Data integrity is an important consideration in today’s pharmaceutical GxP laboratories. Compliance violations involving data integrity have led to numerous regulatory actions by the FDA in recent years, including warning letters, import alerts, and consent decrees.

As part of its mission to ensure the safety, efficacy and quality of products produced by the pharmaceutical industry, the FDA expects that all data submitted to the agency to obtain market approval is both reliable and accurate. The FDA considers the integrity of data, from the moment it is generated, and extending through to the end of its life cycle, to be a critical component of ensuring that only high-quality and safe drugs are manufactured.

Citing a trend of increasing regulatory compliance violations involving data integrity during current good manufacturing practice (cGMP) inspections, the FDA published an updated version of its Data Integrity and Compliance with cGMP Guidance in December 2018. This guidance had been originally issued as a draft guidance in April 2016.

The purpose of this newly released guidance is to clarify the role of data integrity in cGMP for human and veterinary drugs, medical devices and biological products, as required in 21 CFR parts 210, 211 and 212. Let’s review this newly published FDA guidance on data integrity in order to flush out the implications for pharmaceutical GxP laboratories.

FDA cGMP Regulations

In this guidance document, the FDA clarifies the role of data integrity in current good manufacturing practice for drugs (finished pharmaceuticals and PET drugs), as documented in 21 CFR parts 210, 211, and 212. The cGMP data integrity requirements emphasized by the FDA in this guidance include:

• Part 211.68 – Backup data should be “exact and complete” and “secure from alteration, inadvertent erasures, or loss”. Computer output should “be checked for accuracy”.
• Part 212.110(b) – Data should be “stored to prevent deterioration or loss”.
• Parts 211.100 and 211.160 – Certain activities should be “documented at the time of performance” and laboratory controls need to be “scientifically sound”.
• Part 211.180 – Records should be retained as “original records,” or “true copies,” or other “accurate reproductions of the original records”.
• Parts 211.188, 211.194, and 212.60(g) – Companies should maintain “complete information,” “complete data derived from all tests,” “complete record of all data,” and “complete records of all tests performed”.
• Parts 211.22, 211.192, and 211.194(a) – Production and control records should be “reviewed” and laboratory records should be “reviewed for accuracy, completeness, and compliance with established standards”.
• Parts 211.182, 211.186(a), 211.188(b)(11), and 211.194(a)(8) – Records should be “checked,” “verified,” or “reviewed”.

The FDA also lists a series of threshold questions in the Background section of the guidance that may be helpful to ask when considering how to meet these regulatory requirements:

• Are controls in place to ensure that data is complete?
• Are activities documented at the time of performance?
• Are activities attributable to a specific individual?
• Can only authorized individuals make changes to records?
• Is there a record of changes to data?
• Are records reviewed for accuracy, completeness, and compliance with established standards?
• Are data maintained securely from data creation through disposition after the record’s retention period?

FDA Guidance on Data Integrity and Drug Compliance with cGMP

This new guidance emphasizes the importance of creating a flexible and risk-based company-wide data integrity strategy, and strongly suggests that management should be involved with both the development and implementation of this strategy. Effective strategies “should consider the design, operation, and monitoring of systems and controls based on risk to patient, process, and product.”

The new guidance maintains the same structure of 18 questions and answers used in the original 2016 draft version in an effort to provide clear and concise solutions to common issues in an easy to follow Q&A format. The wording of each of the questions in the new guidance is essentially the same as in the draft version, with 3 notable exceptions:

Question 2: When is it permissible to invalidate a cGMP result and exclude it from the determination of batch conformance?

Here, the FDA reiterates a number of points made in the 2016 draft guidance:

• All data created as part of a cGMP record must be maintained for cGMP compliance and evaluated by the quality unit for conformance with specifications as part of release criteria.
• Out-of-Specification (OOS) test results require a “valid, documented, scientifically sound justification” in order to be excluded from quality unit decisions about conformance to a specification.
• The FDA’s, “Guidance for Industry: Investigating Out-of-Specification (OOS) Test Results for Pharmaceutical Production” provides criteria that can be used to determine when OOS results may be considered invalid.

In the new 2018 guidance, the FDA adds that in the case of an invalidated test result, “the full cGMP batch record provided to the quality unit would include the original (invalidated) data, along with the investigation report that justifies invalidating the result.”

Question 15: Can an internal tip or information regarding a quality issue, such as potential data falsification, be handled informally outside of the documented cGMP quality system?

