in significant loss of time and money. Additionally, your obligations to a distributor might be compromised, and the risks to your company’s reputation could be high.

Although you might not have identified the lack of primary data, it might be detected by regulators during a good manufacturing practice (GMP) inspection. Consequently, your company could receive a warning letter from the from the US Food and Drug Administration (FDA) or a noncompliance report from a European regulatory body addressing data-integrity issues.

The above example represents just one possible situation in a product life cycle, but data integrity is essential in many other areas and throughout an entire product life cycle. A common problem faced by many biopharmaceutical companies is that not everyone recognizes that data-integrity requirements apply fully to every element in a supply chain. Data are crucial throughout a product’s shelf life plus one year — from production of a medicinal product to its storage. Data confirm the quality of final medicinal products and must be made readily available on request. Every activity (including transportation and outsourcing) generates data, the integrity of which is vital to ensuring the quality of a final medicinal product.

No matter what types of activity a biopharmaceutical company performs — production, distribution, importation, clinical-trial management, QC, transportation, software development, and so on — all actions generate data. A company’s PQS must continually ensure, monitor, and improve on the integrity of those data. Although computerized systems have become integral to the work of biopharmaceutical manufacturers, paper-based data still play a significant role, and both types of practices must meet regulatory requirements as outlined in the guidelines (1–10).

Regulated industries use the ALCOA acronym in reference to a framework for ensuring data integrity, an essential part of ensuring good documentation practices (GDPs). ALCOA stands for attributable, legible, contemporaneous, original, and accurate. It encompasses the quality attributes for data discussed below.

A (Attributable): Data must be traceable to an individual person and (where relevant) a measurement system. In paper records, attributability can be achieved by the use of initials, a full handwritten signature, or a controlled personal seal. In electronic records, unique login credentials can link users to actions that create, modify, or delete data. Alternatively, unique electronic signatures, whether biometric or nonbiometric, can be used. An audit trail should capture user identification (ID), with date and time stamps, and an electronic signature should be linked securely and permanently to its signed record.

L (Legible and Permanent): Data and metadata must be readable throughout a data life cycle. Electronic data can be accessed (made legible/readable) by using the original software application that created them.

C (Contemporaneous): Data must be generated and recorded (captured and documented) at the same time.

O (Original Record or “True Copy”): The initial or source capture of data or information, along with all subsequent data necessary to reconstruct the good practice (GxP) activity fully, must be available.

A (Accurate): For paper records, the process of capturing data should be defined clearly, and the data must be recorded accordingly. This includes specifying the expected record format (e.g., date) and precision (e.g., number of decimal places). Data sources must be clearly and unambiguously documented. If data are recorded using a computer system, verification performed during an initial qualification and subsequently during changes and repair activities must ensure that those data are captured from correct sources and processed correctly (through linearization, normalization, or conversion, for example).

When the regulatory framework was improved, four more data properties were added to create ALCOA+:

Complete: Data must include relevant metadata, ensuring that all necessary information is captured and documented.

Consistent: The dates and times of activities must be recorded in chronological order, maintaining consistency and sequence.

Enduring: Data must be stored in ways that ensure their integrity and longevity.

Available: Data should be accessible and available for easy viewing or verification upon request by authorized personnel.

It is important to note that the ALCOA+ principle applies to electronic data, paper records, and hybrid systems, encompassing all types of data management.

Following ALCOA+ Attributes — Just the Beginning
Simply adhering to the attributes described above is not enough. A present-day PQS requires that all changes made to data be documented and traceable through a change-management process. However, to maintain a PQS, a significant number of staff members must evaluate each change initiative. For that, the risk-management process comes into play.

A Data Integrity Risk Assessment (DIRA) identifies risks inherent to systems and processes that generate data or from which data are obtained. A DIRA must encompass an entire data life cycle and assess the criticality of those data. It addresses relevant computerized systems, personnel, staff training, outsourcing activities, and an overall quality-assurance system. Criticality is determined by evaluating how data influence decision-making.

Identified risks must be assessed and mitigated. A DIRA must be documented and reviewed periodically to ensure its currency and the effectiveness of identified control measures. A periodic risk review must be conducted throughout a document’s life cycle, including review of associated data. The frequency of such a review is based on the level of risk determined through the assessment process.

Once areas in need of corrective and preventive actions are identified, the risk-assessment team documents priorities specific to actions and controls (assuming an appropriate level of residual risk) and communicates those to management and staff. Staff training and periodic reminders of the company’s data-integrity policy are crucial to maintaining regulatory compliance. If long-term preventive actions are identified, then short-term risk-mitigation measures must be implemented to ensure acceptable data management in the interim and to maintain focus. Identified risk controls include organizational, procedural, and technical measures such as procedures, processes, equipment, tools, and other systems to prevent and detect situations that could compromise data integrity.

