A data governance policy should call for a data governance
plan which lays out, among other things: goals and objectives of
data integrity governance; organization and data ownership; a
strategic approach to the organizations data life cycle and other
important elements such as incident and problem management,
access and security management, and a quality risk framework.
Other supporting processes to consider will be auditing, metrics,
inventory classification, validation, and training. An FDA inspector will view a data governance policy and plan as a strong commitment by the organization to sustaining data integrity.
TRAINING AND LEVERAGING CGXP KNOWLEDGE
According to FDA, “Training personnel to detect data integrity
issues is consistent with the personnel requirements under §§
211.25 and 212.10, which state that personnel must have the ed-
ucation, training, and experience, or any combination thereof, to
perform their assigned duties.”
Throughout the draft, “Data Integrity and Compliance with
cGMP Guidance for Industry,” the FDA refers to “requirements
with respect to data integrity”in predicate rules and electronic sig-
nature and record-keeping requirements. Mary Lyda, former FDA
officer and current vice president, global quality assurance, Ac-
celovance, Inc., said,“It all goes back to training. It is essential that
everyone in an organization understands the fundamental prin-
ciples of data integrity within cGxPs and that the FDA and other
regulatory authorities expect data to be reliable and accurate.”
Most organizations will already have a robust training pro-
gram around these regulations that can be leveraged. Training
on the importance of data integrity principles may be a matter
of refreshing the work force’s knowledge of concepts such as
ACOLA—an acronym representing the following data integrity
elements: attributable, legible, contemporaneous, original, accu-
rate—referenced in all four guidance documents—and how to
properly report errors, omissions and abnormal results.
“Companies are waking up to the fact that data integrity issues are not isolated to countries like India and China and often
have to do with cultural nuances,” said Ajit Simh, adjunct professor in the Department of Regulatory Sciences program at California State University of San Diego. “So management needs to
make the effort to understand why individuals may be making
data integrity errors. For example, back dating in some cultures
is seen as a way of‘saving face,’ which may be a higher motivator
than accurately recording data.
“General staff training should not be overlooked since it pro-
ASSESSMENT AND RISK ANALYSIS
vides the critical foundation to achieve a state of understanding
for doing the right things rather than policing and implementing
IT barriers to prevent the wrong things.”
In addition, the data integrity cross-functional team, with
concerted help from the quality and training department, should
orient training material on the goals and objectives defined in the
data integrity organizational plan with practical examples of how
to achieve parity with the organization’s aspirations.
According to FDA, “Firms should implement meaningful and ef-
fective strategies to manage their data integrity risks based upon
their process understanding and knowledge management of
technologies and business models.”
Regulated data and records should be identified and docu-
mented in preparation for assessment and risk analysis. An excel-
lent way to prepare includes a data flow analysis to identify the
role of elements or units in regulated processes. Completing this
as early as possible, such as during a system specification phase
is ideal, but may be more difficult from a retrospective approach.
In addition, a risk framework commensurate with the company
sector should be determined.
Many companies are now going back and completing or updating reviews of data integrity by preparing a corporate level
questionnaire template to be used to evaluate and prioritize systems in areas such as data integrity impact, system inputs for accuracy, implemented controls, system outputs for accuracy, security, and 21 CFR Part 11 compliance, with a focus on audit trails.
Examples of questions that may appear on a questionnaire related to data integrity impact might include, but are not limited to:
• Can misinterpretation of product quality, safety or efficacy
result from corruption or loss of records?
• Can the product be adulterated, or can the release of adulterated or quarantined product result from corruption or loss of
• Can the product be misbranded as a result of corruption or
loss of records?
• Can the ability to recall the product be compromised by the
corruption or loss of records?
The uniformity of such a template allows for standardization
and consistent implementation of the Data Integrity Governance
Policy, procedures and plan, as well as a better risk evaluation of
data for decision making and prioritization of where resources
and money should be spent.
According to TGA, “Processes for the access, generation, con-
trol and review of electronically generated data and records, in-
cluding, but not limited to system validation, configuration and
ensuring reviews of source data and audit trails are routinely per-
formed, based on risk.”
The FDA and other regulatory agencies have advocated a risk-
based approach for some time now and applying this to data in-
tegrity governance is no exception. “Building data integrity into
the quality framework, if done earlier in the process, will save
time and money and enable better benefit-risk assessments,”
said Dr. Nancy Pire-Smerkanich.“Formalized benefit-risk frame-
works have value to enhance transparency and support decision
making, but are not utilized enough in the industry.”
Selecting a risk framework should be in line with the indus-
try sector and balanced with other quality resource demands.
More specifically, said, Dr. Pire-Smerkanich, “Manufacturers and
analytical laboratories should design and operate systems which
provide an acceptable state of control based on the data integrity
risk, and which is fully documented with supporting rationale.”
A risk approach can become an important support factor in balancing data influence decisions and the impact of data to product
quality or safety. When carrying out a batch release for example,
a manager may need to decide if data, which determines compliance with critical quality attributes, is of greater importance than