Implementing Data Control Strategy to ensure Data Integrity

Biopharmaceuticals shall demonstrate at any time their compliance with Data Integrity (DI) requirements. We all know that data Integrity is not a new topic rather, it is an old concept made essential in today’s digital age.

So, ensuring data integrity means you will need to implement a data management and control strategy. As stated in PICS Good Practices for Data Management and Integrity in Regulated GMP-GDP Environments, data integrity failure results from bad practice and the absence of the required data control measures.

Data Control Strategy

Implementing Data Control Strategy shall start with data lifecycle understanding and control to identify GxP impact they could have on process and/or on product. This should be based on quality risks assessment of data lifecycle.

Data Control Strategy is a planned set of actions, processes and controls derived from data flows, records, and risk management understanding, that assures data quality and integrity compliance. Data control strategy requires all necessary tools, processes, and rules that define how to generate, manage, analyze, and act upon biopharmaceutical data. A data control strategy helps taking the batch release decision for example based on data you trust, and you know they are compliant with internal and Regulatory requirements.

The key elements of data control strategy are:

  • Implementation of effective SOPs where Single or Multiple SOP, Standard Templates and training program are in place and address how data is generated, collected, transmitted, treated, analysed, used, and stored
  • Systems Control that includes Paper-based system are well documented, GMP areas of system knows and validated. You must regularly update your system inventory to ensure its accuracy.
  • Data lifecycle Management that describes the data flow mapping, single or multi-complex system and their compliance
  • Data Risk Management that defines the risk management methodology and approach where risks related to digital devices and equipment are identified and mitigated.

Implementation of effective SOPs

The main objective of this key element is to apply the 5W1H methodology to data management as described in Figure 1: The Five W’s and One H Approach to Data Control Strategy SOP Development. Data review process shall be based on how the data is generated. A particular consideration shall be made for electronic and paper-based records and clearly described in SOP. Processes relating to the data review must be described in terms of frequency, roles, responsibilities, and approach to risk-based review of data that include metadata, audit trail as relevant.

The procedures shall ensure that the entire set of data is considered in the reported data and shall include the review and management of all locations where data may have been stored.

Figure 1 : The Five W’s and One H Approach to Data Control Strategy SOP Development

GxP System Control

Data Control Strategy should ensure that each data set is Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available to assure drug substance and drug product quality. Data integrity is expected through the control of digital/electronic systems, data, and audit review processes.

Measures should be put in place to manually control paper-based Records.  Good Documentation Practices must address how the supervisory control shall be made as a human operator directly actuates some form of the final control element to influence a process variable.

Regarding digital and computerized system, the controls should be focused on the compliance of the systems with regulatory requirement. You should develop a procedure for ensuring that the digital and computerized systems fit for intended uses. The following Key elements should be described and controlled:

  • Each system shall be identified and complied with applicable GxP requirements
  • Quality System shall include the description of the entire system lifecycle activities
  • Each system shall be assessed for quality risks and impact it can have on the data integrity and compliance
  • Each GxP regulated system must be compliant and fit for the intended use as per approved quality system management
  • Dataflow shall be mapped and understood to ensure security and reliability of the data
  • Each GxP regulated system must be qualified and validated as per GxP Regulated System requirements and Validation Lifecycle Procedure
  • Maintaining System Inventory List and compliance through the system lifecycle management.

Data Lifecycle Management 

One important key element of data control strategy consists of managing your data lifecycle that shall support reliable decision making because it takes into consideration data ownership, processes and potential risks associated with the integrity of the data. Data Lifecycle mapping provides a format or structure that facilitates the data flow withing the system or process.

It is important to develop appropriate standard operating procedures that describe:

  • How data is mapped,
  • Data lifecycle phases,
  • Elements to consider within the lifecycle
  • Data Ownership
  • Data Risk Control and Mitigation Action Plan

The basic and standard data lifecycle shall include the following step: Data creation; Processing; Review, Reporting and use; Retention and Retrieval; and Destruction as described in Figure 2: Data Lifecycle Phases.

Figure 2 : Data Lifecycle Phases (ISPE GAMP Guide: Records and Data Integrity, First Edition, March 2017)

Thus, ensuring an effective Data Lifecycle Management in compliance with Data Integrity principles means you should assure a total control of resources and digital/computer systems through how data is generated and collected for processing, analysis and traceability to the point of storage or destruction.

Data Risk Management

Most of regulatory and industry guidance recommend adopting quality risk management that can be apply to pharmaceutical quality. Indeed, a quality risk management policy must be applied to all aspect of drug product lifecycle including development, manufacturing, distribution, inspection, and submission/review processes.

Regarding data and digital/computerized system, it is highly recommended to define Risk Management Methodology and approach where risks relating to the system are identified and controls implemented to reduce potential risks to an acceptable level. Some key areas for which risks should be assessed and evaluated are:

  • Application Management
  • Breaches Accountability
  • Data Governance
  • Data Quality
  • IT/Digital access control and security
  • System lifecycle management

IT Vendors/Suppliers and Service Providers including Cloud providers and virtual service/platforms, also referred to as software as a service SaaS/platform as a service (PaaS) / infrastructure as a service (IaaS), must be subjected to Risks assessment and evaluation processes to ensure that:

  • The service provided, Data ownership, retrieval, retention, and security are well understood
  • The physical location and the impact of any applicable laws are taken into considerations
  • Data can be accessed in timely manner
  • Business continuity plan is effective

System and Functional Risk Assessment shall be part of Digital and Computerized Validation activities to evaluate the compliance of the system with 21 CFR Part 11 (US FDA); EU GMP Annex 11 and Health Canada Guidance GUI-0050. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the digital and computerized system.

References

  • MHRA GxP Data Integrity Guide, March 2008
  • ECA Guidance Document – Data Governance and Data Integrity for GMP Regulated Facilities, October 2016
  • US FDA – Data Integrity and Compliance with Drug CGMP, December 2018
  • APIC – Practical risk-based guide for managing data integrity V1, March 2019
  • WHO Good Data and Record Management Practices and Integrity in Regulated GMP/GDP Environment; November 2018
  • PICS – Good Practices for Data Management and Integrity in Regulated GMP-GDP Environments, July 2021
  • Health Canada – Good manufacturing practices guide for drug products (GUI-0001), July 2020
  • Health Canada Annex 11 to the good manufacturing practices guide: Computerized Systems: GUI-0050, August 10, 2021
  • US FDA- 21 CFR Part 11, Electronic Records; Electronic Signatures, Revised as of April 1, 2020
  • ISPE GAMP Guide: Records and Data Integrity, First Edition, March 2017

About the authorKossi Molley, Chemist, LSSBB