The U.S. Food and Drug Administration (FDA) has recently published the draft guidance, Data Integrity and Compliance with CGMP, which comes after years of increased data integrity issues worldwide, including issues with oversight, or control, of paper records and inadequacies of audit trails. It is intended to “clarify the role of data integrity in current good manufacturing practice (CGMP) for drugs” through answers to various questions on this topic. This draft guidance applies to both human and animal drugs and biologics.

The draft guidance begins by setting forth the following definitions:

  • “data integrity” – “the completeness, consistency, and accuracy of data”
  • “metadata” – “the contextual information required to understand data” and also described as “data about data”
  • “audit trail” – “a secure, computer-generated, time-stamped electronic record that allows for reconstruction of the course of events relating to the creation, modification, or deletion of an electronic record” and also described as “a chronology of the ‘who, what, when, and why’ of a record”
  • “static” record formats – “a fixed-data document such as a paper record or an electronic image”
  • “dynamic” record formats – one that “allows interaction between the user and the record content”
  • “backup” – “a true copy of the original data that is maintained securely throughout the records retention period”
  • “systems” – “people, machines, and methods organized to accomplish a set of specific functions”
  • “computer or related systems” – “computer hardware, software, peripheral devices, networks, cloud infrastructure, operators, and associated documents (e.g., user manuals and standard operating procedures)”

The FDA states that the only time CGMP data may be excluded from decision making is when there is “a valid documented, scientific justification for its exclusion.” To determine when such justification is present, FDA suggests reviewing Investigating Out-of-Specification (OOS) Test Results for Pharmaceutical Production, §§ 211.118, 211.192 and 212.71(b). In any other situation, FDA states that “[a]ny data created as part of a CGMP record must be evaluated by the quality unit as part of release criteria.”

The FDA states that every workflow, including creation of an electronic master production and control record (MPCR), must be checked through validation for its intended purpose. In addition, appropriate controls must be utilized to “assure that changes to computerized MPCRs, or other records, or input of laboratory data into computerized records, can be made only by authorized personnel.” Where possible, this should be done by technical means, such as limiting permissions to change settings or data. For smaller operations or facilities, alternate control strategies may be used, such as having a second person review settings and content. As such, shared login accounts are not to be used. Instead, the appropriate controls should assure only authorized personnel can make changes and that such actions are attributable to a specific individual. Also, if blank forms are used (including worksheets, laboratory notebooks and MPCRs), they must be controlled by the quality unit or by another document control method.

Any data generated to satisfy a CGMP requirement is considered to be “a CGMP record.” Therefore, according to this draft guidance, the FDA requires this data to be documented or saved at the time of performance to be in compliance with CGMP requirements. It is important to note that the FDA finds it unacceptable to record data on paper that will be thrown out after it is incorporated into a permanent notebook. Similarly, it is unacceptable to store electronic data in temporary memory or in a manner that allows for manipulation of data before being permanently recorded. Automatically saved electronic data in temporary memory do not meet the CGMP requirements under this draft guidance.

Audit trails are part of the associated record and the “[p]ersonnel responsible for record review under CGMP should review the audit trails that capture changes to critical data associated with the record as they review the rest of the record.” More specifically, these audit trails should be “reviewed with each record and before final approval of the record.” This regular review should be done for at least the following changes: the change history of finished product test results, changes to sample run sequences, changes to sample identification and changes to critical process parameters.

For copies, “[e]lectronic copies can be used as true copies of paper or electronic records, provided that the copies preserve the content and meaning of the original document.” Likewise, a paper printout or static record of the complete record may satisfy the retention requirements. However, “true copies of dynamic electronic records may be made and maintained in the format of the original records or in a compatible format, provided that the content and meaning of the original records are preserved and that a suitable reader and copying equipment” are readily available. For these dynamic documents, a printout or static record would not be appropriate, as they do not preserve the format of the original record.

If there is any indication of a quality issue, such as suspected or known falsification or alteration of a record, the draft guidance states that it must be formally and fully investigated under the CGMP quality system to determine the following: (1) the effect of the event on patient safety, product quality and data reliability; and (2) the root cause. The purpose of this investigation is to ensure the necessary corrective actions are taken.

To show that a problem has been rectified, the FDA encourages “hiring a third party auditor, determining the scope of the problem, implementing a corrective action plan (globally), and removing at all levels individuals responsible for problems from CGMP positions.”

Shortly after this draft guidance was issued, the FDA issued a warning letter to Sri Krishna Pharmaceuticals Ltd., finding deficiencies in four general areas of CGMP: (1) failure to include complete data in laboratory notebooks; (2) failure to exercise appropriate control over computer systems; (3) failure to establish adequate written procedures for production and process controls; and (4) failure in certain instances to follow established written procedures. In order to remedy these deficiencies, the FDA requested that Sri Krishna take the following actions: (1) have a qualified third party carry out a comprehensive investigation into the extent of the inaccuracies in the records and reporting, as well as conduct interviews of employees; (2) perform a risk assessment of potential effects on the quality of the drugs and the risk to patients; and (3) complete a management strategy that includes details of global corrective and preventive action plans. This appears to be a trend in the FDA’s warning letters and indicates that the FDA is anticipating long-term measures to be part of a corrective action plan that includes enhancing procedures, systems and “human resources.”

Noncompliance with data integrity CGMPs may result in significant sanctions, including consent decrees, import alerts or the like.