Earlier today, the U.S. Food and Drug Administration (FDA) issued a Draft Guidance addressing a topic affecting the entire pharmaceutical industry—Data Integrity. The guidance, entitled Data Integrity and Compliance with CGMP, Guidance for Industry (Draft Guidance), and styled as a series of questions and answers, is the first guidance document FDA has issued specifically concentrating on Data Integrity. While it does not cover every issue companies may face with regard to Data Integrity, it does provide some initial insight into what FDA expects to see during an inspection.
As the pharmaceutical industry knows well by now, ensuring Data Integrity—as a part of current good manufacturing practice (GMP)—in drug development and manufacturing is one of FDA’s top enforcement priorities. And a lack of Data Integrity in applications and GMP records is viewed with the utmost seriousness within FDA. Indeed, at a July 2014 conference on “Understanding cGMPs” held at Hogan Lovells and sponsored by the Food and Drug Law Institute (FDLI), Howard Sklamberg, FDA’s Deputy Commissioner for Global Regulatory Operations and Policy, stated his belief that a lack of Data Integrity is often “just fraud.”
We have repeatedly seen FDA’s heightened focus on Data Integrity during inspections. And during such inspections, FDA is not just looking for actual evidence of data deletion or manipulation. Rather, FDA is spending significant time assessing whether companies have implemented proper controls and oversight to ensure Data Integrity and good documentation practice. This is consistent with FDA’s long-standing position that the Agency does not need to establish that a drug is actually deficient to prevail in a GMP case. Accordingly—in the context of Data Integrity—if a company lacks adequate controls and oversight to ensure Data Integrity, FDA views this as GMP violation, even if FDA has not found any instances of actual data deletion or manipulation.
And this is precisely what the Draft Guidance focuses on—FDA’s expectations for Data Integrity controls and oversight. The areas FDA highlights include:
- ALCOA. Companies should establish Data Integrity controls to ensure that data areAttributable, Legible, Contemporaneously recorded, Original or a true copy, and Accurate. Draft Guidance at 2. Among other things, this means that data must be documented and saved at the time of performance. Draft Guidance at 8. For example, chromatograms should be sent to long-term storage upon run completion instead of at the end of the day’s runs, and analysts should not record information on one piece of paper and later transcribe it to a controlled lab notebook. Id.
- Metadata and Audit Tails. Metadata—i.e., the contextual information required to understand data, such as date/time stamp and user ID of the person who conducted the test that generated the data—should be maintained throughout a record’s retention period. Draft Guidance at 3. Notably, FDA’s draft guidance states that metadata could include audit trails, meaning that FDA expects companies to also maintain audit trails throughout a record’s retention period. Id.
- Audit Trail Review Function. In many cases, FDA has identified Data Integrity issues—e.g., trial injections, deletion of certain injections, or deletion of entire injection sequences—by reviewing electronic audit trails during inspections. Thus, FDA recommends that companies’ quality units also review audit trails, especially audit trails that capture changes to critical data. Draft Guidance at 6 – 7. The draft guidance states that such audit trails should be reviewed with each record and before the final approval of the record. Id.
- Computer System Controls/Limiting Administrator Privileges. FDA also recommends that companies implement computer system access controls. For example, the system administrator role, including any rights to alter files or settings, should be assigned to personnel independent from the individuals responsible for the record content. Draft Guidance at 5. This means that, in FDA’s view, laboratory personnel, even laboratory supervisors, should not have administrator privileges on laboratory computer systems. And no employee should share a login account with any other employee. Draft Guidance at 6. Similarly, employees should not share account login information with each other.
- Test/Prep Runs. The Draft Guidance memorializes FDA’s position, expressed in numerous 483s and warning letters, that actual samples should never be used in test, prep, or equilibration runs unless permitted by a written procedure and the sample is from a batch different from the one being tested. Draft Guidance at 9. Companies should establish controls that clearly prohibit employees from using actual samples to perform analyses, and, through quality oversight, ensure that such controls are being followed.
- Addressing Data Integrity Deficiencies. To address data integrity issues during inspections or in warning letters, FDA recommends that companies hire third-party auditors, perform a comprehensive review to determine the scope of the problem, and remove the individuals responsible for the data integrity deficiencies. Draft Guidance at 10. FDA also recommends that companies implement global corrective action plans. Id. This underscores FDA’s belief that Data Integrity issues are often indicative of a weak quality culture.
- Self-Identification and Reporting. FDA encourages individuals to report suspected data integrity issues to the Agency. Id.
The message is clear—FDA takes Data Integrity and good documentation practice very seriously, and companies must be proactive in ensuring that adequate Data Integrity controls and oversight are implemented prior to an FDA inspection. This Draft Guidance provides some initial insights into FDA’s expectations, and what companies can do to meet them.