Guest Column | March 19, 2018

What's New In MHRA's Revised Data Integrity Guidance — A Detailed Analysis

By Barbara Unger, Unger Consulting Inc.

What’s New In MHRA’s Revised Data Integrity Guidance — A Detailed Analysis

The Medicines and Healthcare Products Regulatory Agency (MHRA) published a revision to its 2015 Data Integrity Guidance, finalizing the draft revision published for consultation in 2016. The MHRA Inspectorate blog says the health authority received over 1,300 comments during the consultation process. The revision was a coordinated effort among the GCP, GDP, GLP, GMP, and GPvP inspection groups, reflecting a broad source of input. MHRA specifically excluded devices from the scope of this guidance. Regarding alignment with guidances from other health authorities, MHRA states: “The GXP data integrity guidance has a high degree of alignment with documents published by other regulators such as PIC/S, WHO, OECD (guidance and advisory documents on GLP) and EMA. It is designed to facilitate compliance through education, whilst clarifying the MHRA’s position on data integrity and the minimum expectation to achieve compliance.”

The scope of the MHRA guidance and WHO guidance includes the entirety of GXP. The PIC/S guidance on the same topic addresses GMP and GDP, and the EMA and FDA guidances address GMP, although the principles are relevant to GXP.

Revisions, Additions, And Deletions From The 2015 Version

The 2018 revision of the MHRA Guidance on Data Integrity and Definitions, in general, provides more detail and granularity than the 2015 version. Several items from the 2015 version are absent from the 2018 version. Similarly, MHRA includes new topics and significantly increased detail in the 2018 version. We address all below and identify the nature of each addition, deletion, or revision. We group the type of changes together within the two divisions in the document.

Nature Of Change

Change Details

 

Principles, Criticality, Risk, And System Design

Deletion

Figure 1 in the 2015 version, showing the spectrum of simple to complex computerized systems, has been removed. The text in section 4.3 of the 2018 version provides a narrative version of the 2015 Figure 1. The 2016 draft guidance included the figure; it was removed as an outcome of the consultation process.

Addition

The scope of the 2015 guidance was limited to GMP; the scope of the 2018 version includes GCP, GLP, and GMP for pharmaceuticals and excludes consideration of devices. Reference is made to the introduction section of the guidance. The introduction section is largely new in this revision.

Addition

The Principles of Data Integrity section introduces the acronym DIRA (data integrity risk assessment). Many of the 10 principles consolidated in this section reflect requirements that were found throughout the earlier document but consolidated in the 2018 version.

Revision

The 2015 version included a section titled Establishing Data Criticality and Inherent Integrity Risk that is substantially expanded with new text and detail. Additional detail is provided in examples.

Revision

Section 5.0, titled Designing Systems and Processes in the 2018 version, has also been substantially expanded. It addresses a GLP example where scribes record activities, such as for necropsies.

Revision

The format is revised from a tabulation format that included terms, definitions, and expectations/guidance (where relevant) in 2015 to a non-tabulated narrative format in 2018.

 

Definitions And Interpretations

Deletion

The revised definition of raw data in section 6.2 does not include the potential for the use of “true copies.”

Deletion

The definition of lifecycle (section 6.6) has been revised and omits the previously specified duration of archival arrangements and retrievability of data for inspection.

Deletion

The concept of a primary record has been removed. This removes confusion and perhaps bad practices the 2015 version may have appeared to support.

Addition

The revised definition of raw data in section 6.2 now includes source data as defined in the ICH GCP guidance. It also provides additional detail on simple electronic instruments that may store electronic data, such as pH meters or balances. Guidance is provided on how firms should manage situations where electronic data is retained.

Addition

Section 6.5 on data governance now includes requirements to ensure this is included in quality agreements and that data is “directly accessible on request from national competent authorities.”

Addition

Section 6.7 on Recording and Collection of Data is new.

Addition

Section 6.8 on data transfer/migration is new. Data transfer processes should be validated. This section also addresses the requirements for use of electronic worksheets, which I interpret to be spreadsheets such as Excel.

Addition          

Section 6.9 on Data Processing is new and requires traceability of “user defined parameters and addresses expectations for activities such as re-integration of chromatography data to ensure it is not being “manipulated to achieve a more desirable result.”

Addition

The 2018 revision adds section 6.10 on Excluding Data. For data that is excluded, the justification for doing so should be documented, and all data should be retained and available for review. This section does not apply to GPvP, as this is covered by pharmacovigilance legislation.

Addition

The 2018 version adds section 6.14 addressing electronic signatures. It references the MHRA/HRA draft guidance on the use of electronic informed consent for the GCP area.

Addition

Section 6.20 on IT Suppliers and Service Providers is an important and welcome addition and addresses software as a service, platforms as a service, and infrastructure as a service.

Addition

The glossary adds new terms and their definitions including: eCRF, ECG, data quality, DIRA, data cleaning, directly accessible, and advanced electronic signatures.

Revision

The definition of data (section 6.1) has been revised to be more detailed than simply “information derived or obtained from raw data” and includes the “+” attributes of “ALCOA +,” though it does not use this term. Data is to be complete, consistent, enduring, and available in addition to meeting the ALCOA attributes.

