Guest Column | December 13, 2016

Comparing Recent Data Management/Integrity Guidances From MHRA, WHO, & PIC/S

By Barbara Unger, Unger Consulting Inc.

Over the past two years, several major regulatory authorities have published new guidance documents addressing data management and data integrity in the pharmaceutical industry. My previous article addressed three of these: the draft guidance from the U.S. Food and Drug Administration (FDA) published in April 2016, the guidance from the European Medicines Agency (EMA) posted in August 2016, and the Drug Data Management Standard from the China Food and Drug Administration (CFDA) published in October 2016. In this article, we continue with the guidance from the UK’s Medicines and Healthcare products Regulatory Agency MHRA, the Pharmaceutical Inspection Co-operation Scheme (PIC/S) harmonization cooperative, and the World Health Organization (WHO).

Simply due to the comparable length of the documents, the analysis will first address the MHRA guidance (effective and draft revision). We will look at the WHO and PIC/S guidance separately.

MHRA Data Integrity Definitions and Guidance for Industry

The effective version of the MHRA guidance on data integrity was published in March 2015, and a draft revision was published for consultation in July 2016. At a high level, the most significant difference between the two is that the proposed revision applies to GxP systems, whereas the original applied only to GMP. It makes logical sense to extend the scope of the guidance beyond GMP, particularly considering data integrity problems in the GCP areas in the past several years (including but not limited to the WHO notices of concern issued to Quest Life Sciences Private Limited and Svisera Labs Private Limited in 2015).

Along with the broadened scope, the revised draft is formatted differently and includes a few additional terms with definition and explanation. In other cases, terms have been reorganized or the definition and examples have been expanded. In one notable instance, a term (primary record) is no longer included in the revised draft. The important changes are identified in the table below.

Deleted Terms

Primary record is a term found in the existing guidance but is not included in the revised guidance. It may have been eliminated to resolve confusion about what constitutes a primary record and the perhaps incorrect decision by some to discard original data records that were not designated as the primary record.

New Terms

Data transfer / migration is new to the draft revision.

Electronic signature has been added to the revised draft with a definition and identification of the governing directive. The text here is important and states: “An inserted image of a signature alone or a footnote indicating that the document has been electronically signed (where this has been entered by a means other than the validated electronic signature process) is not sufficient.” It also states that “Where a paper or pdf copy of an electronically signed document is produced the metadata associated with an electronic signature should be maintained together with the associated document.”

Cloud providers and virtual service platforms is new to the draft revision and reflects many of the common practices in the GxP area to move toward data storage in the cloud.

Revisions and Enhancements

Original records / true copy are treated as separate sections (11.1 and 11.2 respectively in the draft revision) in the revision, though expectations do not seem markedly different. Both documents state that a process must be in place to ensure that the copy is verified to be complete. The revision adds that the verified true copy “may be verified by dated signature or by a validated electronic signature.

Data processing is expanded to its own section (8) in the draft revision.

The data lifecycle definition and example in the effective version mentions that at least two years of data “must be retrievable in a timely manner for the purposes of regulatory inspection.” The draft revision is silent about the specific time-bounded data that must be available for inspection.

Computer system transaction addresses the concept of “temporary memory” and that the time data spends in this temporary memory should be minimized, because data in this status is not subject to visibility in an audit train if they are changed or deleted. The page of examples in the effective guidance is not present in the draft revision.

Data review has been expanded in the revised draft to address data exchanged between companies. Before accepting a summary report from the contract acceptor in lieu of exchange of original data or a true copy, the contract giver should perform an evaluation of “the contract acceptor’s quality system including compliance with data integrity principles”. When the contract acceptor does not perform a data review, these responsibilities must be “documented and agreed” by the parties.

Computerized system user access / system administrator roles is expanded to state that “Controls should be applied at both the operating system and application levels.” Further, now that the draft revision includes GCP processes, an example is provided about the locking of clinical trial data at a specific point in the management process.

Audit trail in the draft revision has been modified to remove the term “full audit trail” in describing all changes to the data. The draft revision has been refined to state that “It is not necessary for audit trail review to include every system activity.”

Data retention is modified in the draft revision so that the mention of contracted data and document retention to a third party is eliminated.

Archive is modified in the revised draft to address what actions should be taken when legacy systems ae no longer supported.

Backup must be periodically tested as a new requirement in the revised draft.


We might expect to see a final version publish in early 2017 based on a three-month consultation period for the draft revision.

Remember, the existing guidance includes two requirements that are expected to be met by the end of 2017:

  • In the absence of an audit-trailed computer system, a paper-based audit trail may be implemented if they “achieve equivalence to integrated audit trail[s].” If equivalence cannot be demonstrated, firms must “upgrade to an audit trailed system by the end of 2017.” The WHO guidance takes a bit more stringent approach and states that “The use of hybrid systems is discouraged, but where legacy systems are awaiting replacement, mitigating controls should be in place.”
  • Regarding the lack of unique logins, “It is expected that GMP facilities should upgrade to systems with individual login and audit trails by the end of 2017.”

