In April 2016, the FDA issued Data Integrity and Compliance With CGMP Guidance for Industry. This is on the heels of a lot of related 483s, warning letters, and more severe actions with respect to this issue. There are some interesting things to note from this document.
The FDA has provided this document based on their duty to protect the public health. Generally speaking, data must be reliable and accurate. Pharmaceutical and biotech manufacturers can use risk-based strategies based on process understanding, knowledge management technologies, and business models to prevent and detect integrity issues. Compliant records must keep data from being lost, obliterated, or obscured during the record retention period for that data.
Data Integrity is defined as complete, consistent and accurate data that is attributable, legible, contemporaneously recorded, original or true copy, and accurate, using the acronym ALCOA for easy recall of these components of the definition. All data including metadata, contextual data associated with the data that gives meaning or value to the data, should be maintained according to the record retention policy associated with that data.
This is inclusive of the relationship between data and metadata in a secure and traceable method. An audit trail is a piece of this security aspect, as the audit trail provides the information on “who, what, when and why ” of a record as well as all actions associated with the data including system access as well as creation, modification, renaming, and deleting of files or data in the records. A Quality Unit review of the audit trail on a periodic basis is also recommended.
Two different types of data are defined in the guideline – static and dynamic. Static data is fixed, while dynamic data is formatted to allow interaction between the user and the content. With dynamic data, a user may be able to define a baseline to reprocess data or a user may be able to modify formulas or entries that will alter calculation results. Data can be excluded from decision making (e.g. release process) only when an appropriate investigation such as OOS (Out-of-Specification) documents the justification through appropriate explanation of the problems, errors, and proper scientific rationale.
A backup copy that is used for disaster recovery is not necessarily a true copy. A true copy is maintained in a secure environment consistent with the record retention period. A true copy must include the metadata and be retained in the original format or in a format consistent with the original format.
In the guideline, the FDA reiterates the importance of validating workflows since you must validate a solution for its intended use and in this case would be ensuring proper function of intended steps, specifications, and calculations. Additionally the FDA stresses the importance of restricting specific functions to authorized personnel and specifically recommends restricting permissions for changing settings or data to those independent of record content.
They also specifically recommend that a user access list with permissions be maintained. There are some specific exemptions of the independent resource statement for smaller companies that is then replaced by second person review or second checks. Shared user logins for records and data are expressly prohibited in this guidance document. It is imperative to have proper controls to ensure actions are attributable to a specific individual. This is pertinent to ensure that documented controls are in place for product quality assurance.
Control of blank forms is also part of record keeping. All records should be controlled and retained by the Quality Unit according to the record retention policy. This includes forms that are partially completed, blank, or erroneous as well as the justification for replacement of a form.
Paper records can satisfy retention requirements if the data is static. In cases of dynamic data, the static paper record cannot satisfy these requirements; therefore, for dynamic data, the original or true copies of this data must be retained. Both paper and electronic records are subject to second-person reviews to ensure proper reporting of test results.
Companies that use electronic signatures must document controls in place used to ensure that they can identify a specific individual’s signature.
Data must be documented or saved at the time of performance in order to comply with GMP requirements. This data cannot be modified. Writing to temporary storage, whether on scrap paper or in temporary memory, where it can be manipulated before creating a permanent record, is not acceptable. It is acceptable to use a combination of technical and procedural controls in order to meet CGMP documentation practices.
The FDA prohibits testing into compliance (testing with a goal to achieve a specific result or to overcome an unacceptable result). Witten procedures are required for managing precision testing, system suitability testing and standards characterization. All testing data is required to be retailed as part of the records and subject to review unless there is specific scientific analysis that documents that rationale for excluding the data. For many laboratory tests, the analysis includes processing of raw data to provide a test result. The complete set of data must be retained and may include raw data, graphs, charts, spectra, standards, etc. Written procedures must be established for reprocessing of data and each result must be reviewed.
Any suspected or known falsification or changing of records must be fully investigated with respect to the effect on product quality. This must be handled just like any other investigation in terms of identifying a root cause and corrective actions.
Appropriate personnel must be trained in detecting data integrity issues.
The FDA can inspect all GMP records, whether electronic or paper. Copies can be requested of both types of records. If the FDA has identified any problems with electronic records at your company, they strongly recommend that a third party auditor be engaged to resolve the issue covering items such as problem scope definition, corrective actions, and releasing responsible individuals, as necessary.
From Jim: You can connect and interact with other pharmaceutical and biotech industry experts in the Life Sciences group in the Emerson Exchange 365 community.