GCP Data Integrity

Written By Peter Baker

I just finished reading the newly published EMA guideline titled: “Guideline on computerised systems and electronic data in clinical trials”.  I think I have now transformed into a total data nerd, because I found myself completely engrossed in the text!  My first thought was one of relief: I found the guide to be 100% harmonized with the many existing GXP guides for data integrity.  We will not find in the document a prescribed checklist to follow when setting up or evaluating a trial management strategy.  This is by design.  Checklists lead to trouble!  We are the experts in our data processes, and only we have the ability to design a risk-based management strategy that meets our patient expectations! 

We do (at least) see an excellent high level critical-thinking roadmap to success (Section 4) for inspection readiness (via patient protection), some thoughts on which are outlined below:

1.       Data Integrity

  • The guideline uses the concept of data governance to ensure data integrity.  This is a necessary addition, as governance focuses industry on the process (a wholistic approach), rather than just the people!

2.       Responsibilities

  • In this section we see an emphasis on data ownership (although that exact terminology is not used).  When ownership is assigned, required tasks get done!

3.       Context

  • Here we see the regulator explain that metadata provides the context necessary to generate information.  Data by itself (without the associated context) cannot be used for decision-making.  Only by including the associated metadata in the governance strategy can we generate information used for making decisions and conclusions (for example, by ensuring via Audit Trails that the data entry was made by the authorized employee, at the designated timepoint, etc…). 

4.       Source Data

  • This is an excellent section that outlines the ability to take a risk-based approach to ensuring accuracy of our data.  Here is where we see a break from downstream GMP requirements for “original records”, however, this will most likely be adapted within the GMP framework as we move into more advanced data analytics (e.g. machine learning).

5.       Criticality & Risks

  • To wrap up the emphasis on governance, the guide directs us over to the concepts outlined in ICH Q9 (R1) – with an almost cut/paste strategy!

6.       Data Capture

  • Due to the wide variety of data acquisition tools that may be involved in a study, the regulators state that a “detailed diagram” of the data flow should be available.  This is excellent guidance and is not optional (see the section on data integrity above), as the data & process map is the best tool to initiate process understanding, with the ultimate goal of true governance. 

7.       Electronic Signatures

  • This section is a reminder regarding the requirements for e-sigs, the reason being that without these safeguards in place, the regulator cannot consider the resulting decisions to be based on accurate and complete data sets.  Just a friendly reminder!

8.       Data Protection

  • Confidentiality of subject data cannot be compromised.  The regulator includes here a section on GDPR to ensure that the risk-based governance plan considers confidentiality and implements controls that are commensurate with this risk.  This is not optional!

9.       Validation

  • To understand the roadmap at this point, we are directed to Annex 2 of the document, which is an extensive guide to CSV.  We see alignment here with FDA’s 2018 DI guidance, with an emphasis on evaluating hardware, software, personnel and documentation as part of the validation process (see section A2.3).  We also see some limited aspects of an Agile approach to validation (see section A2.5), following a risk-based approach.  In summary, this section is a brief summary of an expected modern approach to GXP validation lifecycle.

10.   Direct access     

  • This section (in my opinion) may be a prelude to the expectation that inspectors be provided remote access to GXP data sets (read-only access), as the regulators attempt to reduce travel burden and improve efficiency through remote evaluations. 

Section 5 and 6 get down into the weeds Computerised Systems (5) and Electronic Data (6), largely harmonized with Part/Annex 11 expectations.  Pay special attention to section 6.2, as it outlines some very specific inspector expectations regarding Audit Trails, for example, the ability to export the “entire audit trail as a dymamic data file”… This means the inspector expects to receive an exported data file with the ability to sort/filter/process the data during inspection (data analytics).  It appears that the days of providing exported PDFs are over, as this is not in a usable format and the inspector has no ability to perform their job of protecting and promoting public health. 

In summary, this is another excellent harmonized GXP guide for industry with some additional specific requirements for the BIMO world.  The takeaway message, as with all recent DI guides, is to:

1.       Activate critical thinking and be open to flexible data management strategies (perfection is not the goal)

2.       Each step and interface within a process must be evaluated for hazards/risks (think accuracy and completeness)

3.       When relevant aspects of the design/operation/monitoring of the process have been evaluated and the management strategy decided, we are now operating within a validated state – and are inspection ready!

Let’s get to it!

Pete

Peter Baker https://www.liveoakqa.com
Previous

Sources of Variability
Next

Root Cause Analysis