WHO and PIC/S Guidance

These two data integrity guidance documents from WHO and PIC/S provide more granularity and examples than do the FDA, EMA, and CFDA guidances (all of which were covered in my previous article). Both documents from WHO and PIC/S are 40+ pages long but are worth reading for the wealth of detail. The content and requirements are similar, though the organization is different. Both PIC/S and WHO reflect the ALCOA+ attributes for data, requiring that it be attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, and available.

The PIC/S draft guidance, titled Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments, is dated August 10, 2016. t is intended to be used by inspectors in “interpretation of GMP/GDP requirements in relation to data integrity and the conduct of inspections.” It is not available for public consultation; instead, feedback will be provided by the inspectors using the guidance. Consistent with FDA and EMA, PIC/S states that the guidance does not impose additional requirements, but rather provides guidance on the interpretation of existing PIC/S requirements. Thus, predicate rules and existing requirements provide the framework for ensuring integrity of data. It is written for GMP/GDP, but the principles are applicable to GxP systems, and it would not be surprising to see the scope expanded in the future.

The PIC/S guidance is divided into 14 sections, many of which have subsections. The eight sections that address specific topics, rather than general principles and background, include:

  • Section 5: Data governance system section explains that data governance extends through the product lifecycle and consists of both organizational and technical components. The process should be risk-based. Data criticality and risk to data should drive the extent and nature of controls. Data governance, as a part of the pharmaceutical quality system, includes review by management to monitor its effectiveness.
  • Section 6: Organizational influences on successful data integrity management include the expectation that this process is owned by executive management. Cultural features and the status of the company’s quality culture are key components. Success is ensured by appropriate resource allocation, both in the areas of personnel and financial spend for the necessary equipment and software. Finally, the firm must have a process whereby staff can report on suspected problems in the area of data integrity, and the company is to investigate and resolve these reports consistent with the deviation process with the firm’s quality system.
  • Section 7: General data integrity principles and enablers are expressed as the ALCOA+ attributes, applicable to both electronic and paper records.
  • Section 8: Specific data integrity considerations for paper-based systems is one of the largest sections of the guidance. It addresses the controls that should be implemented to control blank forms, templates, and records. This section includes detailed tables that address the risks associated with failure to control the generation, distribution, completion, verification, and retention of records. Section 8.12 also addresses the “remote review of summary records”, such as data transmitted between sites and data transmitted between a contract giver and contract acceptor. This is an important section to read and consider.
  • Section 9: Specific data integrity considerations for computerized systems addresses control of computer systems within the context of the quality system. Several tables address the expectations and potential risks in computer system qualification and validation, collection and review of critical metadata (audit trails), and establishment of appropriate security. It further addresses data capture, review, storage, and archival.
  • Section 10: Data integrity considerations for outsourced activities describes the concerns for ensuring data integrity throughout the supply chain, including requirements that might be included in quality agreements. This is similar to the requirement from MHRA that firms are responsible to ensure their suppliers and contract providers have adequate data governance processes in place.
  • Section 11: Regulatory actions in response to data integrity findings provides a detailed tabulation of the existing GMP/GDP requirements that are referenced in data integrity observations. This is similar to sections in both the FDA and EMA guidances in identification of predicate rule / chapter and annex requirements that establish trustworthiness of data and records. This section also identifies the classification of deficiencies to assist in ensuring consistency within the PIC/S inspectorate.
  • Section 12: Remediation of data integrity failures describes the actions firms should take when data integrity failures have been identified and confirmed. This is similar in content to the requirements that FDA included in recent warning letters describing its expectations for data integrity remediation. These actions include detailed investigations to identify the root cause of the problems, risk assessments of the potential impacts on product quality and patient safety, and corrective and preventive action (CAPA) plans to prevent these problems from recurring.

The WHO guidance, Guidance on Good Data and Record Management Practices, published in May 2016, applies to GxP systems. This guidance progressed through public consultation prior to being finalized. The document includes a single appendix titled “Expectations and examples of special risk management considerations for the implementation of ALCOA+ principles in paper-based and electronic systems.” The appendix is similar to the tabulated presentations in the effective MHRA guidance (above), where expectations for paper records and electronic records are provided in detail.

