Data integrity is a central requirement for validating the production of pharmaceutical products according to good manufacturing practices (GMPs). According to the World Health Organization’s Guidance on Good Data and Record Management Practices, “data integrity is the degree to which data are complete, consistent, accurate, trustworthy and reliable and that these characteristics of the data are maintained throughout the data life cycle”.

Data integrity first appeared in regulatory requirements in 1971: the UK’s “Orange Guide” required that copies made from master records be free of transcription errors and carry the initials of the people who performed each activity, and that a record of the history of each batch be kept. The concept entered European GMPs in 1989, establishing that each alteration or correction of data had to be signed, with the reason specified and the original data still readable. EU GMPs also established that records must be completed at the time the action is taken and must identify the person responsible for performing and checking the action. According to pharmaceutical development expert Gilberto Dalmaso, almost 500 warning letters have been issued by the FDA in the last few years reflecting deficiencies in data integrity; many of the letters released by the UK authority MHRA in 2015 also involved data integrity lapses.

An article published in the American Pharmaceutical Review shows that the number of warning letters that include data integrity issues increased sharply between 2014 and 2018, from 18 to 69, while the increase in the number of letters without data integrity issues was far less pronounced (5 in 2014 vs 22 in 2018).

What is data integrity

GMPs do not precisely define common terms – such as verify, review and check – that are typical of data integrity controls. The issue has been addressed in an article by James Vesper published on Pharmaceutical Online.

Another article, by Chris Brook on Digital Guardian, discusses the distinction between considering data integrity as a state or as a dynamic process. When data integrity is considered a state, explains Brook, the data set has to be valid and accurate; when it is considered a process, measures and other information are used to demonstrate this validity and accuracy, and they have to be stored in a database. The article lists many possible reasons for rejecting data, such as human or transfer errors, computer viruses or other malware, hacking, hardware problems or physical compromise of devices. Verification and checking of data integrity make it possible to rule out all these possible threats, thus confirming that the acquisition and transfer of data occurred correctly; the data can then be considered reliable and trustworthy.
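
As a minimal illustration of what “checking” a data transfer can mean in practice, the sketch below compares SHA-256 checksums computed on a source file and on its copy; the file paths and the choice of hash algorithm are assumptions made for the example, not requirements taken from the article or from any guideline.

```python
# Minimal sketch: confirming that a transferred data file was not altered,
# by comparing a SHA-256 checksum computed before and after the transfer.
# File names and the hash algorithm are illustrative assumptions.
import hashlib
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(8192), b""):
            digest.update(chunk)
    return digest.hexdigest()


def transfer_is_intact(source: Path, copy: Path) -> bool:
    """True if the copy matches the source bit for bit."""
    return sha256_of(source) == sha256_of(copy)


# Example usage (hypothetical file names):
# transfer_is_intact(Path("batch_0421_raw.csv"), Path("archive/batch_0421_raw.csv"))
```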

The lack of clear definitions

James Vesper discussed the lack of a single definition for the above-mentioned terms governing data integrity. The GMPs released by the authorities of different geographical areas (US, EU, Canada, UK or PIC/S) simply ask for confirmation that these activities were performed correctly during pharmaceutical manufacturing. Industry is left entirely free to decide how to apply these concepts, and data integrity is then subject to the inspection activities carried out by regulators.

According to the classification proposed by Vesper on the basis of the most common industrial best practices, the “verification” step corresponds to the presence of a witness who monitors in real time, through direct observation, that all critical manufacturing activities are performed correctly. This “4 eyes” observation can also be linked to the CFR requirement that all manually recorded information be verified by a second signatory.
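
Where manual records are captured electronically, the “4 eyes” principle can be modelled explicitly. The Python sketch below is only an illustration of the idea under assumed field names: an entry records who performed the step and is considered verified only once a different person countersigns it.

```python
# Sketch of a "4 eyes" record: a manually recorded entry is only considered
# verified once a second, distinct person countersigns it.
# Field names and the in-memory representation are illustrative assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ManualEntry:
    value: str                      # the recorded observation, e.g. a weight
    performed_by: str               # person who performed and recorded the step
    recorded_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    verified_by: Optional[str] = None
    verified_at: Optional[datetime] = None

    def countersign(self, second_signatory: str) -> None:
        """Second-person verification: must be someone other than the performer."""
        if second_signatory == self.performed_by:
            raise ValueError("Verification requires a second, independent signatory")
        self.verified_by = second_signatory
        self.verified_at = datetime.now(timezone.utc)

    @property
    def is_verified(self) -> bool:
        return self.verified_by is not None
```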

The “review” step usually refers to controls run by a second person on documents and technical procedures in order to verify that they reflect all applicable requirements. These are examined more closely during the “check” step, when the specific activity is placed under strict scrutiny to confirm that it complies with all regulatory requirements. Neither checking nor reviewing is necessarily a real-time process, and both can involve the repetition of certain activities by a second person in order to confirm they were performed correctly (“double check”).

QRM to guide data integrity activities

Quality risk management (QRM) has become the new standard for pharmaceutical quality; the principles identified in the ICH Q9 guideline can also be used to guide all activities related to risk assessment and management in the field of data integrity.
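
ICH Q9 does not prescribe a specific tool, but an FMEA-style risk priority number (severity × occurrence × detectability) is one commonly used way to rank where verification and review effort should be concentrated. The sketch below assumes arbitrary 1–5 scales and invented examples purely for illustration.

```python
# Illustrative only: ICH Q9 does not mandate a specific tool, but an
# FMEA-style risk priority number (severity x occurrence x detectability)
# is one common way to rank data integrity risks. The scales and example
# risks below are arbitrary assumptions for the sketch.
from dataclasses import dataclass


@dataclass
class DataIntegrityRisk:
    description: str
    severity: int       # 1 (negligible) .. 5 (critical impact on product or patient)
    occurrence: int     # 1 (rare) .. 5 (frequent)
    detectability: int  # 1 (easily detected) .. 5 (likely to go unnoticed)

    @property
    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detectability


risks = [
    DataIntegrityRisk("Manual transcription of balance readings", 4, 3, 4),
    DataIntegrityRisk("Shared login on chromatography workstation", 5, 2, 5),
    DataIntegrityRisk("Unreviewed audit trail on environmental monitoring", 3, 4, 3),
]

# Highest-RPN items receive the most rigorous verification and review effort.
for risk in sorted(risks, key=lambda r: r.rpn, reverse=True):
    print(f"RPN {risk.rpn:3d}  {risk.description}")
```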

As reported in Vesper’s article, another useful reference for planning the verification and review process is the guideline published by the Pharmaceutical Inspection Co-operation Scheme (PIC/S). The document highlights the critical records that should be considered during the exercise, i.e. those documenting critical steps within batch records, batch production records of non-critical process steps, or laboratory records for testing steps. Each of these record types requires a specific approach to verification, review and checking, which should be described in local standard operating procedures (SOPs).
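
A local SOP could encode such a risk-based classification explicitly. The sketch below maps the record classes named in the PIC/S text to an assumed review approach; the rigor levels are invented for the example and would in practice come from the company’s own procedures.

```python
# Sketch of how a local SOP might map the record classes mentioned in the
# PIC/S guidance to a review approach. The record classes come from the text;
# the verification and review entries are illustrative assumptions.
REVIEW_APPROACH = {
    "critical step in batch record": {
        "verification": "real-time witnessing (4 eyes)",
        "review": "100% second-person review before batch release",
    },
    "non-critical process step in batch production record": {
        "verification": "performer signature only",
        "review": "periodic risk-based sampling review",
    },
    "laboratory testing record": {
        "verification": "analyst signature plus system audit trail",
        "review": "second-analyst review of results and audit trail",
    },
}


def review_approach(record_class: str) -> dict:
    """Return the SOP-defined approach for a given record class."""
    return REVIEW_APPROACH[record_class]
```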

On this basis, James Vesper suggests a possible approach to the confirmation of data integrity that can be flexible in terms of the rigor applied to the exercise and of the relative criticality of each action, event or piece of data considered. Under this hypothesis, the review step should be carried out “after-the-fact” by a second person in charge of examining data and evidence to confirm that everything has been done correctly. The checking should involve the direct observation of the “result” of a certain action or event, while the verification should be run through the real-time direct observation of events or through a second, independent performance of the task. And because many tasks are now automated, humans should also review machine-generated records and data, and qualify all equipment and devices used in manufacturing operations in order to confirm that the correct actions were incorporated within their functions.
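
As a simple illustration of what an “after-the-fact” review of machine-generated records might look for, the sketch below scans audit trail entries – in an assumed, simplified format – and flags those missing a user, a timestamp or, for changes, a documented reason; the entry structure and field names are assumptions, not a vendor’s actual audit trail format.

```python
# Minimal sketch of an "after-the-fact" review of machine-generated records:
# flag audit trail entries that lack a user, a timestamp, or (for changes)
# a documented reason. The entry format is an assumption for illustration.
from typing import Iterable


def review_audit_trail(entries: Iterable[dict]) -> list[str]:
    """Return human-readable findings for a reviewer to assess."""
    findings = []
    for i, entry in enumerate(entries, start=1):
        if not entry.get("user"):
            findings.append(f"Entry {i}: no user recorded")
        if not entry.get("timestamp"):
            findings.append(f"Entry {i}: no timestamp recorded")
        if entry.get("action") == "change" and not entry.get("reason"):
            findings.append(f"Entry {i}: data changed without a documented reason")
    return findings


# Example usage with hypothetical entries:
entries = [
    {"user": "analyst1", "timestamp": "2020-03-02T09:14:00Z", "action": "create"},
    {"user": "", "timestamp": "2020-03-02T09:20:00Z", "action": "change"},
]
for finding in review_audit_trail(entries):
    print(finding)
```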