MHRA-‘GXP’ Data Integrity Guidance and Definitions



1. Introduction

1.1 This document provides guidance for UK industry and public bodies regulated by the UK MHRA including the Good Laboratory Practice Monitoring Authority (GLPMA).

Where possible the guidance has been harmonised with other published guidance. The guidance is a UK companion document to PIC/S, WHO, OECD (guidance and advisory documents on GLP) and EMA guidelines and regulations. 

1.2 This guidance has been developed by the MHRA inspectorate and partners and has undergone public consultation. It is designed to help the user facilitate compliance through education, whilst clarifying the UK regulatory interpretation of existing requirements. 

1.3 Users should ensure their efforts are balanced when safeguarding data from risk with their other compliance priorities. 

1.4 The scope of this guidance is designated as ‘GXP’ in that everything contained within the guide is GXP unless stated otherwise. The lack of examples specific to a GXP does not mean it is not relevant to that GXP, just that the examples given are not exhaustive. Please do, however, note that the guidance document does not extend to medical devices.

1.5 This guidance should be considered as a means of understanding the MHRA’s position on data integrity and the minimum expectation to achieve compliance. The guidance does not describe every scenario so engagement with the MHRA is encouraged where your approach is different to that described in this guidance.

1.6 This guidance aims to promote a risk-based approach to data management that includes data risk, criticality and lifecycle. Users of this guidance need to understand their data processes (as a lifecycle) to identify data with the greatest GXP impact. From that, the identification of the most effective and efficient risk-based control and review of the data can be determined and implemented.

1.7 This guidance primarily addresses data integrity and not data quality since the controls required for integrity do not necessarily guarantee the quality of the data generated.  

1.8 This guidance should be read in conjunction with the applicable regulations and the general guidance specific to each GXP. Where GXP-specific references are made within this document (e.g. ICH Q9), consideration of the principles of these documents may provide guidance and further information. 

1.9 Where terms have been defined, it is understood that other definitions may exist and these have been harmonised where possible and appropriate.

2.0 The principles of data integrity

2.1 The organisation needs to take responsibility for the systems used and the data they generate. The organisational culture should ensure data is complete, consistent and accurate in all its forms, i.e. paper and electronic. 

2.2 Arrangements within an organisation with respect to people, systems and facilities should be designed, operated and, where appropriate, adapted to support a suitable working environment, i.e. creating the right environment to enable data integrity controls to be effective.

2.3 The impact of organisational culture, the behaviour driven by performance indicators, objectives and senior management behaviour on the success of data governance measures should not be underestimated. The data governance policy (or equivalent) should be endorsed at the highest levels of the organisation. 

2.4 Organisations are expected to implement, design and operate a documented system that provides an acceptable state of control based on the data integrity risk with supporting rationale. An example of a suitable approach is to perform a data integrity risk assessment (DIRA) where the processes that produce data or where data is obtained are mapped out and each of the formats and their controls are identified and the data criticality and inherent risks documented.

2.5 Organisations are not expected to implement a forensic approach to data checking on a routine basis. Systems should maintain appropriate levels of control whilst wider data governance measures should ensure that periodic audits can detect opportunities for data integrity failures within the organisation’s systems.

2.6 The effort and resource applied to assure the integrity of the data should be commensurate with the risk and impact of a data integrity failure to the patient or environment. Collectively these arrangements fulfil the concept of data governance.

2.7 Organisations should be aware that reverting from automated or computerised systems to paper-based manual systems or vice-versa will not in itself remove the need for appropriate data integrity controls. 

2.8 Where data integrity weaknesses are identified, companies should ensure that appropriate corrective and preventive actions are implemented across all relevant activities and systems and not in isolation.

2.9 Appropriate notification to regulatory authorities should be made where significant data integrity incidents have been identified.

2.10 The guidance refers to the acronym ALCOA rather than ‘ALCOA +’. ALCOA being Attributable, Legible, Contemporaneous, Original, and Accurate and the ‘+’ referring to Complete, Consistent, Enduring, and Available. ALCOA was historically regarded as defining the attributes of data quality that are suitable for regulatory purposes. The ‘+’ has been subsequently added to emphasise the requirements. There is no difference in expectations regardless of which acronym is used since data governance measures should ensure that data is complete, consistent, enduring and available throughout the data lifecycle. 

3. Establishing data criticality and inherent integrity risk

3.1 Data has varying importance to quality, safety and efficacy decisions. Data criticality may be determined by considering how the data is used to influence the decisions made.

3.2 The risks to data are determined by the potential to be deleted, amended or excluded without authorisation and the opportunity for detection of those activities and events. 

The risks to data may be increased by complex, inconsistent processes with open-ended and subjective outcomes, compared to simple tasks that are undertaken consistently, are well defined and have a clear objective.

3.3 Data may be generated by:

(i) recording on paper, a paper-based record of a manual observation or of an activity or

(ii) electronically, using equipment that ranges from simple machines through to complex highly configurable computerised systems or

(iii) by using a hybrid system where both paper-based and electronic records constitute the original record or

(iv) by other means such as photography, imagery, chromatography plates, etc.

Paper

Data generated manually on paper may require independent verification if deemed necessary from the data integrity risk assessment or by another requirement. Consideration should be given to risk-reducing supervisory measures. 

Electronic

The inherent risks to data integrity relating to equipment and computerised systems may differ depending upon the degree to which the system generating or using the data can be configured, and the potential for manipulation of data during transfer between computerised systems during the data lifecycle. The use of available technology, suitably configured to reduce data integrity risk, should be considered.

Simple electronic systems with no configurable software and no electronic data retention (e.g. pH meters, balances and thermometers) may only require calibration, whereas complex systems require ‘validation for intended purpose’. 

Validation effort increases with complexity and risk (determined by software functionality, configuration, the opportunity for user intervention and data lifecycle considerations). It is important not to overlook systems of apparent lower complexity. Within these systems, it may be possible to manipulate data or repeat testing to achieve the desired outcome with limited opportunity for detection (e.g. stand-alone systems with a user-configurable output such as ECG machines, FTIR, UV spectrophotometers).

Hybrid

Where hybrid systems are used, it should be clearly documented what constitutes the whole data set and all records that are defined by the data set should be reviewed and retained. Hybrid systems should be designed to ensure they meet the desired objective.

Other

Where the data generated is captured by a photograph or imagery (or other media), the requirements for storage of that format throughout its lifecycle should follow the same considerations as for the other formats, considering any additional controls required for that format. Where the original format cannot be retained due to degradation issues, alternative mechanisms for recording (e.g. photography or digitisation) and subsequent storage may be considered and the selection rationale documented (e.g. thin layer chromatography).

3.4 Reduced effort and/or frequency of control measures may be justified for data that has a lesser impact to product, patient or the environment if those data are obtained from a process that does not provide the opportunity for amendment without high-level system access or specialist software/knowledge.

3.5 The data integrity risk assessment (or equivalent) should consider factors required to follow a process or perform a function. It is expected to consider not only a computerised system but also the supporting people, guidance, training and quality systems. Therefore, automation or the use of a ‘validated system’ (e.g. e-CRF; analytical equipment) may lower but not eliminate data integrity risk. Where there is human intervention, particularly influencing how or what data is recorded, reported or retained, an increased risk may exist from poor organisational controls or data verification due to an overreliance on the system’s validated state.

3.6 Where the data integrity risk assessment has highlighted areas for remediation, prioritisation of actions (including acceptance of an appropriate level of residual risk) should be documented, communicated to management, and subject to review. In situations where long-term remediation actions are identified, risk-reducing short-term measures should be implemented to provide acceptable data governance in the interim.

