Editor’s Note: The following blog post summarizes an article that initially appeared in PDA Letter magazine. Read the full article.
Life sciences companies need trustworthy data to ensure the safety and quality of their drug products. Heightened regulatory focus on data contamination is driving companies to pursue a thorough understanding of data integrity and to modify their processes accordingly.
In this blog post, we’ll learn how to create a risk-based corporate data integrity program to ensure product safety and efficacy.
Why Data Integrity Problems Occur
Complex organizational dynamics, such as human actions and business processes and procedures, cause data integrity problems. These sociotechnical dynamics are explained through the 5P model for human cognitive behavior, shown in Figure 1.
Figure 1: The 5Ps influencing cognitive behavior
The 5Ps are Principles, Processes, Purpose, People, and Performance. An effective data integrity program is designed to align the 5Ps in an organization.
- Principles are an individual’s core beliefs, guiding philosophies, and attitudes that drive the person’s behavior. They are internal drivers.
- Processes shape a company’s culture. In a process-centric organization, the focus is not only on what needs to be done to manufacture a product but also on the quality of interaction between management and employees.
- Purpose projects the company’s intention through the articulation of the company’s vision, mission, goals, and objectives. A clear articulation of purpose by executive management in the data integrity plan plays a pivotal role in shaping the behavior of the company’s personnel.
- The primary focus remains on people since their performance directly impacts data integrity. An effective data integrity program should ensure the employee’s principles align with the company’s goals and processes.
The Fraud Triangle
In 2005, sociologist J.T. Wells introduced the fraud framework called The Fraud Triangle. The items in the triangle have been modified to apply to the biopharmaceutical industry.
Fraud occurs when one or more of these causal factors exist:
Figure 2: The Fraud Triangle modified for the biopharmaceutical industry
The incentive component is demonstrated by management’s acceptance or tolerance toward behaviors detrimental to data integrity. The opportunity for committing fraud happens when there is no mechanism to detect the fraud. The “everybody is doing it” attitude justifies noncompliant behavior.
An effective data integrity program must portray management’s unequivocal insistence on honesty and take pride in it. Now, let us explore the controls that must be in place to mitigate recurring data integrity issues.
Data Integrity Controls Triad
Because it’s impossible to eliminate all data integrity vulnerabilities, controls must be established to reduce the likelihood of errors. Such controls consist of the following control triad components:
- Management controls ― addressing the people and business factors of data integrity
- Procedural controls ― guidelines that require/advise people to act in specific ways to preserve data integrity
- Technical controls ― implementing technology-based devices to protect information systems from harm
Whereas procedural controls are primarily applied to practices and procedures during the data’s lifecycle, technical controls are designed into products to preserve data integrity. Digitization and digital tools, such as a validation lifecycle management system (VLMS), provide the technical controls to inhibit the unauthorized manipulation of test outcomes and help capture raw data to detect the manipulation of results.
Building a Data Integrity Program
Now that we understand why data integrity problems occur, we are better equipped to build an effective program. The program should advance through four phases, each consisting of one or more stages, as depicted in Figure 3.
Figure 3: Phases and stages of a data integrity program
PLAN: This phase includes (1) designating a project sponsor, a member of the CEO’s executive team, to act as the conduit between the project team and executive management, (2) forming the core team, which includes, at a minimum, a project manager and management-level members from the quality assurance and information technology departments, and (3) forming the project team consisting of members from stakeholder groups, including external consultants who are data integrity subject matter experts.
DEVELOP: This phase includes (1) data integrity audits, or the discovery stage of the project, where the project team and equipment users conduct Gemba walks seeking information and capturing results in a template for consistency, and (2) developing a prioritized plan by conducting a risk assessment of the data integrity issues and vulnerabilities discovered during the Gemba walks.
DEPLOY: This phase consists of mini-projects performed by several breakout implementation teams. Once these mini-projects are complete, systems are deployed after the company’s quality assurance group certifies them “fit for use.”
MONITOR: Activities in this phase are designed to obtain better transparency and visibility into the data integrity program and provide corrections or revisions to improve the program’s effectiveness. Reviews of data-integrity-related 483s, warning letters, and corrective and preventive actions (CAPAs) could also provide input to revise the program.
Monitoring for Effectiveness — The Data Integrity Maturity Model
The data integrity maturity model (DIMM) provides a consistent method of scoring the effectiveness of a data integrity program. The model guides the company to continually improve by climbing the maturity scale. When internal auditors use the DIMM to place the auditee department at a certain maturity level, it provides the department with a consistent measure of what needs to be done to climb the maturity ladder. The figure below itemizes the steps inherent in the DIMM.
Figure 4: The Data Integrity Maturity Model
- The rise in warning letters and Form 483s is forcing companies to seek a greater understanding of data integrity. Regulatory agencies are actively hiring personnel familiar with the intricacies of electronic data.
- Pharmaceutical industry management must provide an adequate budget for personnel with the right blend of IT and compliance expertise and task them with designing, developing, and implementing data integrity programs.
- Program developers must understand the sociotechnical aspects of the company that impact data integrity. They must also consider the controls triad to protect data from assaults on its integrity.
- Most importantly, designers must create a program that changes the company to be process-focused. This means not focusing solely on processes and procedures but also on people, equipment, and leadership through “management by walking around.”
Read the full PDA Letter article to learn how to build an effective corporate data integrity program to manage risk and pursue continual improvement to maturity.