The general sections of the WHO guidance are divided as follows:

  • Section 5: Quality risk management to ensure good data management requires the data management process to exist within the quality system, with appropriate organization and structure to prevent, detect, and remediate deficiencies. Quality risk management should be applied throughout the data lifecycle.
  • Section 6: Management governance and quality audits begins by stating that “assuring robust data integrity begins with management.” Success in this area begins with behaviors and sound processes and procedures. The section suggests metrics related to data integrity that the quality unit might monitor and report to management to evaluate the health of the quality system. It also states that all GxP records are subject to inspection by the responsible health authorities.
  • Section 7: Contracted organizations, suppliers, and service providers have a role to play in data integrity assurance as part of the supply chain. Similar to the MHRA expectations, any contracted service provider should be evaluated to ensure it has an adequate data governance system. Agreements and contracts should specify responsibilities in this area.
  • Section 8: Training in good data and record management should be provided to staff. Some personnel should receive more in-depth training, particularly those who review and audit electronic data. These staff members should be trained to evaluate software configurations and critical metadata and learn how data may be deleted or overwritten, so  their reviews can be effective in the detection of altered or deleted data.
  • Section 9: Good documentation practices apply to both paper records and electronic records. Like the PIC/S guidance, this section defines the ALCOA attributes and states that the attributes of complete, consistent, enduring, and available also apply. Appendix 1 provides additional factors to consider during implementation of good documentation practices.
  • Section 10: Designing and validating systems to assure data quality and reliability identifies various requirements regarding configuration and design controls necessary to ensure the appropriate level of system validation. Activities also include the development of risk mitigation approaches and controls through the data lifecycle, from data capture through data retention and disposal.
  • Section 11: Managing data and records throughout the data life cycle includes evaluation and remediation of ongoing risks through the lifecycle. The section identifies examples that should be considered during data collection and recording, data processing, data review and reporting, and data retention and retrieval.
  • Section 12: Addressing data reliability issues discusses actions firms should take when suspected data reliability issues are identified. Firms should evaluate the potential impact of these issues on product quality and patient safety. The investigation should identify and remediate the root cause of the problem and prevent risks from recurring. All activities are to be conducted and documented within the quality System.


The similarity among the MHRA, WHO, and PIC/S guidances is obvious and was facilitated by participation of many of the same teams, if not the same people, in their development. Similarly, the EMA and FDA Q&As do not stand in isolation and represent communication between and among the regulatory authorities. The draft document from China, the most recently published of the data integrity guidances, reflects features found in the others. While the formal scope in several of the documents is identified to be GMP/GDP or GMP alone, the concepts are applicable to all GxP areas. Some high points from all the global regulatory agency documents are as follows:

  • The FDA, EMA, and PIC/S guidances provide detailed information on the need to comply with existing rules, chapters/annexes, and guidance that govern data integrity. Thus, the focus on data integrity and data management does not represent implementation of new requirements, but rather an application of existing requirements.
  • If ever there was a lingering belief that a printed chromatogram represents raw data, all authorities are clear that raw data is data in the format in which it was originally collected. So, for those firms who have laboratory equipment with associated computers and software, and who maintain they are a paper-based organization, that’s just not correct. Your laboratory computer systems moved your firm into the world of electronic records. Recognizing this sooner rather than later, and implementing the necessary remediation, will save the grief and cost of having a regulatory authority point this out.
  • It is important to consider the status of data governance and data integrity of suppliers and contract manufacturing/laboratory sites. All guidances, excepting the one from FDA, explain responsibilities and expectations for these types of arrangements.
  • All agencies focus on the expectation for a risk-based approach over the data lifecycle, concepts that are fundamental to ICH Q guidance. In addition, the data governance activities are to be part of the firm’s quality system.
  • Guidance from all agencies includes both paper records and electronic records within their scope. Regarding electronic signatures, the guidances that address this state that use of a stored digital image of a person’s handwritten signature is not acceptable.

In conclusion, individuals who want to learn about the expectations for data management and data integrity would be well served to read the guidance documents published by all the regulatory authorities. The guidances from PIC/S and WHO provide more granularity than the others. Taken together, this collection of guidance documents is substantially harmonized, likely based on the overlap of individuals and teams who contributed to their development. These guidance documents should be considered along with publicly available enforcement actions taken by FDA, EMA, and WHO in the areas of data management and data integrity. Collectively, they provide a sound basis for any firm that wants to evaluate and improve their compliance status in this area.

About the Author:

Barbara Unger formed Unger Consulting, Inc. in December 2014 to provide GMP auditing and regulatory intelligence services to the pharmaceutical industry, including auditing and remediation in the area of data management and data integrity. Her auditing experience includes leadership of the Amgen corporate GMP audit group for APIs and quality systems. She also developed, implemented, and maintained the GMP regulatory intelligence program for eight years at Amgen. This included surveillance, analysis, and communication of GMP related legislation, regulations, guidance, and industry compliance enforcement trends. Barbara was the first chairperson of the Rx-360 Monitoring and Reporting work group (2009 to 2014) that summarized and published relevant GMP and supply chain related laws, regulations, and guidance. She also served as the chairperson of the Midwest Discussion Group GMP-Intelligence sub-group from 2010 to 2014. Barbara is currently the co-lead of the Rx-360 Data Integrity Working Group.

Before Amgen, Barbara worked for the consulting firm Don Hill and Associates, providing regulatory and quality services to the pharmaceutical industry, and for Eli Lilly and Company in quality and CMC regulatory affairs positions. She began her career in the pharmaceutical / device industry with Hybritech Inc. and received a bachelor's degree in chemistry from the University of Illinois at Urbana-Champaign.