The Data Integrity Triad: A Framework for FDA-Regulated Manufacturers

The Data Integrity Triad: A Framework for FDA-Regulated ManufacturersThis article is an abbreviated introduction to Chinmoy Roy's "The Data Integrity Triad." Read the full article on LinkedIn here.

Chinmoy Roy, The FDA GroupThe rise in Data Integrity warning letters are forcing companies to make a beeline for obtaining an understanding of data integrity. A close examination of management objectives where data integrity issues have unraveled indicates that they have been driven by the self-interest of profit. 

They hesitate to switch out older equipment for newer ones with technical controls to enforce data integrity. They also hesitate to provide the required level of personnel resources for regular audit trail reviews, investigation of data integrity issues etc.

While regulatory agencies are actively hiring computer savvy personnel familiar with the intricacies of electronic data, business expediency dictates pharmaceutical industry management to shadow those efforts by ensuring that adequate budgets are allocated to hire personnel with the right blend of IT and compliance expertise.

The purpose of this paper is to suggest a control framework to ensure data integrity in an organization.

Contaminated data

MHRA’s July 2016 draft version for GxP Data Integration Definitions and Guidance for Industry defines data integrity as “the extent to which all data are complete, consistent and accurate throughout the data lifecycle.” We may consider data integrity as synonymous with product purity wherein the product is either contaminated or not contaminated. So too with data integrity where the metric is binary in nature. Data is either contaminated or not contaminated. There is no in between to signify a “degree of breach or contamination”.

So, what is data integrity?

Data Integrity may be appropriately defined as “the state of completeness, consistency, timeliness, accuracy and validity that makes data appropriate for a stated use”. It is a data characteristic that lends it the assurance of trustworthiness. It is defined by the oft-mentioned ALCOA+ attributes. NIST SP 800-33 defines data integrity as the state when data has not been altered in an unauthorized manner. It covers data in storage, during processing and while in transit. Data integrity’s guiding principles include:

  1. The care, custody and continuous control of data

  2. Measures implemented to ensure that GxP regulated computerized systems and paper based as well as computerized data are adequately and securely protected against willful or accidental loss, damage or unauthorized change.

  3. Such measures should ensure the continuous control, integrity, availability and where appropriate the confidentiality of regulated data

Thus, data integrity is a process wherein data is not modified in an uncontrolled manner as it progresses through several groups within an organization to undergo any number of operations such as capture, storage, retrieval, update and transfer. It is a measure of the validity and fidelity of a data object.

Assuring enterprise-wide data integrity

When it comes to assuring data integrity, the situation is more complex because words mean different things to different people. To the IT Security group it is the assurance that information can be accessed and modified only by those authorized to do so. To the Database Administrator it is about data entered into the database are accurate, valid and consistent.

To the Data Owner it is a measure of quality, with existence of appropriate business rules and defined relationships between different business entities and to the Regulator, data integrity is the quality of correctness, completeness, wholeness, soundness and compliance with the intention of the creators of the data. This difference in meaning creates a fertile ground for miscommunication and misunderstandings, with the risk that the activity will not be done well enough because of unclear accountabilities.

Notwithstanding the impossibility of eliminating all vulnerabilities to data integrity in the organization, controls should be established to reduce the propensity for data integrity errors and vulnerabilities. Such controls should integrate and coordinate the capabilities of people, operations, and technology through a data integrity assurance infrastructure. It hinges upon a multi-faceted approach consisting of the following triad components:

  1. Management controls

  2. Procedural controls

  3. Technical controls

Continue reading Chinmoy Roy's full article on LinkedIn here.

Topics: Process, Regulations, Quality Standards, FDA Compliance, Data Integrity