In response to a recent rise in data integrity concerns at drug manufacturing sites around the world, the U.S. Food and Drug Administration (FDA) issued a draft guidance on April 15 (Guidance) to outline its recommendations for the creation and handling of data in accordance with current good manufacturing practice (CGMP) requirements for drugs, set forth in 21 CFR Parts 210, 211, and 212. Drug manufacturers are responsible for ensuring the safety, efficacy, and quality of drugs, and ensuring data integrity is an integral component of this responsibility.

The Guidance defines commonly used terms and includes 18 questions and answers on data integrity, which is defined as the “completeness, consistency, and accuracy of data” and further states that “[c]omplete, consistent, and accurate data should be attributable, legible, contemporaneously recorded, original or a true copy, and accurate (ALCOA).” Important points to note from the Guidance include:

  • Data Exclusion—Any data generated to fulfill CGMP requirements become a CGMP record, and thus, must be evaluated and may only be excluded from the release criteria decision making process if there is a “valid, documented, scientific justification for its exclusion.”
  • Electronic Data—Any electronic data generated to fulfill CGMP requirements must include relevant metadata, which is defined as “structured information that describes, explains, or otherwise makes it easier to retrieve, use, or manage data.” Electronic data and their metadata should be retained in a way that preserves their relationship in a “secure and traceable manner” for the duration of the CGMP record’s retention period.
  • Workflow Validation—To validate that workflow runs correctly, FDA recommends implementing “appropriate controls to manage risks associated with each element of a computer system.” FDA further advises that appropriate controls to validate a computer system for its intended use will “address software, hardware, personnel, and documentation.”
  • Access Restriction—Appropriate controls are recommended by FDA to “restrict the ability to alter specifications, process parameters, or manufacturing or testing methods by technical means (for example, by limiting permissions to change settings or data).” Personnel independent of those responsible for a record’s content should be assigned the system administrator role to monitor access. Additionally, documentation and other controls should be implemented to ensure that actions are attributable to a specific individual and that login credentials are not shared.
  • Audit Trails—Routine, scheduled reviews of audit trails are recommended by FDA and should include “the change history of finished product test results, changes to sample run sequences, changes to sample identification, and changes to critical process parameters.” Audit trail is defined as a “secure, computer-generated, time-stamped electronic record that allows for reconstruction of the course of events relating to the creation, modification or deletion of an electronic record.” The audit trails should be included in the production and control records and thus must be reviewed and approved by the quality unit.
  • System Suitability Testing—FDA advises that use of “an actual sample in test, prep, or equilibration runs” is a violative practice. System suitability tests should be done with a standard preparation or other standard solution to “determine if requirements or precision are satisfied.” If an actual sample is used for system suitability testing, it should be a “properly characterized secondary standard” and “should be from a different batch than the sample(s) being tested.”
  • Reporting Quality Issues—Known or suspected falsification or alteration of records cannot be handled informally outside of the documented CGMP quality system. Such matters must be fully investigated under the CGMP quality system to “determine the effect of the event on patient safety, product quality, and data reliability; determine the root cause; and to ensure the necessary corrective actions are taken.” Personnel should be trained to detect data integrity issues as part of a routine CGMP training program.
  • Remediation of Data Integrity Problems—Effective remediation of data integrity problems identified by FDA during inspections, in warning letters, or in other regulatory actions may be demonstrated by “hiring a third party auditor, determine the scope of the problem, implementing a corrective action plan (globally), and removing at all levels individuals responsible for problems from CGMP positions.” FDA advises that it may conduct an inspection to evidence remediation of CGMP violations.

The Guidance was distributed solely for comment purposes and contains only nonbinding recommendations. FDA is seeking electronic or written comments from the public on the Guidance until June 14.

Copyright 2016, American Health Lawyers Association, Washington, DC. Reprint permission granted.