Data is one of the most valuable assets in any organization, especially for companies working in the Life Science environment, as data allows them to draw conclusions about the efficacy and safety of their products. Data is also crucial to demonstrate quality and compliance from a regulatory perspective or gain business intelligence that helps companies make better commercial decisions.
Many organizations put a lot of effort into validating and controlling their IT systems used to generate, process and consume regulated (GxP) data; however, when data is migrated from one system to another, the same level of control is not always applied. It is evident to organizations that using IT platforms and systems that are not adequately qualified and validated carries significant risks. Still, those risks may seem less apparent or not as well understood when it comes to data migration. In the same way, expectations from health authorities about the migration of regulated data are not always very explicit or well known, leading to a lack of awareness from the organizations.
Consequently, the integrity of migrated data may be rendered unreliable if migration is done in an uncontrolled manner, even if the IT systems hosting the data are validated and qualified. In most cases, this poses a high risk to organizations, from a reputational, financial, and compliance risk, to a patient safety risk, in a worst-case scenario. The good news is that these risks can be easily mitigated by implementing the proper controls during the migration process.
What is data migration?
It can be defined as the activity of transporting electronic data from one given IT system or platform (known as “source”) to another (known as “target”) as a one-time event where data is not transferred through a validated integration (interface part of the validated system functionality – dataflow) between the two systems or platforms. Usually, data migration is required during replacement or upgrade of IT platforms, rehosting of IT applications (e.g., cloud migration), relocation of a data center, data archival as part of IT systems retirement, etc.
Most of the time, data cannot be loaded into the target system “as is” from the source system, so it has to be adapted to be taken by the target system. This is called data conversion or transformation and is part of the migration process. Examples of data conversion include changing the data format or data type, combining different fields in a table into one, adding metadata (data enrichment), etc.
Figure 1: Data Migration and Conversion Process. Copyright KVALITO Consulting Group, 2022.
What does “controlled” data migration mean?
Data migration is performed in a “controlled” manner when controls are designed and applied throughout the migration process to ensure that the integrity of data is maintained at all times. Controls should be designed on a case-by-case basis and based on the risk posed by the migration activity. Several factors should be considered when determining the migration risk, including the criticality and relevance to the organization of the data involved and the complexity of the migration method (technology).
Some examples of standard controls include:
- Data is migrated following a predefined and approved process: there is a documented plan/procedure (e.g., Data Migration Plan) that clearly identifies the steps, tools, roles and responsibilities, etc., required to migrate data.
- Migration and conversion requirements (e.g., source-target mapping tables, data transformation rules, etc.) are defined and agreed on by the data owner in collaboration with the migration team so that the migration expectations and acceptance criteria are clear before the migration starts.
- Migration software tools or programs and staging IT environments (e.g., platform used to store data temporarily) used in the migration process are fit for purpose.
- Testing and verification steps are embedded into the migration process to ensure data is completely and accurately migrated as per the migration and conversion requirements.
All these controls help maintain data integrity and ensure the quality and compliance of the migration and conversion process.
When data is migrated in an “uncontrolled” fashion, unpredictable and unintended results might occur, and errors in migrated data can remain undetected, resulting in loss of data integrity (data cannot be trusted anymore). If migrated data becomes indistinguishable from (reliable) data that already existed in the target system, all data stored in the target system may be rendered unreliable too. Hence, the consequences of migrating data in an uncontrolled manner affect data in the scope of the migration and pre-existing data in the target system.
Figure 2: Uncontrolled Data Migration. Copyright KVALITO Consulting Group, 2022.
What do regulators expect regarding migration of GxP data?
Data owners must protect and maintain the integrity of regulated data throughout its entire life cycle, whether it is data used in research and development, pharmacovigilance, manufacturing, commercial, quality and compliance, supply chain data, or data used in any other business domain with indirect or direct implications for product quality or patient safety. Data migration is yet another activity in the data life cycle, which is why it must be controlled as well to maintain its integrity.
Figure 3: Data Life Cycle. Copyright ISPE 2017
Below are a few examples of what Life Science regulators expect from data owners when migrating GxP (electronic) data:
“If data are transferred to another data format or system, validation should include checks that data are not altered in value and or meaning during this migration process. “Extracted from EU Vol 4 GMP Annex 11 section 4.8.
“Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements set forth in Agency regulations. “Extracted from FDA 21 CFR Part 11 Section I Introduction.
“Data transfer/migration procedures should […] be robustly designed and validated to ensure that data integrity is maintained during the data lifecycle.” Extracted from MHRA ‘GXP’ Data Integrity Guidance and Definitions.
Similarly, industry guidance and best practice documents also provide direction regarding migration of regulated data:
“All phases in data life cycle from initial data creation, capture, and recording through processing (including transformation or migration) […] should be controlled and managed in order to ensure accurate, reliable, and compliant records and data.” Extracted from ISPE GAMP Records & Data Integrity.
“Quality management controls should be in place to assure that data migration efforts are successful, compliant, and repeatable. Each data migration should be managed within the framework of a Data Migration Plan and Report.” Extracted from ISPE GAMP Records & Data Integrity.
“Migration should be based on a defined process, including a documented risk assessment, and managed within the framework of a data migration plan and report.” Extracted from ISPE GAMP Risk-Based Approach to Compliant GxP Computerized Systems.
Challenge
The following list contains some of the most relevant quality and compliance challenges that some organizations face when dealing with migration of GxP data and some recommendations:
- The organization lacks straightforward risk-based procedures for controlled GxP data migration, including templates to produce consistent migration records.
