28/29 January 2020
Besides the FDA, WHO and PICs, the British MHRA has also published its first guidance on data integrity in early 2015. A revised version, put up for discussion as a draft, quickly followed in July 2016. On 09 March, 2018, the MHRA "GxP Data Integrity Guidance and Definitions" was published in its final version.
At a first glance, there seem to be few changes compared to the draft document. The guideline's structure generally corresponds with the 2016 draft (changes in bold print below); however, the numbering of the chapters was restructured:
3. The principles of data integrity
4. Establishing data critically and inherent integrity risk
5. Designing systems and processes to assure data integrity; creating the 'right environment'
6. Definition of terms and interpretation of requirements
6.2. Raw data (synonymous with 'source data' which is defined in ICH GCP)
6.4. Data Integrity
6.5. Data Governance
6.6. Data Lifecycle
6.7. Recording and collection of data
6.8. Data transfer / migration
6.9. Data processing
6.10. Excluding data (not applicable to GPvP)
6.11. Original record and true copy
6.11.1 Original record
6.11.2 True copy
6.12. Computerised system transactions
6.13. Audit trail
6.14. Electronic signatures
6.15. Data review and approval
6.16. Computerised system user access / system administrator roles
6.17. Data retention
6.18. File structure
6.19. Validation - for intended purpose (GMP; See also Annex 11, 15)
6.20. IT Suppliers and Service Providers (including Cloud providers and virtual service / platforms (also referred to as software as a service Saas / platform as a service (PaaS / infrastructure as a service (Iaas)
It can generally be said that the various chapters have been significantly revised in regards to content and scope. The scope has been increased by app. 50%.
Moreover, a significant requirement, which had been strongly objected by the industry, was removed from the draft. Former chapter 16 "Computerised system user access / system administrator roles" included the following requirement: "It is expected that GMP facilities should upgrade to system with individual login and audit trail(s) by the end of 2017 (reference: art 23 of Directive 2001/83/EC)." This requirement has been considerably defused, but not completely deleted. The new text now reads: "It is expected that companies should be implementing systems that comply with current regulatory expectations2 (2 It is expected that GMP facilities with industrial automation and control equipment / systems such as programmable logic controllers should be able to demonstrate working towards system upgrades with individual login and audit trails (reference: Art 23 of directive 2001/83/EC)"