The new guidance makes it clear that all identified data integrity errors “must be fully investigated under the cGMP quality system to determine the effect of the event on patient safety, product quality, and data reliability.” This expands the scope beyond just errors identified through internal tips and compliance hotlines. The FDA now requires investigations to be conducted for data integrity errors discovered through any source of information, including internal audits and independent third-party assessments.

Question 18: How does FDA recommend data integrity problems be addressed?

In the new 2018 guidance, the FDA provides detailed recommendations on how to address data integrity problems:

• Determine the problem’s scope and root causes.
• Conduct a scientifically sound risk assessment of its potential effects (including impact on data used to support submissions to FDA).
• Implement a management strategy, including a global corrective action plan, that addresses the root causes.

The strategy to address root causes may include:

• retaining a third-party auditor.
• removing individuals responsible for data integrity lapses from positions where they can influence cGMP related or drug application data at your firm.
• improvements in quality oversight.
• enhanced computer systems.
• the creation of mechanisms to prevent recurrences and address data integrity breaches (e.g., anonymous reporting system, data governance officials and guidelines).

Other Relevant Changes in the 2018 Guidance

In addition to changes from the original 2016 draft guidance highlighted above, there are a number of other changes that manufacturers would be wise to carefully consider:

Audit Trail Reviews. The 2018 guidance suggests that review frequency for audit trails should mirror review frequency for the data specified in cGMP. In addition to requiring audit trail review before batch release, the 2018 guidance suggests audit trail review after each significant step in manufacture, processing, packing, or holding.

Additionally, the 2018 guidance suggests that if review frequency for the data is not specified in cGMP regulations, you should determine the review frequency for the audit trail using knowledge of your processes and a risk assessment that includes evaluation of data criticality, control mechanisms, and impact on product quality.

System Suitability Testing. The FDA considers it a regulatory violation to use actual samples in system suitability test, prep, or equilibration runs as a means of disguising testing into compliance. In this guidance, the FDA has clarified its thinking regarding the use of actual samples during system suitability testing. Such samples should be a properly characterized secondary standard from a different batch than sample(s) being tested. cGMP records must provide transparency and be complete. “All data – including obvious errors and failing, passing, and suspect data – must be in the CGMP record.”

Computer System Validation (CSV). In this new guidance, the FDA has expanded its discussion of CSV to emphasize that validation studies on computer systems “should be commensurate with the risk posed by the automated system” and should validate the system for its intended use. Additionally, all non-CGMP functions performed by a system should be assessed for the potential to affect CGMP operations and mitigated appropriately.

Employee Training. The 2018 guidance states that, in addition to receiving training in detecting data integrity issues, personnel must be training in preventing data integrity issues. The FDA wants firms to train their personnel to develop corrective and preventative actions so that data integrity issues are mitigated and do not recur.

Backup Records. The FDA clarifies that the term “backup” refers to “a true copy of the original record that is maintained securely throughout the record retention period.” Additionally, “backup data must be exact, complete, and secure from alteration, inadvertent erasures, or loss.”

Access to Computer Systems. Rights to alter files and settings (e.g., system administrator role) in the computer system should not be assigned to those responsible for record content. Small companies are no longer excluded from this requirement.

Shared Logins. The FDA requires unique logins for all users that have permission to modify data. Shared login accounts for users accessing the system for read-only data viewing are acceptable. Be aware, however, that these shared login accounts do not “conform with the part 211 and 212 requirements for actions, such as second person review, to be attributable to a specific individual.”

FDA Access to Records. The FDA clarifies that it can review “records generated and maintained on computerized systems, including electronic communications that support cGMP activities.” Relevant email communications (e.g., email to authorize batch release) can be reviewed, for example.

Conclusion

With this new finalized guidance, the FDA has made it clear that it takes data integrity seriously and intends to improve patient safety by enforcing cGMP regulations with a “guilty until proven innocent” approach. Pharmaceutical firms are expected to identify, manage, and minimize  data integrity risks associated with their data, products, equipment, technology, processes, and people. It is therefore critical for companies to implement robust systems with effective data integrity controls and oversight in order to avoid unpleasant financial consequences from enforcement actions.

Astrix Technology Group is a laboratory informatics consulting, regulatory advisory, and professional services firm focused on serving the scientific community since 1995. We specialize in data integrity assessments for your laboratory. If you would like to have Astrix conduct a data integrity assessment in your laboratory, or if you would like to have a free, no-obligations consultation with an Astrix data integrity specialist during your project planning and budgeting phase, please complete the form at the bottom of this page: Astrix Data Integrity Assessment