FDA's New Data Integrity Guidance — Highlights & Observations

While the FDA has been actively enforcing data integrity since the early 2000s, it has been late to the game publishing guidance on this topic. This week the FDA posted the final guidance Data Integrity and Compliance with Drug CGMP Questions and Answers, finalizing a draft first published in April 2016. Virtually all of the major health authorities have published guidance on this topic. The Pharmaceutical Inspection Co-operation Scheme (PIC/S) has its version 3 on this topic out for comments, and the Medicines and Healthcare products Regulatory Agency (MHRA) finalized version 2 in March 2018. The European Medicines Agency (EM) published a data integrity Q&A in August 2016.

The scope of the FDA document includes drugs, biologics, and positron emission tomography drugs. The agency also states the requirements are consistent with the requirements in ICH Q7, Good Manufacturing Practice Guide for Active Pharmaceutical Ingredients, thus expanding the scope of the document to APIs and drug substances. The FDA states it is the “role of management with executive responsibility to create a quality culture where employees understand that data integrity is an organizational core value. …”

The background section of the document, section II, identifies sections of the predicate 21 CFR 211 rules that are data integrity-related. This is valuable for GMP auditors to consider as they assign the associated standard to their observations and examples. It is worth noting that none of the examples cite 21 CFR Part 11. This section also provides useful questions to ask when evaluating GMP operations.

The guidance includes 18 questions covering the broad area of data integrity and data governance. Highlights from each question are provided below:

Question 1 addresses some basic definitions as they apply to GMP records, including data integrity, metadata, and audit trail. It further explains what is meant by static and dynamic record formats; “backup” as the term is used in § 211.68; and the term “systems” in a computer or related systems, again in § 211.68. 

Question 2 addresses the invalidation of GMP results and when the result may be excluded from consideration in batch disposition decisions. The answer provided here for electronic records does not differ from what has always been expected for paper records. Before invalidation, the result must be investigated, and a valid, scientifically sound reason must justify invalidating the result. All results must be provided to the quality unit, including the invalidated result. Record retention requirements do not differ for paper or electronic records, or invalidated records. All must be retained. In my opinion, this does not represent a novel interpretation of the governing rules.

Question 3 addresses whether each GMP workflow on a computer system needs to be validated. The short answer is yes. All validation exercises should be based on the risk the system poses to product quality and patient safety. The concern is that the system needs to be validated for its intended use, which requires addressing each GMP workflow.

Question 4 addresses access to computer systems. For all GMP systems, it is necessary to restrict access to authorized personnel. Firms should develop procedures and processes to ensure an individual's access to the systems is commensurate with their role in the organization. Further, systems administrators should be independent of those who have an interest in the content of the record.

Question 5: Shared logins have long been a concern of the FDA. At issue is the ability to trace generation or modification of a record to a unique individual. Shared passwords for systems that generate records do not permit this identification. For read-only user accounts, it is acceptable to have a shared account. However, the firm should confirm and test during validation that these controls are adequate and not permit generation or modification of records using a shared password.

Question 6: How blank forms should be controlled is a common question. Bound, paginated, and numbered notebooks issued by the document control group provide an ideal control point. These notebooks are returned to document control when they have been completed and approved. Thus, this approach permits reconciliation. Loose forms, including laboratory worksheets, should be numbered and issued by a document control group and reconciled after the worksheets or forms are completed. Un-numbered forms should not be available. Partially completed or damaged forms should be retained with the associated record.

Question 7 addresses who should review audit trails. Audit trails should be reviewed by personnel responsible for the review of the record. While the quality unit should review and approve all records, the regulations permit flexibility in assigning some of these responsibilities to a supervisor or person checking the rest of the record. Who is responsible for reviewing audit trails should be identified in well-defined procedures within a quality system.

Question 8 is related to the previous question, but instead of addressing who should review audit trails, it addresses how often they should be reviewed. Audit trails should be reviewed with the same frequency as the associated data, as specified in the GMP regulations. When the regulations do not specify the frequency of data review, the firm should determine the frequency on the basis of a documented risk assessment. The risk assessment should consider process knowledge, data criticality, control mechanisms in place, and the impact on product quality and patient safety.

This is the one answer that seems problematic to me: “§ 211.22 requires data review before batch release. In these cases, you would apply the same review frequency for the audit trail.” The FDA could have offered more specificity in this response. Dozens of audit trails are present in electronic systems. The metadata that constitutes the audit trails that are to be reviewed should be clearly identified. It is overly burdensome and provides no value in terms of product quality and patient safety to review all audit trails prior to batch release. For laboratory results such as lot release tests, it is  reasonable to review the predefined audit trails as part of the data review process. It is not reasonable to expect the content of audit trail(s) recording actions of systems administrators to be reviewed prior to each batch release.

