Guest Column | November 16, 2016

Comparing Recent Data Management/Integrity Guidances: FDA, EMA, & China FDA

By Barbara Unger, Unger Consulting Inc.

In 2015 and 2016, six major international regulatory authorities published guidance documents addressing data management and data integrity. Two of the guidances — the draft guidance published by the U.S. Food and Drug Administration (FDA) in April 2016 and the guidance posted by the European Medicines Agency (EMA) in August 2016, take a question and answer approach. The guidances from the China Food and Drug Administration (CFDA), the UK’s Medicines and Healthcare products Regulatory Agency (MHRA), the Pharmaceutical Inspection Co-operation Scheme (PIC/S), and the World Health Organization (WHO) take a more standard narrative approach to their regulatory guidance. That being said, all of the guidance documents are markedly similar in their overall expectations.

In this article, we will look at the EMA and FDA Q&A guidances, as well as the recently published Drug Data Management Standard from CFDA. The next article will explore guidances from the other three authorities.

EMA and FDA Guidances: Similarities and Differences

The EMA guidance addresses 23 questions related to data integrity; the FDA draft guidance addresses 18 questions. Both provide detailed information about the predicate rules and chapters/annexes that are applicable in given situations. This reiterates the fact that enforcement in this area does not represent a change in requirements, but rather a bolstering and clarification of existing requirements as applied to good manufacturing practice (GMP) records, both electronic and paper. The identification of existing requirements is uniquely valuable for audit groups as they write reports describing observations in these areas and assign the relevant requirements from regulatory authorities.

The two guidance documents have significant similarities, including but not limited to the following:

  • Both address controls over electronic records and paper records.
  • Both discuss access controls that should be applied to computer systems (EMA questions 6, 8, and 10; FDA question 4).
  • Paper printouts of some data, particularly data that was originally generated electronically, do not represent “complete data” (EMA 6, 8, 16; FDA 1, 9, 10).
  • Training of staff should include data integrity principles (EMA introduction; FDA 16).
  • Both stress the importance of audit trails (critical metadata) and their periodic review, though neither addresses the expectation that the system audit trail be reviewed to determine actions taken by the administrator (EMA 8, 15, 16; FDA 1, 7, 8).
  • Both address control over blank forms and templates (EMA 14; FDA 6).

Differences exist between the two documents in several areas. These differences, however, do not mean that that there are divergences between expectations, just in terminology and focus.

  • The EMA guidance appears to take a more ICH-focused approach, with multiple mentions of the concepts of “lifecycle” and “risk” assessments.
    • Nine of the 23 questions — numbers 3 through 11 — are specifically identified as relevant to lifecycle.
    • EMA guidance uses the term “risk” a total of 45 times, while the FDA guidance uses the term three times.
  • The EMA guidance addresses responsibilities for contracted services and their oversight with regard to data management and integrity in five questions — 19, 20, 21, 22, and 23. FDA does not address the concept, and a word-search of “contract” yields no results.
  • In the FDA guidance, question 13 addresses the use of pre-injections or test injections because FDA frequently identifies this deficiency in warning letters. The concern is that this appears to be a test-into-compliance approach. The EMA is silent on this specific topic, though it does address the need to consider all data generated as part of review.
  • The FDA guidance question 17 specifies that investigators are allowed to view electronic records. EMA does not address the topic.
  • The EMA guidance makes reference to PIC/S and also provides a link to the WHO guidance on good data and records management practices (which will be reviewed at length in my next article). The FDA does not reference publications from other regulatory authorities.

China FDA Draft Standard on Drug Data Management

In October 2016, CFDA published a Draft Standard on Drug Data Management for consultation. (This translation was graciously provided by the Rx-360 China Working Group.) The standard seems to rely on the previously published regulatory authority guidance in this area. This draft standard applies across the GxP continuum and specifically includes mention of contract research organizations (CROs). Further, this standard applies during drug development. It is governed by the principles of quality risk management (QRM) and incorporation of the activities into the quality management system (QMS).

The following items are included in the CFDA standard but are not clearly addressed by other regulatory authorities:

  • Article 12 states that “Advanced techniques are encouraged to be adopted to control risks in data integrity….” It is not clear what constitutes “advanced techniques.”
  • Article 15 makes specific mention that management should ensure that “employees' work relating to data integrity is not affected by the pressure or motivation from commercial, political, financial and other organizations.”
  • ALCOA (accurate, legible, contemporaneous, original, and attributable) is defined as a “common acronym for ‘trueness, accuracy, promptness and traceability’.” The intent seems similar with other regulatory agency guidance, though the terms are different.
  • Definitions seem to be slightly different than in other regulatory agency guidance, the most obvious being “filing” vs. “archive” and “senior manager” vs. “senior management.” Again, while the intent seems similar with other regulatory agency guidance, the terms are different.

