When working with data entry forms, good pharmaceutical data integrity requires that original values be moved from memory to a durable medium as soon as possible to preserve the integrity of the values and permit creation of a complete activity history for review and release of data. This concern is expressed in a recent draft FDA Data Integrity guidance(1):

“Similarly, it is not acceptable to store data electronically in temporary memory, in a manner that allows for manipulation, before creating a permanent record.”

One design that simplifies maintenance of enterprise-level applications is the layered approach. While there are variations, a common design has three layers:

  • Data entry (forms) layer
  • Business rules layer
  • Database layer

Segregation permits each layer to be modified without forcing major changes in other layers.

While there are maintenance advantages, this layered approach carries hidden data integrity risks:  designers can use a database trigger to validate a value or perform a calculation for the information just entered by the user.  This trigger is usually executed as the user attempts to move to the next form field.  If the entry needs to be corrected, an error message can be displayed and the user is returned to correct the entry.  Is this a problem?  Perhaps. Why?  Because no entry is stored until the entire form is complete—until storage, records are buffered in computer memory.  As a result of these:

  1. Entry is validated upon exit of a field
  2. Entry is not saved until form is complete, we now have a situation where users can alter entries multiple times without any evidence of the behavior.

The impact to pharmaceutical data integrity could be moderate or significant, depending upon the calculations/validations/range checks performed by the form and the data entries involved.

As an example, consider a form where a surface-area dose is calculated upon entry of patient weight and height.  The study has a maximum allowable surface area, and the clinic is paid for each person enrolled.  If the calculated surface area exceeds the maximum, a warning is raised on the form and the user is asked to re-enter values.  This has all the ingredients for data manipulation: the user can keep picking weight/height combinations until an acceptable surface area is obtained to enroll the patient (and receive payment).  Because the form immediately tells the user when values are unacceptable and nothing is written to media, the form leaves no record of user misbehavior in the system.  The lack of an audit trail makes detection impossible without direct observation.

The key to reducing the risk is changing the design so entries are first written to the database then calculated and validated.  This design then permits the creation of an audit trail to capture entry changes, so reviewers can see the complete record and determine if the entry changes are proper.

by:  Mark E. Newton, Associate Sr. Consultant, Global Quality Laboratories for Eli Lilly and Company

(1)    Data Integrity and Compliance With CGMP Guidance for Industry, Draft. April 2016. http://www.fda.gov/downloads/drugs/guidancecomplianceregulatoryinformation/guidances/ucm495891.pdf