A PQS must ensure that systems (computerized and paper-based) meet regulatory requirements to ensure data integrity. A company’s vendor-qualification process must incorporate a risk-assessment approach to selecting a computerized systems/software vendor. Even previously installed and validated computerized systems should be reassessed periodically for compliance with current requirements. Appropriate preventive and detection controls must be identified and implemented based on the risk assessment.

The effectiveness of the implemented controls can be evaluated through different means, such as

• tracking and trending data
• reviewing data, metadata, and audit logs
• conducting routine audits and/or self-inspections, including assessments focused specifically on data integrity and computerized systems.

Computerized Systems
All computerized systems used in GxP-relevant environments must undergo validation. When GxP systems are used for data acquisition, recording, transmission, storage, or processing, it is essential to identify potential risks that a system and its users can pose to data integrity.

Software used in conjunction with GxP instruments and equipment must be configured and validated appropriately. The validation process encompasses aspects such as design, implementation, and maintenance of controls to ensure the integrity of manually and automatically generated data; implementation of GDPs; and appropriate management of data-integrity risks throughout a data life cycle.

Efforts should be made to eliminate unauthorized access and adverse data manipulation throughout that life cycle. For cases in which electronic instruments or systems without configurable software and electronic data retention are used (such as certain pH meters, balances, and thermometers), controls must be established to prevent adverse data manipulation and use of repeated testing to achieve desired results. Although technical controls should be prioritized, additional procedural and administrative controls are needed to manage aspects of computerized system control when technical controls are absent.

It is important to recognize that delaying implementation of computerized systems does not necessarily reduce inconsistencies or provide greater protection against regulatory scrutiny regarding data integrity. Data integrity underlies every activity within a pharmaceutical system, including staff training, pharmaceutical development, preclinical and clinical trials, manufacturing, QC, and logistics operations such as storage and transportation. Because all those activities generate data, it is imperative to ensure the integrity of their data to guarantee the quality, safety, and efficacy of a final product. Computerized systems play a vital role in eliminating potential blind spots that could serve as environments for data manipulation.

Additional Steps for PQS Compliance
It is crucial for every modern pharmaceutical company to assess its compliance with current data-integrity requirements. As a result, self-inspections have become a key activity for quality-assurance departments. If a company lacks that expertise, help is available. External organizations with experienced and qualified personnel can conduct a comprehensive inspection to identify gaps and help prevent critical issues related to compromised data integrity.

1 ISO/IEC 2382:2015: Information Technology — Vocabulary. International Organization for Standards: Geneva, Switzerland, 2015 (Corrected Version 2022); https://www.iso.org/obp/ui/en/#iso:std:iso-iec:2382:ed-1:v2:en.

2 21 CFR Part 11. Guidance for Industry. Electronic Records; Electronic Signatures — Scope and Application. US Code of Federal Regulations. US Food and Drug Administration: Rockville, MD, 2003; https://www.fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application.

3 21 CFR 211.65. Equipment Construction. US Code of Federal Regulations. US Food and Drug Administration: Rockville, MD, 2023; https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/cfrsearch.cfm?fr=211.65.

4 EMA. Good Manufacturing Practice (GMP). European Medicines Agency: Amsterdam, the Netherlands; https://www.ema.europa.eu/en/human-regulatory/research-development/compliance/good-manufacturing-practice.

5 EudraLex. The Rules Governing Medicinal Products in the European Union, Volume 4, Annex 11; Computerised Systems. Good Manufacturing Practice Medicinal Products for Human and Veterinary Use, 2010; https://health.ec.europa.eu/medicinal-products/eudralex/eudralex-volume-4_en.

6 Guidance for Industry. Data Integrity Compliance with Drug cGMP: Questions and Answers. US Food and Drug Administration: Rockville, MD, 2018; https://www.fda.gov/regulatory-information/search-fda-guidance-documents/data-integrity-and-compliance-drug-cgmp-questions-and-answers.

7 ISPE/GAMP. GAMP Records and Data Integrity Guide. International Society for Pharmaceutical Engineering, March 2017; https://ispe.org/publications/guidance-documents/gamp-records-pharmaceutical-data-integrity#.

8 GxP Data Integrity Guidelines and Definitions. Medicines and Healthcare Products Regulatory Agency, 2018; https://www.gov.uk/government/publications/guidance-on-gxp-data-integrity.

9 Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments. Pharmaceutical Inspection Convention Pharmaceutical Inspection Cooperation Scheme, 2021; https://www.gmp-publishing.com/content/en/gmp-news/news-about-gmp-cgmp/d/pic-s-final-guideline-on-data-management-and-integrity.

10 Guideline on Data Integrity. Annex 4. World Health Organization Technical Report Series, No. 1033, 2021; https://www.who.int/publications/m/item/annex-4-trs-1033.

Based in Ukraine, Olena Chervonenko is associate director of quality management and compliance at PharmaLex; [email protected]; https://www.linkedin.com/in/olena-chervonenko-7a163865; https://www.pharmalex.com.

You May Also Like