State of the Art Data Integrity - A Critical Inventory

Data integrity is nothing new – its concept was introduced more than twenty years ago by regulatory authorities. So why does it receive so much attention over the last years? 

This blog will explain the importance of data integrity and shed light on the relevant factors like risk and controls to achieving compliance. In addition, it will present new roles and trends and elaborate on data governance and life cycle management.

It’s not easy to nail it down: numerous definitions of data integrity by FDA, NIST, IEEE, MHRA, and others exist. Yet the common denominator is the ALCOA+ principle.

Today, almost any decision in the world of pharmaceutical manufacturing is based on data. This includes critical ones that have direct impact on patient safety and product quality. Manual execution is replaced by automation, paper evidence by electronic records. Information or data therefore must be trustworthy as it is being used for important decisions. Although achieving data integrity is no rocket science, on average roughly 50% of the FDA’s warning letters over the last 5-7 years mention data integrity issues (Analysis of FDA FY2019 Drug GMP Warning Letters).

Currently, the majority of data integrity problems occurs in the following areas:

• access control and security measures (e.g. shared user login or missing audit trail) 
• no contemporaneous recording
• data discrepancies not being investigated
• testing into compliance
• data critical to quality not adequately collected, retained, or reviewed 
• original data overwritten
• fraud

While the root cause is usually not easily identified, a number of typical hazards potentially impacting data integrity can be named:

• Temporary storage of data leading to data falsification
• System interface errors causing loss or corruption of data
• Manual transcription or data entry errors
• Uncontrolled access as the root of unauthorized approvals
• Software or configuration errors ending in processing failures
• Hardware failures resulting in loss of data or reduced data availability

Learn more? Join our webinar on data integrity (German speaking).

Find out more

For those companies receiving warning letters or facing data integrity issues, the adverse impact ranges from bad reputation and increased efforts over product recalls to being excluded from lucrative markets. On the other hand, companies handling their valuable data with care not only benefit from better decisions and gain more trust, but they sharpen their position for new opportunities, too.

Looking at the latest trends reinforces the impression that data requires digitization and – vice versa – digitization is built upon data. However, data is of limited value without integrity!

Not only humans, but far more important systems, create, update, share, store, analyze, and transform data. With regard to the ongoing ‘trend’ artificial intelligence (AI), which evolved to a hot topic in the pharmaceutical industry, data integrity is a driving factor that cannot be understated. The CEO of Merck KGaA, Stefan Oschmann, was even quoted to have said that “(…) big data is essential (…) it will be just as important as biology or chemistry!”

With that in mind, imagine using digital twins or machine learning techniques based on faulty data! Consider the value of data analytics without integrity! Looking ahead, automated  decision making is within grasp with the right tools and data. That is being driven forward as some would like to eliminate all paper and hybrid records as these are difficult to maintain in a compliant state throughout their full retention period.

Therefore, it doesn’t come by surprise that the “ISPE Records and Data Integrity Guide” already states that“(…) data integrity is underpinned by well-documented, validated GxP computerized systems, and the application of appropriate controls throughout both the system and data life cycles (...) ”This statement is further explained in ISPE’s latest “Good Practice Guide on Data Integrity by Design”, resulting in the notion that “(…) validation of computerized systems (…) is necessary to achieve data integrity, while data integrity requirements must be considered as part of each validation effort  (….).”

Crucial: the human factor

No matter how good an application or a computerized system is, some aspects require attention that are beyond technical controls: The personnel creating and managing the data. In other words, the organizational culture (e.g. how to deal with errors) and maturity is a driving factor in achieving compliance through data integrity. Every organization wants to be aware and to have effective controls in place. However, even awareness and management understanding are no guarantee for acting competent. Only if a company applies policing and monitors execution for failure it may reach the final level of maturity: to unconsciously (!) applying good practices on a constant basis.

For definition  and the theoretical foundation of this approach, compare with the “Data Management Maturity Model” by the CMMI Institute. 

A mature organization will also heed high pressure and will be able to learn from deviations by evaluating projects at all stages. Such an organization will investigate and successfully uncover root causes, demand accountability, and reward owning up. When leaders and subject matter experts gather for decision making, they will apply a method called ‘Critical Thinking’.

Critical thinking is a process of evaluating information systematically, to be precise in a rational and disciplined way. A team represents a variety of perspectives to come up with balanced and well-reasoned answers. This includes experts that help to provide effective interpretation of data and situation while avoiding biases and assumptions. Instead of ruling out what may go wrong, worst case scenarios are being considered and gaps in data governance and processes identified, thereby challenging the effectiveness of controls.

Speaking of controls, it should have become obvious by now: In order to achieve full data integrity, different types of controls need to be in place, including: 

• Behavioral controls (people) 
• Technical controls (technology)
• Procedural controls (processes) 

However, every strategy has its limits. While data integrity controls help to prevent and detect fraud (which actually is a subset of all data integrity issues), even the best system cannot distinguish between a mistake (i.e. wrong data entered accidentally, e.g. a typo) and a fraudulent activity (i.e. wrong data entered intentionally).

Focus on data and reap the reward!

To apply a commensurate level of control it helps to not only look at systems and processes, but put the focus on the data. One way to achieve this is to establish a good level of data governance. According to MHRA, data governance is the “(…) arrangements to ensure that data, irrespective of the format in which they are generated, are recorded, processed,­ retained and used to ensure the record throughout the data lifecycle.” In addition to the long-known process and system owners, new roles for data owners and data stewards have been introduced. Those new roles take care of tactical coordination and implementation for data integrity and implementing data usage management and security policies.

The reward for successful data governance is just the opposite of data integrity issues: improvements in quality, a reduced number of defects, fewer recalls, higher confidence, and overall better decision making.

The data owner, supported by the data steward, is also responsible for managing the data’s life cycle. This is an important aspect of data integrity by design. Actually, data should always have a designated owner at any point in its life cycle. As a baseline, robust risk-based business processes should be defined and implemented and data flows understood. Furthermore, a specific data life cycle should be defined, based on the supported process. This needs to take into account that data may be transferred across multiple systems, and analyze the risks associated with such transfers. Therefore a holistic approach including effective handover of data ownership responsibilities between roles is compulsory.

Although this may sound ambitious: one could argue that finally data integrity is nothing but ‘compliance reloaded’. It is rather the sum of all facets, the level of detail, and the stringency of a data integrity by design approach that is new. Most of its ingredients are usual suspects. However, the importance of data, its quality, and its integrity, cannot be overstated.

Do you have questions on a special data integrity topic?

Get in touch