Regulatory Handbook

Data Integrity:
FDA and Global
Regulatory Guidance
Author:
Siegfried Schmitt,
Principal Consultant,
PAREXEL Consulting

Introduction
Data integrity is a prerequisite for the regulated healthcare industry as decisions
and assumptions on product quality and compliance with the applicable regulatory
requirements are made based on data. Drug and medical device manufacturers
or (service) providers, healthcare organizations, regulators and other government
organizations, and users, i.e., patients and healthcare professionals, rely on data.
Breaches in data integrity can have negative consequences and may lead to
patient injury, or even death.
Whereas in the past data integrity was relatively easy to prove using forensic
methods analyzing ink and paper, the advent of computerized systems has
brought with it a different level of complexity. Identifying whether there could
have been undocumented or even malicious changes to electronic data or records
requires additional tools and expertise.
As it is much easier to change electronic data and records than it is to change
a paper or other physical record, there is a much higher chance of such changes
being effected. The regulatory authorities have put much emphasis on data
integrity in recent years, not least because they have uncovered serious cases
of data integrity breaches. This document provides references to the applicable
regulations, guidance and reports on data integrity (breaches).

Your journey. Our mission.

tm

|2

Definitions
Main Criteria for Data Integrity
[R.D. McDowall, Spectroscopy, Focus on Quality, December 2010]

Accurate

No errors or editing without documented amendments

Attributable

Who acquired the data or performed an action and when?

Available

For review and audit or inspection over the lifetime of the record

Complete

All data is present and available

Consistent

All elements of the record, such as the sequence of events, follow on and are dated or
time stamped in expected sequence

Contemporaneous

Documented at the time of the activity

Enduring

On proven storage media (paper or electronic)

Legible

Can you read the data?

Original/Reliable

Written printout or observation or a certified copy thereof

Trustworthy

The data and the record have not been tampered with

Breaches of data integrity (BDI) are acts of falsification, document adulteration,

forgery and providing misleading information.
[Carmelo Rosa ISPE FDA 3rd Annual GMP conference June 2014 Baltimore MD: Current Inspectional and Compliance
Issues in Data Integrity (www.ispe.org)]

Your journey. Our mission.

tm

|3

Major Regulatory Guidelines

US FDA

21 CFR Parts 11, 211, 803 [http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/cfrsearch.cfm]

Guidance for Industry Part 11, Electronic Records; Electronic Signatures - Scope and Application,
August 2003
Carmelo Rosa ISPE FDA 3rd Annual GMP conference June 2014 Baltimore MD: Current Inspectional and
Compliance Issues in Data Integrity (www.ispe.org)

European Council

EudraLex Vol 4 Chapter 4 and Annex 11 [http://ec.europa.eu/health/documents/eudralex/vol-4/index_en.htm]

Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a
Community framework for electronic signatures [http://eur-lex.europa.eu/legal-content/EN/TXT/
PDF/?uri=CELEX:31999L0093&from=EN]

ICH

ICH Q7 [http://www.ich.org]

MHRA
www.mhra.gov.uk

The MHRA is setting an expectation that pharmaceutical manufacturers, importers and contract
laboratories, as part of their self-inspection program must review the effectiveness of their governance
systems to ensure data integrity and traceability [http://www.mhra.gov.uk/Howweregulate/Medicines/
Inspectionandstandards/GoodManufacturingPractice/News/CON355490]
-- This aspect has been covered during inspections since the start of 2014, when reviewing the adequacy
of self inspection programs in accordance with Chapter 9 of EU GMP
-- It is also expected that in addition to having their own governance systems, companies outsourcing
activities should verify the adequacy of comparable systems at the contract acceptor
-- The MHRA invites companies that identify data integrity issues to contact:
[email protected]
-- GMP/GDP Consultative Committee, Note of Meeting; MHRA drew members attention to the
announcement on the website in relation to the Inspectorates expectations in relation to
self-inspection and data integrity [http://www.mhra.gov.uk/Howweregulate/Medicines/
Inspectionandstandards/GoodManufacturingPractice/News/CON355490]
-- If companies identify issues, they are invited to contact the MHRA to discuss the issues and how to
move forward
-- MHRA is looking at how current inspection practice can be changed in order to build in data reliance
checks early on in the inspection process. The result of the checks will then determine whether the
remainder of the inspection process is carried out normally or if indeed a more forensic approach is taken
-- In order to prepare for the process, industry can look at the way they design their systems, enabling
the operators of those systems to comply. Easy checks that can be carried out during supplier audits
or self-inspection include sample reconciliation and building in appropriate checks of audit trails and
raw data. These are the types of things that will be initially looked for
-- Additionally, a section on data falsification will be added to the Compilation of Community Procedures
Falsification in the context of EU GMP changes are being made to the definition of Critical deficiency
in EU GMP:
-- Any wilful misstatement, misrepresentation, manipulation, adulteration, rewriting, hiding, replacing
of quality related documents, materials, activities or buildings in order to give an item the appearance
of GMP compliance when this is not the case EU Compilation of Community Procedures. [Gerald W.
Heddell at the ISPE/FDA conference Baltimore June 2014]

