FDA Watch

The Importance of Data Integrity Risk Assessment

Executing Data Integrity Risk Assessments for paper (manual)-based, computer-based and hybrid systems that generate and store data.

By: Paul Mason

Executive Director, Lachman Consultants

The FDA and other Health Agencies have an expectation that companies understand the capability of their systems that generate and store data/records including any data integrity risks associated with such systems. The MHRA 2018 GXP Data Integrity Guidance and Definitions [1] states:

“Senior management should be accountable for the implementation of systems and procedures to minimize the potential risk to data integrity, and for identifying the residual risk, using risk management techniques such as the principles of ICH Q9.”

Keeping that in mind, it is then critical for companies to execute comprehensive Data Integrity Risk Assessments (DIRA) for paper (manual)-based, computer-based and hybrid systems that generate and store data/records. A DIRA is based upon the concept of Quality Risk Management (as per ICH Q9), where the purpose is to identify risks to patient safety, product quality and Data Integrity as well as to identify the actions to mitigate such risks. The WHO 2019 Draft Guideline on Data Integrity [2] references the following to address the risk to the integrity of data:

“……application of QRM with identification of all areas of risk to DI through data integrity risk assessment (DIRA) and implementation of appropriate controls to eliminate or reduce risks to an acceptable level throughout the life cycle of the data.”

The focus of DIRA is to determine the risk to generated data/records in terms of the requirement that the data is complete, accurate, consistent, trustworthy and reliable throughout the lifecycle of the record (i.e. from data creation, processing, review/reporting/use, retention/retrieval and destruction). Therefore, a primary tool when executing DIRA is Data Process Mapping, which will identify the various systems (and associated system interfaces) with which the data/record comes into contact during its lifecycle, followed by the generation of system data flow diagrams for the individual systems. This concept aligns with the MHRA 2018 GXP Data Integrity Guidance and Definitions [1], which states:

“….an example of a suitable approach is to perform a data integrity risk assessment (DIRA) where the processes that produce data or where data is obtained are mapped out and each of the formats and their controls are identified and the data criticality and inherent risks documented.”

The goal with such data mapping is to identify those junctures where data is being transferred between systems (e.g. chromatographic data being transferred to a LIMS system or data being transferred from the source system to long term storage) and where data is being transformed/modified (e.g. the processing of chromatographic data or conversion of analog signal to digital). At each juncture, data integrity risk should be assessed to determine if the data will maintain the ALCOA+ data quality attributes of being Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring and Available. For each system that is generating data, there must be an understanding of what constitutes complete records (i.e. including all the critical metadata including the various audit trails). To illustrate the above, consider one simple operation in three separate scenarios:

  1. Operator weighing out material with only a digital display of the weight of material and manually entering the weight into electronic batch record (EBR).
  2. Operator weighing out material with the generation of a paper weight slip and manually entering weight into EBR.
  3. Operator weighing material with an automated transfer of weight into EBR.

When performing a DIRA, Scenario 1 clearly poses the highest Data Integrity risk in terms of both prevention and detection, as the process is manual and there is a lack of a permanent record for the weighing step. Scenario 3 is the lowest risk since the manual operation is limited to weighing, and there is an automated capture of the activity within the electronic record (e-record) via an audit trail. However, with Scenario 3, the onus is on the validation to demonstrate accuracy of the data transfer and that there is a complete record of that transfer which is automatically retained and secure. For Scenario 2, there is a weight slip to capture the weight, but there could be a risk of the fading of such a weight slip over time, and to maintain a complete record, metadata will need to be entered manually into a paper-based system (i.e. logbook). With various data generating systems, companies must understand where manual processes exist and recognize the data integrity risk they pose, with an aim of automating (with the necessary validation) where possible. Otherwise, there is a need to implement procedural controls to reduce the risk associated with the manual operation to an acceptable, justifiable level. However, when validating an automated system there must be an understanding of the manual interactions with such a system, and those risks must be considered and understood during validation. As stated in MHRA 2018 GXP Data Integrity Guidance and Definitions [1]:

“The data integrity risk assessment (or equivalent) should consider factors required to follow a process or perform a function. It is expected to consider not only a computerized system but also the supporting people, guidance, training and quality systems. Therefore, automation or the use of a ‘validated system’ (e.g., e-CRF; analytical equipment) may lower but not eliminate data integrity risk.”

It is imperative that a DIRA for a system that is used by a cross-functional team includes representation of the system SMEs/process owner, QA, IT, Validation and the Data Governance Officer, and that there are comprehensive, procedurally specified checklists to drive consistency and ensure that all elements are considered.

DIRA should be a key component of a company’s Data Governance program and integral to a company’s Quality Management System. As an example, a company’s internal audit program should include DIRA as a mandatory component and DIRA should be referenced within the company’s vendor qualification program. The DIRA (and the results from its execution) must be considered and evaluated during all phases of a system life cycle: implementation/validation of a system, as part of change management, system periodic review and then as part of system retirement.

