GxP compliance supports the medical and pharmaceutical industries. “Good” x “Practices” covers several scenarios, where x represents manufacturing, distribution, laboratory, clinical, or document scenarios. There’s also cGxP, where c represents “current”, which is about as good as saying “new”. How long is “new”, and when does “new” become “legacy”? I’ll dive into these details, exploring how the evolving IETF SCITT (Supply Chain, Integrity, and Trust) draft can be applied to GxP and how DataTrails can bring these capabilities to your implementation, providing the security guarantees and adherence to GxP compliance requirements in a timely and efficient manner.
Principles of GxP
GxP was first implemented in June 1963 as Federal Register 6385, long before standard computing technologies. In some ways, physical documents with traceable handwriting, signatures, ink, and paper could be dated and traced to their origins, assuming you could find the actual documents and they weren’t damaged or destroyed. Even documents that were created with a typewriter can be traced forensically. While digital documents are more easily retained and searched, they can be easily forged without digital signatures and integrity protection, raising some interesting questions: What are the best practices to implement GxP?
Quoting David Husman’s article: Data integrity and compliance with GxP: A pragmatic approach, there is a core set of principles originating from various FDA and EU regulations.
- Data Integrity 101 – If the data/record is not complete, consistent, enduring, and available, it is unreliable and, therefore, has no integrity.
- Data Integrity 102 – if the data is not reliable, it is essentially equivalent to not writing it down (see GxP 101); in other words, it did not happen.
- Data Integrity 103 – “21 CFR 210.1 (b) – the failure to comply with any regulation set forth in this part and in parts 211, 225, and 226 of this chapter … shall render such drug to be adulterated under section 501 (a)(2)(B) of the act … shall be subject to regulatory action.”
- Data Integrity 104 – If it can’t be found, retrieved, or changed without understanding why, it is not reliable (see Data Integrity 101-103).
These core principles apply to any content readers would choose to trust. David’s article goes on to surface the principles of ALCOA:
- Attributable. It should be possible to identify the individual or computerized system that performed the recorded task.
- Legible. All records must be legible – the information must be readable for it to be of any use.
- Contemporaneous. The evidence of actions, events, or decisions should be recorded as they take place.
- Original. The original record can be described as the first capture of information, whether recorded on paper (static) or electronically (usually dynamic, depending on the system’s complexity).
- Accurate. Ensuring accurate results and records can be achieved through many elements of a robust pharmaceutical quality system.
Exploring SCITT as a Means to Be GxP Compliant
David’s article provides an excellent background to GxP’s requirements. If GxP provides industry expectations for compliance, what are the best practices for implementing these compliance requirements?
DataTrails, other vendors, and individuals have contributed to IETF standards for Supply Chain, Integrity, and Trust (SCITT). SCITT provides a means to record Statements made by an entity (Identity) about an Artifact on an append-only, tamper-evident log.
The SCITT elements provide a concrete model for defining trust in the referenced information. Humans, or computers, must be assured that decisions are made based on trustworthy data. As noted above, the statement must be Attributable. If you don’t know who made the statement or when the statement was made, how do you associate appropriate trust in the information?
Perhaps the entity making the statement is trusted for a different scenario. Statements attributable to veterinary research may not apply to humans. That doesn’t make the statements untrustworthy; instead, they are only applicable to veterinary scenarios. These compliance statements may later be amended to apply to humans, likely made by an identity associated with human trials.
In SCITT, the statements can be any content, including:
- A Standard Operational Procedure (SOP) SOP-802
- A named SOP that was applied to the cleaning of an assembly line F102
- An audit report stating assembly line F102 was inspected by Inspector 99, and it was found compliant with the SOP-802
- Details of clinical trial CT-867
- A compliance report stating the source of the ingredients for Drug D-5309 originated from a specific list of approved countries and companies
Additional Metadata and the Subject
SCITT provides a protected header, which includes information about the identity of the entity making the statement and an opportunity to provide additional metadata about the statement. This metadata consists of a subject, which can represent whatever the identity wishes to associate the statement with. The statement could be applied to a subject of Assembly Line F102, Clinical Trial CT-867, or Drug D-5309. In DataTrails, the subject can be searched, returning all the statements made about the subject, providing a means to find past and current statements attributable to a subject.
Amending and Appending Information
Using our veterinary-to-human applicability of the drug scenario above, Drug D-5309 may have been only applicable to specific animals as of March 2000, as attested by the TAC Association of Gibraltar. In June 2020, the EMA completed testing and attested to D-5309 being applicable to humans age six and over. Using the subject of D-5309, a researcher or auditor with appropriate permissions could find all statements attributable to Drug D-5309.
Suppose a later study in January of 2024 determines that one of the compounds used in D-5309 causes cancer in patients with Type 2 Diabetes. In that case, a new statement may be appended to the SCITT Service, making it available to researchers and auditors. Each statement is associated with an identity that made the statement and a timestamp, assuming the statements can be ordered and associated with a given date.
If someone challenged why D-5309 was prescribed to their teenager, when they know the drug is used on their pet fido, they would find the amended statement for application to humans. Likewise, if someone challenged why D-5309 was prescribed in November of 2023, when it’s currently known to cause cancer, an evaluation of the ledger would prove D-5309 was only discovered to cause cancer in January of 2024. In these scenarios, the time the statement was made by trusted entities is critical to establishing why decisions were made at that point in time based on the trusted information that was known at that point in time.
With SCITT, statements have time associated with when they were made, by whom, and how that compares to the standard of “today.” cGxP now has meaning, as the recorded statement can be compared to current standards.
SCITT captures who made a statement about an artifact, recorded at a point in time. Auditors can then review the series of statements and any other related information to validate whether all parties were acting on published information and whether the entities making the statements are applicable to the specific scenario in question.
As we explore GxP, it appears that implementing SCITT with DataTrails restores a way to align authenticity, integrity protection, and time with the current standards of GxP, evolving from the historical paper-based systems or the mutable databases many may be implementing today.
Are You Implementing GxP
If you’re exploring how you can be compliant with GxP and would like to understand how DataTrails can help meet current and future requirements, please reach out to discuss how we can partner together: Contact Us – DataTrails