WHO
www.who.int

WHO Notices of Concern [http://apps.who.int/prequal/assessment_inspect/info_inspection.htm]

Your journey. Our mission.

tm

|4

Discussion Topics
Regulatory agency inspection observations

Companies are encouraged to review published inspection

observations regarding data integrity. These are a valuable
source of information, however, these merely list the
symptoms, not the underlying root causes. We have
grouped the observations to make them more useful for
root cause analysis. All of this information is publicly
available free of charge on the following websites:
http://www.fda.gov/ICECI/EnforcementActions/default.htm
http://eudragmdp.ema.europa.eu/inspections/
displayWelcome.do

An analysis of the observations in the above resources

shows that there are three key areas of concern:
L ack of adequate controls
L ack of staff competence
L ack of adequate root cause analysis
Without doubt, such issues can occur in any company
anywhere in the world. Thus, it is prudent to pay particular
attention to these aspects when addressing data integrity.

Literature articles

These often provide summary overviews of data integrity

issues, combined with an analysis of the underlying issues
and potential root causes. In addition, they often discuss
solutions and industry best practices. Not all literature sources
are free of charge. The following are a selection of pertinent
article excerpts from several sources widely used in industry.

Of the five drug GMP warning letters issued December

2009February 2010, three showed data integrity lapses.
[Data Integrity Problems Continued to Surface in Recent
Warning Letters, The Gold Sheet February 2010]
FDA inspectors using a new forensic approach to
inspections in responding to a rash of data integrity

Data integrity problems continue to bedevil pharmaceutical

manufacturers, if recent warning letters issued by FDA
are any indication

Your journey. Our mission.

tm

|5

problems found in pharmaceutical manufacturing

facilities. Attorneys advise firms to pay careful attention
to their adverse event reports and field alert reports
as data integrity breaches can be found there too
FDA and the pharmaceutical industry are recommending
a forensic approach to inspections and internal audits to

combat growing data integrity problems: Digging

through trash cans and drawers is not considered out
of bounds in the current environment. [FDA Aggressively
Looking for Data Integrity Problems in Inspections, The
Gold Sheet June 2014]

Data Integrity Issues Everywhere?

Excerpt from Data Integrity, Pharmaceutical Technology Europe, Volume 38, Issue 7, pp. 82, July 2014.
www.pharmtech.com

Q: Data integrity issues have been making headlines

recently, in response to foreign inspections by the
Food and Drug Administration or European regulatory
agencies. Based on these reports, it appears that the
issues centre largely on manufacturing companies in
Asia. Should we conclude that this only concerns firms
already struggling to comply with basic good practices in
this part of the world?
A: In general, media tend to report on the most serious
violations uncovered by regulators. Oftentimes when
companies find similar issues through their own internal
investigations, they remain confidential and unreported.
Therefore, it would be presumptuous to assume violations
reported on by the press are representative of the industry
as a whole.
However, what inspections have triggered is increased
attention toward potential data integrity issues lurking
across the industry. Few companies would have data
integrity verification activities integrated into their quality
oversight programs before these examples of serious
violations of healthcare regulations became public knowledge
in the form of warning letters, consent decrees or reports
in the European EudraGMDP database.
Conscientious companies have taken these potential data
integrity issues seriously by starting internal investigations,
incorporating data integrity assessments into their quality
assurance oversight programs, and in some cases,

establishing a special data integrity office. Companies even those in good standing with regulators - have initiated
such activities regardless of existing or anticipated
compliance concerns.
The question now is, what have these internal investigations
uncovered, if anything? The answer, surprisingly, is that
they have uncovered a significant amount. Once you start
studying analytical data, root cause analyses, logbooks
and any other data source, gaps are repeatedly found in
data traceability and trustworthiness. A few data-related
issues include: uncertainty where the data originated from
and who created it - e.g. where several analysts use the
same user ID and password on a set of similar instruments;
which raw information produced the reported data - e.g.
where a summary table reports stability data results, but
all raw data on the chromatography instrument have since
been deleted, and whether these are the original data e.g. where there is no audit trail on the analytical
instrument. These issues are not necessarily the result
of wilful malpractice, but are often caused by insufficiently
controlled processes, poor documentation practices,
suboptimal quality oversight and, often enough,
professional ignorance.
Occasionally people do intentionally falsify data. This is
unfortunate but, thankfully, still a rarity.

