Skip links

MHRA ‘GXP’ Data Integrity Guidance

UK MHRA have just published the final version of the ‘GXP’ Data Integrity Guidance and Definitions Revision 1 on 09 March 2018

This guidance was first published in March 2015 and has been widely used as a reference in pharmaceutical
industries since.

The objective of this guide is to help companies and regulators have confidence in the quality and the integrity of the data generated to ensure patient safety and quality of products and an important emphasis is to be able toreconstruct activities from the data.

This new guidance revision is more practical and covers more areas than the March 2015 version, the guidance
covers the same ground as the already published WHO Guidance on Good Data and Record Management Practices (TRS 996 Annex 05, 2016) but the emphasis is different. The WHO guide is very strong on the way to manage paper-based systems and electronic systems. In this guide, the scope is wider and has many practical details about the whole range of issues that a company needs to consider to manage data integrity.
The definition of data integrity (DI) is slightly altered to emphasise the whole data life cycle.

“Data Integrity is the degree to which data are complete, consistent, accurate, trustworthy, reliable and that thesecharacteristics of the data are maintained throughout the data life cycle. “

“The data has to be collected and maintained in a secure manner, so that they are attributable, legible, contemporaneously recorded, original (or a true copy) and accurate. Assuring DI requires appropriate quality
management, risk management, and Good Documentation Practice”
The Guide has an introduction explaining that:

  • Companies should balance priorities when considering DI
  • The scope is all GxP
  • The guide sets the minimum requirements to achieve data integrity compliance
  • It is important to use a risk-based approach
  • Use together with the applicable GxP regulations

The guidance covers the increasing use of electronic data capture, automation of systems, use of remote data
centres, the increased complexity of supply chains and ways of working via third party service providers. The scope includes manual processes with paper records, hybrid systems, and fully automated computerised systems. There is a strong message for companies to get a grip on the subject, it has to be part of the Pharmaceutical Quality System and companies need to:

  • Take responsibility – requires senior management commitment
  • Use risk assessment to apply the right level
  • Moving from paper to automated or vice-versa may not solve the real issues
    o Use CAPA processes to investigate problems

The Guide includes important advice for Companies for example:
o Access controls and system administrator accounts
o The setting of clocks to record when data is collected
o Accessibility of records by users where they are needed
o Use of forms to manage correct data capture
o Reconciliation of print outs
o Use of SME’s
o Use of quality metrics
There is very strong emphasis on the following key points:
o The use of available technology to reduce risks to data integrity
o Creating the right environment
o Creating the right organisational culture
o Perform a DI risk assessment for all processes that produce data
o Permitting a full reconstruction of the record
o Information that is originally captured in dynamic form should remain available in that form

o it is not appropriate for static (printed / manual) data to be retained in preference to dynamic (electronic) data
o Systems have to be designed to prevent data manipulation when there is limited opportunity for detection
such as stand-alone systems with user-configurable output common in lab systems.
o Systems and processes should be designed to be compliant with the principles of data integrity and to
enable the desired behaviour
There is guidance on managing DI with paper systems and with electronic systems and companies need to consider
the supporting environment, people and training
There is extensive guidance on metadata and raw data (original data) and how this is captured and retained to permit
full reconstruction of the record, specific points include:

o In the case of basic electronic equipment that does not store electronic data or provides only a printed data
output (e.g. balances or pH meters), then the printout constitutes the raw data.
o Where manual transcriptions occur (for example results of a manual titration or visual interpretation of
environmental monitoring plates) these should be verified by a second person or validated system.
o Critical parameters get a special mention, the integrity of this data is also critical. The data has to show that
the parameters are within an appropriate limit, range, or distribution to ensure patient safety and product
There is guidance on Original records and true copies. True copies of original records may be retained in place of the original record (e.g. a scan of a paper record) if a documented system is in place to verify and record the integrity of the copy and a full audit trail is required.
There is guidance on data governance, data life cycle, data recording, data transfer, data processing, data retention, discarding data, archiving, backup, file structure, validation and IT suppliers.
There are strict rules on the audit trail, these are a form of metadata. GxP data requires an audit trail which has to be reviewed. If there is no audit trail it is possible to manage with a paper system but companies should actively look for a technical, compliant solution. Audit trails and retained records are important to allow reconstruction of all data processing activities.

e-Signatures have to comply with international standards. The guide does not mention US FDA 21 CFR Part 11 but if you read between the lines then this is implied. The e-signature is regarded as metadata and has to be retained with the record.
Systems have to be validated following annex 11 and annex 15. Backup and business continuity procedures are very important and have to be tested.
Finally, an appropriate notification to regulatory authorities is required when significant data integrity incidents occur.
This new publication generally implies towards a shift to using more electronic systems to achieve a ‘manageable’ and ‘long-term’ high standard of compliance.
The full document from MHRA about ‘GXP’ Data Integrity Guidance and Definitions can be downloaded from
this link

Leave a comment