FDA issues New Draft Guidance on Data Integrity and Compliance with cGMP

Vivek Padalalu

The mission of all health authorities is to ensure the quality, safety and efficacy of drug products by carefully monitoring drug manufacturers’ compliance with their current Good Manufacturing Practice (cGMP) regulations. The cGMP regulations for drugs contain minimum requirements for the methods, facilities, and controls used in manufacturing, processing, and packing of a drug product. The regulations make sure that a product is safe for use, and that it has the ingredients and strength it claims to have.

In recent years, the US Food and Drug Administration (FDA) has increasingly observed cGMP violations with data manipulation and other data integrity issues, particularly with overseas drug manufacturers. In extreme scenarios, there have been instances of companies overwriting data collected by software i.e., deleting pertinent data and altering sample raw data file names to hide deleted data files. Data integrity issues related to cGMP violations are of serious concern and have led to numerous regulatory actions, including the issuance of warning letters, import alerts, and consent decrees. In extreme situations companies have been banned from shipping drugs to the US. This has led the FDA to draft a new guidance to help the pharmaceutical industry ensure data consistency and accuracy, and allow for flexible and risk-based strategies that detect and prevent data integrity issues.

The guidance includes 18 questions and answers on data integrity, alongside well-defined terms on data as they relate to cGMP records. The guidance also provides recommendations on when computer system workflows need to be validated, and how to ensure electronic master production and control records (MPCR) are monitored, including user access permissions.

A few highlights from the FDA’s proposed guidance are listed below:

  • ALCOA: Companies should establish data integrity controls to ensure that data are Attributable, Legible, Contemporaneously recorded, Original or a true copy, and Accurate. Among other things, this means that data must be documented and saved at the time of performance.
  • Metadata: The FDA makes it clear that electronic data generated to fulfill cGMP requirements, which is one of the focal points of many of FDA’s warning letters, should include relevant metadata. The metadata is defined as ‘the contextual information required to understand the data’.
  • Audit Trail Review: The FDA expects that any data created as part of a cGMP record must be evaluated by the quality unit as part of release criteria and maintained for cGMP purposes. To exclude certain data from the release criteria process, there must be a valid, documented, scientific justification for its exclusion.
  • Computer System Controls/Limiting Administrator Privileges: The FDA raises concerns about shared logins to computer systems, which have also been documented in warning letters. FDA expects that companies should have appropriate controls to assure that only authorized personnel make changes to computerized MPCRs, or other records, or input laboratory data into computerized records, and must implement documentation controls that ensure actions are attributable to a specific individual. The requirements for record retention and review do not differ depending on the data format; paper-based and electronic data record-keeping systems are subject to the same requirements.
  • Test/Prep Runs: The draft guidance memorializes the FDA’s position, expressed in numerous 483s and warning letters, that actual samples should never be used in test, prep, or equilibration runs unless permitted by a written procedure and the sample is from a batch different from the one being tested. Companies should establish controls that clearly prohibit employees from using actual samples to perform such analyses, and, through quality oversight, ensure that such controls are being followed.
  • Addressing Data Integrity Deficiencies: To address data integrity issues flagged during inspections or in warning letters, the FDA recommends that companies hire third-party auditors, perform a comprehensive review to determine the scope of the problem, and remove the individuals responsible for the data integrity deficiencies. The FDA also recommends that companies implement global corrective action plans. This underscores the FDA’s belief that data integrity issues are often indicative of a weak quality culture.
  • Self-Identification and Reporting: The FDA encourages individuals to report suspected data integrity issues to the Agency.

Overall, drug manufacturers should implement meaningful and effective strategies to manage their data integrity risks based on well-defined and understood processes, knowledge management, technologies and business models. The FDA is now increasing its focus on data integrity and good documentation practices, and companies must be proactive in ensuring that adequate data integrity controls and oversight are implemented prior to an FDA inspection. It remains to be seen whether the new data integrity guideline will be followed by all manufacturers, and whether manufacturers that choose not to abide by them will be cited with warning letters during inspections.