Through executing Quality Risk Management principles, a company will identify the Data Integrity Risks on the system and then identify risk reduction controls to mitigate the risk to an acceptable level. However, when developing such risk reduction controls there needs to be an understanding of the potential impact for a Data Integrity failure on that system, which in turn considers the criticality of the data/records that are generated by the system. The level of risk mitigation must be commensurate with the potential detrimental impact of failure.

For example, with the above three scenarios for the operator weighing the material, it must be understood how that activity can ultimately impact product quality/critical quality attributes (CQAs) along with any regulatory implications. Further, when implementing controls to address risk there needs to be distinction between interim controls versus long term controls. As an example, for a laboratory computerized system that is already in operation, the DIRA may identify that the system does not have audit trail/system log capabilities. Such an instrument may generate test data/records that are used to support the release of Finished Drug product and as such the records/data generated on that system are critical. The absence of an audit trail/system log (and thus not being able to account for the activities on the system) is considered unacceptable.

Therefore, to support the continued operation of the system, an immediate/interim action may be identified, such as implementing a manual logbook system in combination with a real time verification of activities and heightened access controls on the system. This interim control would be in place until the system was upgraded (via change management) with the necessary automated audit trail/system logs. The implementation of any action to address any identified risk must occur via a company’s change control procedure, where effectiveness of the remediation must be assessed and documented. This is particularly critical for interim controls, where the timeframe for the long-term corrective action must be defined and justified. As is stated in MHRA 2018 GXP Data Integrity Guidance and Definitions [1] in the context of computerized systems that do not have an audit trail:

“Where add-on software or a compliant system does not currently exist, continued use of the legacy system may be justified by documented evidence that a compliant solution is being sought and that mitigation measures temporarily support the continued use.”

What is paramount when conducting DIRA is having a robust understanding of the system as it currently operates in terms of potential impact to the validity of the data/record output and the current controls in terms of prevention and detection. For example, for chromatographic testing, a high-risk activity is the processing of the initially acquired data due to the manual nature, risk of reprocessing, use of inhibit integration, manual integration, processing to achieve a desired result, etc. The DIRA must ask what are the existing controls to address those risks and the existing means of detection (data review, audit trail detection, etc.).

Another critical consideration when executing DIRA for operational systems is that when data integrity gaps are identified, they must be appropriately investigated. As the FDA 2018 Data Integrity and Compliance with Drug cGMP Guidance [3] states:

“FDA encourages you to demonstrate that you have effectively remediated your problems by investigating to determine the problem’s scope and root causes, conducting a scientifically sound risk assessment of its potential effects (including impact on data used to support submissions to FDA), and implementing a management strategy, including a global corrective action plan that addresses the root causes.”

The information described highlights the importance of incorporating DIRA when implementing a new system at a company and of referencing it in the system’s project plan. The DIRA would be executed across the intended system workflow and confirm the required system preventative and detection measures/controls. These controls are to be validated to ensure the integrity of the afforded data/records. The DIRA must be comprehensive and consider software, hardware/infrastructure, personnel and documentation requirements over the lifecycle of the system.

The DIRA must also consider the risk of a system failure and whether the system has contingencies so that there is no loss or alteration to acquired data. For example, when acquiring chromatographic data as part of a sequence of injections, if there was a system failure during that sequence it must be assured that the complete data acquired up to the point of the system failure is retained, secure and is retrievable and is not at risk of alteration due to the system failure.  

The PDA published Technical Report (TR) 84 “Introducing Data Integrity Requirements into Manufacturing and Packaging Operations” [4] in 2020, which reaffirms that Data Integrity is not only a concern for the laboratory but for any aspect of the pharmaceutical industry where data and records are generated and handled.

Data Integrity Risk Management must be recognized as an iterative process where there should be periodic reassessment of any system residual risk and associated justifications. This is particularly critical for any investigations on a system where such risks may relate to the investigation root cause. The success of the DIRA is based upon the understanding of the system (including, where applicable, the relationship with other systems) where it is paramount that tools such as Data Mapping are used. 

References
1. Medicines and Healthcare products Regulatory Agency (MHRA), “‘GxP’ Data Integrity Guidance and Definitions”, Revision 1; March 2018, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/687246/MHRA_GxP_data_integrity_guide_March_edited_Final.pdf 
2. World Health Organization, “Guideline on Data Integrity”, Draft for Comments, October 2019, https://www.who.int/medicines/areas/quality_safety/quality_assurance/QAS19_819_data_integrity.pdf
3. U.S. Food and Drug Administration, “Data Integrity and Compliance with Drug CGMP – Questions and Answers – Guidance for Industry”, December 2018, https://www.fda.gov/media/119267/download
4. Parenteral Drug Association, “Technical Report No. 84 (TR 84) Integrating Data Integrity Requirements into Manufacturing & Packaging Operations”, September 2020, available at https://www.pda.org/bookstore/product-detail/5801-tr-84-data-integrity




Paul Mason, Ph.D.
Lachman Consultants

Paul Mason, Ph.D., is a Director in the Science and Technology Practice at Lachman Consultant Services, Inc. He has more than 20 years of experience in the pharmaceutical industry.
