Data Lifecycle in a GxP-Regulated AI System

The data lifecycle is the key to any compliant system. In a system that depends on 'human intelligence', there is extensive, implicit human control. This implicit control decreases as human dependency decreases and machine (artificial) dependency increases, which creates a growing need for better explicit control over the data lifecycle. I bring this concept to the fore by mapping the NIST data lifecycle against GxP IT/21 CFR Part 11 requirements. The article should be read in conjunction with my earlier articles, including (but not limited to) 'AI Risk Management Framework by NIST: In Relationship with the Pharmaceuticals and Medical Devices Industry' and 'ERES regulations and AI systems', to better understand the regulatory requirements and implementation concepts. Do note the fundamental aspect that I have mentioned earlier as well: you should base your decision on the intended purpose, and the human-in-loop factor should be considered wherever the risk crosses the tolerance limit.

Managing data in a GxP-regulated AI system involves meticulous adherence to regulatory requirements to ensure data integrity, security, and compliance throughout its lifecycle. The National Institute of Standards and Technology (NIST) defines the data lifecycle in the following stages: Collection, Maintenance, Use, Sharing, Archival, and Disposal. This article maps each NIST-defined data lifecycle stage to specific GxP regulations and provides a comprehensive use case to illustrate how compliance is maintained in practice.

Data Lifecycle Stages and Compliance Measures

Stage 1: Data Collection

Regulations and Standards

  • 21 CFR Part 11.10(b): Ensures that the system can discern invalid or altered records.
  • EU Annex 11, Principle: Data must be collected in a manner that ensures its integrity and compliance with regulatory requirements.

Processes

  • Data is generated and collected from various sources, including electronic patient records, laboratory instruments, clinical trials, or manufacturing processes.
  • Ensuring data accuracy, completeness, and integrity from the point of capture is essential.
  • Data should be time-stamped and accompanied by metadata specifying the source and context.

Stage 2: Data Maintenance

Regulations and Standards

  • 21 CFR Part 11.10(c): Requires that data can be retained throughout its lifecycle without being altered or deleted.
  • EU Annex 11, Section 8.3: Emphasizes the importance of maintaining data integrity throughout its lifecycle.

Processes

  • Data is stored in secure, validated databases. Regular maintenance tasks include data validation checks and consistency reviews.
  • Data encryption and access controls are implemented to protect sensitive information, ensuring that only authorized personnel can access the data.

Stage 3: Data Use

Regulations and Standards

  • 21 CFR Part 11.10(e): Requires audit trails for the use and modification of electronic records.
  • EU Annex 11, Section 12: Stresses the need for accurate data to support decision-making and regulatory submissions.

Processes

  • AI algorithms are validated to ensure they process data accurately and consistently. This includes testing algorithms with known datasets and documenting the results.
  • All data processing activities are recorded in audit trails, which are reviewed periodically to detect unauthorized changes or anomalies.
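
One way to make the Stage 3 audit trail reviewable for unauthorized changes, shown as an added example (not from the original article or any specific product): each entry carries the Stage 1 timestamp and source metadata and is chained to its predecessor with an HMAC. The field names, sample records and demo key are constructed assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value for the first entry


def _mac(key, body):
    # Canonical JSON so the same entry always yields the same MAC.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_entry(trail, key, user, action, record_id, source, old, new, ts=None):
    """Append a who/what/when entry chained to the previous one."""
    body = {
        "seq": len(trail),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "user": user, "action": action, "record_id": record_id,
        "source": source, "old": old, "new": new,
        "prev": trail[-1]["mac"] if trail else GENESIS,
    }
    trail.append({**body, "mac": _mac(key, body)})
    return trail[-1]["mac"]  # head value to anchor outside the database


def verify_trail(trail, key, anchored_head=None):
    """Periodic review: return (index, finding) pairs; empty means intact."""
    findings, prev = [], GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            findings.append((i, "entry removed, inserted or reordered"))
        if not hmac.compare_digest(_mac(key, body), str(entry.get("mac"))):
            findings.append((i, "entry altered after it was written"))
        prev = entry.get("mac")
    # Dropping the newest entries leaves a valid chain; only a head value
    # kept elsewhere (e.g. write-once storage) exposes that.
    if anchored_head is not None and prev != anchored_head:
        findings.append((len(trail), "trail truncated or replaced"))
    return findings


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: real key lives in an HSM/KMS
    trail = []
    append_entry(trail, key, "jdoe", "create", "SUBJ-001/HR", "wearable-17", None, 72)
    head = append_entry(trail, key, "asmith", "modify", "SUBJ-001/HR", "eCRF", 72, 74)
    trail[0]["new"] = 80  # simulated unauthorized edit
    print(verify_trail(trail, key, head))
```

Anyone holding the HMAC key can rewrite the chain, so the key and the anchored head value need to sit outside the reach of database administrators.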

Stage 4: Data Sharing

Regulations and Standards

  • 21 CFR Part 11.30: Controls for open systems must ensure data integrity during transmission.
  • EU Annex 11, Section 17: Emphasizes the need for data security during sharing and transmission.

Processes

  • Data sharing is conducted over secure channels, with encryption and access controls to prevent unauthorized access.
  • Documented procedures and agreements are in place for data sharing with third parties, ensuring compliance with relevant regulations.

Stage 5: Data Archival

Regulations and Standards

  • 21 CFR Part 11.10(c): Electronic records must be archived in a manner that ensures their integrity and accessibility.
  • EU Annex 11, Section 8.2: Specifies the need for procedures to ensure data integrity during archival.

Processes

  • Data is archived in secure, validated systems that ensure its integrity over the long term. This includes using tamper-evident storage media and maintaining access controls.
  • Regular audits and checks are performed on archived data to ensure it remains intact and accessible.

Stage 6: Data Disposal

Regulations and Standards

  • 21 CFR Part 11.10(e): Requires proper procedures for the disposal of electronic records to ensure they cannot be reconstructed or retrieved.
  • EU Annex 11, Section 17: Specifies the need for documented procedures for data disposal.

Processes

  • Data that is no longer needed for regulatory or research purposes is securely disposed of. This includes both electronic data and physical records.
  • Disposal methods include secure digital deletion and physical destruction, ensuring that data cannot be reconstructed or retrieved.

Let us look at an example: Clinical Trial Data Management in a GxP-Regulated AI System

In a clinical trial setting, data is collected, maintained, used, shared, archived, and eventually disposed of, all while adhering to stringent GxP regulations. Here's how the entire data lifecycle is managed:

Data Collection: Data is collected from multiple sources such as wearable devices, electronic patient records, and laboratory instruments. Each data point is time-stamped and accompanied by metadata specifying the source and context, ensuring traceability and accountability. This process aligns with 21 CFR Part 11.10(b) and the principles of EU Annex 11.

Data Maintenance: Collected clinical trial data is stored in a secure, validated database. Regular maintenance includes data validation and consistency checks to maintain data integrity. Encryption protects sensitive patient information, and access controls restrict data access to authorized personnel only, complying with 21 CFR Part 11.10(c) and EU Annex 11, Section 8.3.

Data Use: The AI system processes the clinical trial data to identify patterns and generate insights about the trial's progress and outcomes. Detailed audit trails capture all data modifications and usage, ensuring transparency and traceability. This stage adheres to 21 CFR Part 11.10(e) and EU Annex 11, Section 12.

Data Sharing: Processed data and generated insights are shared with clinical trial stakeholders, including sponsors, researchers, and regulatory bodies. Secure communication channels, such as encrypted emails and secure file transfer protocols, are used for data sharing. Documented procedures ensure compliance with 21 CFR Part 11.30 and EU Annex 11, Section 17.

Data Archival: At the end of the clinical trial, all relevant data is archived in a secure, validated system that ensures long-term preservation. Archived data includes raw data, processed data, audit trails, and all related documentation, following 21 CFR Part 11.10(c) and EU Annex 11, Section 8.2.

Data Disposal: Data no longer needed for regulatory or research purposes is securely disposed of, including secure digital deletion and physical destruction. Documented procedures ensure proper and secure data disposal, preventing reconstruction or retrieval, as required by 21 CFR Part 11.10(e) and EU Annex 11, Section 17.

In conclusion

Managing the data lifecycle in a GxP-regulated AI system involves stringent adherence to regulatory requirements to ensure data integrity, security, and compliance. By following the guidelines set forth by regulations such as 21 CFR Part 11 and EU Annex 11, organizations can effectively manage their data throughout its lifecycle, ensuring that it remains accurate, reliable, and secure. This approach not only meets regulatory requirements but also supports the generation of reliable and trustworthy data for decision-making and regulatory submissions.

References

1. 21 CFR Part 11

2. EU Annex 11

3. NIST Data Lifecycle Stages

4. GxP Guidelines (GMP, GCP, GLP)


Disclaimer: The article is the author's point of view on the subject based on his understanding and interpretation of the regulations and their application. Do note that AI has been leveraged for the article's first draft to build an initial story covering the points provided by the author. Post that, the author has reviewed, updated, and appended to ensure accuracy and completeness to the best of his ability. Please use this after reviewing it for the intended purpose. It is free for use by anyone till the author is credited for the piece of work.

Alagu R.

Technical Specialist, Consulting, ITQA Pharmacovigilance, IT Quality and Compliance, Quality Assurance, CSV Validation, CSA, GAMP, GxP, Data Integrity, Regulatory compliance (All views are personal)

7 months

Nice inputs but data as such is an asset and the regulations are to protect the data asset. Applying the principle of data life cycle may help theoretically however the application of regulations on the product life cycle (SDLC) comes closer to reality...
