Final Guidance on Data Integrity – The FDA was beat to the punch by the British Medicines and Healthcare Products Regulatory Agency
Hyman Phelps MacNamara PC’s LawBlog brings us this news “Agency Publishes Final Guidance on Data Integrity – the British Medicines and Healthcare Products Regulatory Agency that is”
As the article points out, the FDA draft guidance was published two years ago. The British [or more formally the British Medicines and Healthcare Products Regulatory Agency (MHRA)] beat the FDA and published a guidance on “GXP Data Integrity.” Even though the FDA has yet to finalize its guidance I’m sure someone at the FDA has been tasked to read what the British wrote, so we should too.
The LawBlog does a good job summing up the data integrity principals which I’ll further summarize.
- An organization should ensure that data is complete, consistent and accurate in all its forms.
- Appropriate data integrity controls are necessary for all systems both manual or computerized.
- As with any system, when gaps or weaknesses are found, an appropriate corrective and preventive actions are implemented holistically.
- The British extends the FDA’s ALCOA concept to ALCOA+; Data integrity is:
- Attributable, Legible, Contemporaneous, Original, and Accurate,
- Complete (i.e., the data must be whole – a complete set),
- Consistent (i.e., the data must be self-consistent),
- Enduring (i.e., lasting throughout the data lifecycle)
- Available (i.e., readily available for review or inspection purposes);
- I guess they called it ALCOA+ because ALCOACCEA looks like a new latin species name.
- Data integrity effort considers the risk to product or patient (e.g. reduced risk reduced effort; high risk high effort)
- Systems and processes should be designed in a way that facilitates compliance with the principles of data integrity;
- Paper systems (should be controlled as if they could be tampered with) — for example, use of controlled books with numbered pages, may be necessary to prevent the re-creation of a paper record;
- Using a scribe to record on another’s behalf is acceptable, providing everyone signs off and everything is done at the same time.
- Data doesn’t need to be saved just because it can be saved. However, the exclusion of data must be justified (at a level similar to that followed by the scientific method)
- Basic security principals, apply, such as to limit access to the minimum necessary data access for a person to perform their role; and tighter controls are needed for people with elevated (i.e. system administrator) access
- As with all risk management systems, organizations are expected to implement, design and operate a documented system that manages an appropriate and acceptable data integrity risk. This means the rational for acceptable risk needs to be documented, such as creating a data integrity risk assessment (DIRA)
Knowledge Bank is NOT a legal firm; The materials available at this web site are for informational purposes only. Please consult with an attorney for all legal matters.