Implement a Data Migration procedure for planning, executing and verifying data migration activities. Include aspects such as expected deliverables and records to be produced during the migration, roles and responsibilities, risk assessment, data verification, metadata migration (e.g., audit trails), fitness for intended use of migration tools and IT platforms, treatment and quality controls required for migrating unreliable source data, etc.
- The power of effective and actionable risk assessment in the context of data migration is not harnessed. Migration activities, including data verification, are not scaled based on risk, resulting in a lack of efficiency and potential impact to the quality of the migration if critical areas are not sufficiency tested
Scale migration activities based on risk, including the level of documentation and rigour of migration testing and data verification. Define concise risk assessment criteria to determine the migration risk, for example, data criticality (Low, Med, High) and migration complexity (Low, Med, High). Migration complexity is higher when data filtering or data transformation is based on complex logic.
- There are no clear and harmonized criteria for data sampling when large volumes of data have to be verified.
Always use science-based sampling procedures such as ASQ/ANSI and define clear criteria to select the inspection level based on risk (e.g., lower risk => lower inspection level).
- IT platforms used to temporarily store data (intermediate staging areas) pose a risk to the migration if they are not controlled from a data integrity perspective.
Always ensure the staging areas have audit trail capabilities unless data permissions are read-only. Data permissions (e.g., read, write) must be granted based on controlled procedures. The IT platforms and software tools involved in the migration exercise must remain controlled under configuration and change management.
- Data may need to be migrated from unreliable sources (e.g., non-validated legacy systems, systems not controlled by the organization, etc.) to validated target systems, which poses a high risk to reliable (existing) data in the target.
Define and apply controls (as part of the migration requirements and specifications) to ensure that migrated data from unreliable sources does not mix up with existing data in the target system, such as utilizing metadata tags, differences in record dates, etc. Thus, migrated data will be distinguishable from existing data.
- Audit Trail records associated with data in scope of the migration cannot be migrated from source to target system due to technical constraints.
Archive the audit trail records and ensure they can be retrieved over time. Information about how to retrieve the legacy audit trail records, from an IT and Business standpoint, should be available in relevant procedures or the related Data Migration Report or both.
- Migration software tools enable data migration with increased speed and efficiency, but they can also present some risks to data integrity.
Only use tools that have demonstrated fitness for their intended use. This can be achieved by qualifying the software tool for its intended functionality or by qualifying the tool in the context of the migration exercise. The latter involves validating the migration process in a target test environment, including complete data verification, before data is migrated to the operational target environment.
What KVALITO did
- KVALITO has supported Life Science clients to achieve high-quality and compliant migration campaigns in the different business domains, including pre-clinical, clinical, regulatory submissions, safety, commercial, etc., as follows:
- Development of Data Migration and Test procedures, including risk-based test strategy to perform data migration and conversion verification based on data criticality and migration method complexity.
- Preparation of Data Migration Plan and Report templates for structured and unstructured data migration that contained built-in quality controls.
- Development of standardized test specifications for data migration and conversion verification, including clear criteria to determine appropriate sample sizes based on the level of risk, and using science-based sampling procedures.
- Creation of Data Migration playbooks/guides with information about required controls, deliverables, test activities, roles and responsibilities, etc., and clear guidance on addressing compliance challenges such as migration from unreliable sources or adequacy assessment of migration software tools and platforms.
- Qualification of migration vendors and software tools for intended use.
- Support continuous improvement initiatives related to data migration.
- Quality and compliance oversight and QA review and approval for more than 50 GxP migration projects, including structured and unstructured data migration.
Focusing on patient safety, data integrity, product quality, regulations and industry best practices i.e.
- FDA 21 CRF Part 11 “Electronic Records and Electronic Signatures”
- EU GMP Annex 11
- FDA General Principles of Software Validation
- WHO Guidelines on Validation – Appendix 5 Validation of Computerized Systems
- Data Integrity guidelines (MHRA, EMA, FDA, WHO, PICS)
- GAMP5
Roles, Processes, and Tools
Roles
- Technology Quality Consultant
- eCompliance Manager
- Project Quality Manager
- Business Analyst
Processes
- Software Validation and IT Platform Qualification
- Supplier Qualification
- Change Management
- Quality Risk Management
- Risk Assessment
- Testing and Defect Management
- Deviation and CAPA Management
Tools
- Micro Focus Application Lifecycle Management
- ServiceNow
- Veeva Vault
- Beyond Compare
- FME Migration Center
- Intralinks Data Room
- Windows Robocopy
- ASQ/ANSI QUALITY STANDARDS – Sampling Procedures and Tables for Inspection by AttributesZ1.4
- Microsoft Azure
- Microsoft SharePoint
- Microsoft OneDrive
- Windows Network Drives
- JIRA
- PL/SQL
Value Delivered
- A clear understanding of the quality and compliance requirements and expectations and the required controls to fulfil them and protect data integrity during migration of GxP data.
- A lean and risk-based framework (procedures, templates, playbooks, test specifications, risk assessment) to execute migrations with increased speed and quality and produce the right quality and compliance records.
- Continuous quality and compliance support and advice to migrate GxP data ensuring business continuity and protecting data integrity and patient safety.
- Assessment of migration vendors and verification of software tools used during the migration to ensure fitness for intended use and readiness for use in GxP migrations.
Clients / References:
- Novartis
- Johnson and Johnson