Question 9 asks whether electronic copies can be used as accurate reproductions of paper records. The short answer is yes. However, the copies must preserve the meaning and content of the original record, be it static or dynamic in nature, and this includes all metadata that would be required to reconstruct the activity..

Question 10 addresses whether it is acceptable to retain paper printout or static records instead of original electronic records from stand-alone computerized laboratory instruments such as an FTIR (Fourier transform infrared) spectrometer). For pH meters and balances that create a printed record, that record must be retained. The situation becomes more complex for electronic records from other types of lab equipment. For example, electronic data generated by an FT-IR is dynamic and can be reprocessed. However, the printout of the data is fixed. Thus, the paper record does not meet the GMP requirements to retain original records or true copies. The answer goes on to state original records are subject to second person review to ensure correct reporting of results.

Question 11 addresses the adequacy of electronic signatures used in place of handwritten signatures for master production and control records. Yes, electronic signatures can be used in place of handwritten signatures if appropriate controls are in place which identify who signed the record in this manner.

Question 12 addresses when electronic data become a GMP record. It’s a simple answer: the electronic data becomes a GMP record at the time of its generation. Data must be created and maintained in a way where any modification would be recorded. The FDA provides detailed guidance regarding high-performance liquid chromatography (HPLC) data which must be saved to “durable media" at the completion of each step, such as peak integration or processing steps rather than waiting until the end of an injection set. All changes should be visible in an audit trail. This answer also addresses recording data on any piece of paper that is discarded after the data is officially entered into a worksheet or notebook.

Question 13: The FDA has cited firms for using actual samples during system suitability or test injections in form 483s and warning letters. This question addresses the FDA’s concerns about this practice. While the FDA provides one of the longer responses in the guidance to this question, their concern is that firms may be testing samples into compliance (see the Barr Decision) or otherwise obscuring out of specification (OOS) results that should have been formally investigated. Any use of test injections should be governed by a procedure. All data from samples must be documented and considered in batch disposition decisions.

Question 14: For chromatography data that has been reprocessed, the question is whether it is acceptable to save only the final result. The short answer is no. Regulations require complete data to be considered, and saving only the final result does not meet this requirement. Written procedures should be developed and followed regarding the reprocessing of chromatography data.

Question 15 addresses whether an internal tip or information regarding potential data falsification can be handled informally, outside of the quality system. The answer is no. This information must be documented and investigated within the quality system. The FDA also provides an email address for individuals who wish to communicate data problems directly to the FDA. The FDA does not address sensitive human resource issues that may be raised by such investigations. It seems logical that even when the investigation is conducted within the quality system, it may require sensitivity to personal information.

Question 16 addresses whether personnel should be trained in preventing and detecting data integrity issues as a part of routine GMP training. No surprise here, the answer is yes.

Question 17 addresses whether the FDA may view electronic records. Consistent with GMPs, the FDA may review all records, both paper and electronic. Failure to permit evaluation of electronic records may be considered an attempt to delay, deny, limit, or refuse a drug inspection.

Question 18: How does the FDA recommend data integrity problems to be managed? This seems closely related to question 15. The FDA mentions the importance of investigation to determine the root cause of the deficiency in data integrity, an assessment of the risk to product quality and patient safety, and remediation of the conditions that allowed this shortcoming to occur. While the FDA does not mention this, it is instructive to read the long version of the “Data Integrity Remediation” section of warning letters. It is also useful to read and follow the 1991 FDA Application Integrity Policy Points to Consider.

In conclusion, the FDA has broadened the scope of the guidance from that which was included in the draft version. They have added more detail and examples to assist firms in applying the guidance. This guidance should be considered in conjunction with the 2018 MHRA guidance and the 2016 WHO guidance. I find nothing novel in the guidance, except for the sweeping statement on audit trail review prior to batch release that would represent a departure from how the FDA has been enforcing in this area. The FDA has a long history of taking action, extending back at least to 2000. Companies would be well served by evaluating warning letter and consent decree history on the topic and should continue to follow current enforcement actions to remain aware of the FDA’s areas of focus.

About The Author:

Barbara Unger formed Unger Consulting, Inc. in December 2014 to provide GMP auditing and regulatory intelligence services to the pharmaceutical industry, including auditing and remediation in GMP areas including data management and data integrity. Her auditing experience includes leadership of the Amgen corporate GMP audit group for APIs and quality systems. She also developed, implemented, and maintained the GMP regulatory intelligence program for eight years at Amgen. This included surveillance, analysis, and communication of GMP-related legislation, regulations, guidance, and industry compliance enforcement trends. Unger was the first chairperson of the Rx-360 Monitoring and Reporting work group (2009 to 2014) that summarized and published relevant GMP- and supply chain-related laws, regulations, and guidance. She also served as the chairperson of the Midwest Discussion Group GMP-Intelligence sub-group from 2010 to 2014. She is currently the co-lead of the Rx-360 Data Integrity Working Group. You can contact her at bwunger123@gmail.com.