Your journey. Our mission.

tm

|6

Here are some steps you should take to ensure data integrity:

Embed data integrity

verification activities into
internal audit processes

Train your internal auditors

to understand what
to look for when detecting
data integrity deficiencies

Create awareness among staff

so they can assist with
this endeavor, and report
concerns before they become
full-fledged issues

Seek external support

to assure completely unbiased,
third-party investigations
and/or to enhance your internal
investigation program

It should come as no surprise that companies already

struggling to meet basic compliance standards are at a
disadvantage when it comes to data integrity. However,
making data integrity a key element of your compliance
approach will give you a competitive advantage. It is always
better to proactively prevent issues, such as data integrity
failures to occur, than trying to remediate and resolve
inspection findings. Compliance excellence makes good
business sense.
The need to ensure data integrity through the life cycle
of a clinical trial and across all the systems involved is
of paramount importance as inconsistent, incorrect or
corrupted data could endanger the safety of patients,
adversely affect the outcome of the trial and increase
the risk of a failure during the submission procedure.
Therefore, this aspect has increasingly become the focus
of regulatory oversight. One of the main drivers for this

has been that the industry has embraced individual

or strategic outsourcing of clinical trial activities to
Contract Research Organizations (CROs) and sponsors
as well as CROs also adopting Software as a Service
(SaaS) offerings especially in the area of Electronic Data
Capture (EDC) or Interactive Voice Response Systems/
Interactive Web Response Systems (IVRS/IWRS). Often
this leads to a chain of partners with an increasing risk
of losing direct control for the sponsor. Even when
strategically partnered with a CRO, the responsibility
to address these risks resides with the Sponsor and
cannot be delegated. This requires extensive and
increasing efforts for oversight, which must be
considered when addressing the risks with regard to
data integrity. [Validation and Data Integrity in eClinical
Platforms June 2014, http://blog.ispe.org/?p=1526]

Your journey. Our mission.

tm

|7

Conferences and Training Courses

As yet only a limited number of events have been organized
on the subject of data integrity. Even fewer have had
regulatory agency speakers presenting. The specific
advantage of these events is the direct access to regulators
and the opportunity to share expertise and experiences
with industry peers. PAREXEL subject matter experts
regularly attend, present and are members of the
organizing committees for such conferences.

In 2014, speakers from FDA presented on the topic of data

integrity at events in the U.S. and overseas (e.g., ISPE FDA
Annual Conference in Baltimore, MD; DIA FDA EDQM Data
Integrity Workshop in Bangalore, India). The presentations
from the regulatory agency speakers are usually made
available via the agencies websites; other presentations
may only be available to the attendees.

Conclusion
Given the increased scrutiny for data integrity, companies are well advised to
establish internal competency, assessment and monitoring programs, and
assure data integrity is an integral part of the internal audit/self-inspection
program. Relevant information on data integrity can be gleaned from a
multitude of sources; and if in doubt, specialist consultants can provide
invaluable assistance with all aspects of compliance.

Author Biography
Siegfried Schmitt, Principal Consultant, joined PAREXEL Consulting in 2007. He provides consulting services to the medical
device and pharmaceutical industry on all aspects of regulatory compliance, particularly the design and implementation
of Quality Management Systems and Competitive Compliance. He is the PAREXEL practice lead for Quality by Design.
Dr. Schmitts areas of expertise include all aspects of quality and compliance for systems, processes, facilities and
operations for drug substances and drug products, for all types of formulations.
He has previously held positions in industry as Senior Production Chemist with Roche and global Quality Director with GE
Healthcare and as Validation Manager with Raytheon and Senior Lead Consultant with ABB.
He is an active member of various industry associations, including DIA, PDA, RAPS and ISPE, conference presenter and
organizer of international events. He is also an accomplished author and editor, and member or chairman of several
boards of editors.
Dr. Schmitt is a chemist by background and holds Chartered Chemist and Chartered Scientist status.

Your journey. Our mission.

tm

|8

WHEREVER YOUR
JOURNEY TAKES YOU,
WERE CLOSE BY.

Corporate Headquarters
195 West Street
Waltham, MA 02451
USA
+1 781 487 9900
Offices across Europe, Asia and the Americas
www.PAREXEL.com

2015 PAREXEL International Corporation. All rights reserved.