Taking a Holistic Approach for Data Governance


PTSM: Pharmaceutical Technology Sourcing and Management, 12-06-2017, Volume 12, Issue 12

As regulatory authorities crack down on data integrity violations, bio/pharma companies must ensure adequate data governance programs are in place.

A company should consider whether it has a data governance policy and, if so, whether that policy is comprehensive and effective. Data governance policies have become a regulatory expectation as one of the core quality system policies. The Medicines and Healthcare products Regulatory Agency (MHRA) (1, 2), European Medicines Agency (EMA) (3), World Health Organization (WHO) (4, 5), Pharmaceutical Inspection Co-operation Scheme (PIC/S) (6), and the Australian government’s Therapeutic Goods Administration (TGA) (7) have all stated that a data governance system should be an integral part of the pharmaceutical quality system. The United States Food and Drug Administration (FDA) draft data integrity guidance states: “Firms should implement meaningful and effective strategies to manage their data integrity risks based upon their process understanding and knowledge management of technologies and business models” (8).

In response, many organizations have hastily created a data governance policy, and somewhere in the haste to get a policy in place, many lost sight of the purpose and function of a data governance system. As defined by the MHRA, a data governance system is “the sum total of arrangements to ensure that data, irrespective of the format in which it is generated, is recorded, processed, retained, and used to ensure a complete, consistent, and accurate record throughout the data lifecycle” (1, 2). The stated purpose of the data governance system is to maintain data integrity, but the ultimate goal is patient safety. At any firm seeking to be fully cGMP compliant, the data governance system should provide an acceptable state of control based on risk.

Establishing a data governance system might appear simple enough: just one more policy to be written and added to the corporate quality manual. However, issuance of a quality system policy, in itself, will do little toward ensuring the integrity of data, unless the policy addresses all relevant aspects of the company’s operations, including personnel behaviors and actions. Data integrity breaches can result from intentional actions, poor practices, or inadequate systems/procedures. To be effective, a data governance policy must drive personnel behaviors and actions, including that of senior management. The role of senior management with respect to the integrity of data needs to be emphasized. International Council for Harmonization (ICH) Q10 states: “Senior management has the ultimate responsibility to ensure an effective pharmaceutical quality system is in place to achieve the quality objectives, and that roles, responsibilities, and authorities are defined, communicated, and implemented throughout the company” (9). The MHRA draft data integrity guidance additionally states: “Senior management is responsible for the implementation of systems and procedures to minimize the potential risk to data integrity, and for identifying the residual risk, using risk management techniques such as the principles of ICH Q9” (2). In addition to the legal and ethical responsibilities for ensuring patient safety, the financial risks of poor data integrity as discussed in a white paper (10) justify significant engagement by senior management. 

An all too familiar regulatory observation is, “Your quality system does not adequately ensure the accuracy and integrity of data to support the safety, effectiveness, and quality of the drugs you manufacture.” Ensuring data integrity requires a holistic approach. The Parenteral Drug Association (PDA) has described the elements of a code of conduct for data integrity (11). Correspondingly, a comprehensive data governance policy should address the following key supporting systems: a code of ethical conduct, employee training, systems and procedures for the control and security of raw data, internal audits by quality assurance personnel, reporting and investigation of suspected data integrity breaches, disciplinary actions, regulatory agency notification, and data integrity for outsourced services. The following paragraphs contain recommendations for these key systems, which are further detailed in PDA’s “Points to Consider” document (11).

Code of ethical conduct

Companies should adopt a code of ethical conduct, which includes the following: 

  • A commitment to the development and commercial marketing of safe and effective medicines of high quality that comply with all applicable standards and regulatory requirements 

  • Company and management commitment to provide the necessary resources and training and support of a work environment culture that enables open and transparent communications, professional behavior, and compliance at all levels

  • A commitment requiring personnel at all levels, without exception, to maintain the integrity of all the data and records that are generated from product development to commercialization of all products throughout the lifecycle of each product

  • A zero-tolerance policy for any employee who is found to purposefully manipulate and/or falsify any data/records

  • A commitment to investigate all reported instances of questionable or unethical behaviors and take appropriate action

  • An encouragement for employees, without fear of retaliation, to report any coercion by coworkers or supervisors, implicit or explicit, to compromise data integrity

  • A management commitment to: fully investigate any breaches; determine the root cause; implement the proper corrective actions and preventive actions (CAPAs) preventing future recurrences; verify the validity and reliability of the data; retest and recall impacted product batches, or resubmit/amend the pertinent sections of an impacted submission; and fully disclose the investigation to the relevant agencies/authorities, as appropriate.


Employee training

All employees should be trained on the basic applicable cGxP, good documentation practices (GDP), code of ethical conduct, and data integrity policies along with other relevant subjects based on the assigned job functions and/or the defined roles and responsibilities. Annual cGxP training should cover: GxP topics, code of ethical conduct, and data integrity policies and procedures.

Control and security of raw data

There should be established procedures and processes to ensure data are attributable, legible, contemporaneous, original, and accurate, and also complete, consistent, enduring, and available when needed (the ALCOA+ principles) (7). Records must include complete data (12).

Procedures should address, as applicable, GxP activities, such as: GDP, sample handling, weighing practices, chromatographic practices, data review, internal audits, computer system validation, instrument qualification, reference standard and test sample reconciliation and accountability, data retention policies, investigations, and handling of suspect data integrity events.

Documented procedures should clearly define the terms: “data,” “raw data,” “metadata,” “static record data,” and “dynamic record data.”  Data security procedures must address source data, dynamic records, static records, and all forms of metadata.

GxP data, records, and documentation include, but are not limited to, clinical records, non-clinical study records, development and commercial operations, test data, analytical records including cross-references, reports, batch records, process data, logbooks, deviations, investigations, maintenance cleaning records, environmental monitoring data/alarms, validation documentation, annual product reviews, etc. 

Instrument/equipment use logbooks or the electronic equivalent should be maintained to allow for the reconstruction of events associated with testing/manufacturing. Logbooks should record activity (including any batches or samples involved), date and time of activity, and operator signoff along with any comments.

Manual operations require stringent oversight and should require contemporaneous, second-person verification of data entry to reduce the data integrity risk. For basic electronic equipment incapable of electronic data storage (e.g., balance, pH meter), a printout is considered the raw data. 

All forms, worksheets, templates, registers, logbooks, and notebooks must be issued, controlled, and managed throughout the lifecycle of the records following documented procedures. These records must be reconciled as part of record issuance and controls. 

Records must be made contemporaneously as specified in GDP procedures and consistent with ALCOA principles (7). Employees must sign/initial and date the original hardcopy records contemporaneously with the recording activities. Similarly, the data reviewer must sign/initial and date the review of records contemporaneously. 

Data review. Companies should establish adequate data review procedures to verify the accuracy, consistency, completeness, and truthfulness of data and information (hardcopy and electronic) generated for GxP-related activities. This verification includes the review of metadata (e.g., audit trail). All supporting information (e.g., qualification status of equipment, equipment-use logbooks, procedures, reference standards) should be reviewed. The data review procedures should provide details to ensure the complete information/data associated with cGMP production and testing are reported (12, 13).

Computerized systems. Computer system validation (CSV) following the system development lifecycle (SDLC) approach should be evidenced with proper documentation for all equipment and instruments that are equipped with the ability to acquire, process, and maintain electronic records (14). Qualifications for systems, as configured, must meet both US 21 Code of Federal Regulations (CFR) Part 11 requirements and regulatory expectations for ensuring data integrity. Vendors generally do not provide systems that are validated as configured and, therefore, supplemental validation, once computerized systems are installed, is almost always required. Mapping of the established data flow process (data acquisition, processing, review, reporting, and backup/archive) should be part of the qualification documentation.

Each computerized system must give every user a unique login account so that actions are attributable to the individual who performed them; it is a fundamental cGMP requirement that all activities performed are attributable to the person who performed them. System administration should be an information technology (IT) function, segregated from the users who generate and review data, so that no one with a vested interest in a result holds the privileges needed to alter or delete it. The user types and privileges for each computerized system must be defined and documented, and account creation, maintenance, periodic review, and deactivation must be described in applicable procedures as another key part of the holistic data governance system. Additionally, the following should occur:

  • There should be a documented procedure to require system end users to log off the system, and access-timeouts should also be established.

  • System users should not have the ability to delete, save-as and rename, or modify electronic records on standalone or network computerized systems.

  • On simple manufacturing and laboratory devices that have no electronic storage capability (e.g., balance, loss-on-drying apparatus, pH meter, titrator), configuration settings such as date/time and stored methods or programs should be password-protected, and the password should be held only by personnel who have no vested interest in the data.

  • There should be established electronic record naming conventions and, wherever possible, the naming conventions should include meaningful information on the source, such as equipment used, sample tested, and date of acquisition. 

  • Audit trails should be configured “on” and users should not have the ability to amend or disable the audit trail.

  • Only validated software (e.g., spreadsheet, database access, instrument application) should be used for GxP-related activities.
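The access-control and audit-trail points above are usually written as policy, but a reviewer needs something concrete to check. The following Python is an added example (not code from the article, the PDA document, or any vendor system) of a hash-chained, append-only audit trail and the review checks a QA reviewer would run over it: attributable user, documented reason for changes, timestamps in order, and a chain that breaks when an entry is altered or deleted. It assumes the chaining key is held by the IT-administered system and never by analysts; the user IDs, record IDs, and values are constructed sample data.

```python
"""Hash-chained, append-only audit trail and the checks a QA reviewer runs over it.

Added example (not from the article or any named product). Assumes an IT-held
chaining key; user IDs, record IDs and values below are constructed sample data.
"""
import hashlib
import hmac
import json

# Assumption: the chaining key is held by the system/IT, never by analysts,
# so users cannot recompute hashes after editing or deleting entries.
TRAIL_KEY = b"example-system-key-not-held-by-data-owners"
GENESIS = "0" * 64
ACTIONS_NEEDING_REASON = {"modify", "delete", "reprocess"}


def _digest(prev_hash: str, body: dict) -> str:
    """HMAC over the previous entry's hash plus the canonical JSON of this entry."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(TRAIL_KEY, prev_hash.encode() + payload, hashlib.sha256).hexdigest()


class AuditTrail:
    """Append-only: there is deliberately no edit or delete method."""

    def __init__(self):
        self.entries = []

    def append(self, user_id, action, record_id, old, new, reason, ts):
        body = {
            "seq": len(self.entries) + 1,
            "ts": ts,               # ISO-8601 UTC, taken from the system clock
            "user_id": user_id,     # unique per-person account (attributable)
            "action": action,
            "record_id": record_id,
            "old": old,
            "new": new,
            "reason": reason,
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = dict(body, hash=_digest(prev, body))
        self.entries.append(entry)
        return entry


def review_trail(entries, known_users, shared_accounts=frozenset({"admin", "lab", "operator"})):
    """Return reviewer findings for a trail; an empty list means no observation."""
    findings = []
    prev_hash, last_ts = GENESIS, ""
    for pos, e in enumerate(entries, start=1):
        body = {k: v for k, v in e.items() if k != "hash"}
        tag = f"seq {e.get('seq')}"
        if e.get("seq") != pos:
            findings.append(f"position {pos}: seq gap (found {tag}); entries missing or inserted")
        if _digest(prev_hash, body) != e.get("hash"):
            findings.append(f"{tag}: hash chain broken; entry altered or predecessor removed")
        if e["user_id"] in shared_accounts or e["user_id"] not in known_users:
            findings.append(f"{tag}: action not attributable to an individual ({e['user_id']})")
        if e["action"] in ACTIONS_NEEDING_REASON and not e.get("reason"):
            findings.append(f"{tag}: {e['action']} without a documented reason")
        if e["ts"] < last_ts:
            findings.append(f"{tag}: timestamp earlier than previous entry (not contemporaneous)")
        # Chain from the stored hash so a single bad entry is reported once, not cascaded.
        prev_hash, last_ts = e["hash"], e["ts"]
    return findings


def build_sample_trail():
    """Constructed sample: an HPLC assay result created, reintegrated, then reviewed."""
    t = AuditTrail()
    t.append("jsmith", "create", "HPLC-0421/assay", None, "98.7", "initial integration",
             ts="2017-11-02T09:14:05Z")
    t.append("jsmith", "modify", "HPLC-0421/assay", "98.7", "99.4",
             "manual reintegration after baseline drift, per procedure", ts="2017-11-02T09:41:33Z")
    t.append("qa.lee", "review", "HPLC-0421/assay", None, None, "second-person review",
             ts="2017-11-02T11:02:10Z")
    return t


def tampered_trails():
    """Two constructed tamper cases: the reintegration entry deleted outright, and its
    'old' value rewritten so the change appears never to have happened."""
    clean = build_sample_trail().entries
    deleted = [e for e in clean if e["seq"] != 2]
    altered = json.loads(json.dumps(clean))
    altered[1]["old"] = altered[1]["new"]
    return deleted, altered


if __name__ == "__main__":
    users = {"jsmith", "qa.lee"}
    print("intact:", review_trail(build_sample_trail().entries, users))
    for name, trail in zip(("deleted", "altered"), tampered_trails()):
        print(f"{name}:", review_trail(trail, users))
```

The point of chaining from the stored hash rather than recomputing forward is that a reviewer gets one localized finding per defect: an altered entry fails its own check, while a deleted entry shows up as both a sequence gap and a broken link at its successor. In a real system the key would live in an HSM or the application's service account, and the trail would be exported to a store the end users have no write access to; nothing here replaces the requirement that users cannot switch the audit trail off in the first place.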

For electronic signature use, a company must certify to FDA, in a letter of non-repudiation, that the electronic signatures used in its systems are intended to be the legally binding equivalent of traditional handwritten signatures (21 CFR 11.100(c)). This requirement obliges the company to document its process and systems for verifying the identity of each individual before assigning an electronic signature. For non-biometric signatures, the computerized system must require the signer to enter at least two distinct identification components (e.g., account name or user ID and password) at the step where the electronic signature is applied, and each signature must be linked to its record so that it cannot be excised, copied, or otherwise transferred to falsify another record (21 CFR 11.200, 11.70).

Data retention. Companies should establish a record retention policy covering both hardcopy records and electronic records as part of their data governance processes. All records (including all metadata) should be readily available in both human readable and electronic form suitable for inspection, review, and copying by the authorized regulatory official throughout the defined records retention period. Data backup, archival, and recovery processes should be validated and periodically tested.
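"Backup, archival, and recovery processes should be validated and periodically tested" is most useful when the test produces evidence. The Python below is an added example (not from the article) of the minimum such a test needs: a SHA-256 manifest taken at archival time and a verification after restore that reports missing, altered, and unexpected files by name. The directory layout and file contents are constructed sample data.

```python
"""Archive manifest for electronic records: SHA-256 of every file at archival time,
then a post-restore verification reporting missing, altered and unexpected files.

Added example, not from the article; directory layout and contents are constructed.
"""
import hashlib
import pathlib
import shutil
import tempfile


def sha256_file(path: pathlib.Path) -> str:
    """Stream the file so large raw-data files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: pathlib.Path) -> dict:
    """Map of archive-relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: pathlib.Path) -> dict:
    """Compare a restored tree against the manifest taken when the archive was made."""
    current = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "altered": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
        "ok": sorted(p for p in manifest if current.get(p) == manifest[p]),
    }


def demo() -> dict:
    """Constructed scenario: archive one batch folder, then 'restore' a copy in which a
    result was modified, a raw-data file was lost, and a stray file was introduced."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = pathlib.Path(tmp) / "archive" / "batch-0421"
        archive.mkdir(parents=True)
        (archive / "result.json").write_text('{"assay": "99.4"}')
        (archive / "audit.log").write_text("seq 1 create jsmith 2017-11-02T09:14:05Z\n")
        (archive / "chrom.raw").write_bytes(bytes(range(256)) * 4)
        manifest = build_manifest(archive.parent)   # taken at archival time

        restored = pathlib.Path(tmp) / "restored"
        shutil.copytree(archive.parent, restored)
        (restored / "batch-0421" / "result.json").write_text('{"assay": "98.7"}')
        (restored / "batch-0421" / "chrom.raw").unlink()
        (restored / "batch-0421" / "notes.txt").write_text("added after archival\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status:>10}: {paths}")
```

The manifest has to be stored and access-controlled separately from the archive it describes (and ideally signed), otherwise whoever can alter a record can regenerate the manifest to match. Run the verification as part of each periodic restore test and retain its output as the test record.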


Internal audit by QA

An effective data governance system should include a documented procedure for the initial and periodic quality assurance (QA) review of the overall systems (paper-based and electronic) and procedures associated with the integrity of data (i.e., procedures regarding collecting, analyzing, reporting, and retaining information and data). The review should include:

  • The validation status of computerized systems

  • A risk-based review of raw data, including electronic records, to ensure the effectiveness of the data review procedures

  • Training records to ensure that training (e.g., GxP, codes of ethical conduct) is provided, as required

  • Investigations, events, and deviations and associated quality metrics.

Suspect data integrity breaches

The data governance system should include documented procedures requiring employees to notify management if they become aware of data falsification, unauthorized changes, destruction, or conduct that raises data integrity concerns, and a reporting mechanism for suspected data integrity breaches should be established (e.g., an anonymous data integrity hotline or similar system to encourage reporting of questionable practices).

Procedures should be established for investigating any alleged intentional action, poor practice, or inadequate system/procedure that raises data integrity concerns. The investigation should determine the root cause and impact on product/data quality, from which appropriate CAPAs are derived and implemented.

Disciplinary actions. There should be documented procedures regarding disciplinary action due to wrongful acts, including: data falsification, unauthorized modification, or destruction; violation of the written policies and/or procedures; and any conduct that would raise data integrity concerns.

Regulatory agency notification. Companies should commit to prompt regulatory notification if the company becomes aware that a product in commerce is impacted by a data integrity breach; or if a pending or approved submission contains untrue statements or has omitted statements of material fact. A company must investigate all data integrity breaches and take the appropriate corrective actions to report the correct and complete data/information to the regulatory authorities.

Outsourced services

All pertinent requirements and controls that ensure the integrity of a company’s internal data should apply equally to contract manufacturers and contract laboratories, as defined in the quality agreement, and compliance with those requirements should be periodically audited by qualified personnel.


As stated in the MHRA draft data integrity guidance: “The validity and integrity of the data should be commensurate with the risk and impact of a data integrity failure to the patient or environment” (2).  Keeping the focus on patient safety, companies need to establish comprehensive data governance systems with a holistic design encompassing the key elements described here. For a data governance policy and its associated systems to be effective, management engagement in implementation, operation, and continuous improvement of these systems is of crucial importance to ensuring the integrity of GxP data.


1. MHRA, MHRA GMP Data Integrity Definitions and Guidance for Industry (March 2015).
2. MHRA, Draft Guidance, MHRA GxP Data Integrity Definitions and Guidance for Industry (July 2016).
3. EMA, Questions and Answers: Good Manufacturing Practice: Data Integrity (August 2016).
4. WHO, Draft Guidance, Guidance on Good Data and Record Management Practices (September 2015).
5. WHO, Guidance on Good Data and Record Management Practices, Annex 5 (July 2016).
6. PIC/S, Good Practices for Data Management and Integrity in Regulated GMP/GDP Environment (August 2016).
7. TGA, Data Management and Data Integrity (DMDI) (April 2017).
8. FDA, Draft Guidance, Data Integrity and Compliance with CGMP Guidance for Industry (CDER, April 2016).
9. ICH, Q10, Pharmaceutical Quality System (ICH, April 2009).
10. J. Davidson, The Real Cost of Poor Data Integrity in Pharmaceutical Manufacturing, White Paper, May 19, 2016.
11. PDA, Points to Consider - Elements of a Code of Conduct for Data Integrity (March 2016).
12. 21 CFR 211.194(a).
13. 21 CFR 211.188.
14. 21 CFR 11.10.

About the Authors

Ron George, PhD, is director of Science and Technology, r.george@lachmanconsultants.com; Thu Truong, JD, is senior associate of Science and Technology; and James Davidson, PhD, is vice-president of Science and Technology, all at Lachman Consultants.