This list identifies selected, but by no means all the, similarities between the CFDA standard and other regulatory authority guidances on this topic:

  • Industry should employ appropriate risk management for ensuring data integrity through the data lifecycle, and risk management should be incorporated into the quality system.
  • Self-inspections should evaluate data integrity implementation, and results should be reviewed by top managerial staff.
  • Data integrity shortcomings should be investigated through the deviation procedures, and findings that impact patient safety and product quality should be reported to the “drug administration” department.
  • Requirements and expectations regarding data integrity should be incorporated into the quality agreement, with defined actions for each party. The “entrusting party” has final responsibility for data integrity and decisions made based on these data.
  • Data must be attributable to a single person, and computer system accounts should not be shared.
  • Alternatives to audit trails within computer systems are permissible if they can ensure that traceability of the data cannot be altered.
  • This standard addresses the issue of “primary records” as defined in the effective MHRA guidance (which we will explore in the next article). The draft revision no longer uses or defines this term, perhaps due to the confusion and misinterpretation it may cause.
  • Review of electronic data cannot be substituted by review of a printed paper record. Review of the electronic data should include review of appropriate metadata.
  • True copies of both paper and electronic records should be verified and confirmed to ensure that the true copy “has all the contents and meanings of the original record.”
  • Processes shall be put in place to “prevent and/or help to discover the intentional or unintentional alteration, deletion, loss, deficit, replacement transcription or other nonconforming treatment of data.” This is reminiscent of 21 CFR 11.10(a) regarding the ability to discern invalid or altered records.
  • Article 47 appears to represent a description of segments of computer system validation.
  • Article 49, which addresses “system replacement,” appears to be similar to data migration in other guidances, where the accuracy of the migration, and of the data in the system after migration, is ensured.


The EMA and FDA Q&A guidances are similar and complementary in requirements and expectations. The intense emphasis on requirements for contract service providers is unique to the EMA document. Other FDA guidance, however, stresses the responsibilities that license holders have for their contractor providers. With regard to enforcement actions in this area, many warning letters are issued to API manufacturers citing deficiencies in data governance and data integrity (see related article). FDA has not issued enforcement actions against those who purchase these APIs for lack of appropriate contractor oversight, particularly when FDA felt the deficiencies were serious enough to put an import alert in place. This is something to watch for in the future, as it is an area that seems to be begging for regulator attention.

Both the China FDA and US FDA guidances are drafts, not finalized versions. We will watch for both to be finalized in the near future. It is encouraging that the most recent published guidance from China closely reflects the general positions taken by other regulatory authorities. The Eudra GMDP website publishes summary reports of noncompliance that do not provide the detail of either a form 483 or a warning letter. The general nature of the deficiencies, however, seems to be similar between the two countries. China does not yet publish its inspection reports or compliance actions, so we look forward to future transparency in inspection reports to determine how China will enforce its new standard.

In the next article, we will review the recent MHRA, PIC/S, and WHO guidances and draw some conclusions about the current state of global data management and data integrity regulations across all six international organizations.

About The Author

Barbara Unger formed Unger Consulting, Inc. in December 2014 to provide GMP auditing and regulatory intelligence services to the pharmaceutical industry. This includes GMP auditing and remediation in the area of data management and data integrity. She has extensive expertise in this area, having developed, implemented, and maintained the GMP regulatory intelligence program for eight years at Amgen Inc. This included surveillance, analysis, and communication of GMP related legislation, regulations, guidance, and industry compliance enforcement trends. Barbara was the first chairperson of the Rx-360 Monitoring and Reporting work group (2009 to 2014) that summarized and published relevant GMP and supply chain related laws, regulations, and guidance. She also served as the chairperson of the Midwest Discussion Group GMP-Intelligence sub-group from 2010 to 2014. Barbara is currently the co-lead of the Rx-360 Data Integrity Working Group.

Before Amgen, Barbara worked for the consulting firm Don Hill and Associates, providing regulatory and quality services to the pharmaceutical industry, and for Eli Lilly and Company in quality and CMC regulatory affairs positions. She began her career in the pharmaceutical/device industry with Hybritech Inc. and received a bachelor's degree in chemistry from the University of Illinois at Urbana-Champaign.