Revision

The revised definition of data integrity (section 6.4) includes the requirement to incorporate risk management: “quality and risk management systems including adherence to sound scientific principles and good documentation practices.” The definition is substantially expanded from the one-sentence version in the 2015 draft guidance.

Revision

The section on original record/true copy is now divided into two sections (6.11.1, titled “Original Record,” and 6.11.2, titled “True Copy”).

Original Record: This section is revised to address GCP examples, such as medical imaging results. It also is expanded to include examples where manual observations such as manual titrations and visual interpretations may need to be supported by second person verification.

True Copy: This section has been revised to state that true copies may be stored in a different electronic format than the original under specific circumstances. This section also states that when relying on “true copies,” the firm should consider risks that may be associated with the destruction of the original records. It also provides specific information on what should be verified to ensure a “true copy” includes adequate content. The new version also addresses how to accommodate situations where computer systems are no longer supported.

Revision

The section on Computerised System Transactions (section 6.12) now specifies that the time interval before saving data should be minimized for situations where multiple operations are combined into a single transaction. A paragraph is now included that addresses factors in this area that should be considered during system design.

The two figures in the 2015 version are not included in the 2018 document. For those who aren’t IT experts, the figures provided added value.

Revision And Deletion

The definition of audit trail has been substantially expanded in section 6.13. Further, some of the explanation is expanded and states that when the system administrator amends or turns off the audit trail, that action should be recorded and retained.

The 2015 version states that systems should have audit trails and unique login capability by the end of 2017. The 2018 version removes a specific date for meeting this requirement but does not remove the requirement.

The 2018 version states: “Where relevant audit trail functionality does not exist (e.g. within legacy systems) an alternative control may be achieved for example defining the process in an SOP and use of log books. Alternative controls should be proven effective.

Where add-on software or a compliant system does not currently exist, continued use of the legacy system may be justified by documented evidence that a compliant solution is being sought and that mitigation measures temporarily support the continued use.1

1 It is expected that GMP facilities with industrial automation and control equipment/systems such as programmable logic controllers should be able to demonstrate working towards system upgrades with individual login and audit trails (reference: Article 23 of Directive 2001/83/EC).”

The 2018 version addresses audit trail review and states that these may be reviewed as a list of relevant data or by an exception reporting process. This guidance defines the content of an exception report and states it is a “validated search tool.” Further, reviewers must have “sufficient knowledge and system access to review relevant audit trails, raw data and meta data.”

MHRA also states they may identify a deficiency when systems that do not meet audit trail or individual user account expectations do not have remediation identified or subsequently implemented.

Revision

Data Review and Approval, described in section 6.15, is expanded. The revision states, “Data review should be documented and the record should include a positive statement regarding whether issues were found or not, the date that review was performed and the signature of the reviewer.” As part of gap assessments, firms should consider how they address the requirement for a “positive statement” regarding the data review.

This section also addresses features of data review when a different organization generated the data, e.g., contract laboratories or contract manufacturers. In my opinion, this is an important addition.

Revision

Section 6.16 addressing computerized system user access/system administrator roles is revised to 1) address login at the operating system and application levels, 2) address MRP systems that may have non-GXP components, and 3) revise access rights depending on clinical trial status for GCP documentation.

Revision

Section 6.17 on Data Retention adds the term “validated” to describe the scanning process for paper records. The 2018 version does not address the circumstances where data is retained by a third party.

Revision

Sections 6.17.1 and 6.17.2 on archive and backup, respectively, have been substantially expanded. The archive section specifically addresses how to manage legacy systems.

Revision

Section 6.18 on file structure has been simplified and shortened. Details of flat files versus relational database structure have been eliminated.

 

Click here to view a version of the revised guidance with all new text highlighted.

Conclusion

The additional detail and new topics in this guidance are welcome. The expanded detail covers important areas for which little guidance is currently available, for example the area of IT suppliers and service providers. The use of software as a service, platforms as a service, and infrastructure as a service continues to increase in the industry. Firms that perform gap assessments against guidance documents, particularly data integrity guidance, would be well-served by repeating that assessment with this revision of the MHRA guidance. Many sections have been added in this revision, and many others have been significantly expanded in the level of detail. It does not appear that new, unexpected requirements are identified in this update, but the level of detail in explanations and examples certainly provide additional clarity and may result in a shift in firms’ interpretations. We will continue to follow this to determine if any changes in enforcement are reported as a result.

About The Author:

Barbara Unger formed Unger Consulting, Inc. in December 2014 to provide GMP auditing and regulatory intelligence services to the pharmaceutical industry, including auditing and remediation in data management and data integrity. Her auditing experience includes leadership of the Amgen corporate GMP audit group for APIs and quality systems. She also developed, implemented, and maintained the GMP regulatory intelligence program for eight years at Amgen. This included surveillance, analysis, and communication of GMP-related legislation, regulations, guidance, and industry compliance enforcement trends. Unger was the first chairperson of the Rx-360 Monitoring and Reporting work group (2009 to 2014) that summarized and published relevant GMP- and supply chain-related laws, regulations, and guidance. She also served as the chairperson of the Midwest Discussion Group GMP-Intelligence sub-group from 2010 to 2014. She is currently the co-lead of the Rx-360 Data Integrity Working Group.

Unger received a bachelor's degree in chemistry from the University of Illinois at Urbana-Champaign. You can contact her at bwunger123@gmail.com.