Pharmaceutical and related organisations that need to retain digital content for compliance often have strict regulatory requirements that they need to follow. For example, the FDA, MHRA and EU all lay down requirements for the management and archiving of electronic records such as studies, trials, projects and processes.
This forms part of ‘GxP’ and covers the whole drug development and manufacturing lifecycle including Good Laboratory Practice (GLP), Good Clinical Practice (GCP), Good Manufacturing Practice (GMP) and extends to monitoring and recording any adverse effects when a product is on market through Good Pharmacovigilance Practice (GPvP). For example, ‘ALCOA+’ requires data to be captured, recorded and retained in a way that is Attributable, Legible, Contemporaneous, Original, Accurate, Complete and in addition is Consistent, Enduring and Available. Many of these requirements align well with the objectives and outcomes of Digital Preservation and not surprisingly compliance archives look to the Digital Preservation community for appropriate good practice and standards to follow.
Digital preservation best practice for pharmaceuticals
Compliance archives are often built around strict regulatory compliance, they are used to complex GxP standards, and they are frequently audited by inspectors. They are familiar with regulations, rulebooks, formal processes and procedures, and a regime of documentation and control. This means that when they look at digital preservation and electronic archiving, they naturally tend to gravitate to the more formal standards in this area such as the Open Archival Information Systems (OAIS) model as an ISO standard (ISO 14721:2012) to follow.
But compliance archives in the pharmaceutical sector are only just making the transition from paper to digital. They don’t have a long history and experience of preserving and providing access to digital content. They don’t always have well developed digital preservation infrastructure or deep skills and experience in this area. In this situation, jumping straight into OAIS is like diving into the deep end when you are only just learning to swim.
Planning, implementing and operating a successful and sustainable digital archive is not a ‘sink or swim’ activity and it is not a case of getting an OAIS swimming certificate and being done with it. Digital preservation and electronic archiving should be considered as a process of continual improvement that aims to ensure that the measures used in the archive remain appropriate and proportionate for the digital content being held and the purpose for which it is being retained. There is no one-size-fits-all solution and the measures employed by one organisation will not necessarily be the same as another. Like learning to swim, everyone is different and starting in the shallow end allows confidence and technique to be built up in a safe and controlled way. Then you can move into the deep end and become a certified lifesaver if you need to.
An approach of archiving based on continual improvement that is aligned to business objectives is consistent with other standards and good practice that pharmaceutical organisations are likely to be following. Examples of this include ISO 27001 and ISO 9001, and, crucially, these match regulatory requirements for proportionate and risk-management based approaches. This means it is important for archives to be able to objectively and quantitatively assess their current capabilities (swimming skills), establish what needs to be done to meet the archive’s mission and objectives (new swimming strokes and distances), and measure and record progress (swimming badges and competency certificates).
Choosing the right maturity model for your organisation
The digital preservation and archiving communities have developed several assessment frameworks and maturity models that help substantially in these areas. This is great place to start for digital preservation swimmers of all abilities.
Maturity models are particularly useful because they provide a clear set of steps that an archive can go through to establish and then improve their digital archiving capabilities. For example:
- The National Digital Stewardship Alliance levels of digital preservation (NDSA levels). This is a simple one-page guide with four levels of good practice that covers functional areas of archiving such as storage, integrity, control, metadata and content.
- The Digital Preservation Capability and Maturity Model (DPCMM). This provides 5 levels of maturity for 13 capability areas that cover all aspects of digital preservation infrastructure and services. DPCMM is notable by defining the minimum necessary to be considered conformant with OAIS.
- The Digital Preservation Coalition Rapid Assessment Model (DPC RAM). This is a new resource from the DPC and builds upon other maturity models including the NDSA levels and DPCMM. DPC RAM is notable by being designed to be simple to use and includes a self-assessment worksheet and graphical analysis.
Self-assessment and the use of maturity models can be complemented by Trusted Digital Repository assessment and audit frameworks that involve independent validation that an archive is following recognised good practice or standards. Here too it is possible to follow a path that starts with the relatively lightweight self-assessment and works upwards to formal certifications – a from shallow-end to deep-end.
- CoreTrustSeal (CTS), which is an international, community based, non-governmental, and non-profit organization promoting sustainable and trustworthy data infrastructures. CTS provides a light-weight process for certifying digital repositories using a combination of self-assessment followed by peer-review by community archiving experts
- Nestor (nestor-Seal DIN 31644), which provides an extended certification that builds on CoreTrustSeal with a more detailed self-assessment model. Whilst a primarily German standard, there is a lot of detailed and useful guidelines on what is expected from a conformant repository in the accompanying explanatory notes.
- ISO 16363 Trusted Digital Repositories (ISO 16363 TDR), which is a standard for formal certification of repositories against the OAIS reference model. The standard is targetted at auditors, but includes detailed information on what should be present in a conformant archive and hence provides useful guidelines even if an organisation doesn’t plan to undertake ISO 16363 certification.
CoreTrustSeal, Nestor and ISO 16363 provide a progressive approach to audit and certification. With each successive level, the requirements and cost of certification also increase. Therefore, it will usually make sense to start with a simple approach such as CoreTrustSeal before seeking formal certification such as ISO 16363.
The NDSA levels, DPC RAM and CoreTrustSeal do not require that an organisation adopts and applies the OAIS model. Their focus is on good practice and they provide a much simpler starting point than the ISO standards for OAIS and TDR. Starting with good swimming technique is the key to becoming an Olympic swimmer!
By following maturity models and a programme of assessment and audit (internal or involving third-parties), an archive can be confident that it has appropriate measures in place and can provide evidence to inspectors that recognised good practice and standards have been followed.
Rather than needing to jump into the deep-end of OAIS from the outset, I’d suggest that compliance archives should start in the safer waters of maturity models and assessment frameworks, e.g. DPC RAM and CoreTrustSeal. When you feel safe and confident in the water, it becomes a lot easier to decide whether a full OAIS solution is necessary and if the organisation should undergo associated auditing such as Nestor or ISO 16363.