FDA’s Draft Guidance on Data Integrity: The Cupola on a Tower of Guidances

April 17, 2016

By Mark I. Schwartz & Douglas B. Farquhar

After several years of observing an increase in data integrity issues, particularly with overseas drug manufacturers regulated by CDER, on Thursday, April 14th, FDA issued a question-and-answer-based draft guidance entitled “Data Integrity and Compliance with cGMP”. We will provide more details below but, in summary, the draft guidance, which relies on numerous prior guidances, contains the following recommendations:

  • For recording data, manufacturing, or testing steps, numbered, controlled forms to be issued and reconciled by Quality Assurance;
  • Disclosure to FDA of findings of data integrity violations, and “removing at all levels individuals responsible for [data integrity] problems from cGMP positions”
  • Both audit trail review and review of electronic testing by Quality Assurance prior to batch release;
  • “Four eyes” review (i.e., at least two employees) of any original hard-copy laboratory records; and
  • Immediate, irreversible recording of electronic testing data (including upon completion of each HPLC testing sequence) as opposed to recording only at the end of the day).

While guidances are not binding, FDA does tend to rely on guidance during inspections and in making enforcement decisions.

In sum, what we have found is that this draft guidance makes some overarching assertions that are difficult to justify as supported by the regulatory texts in question. The guidance essentially sets up data integrity measures that drug manufacturers can ignore only at their peril, measures that go beyond what the regulations require.

The 21 CFR Part 211 regulations that FDA emphasizes in the draft guidance as forming an integral part of the data integrity requirements include:

  • § 211.68 (requiring that “backup data are exact and complete,” and “secure from alteration, inadvertent erasures, or loss”);
  • § 212.110(b) (requiring that data be “stored to prevent deterioration or loss”);
  • §§ 211.100 and 211.160 (requiring that certain activities be “documented at the time of performance” and that laboratory controls be “scientifically sound”);
  • § 211.180 (requiring that records be retained as “original records,” “true copies,” or other “accurate reproductions of the original records”); and
  • §§ 211.188, 211.194, and 212.60(g) (requiring “complete information,” “complete data derived from all tests,” “complete record of all data,” and “complete records of all tests performed”).

The guidance, which applies to human and animal drugs and biologics, begins by defining some key terms, such as: “data integrity” meaning “…the completeness, consistency, and accuracy of data. Complete, consistent and accurate data should be attributable, legible, contemporaneously recorded, original or a true copy, and accurate…”

Other defined terms include: “metadata” (“…data about data…”), “audit trail” (“…a chronology of the ‘who, what, when, and why’ of a record…”), “static” (“…a fixed-data document such as a paper record or an electronic image…”), “dynamic” (“…the record format allows interaction between the user and the record content…”), as well as the following terms from 21 CFR 211.68(b) “backup” (“…a true copy of the original data that is maintained securely throughout the records retention period…”) and “computer or related systems” (“…computer hardware, software, peripheral devices, networks, cloud infrastructure, operators, and associated documents…”).

Next the draft guidance turns to eighteen questions and answers. Some of the more interesting ones will be discussed below. It is worth noting that FDA’s answers to the questions it poses to itself do tend to rely on prior guidances.

A question frequently posed by stakeholders is when is it permissible to exclude cGMP data from a facility’s decision making? The guidance provides that: “…[t]o exclude data from the release criteria decision-making process, there must be a valid, documented, scientific justification for its exclusion…The requirements for record retention and review do not differ depending on the data format; paper-based and electronic data record-keeping systems are subject to the same requirements.”

Next, 21 CFR 211.68(b) provides that “…[a]ppropriate controls shall be exercised over computer or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel…” However, this raises the question as to what constitutes “appropriate controls,” and how access to cGMP computer systems should be restricted?

FDA recommends that stakeholders restrict the ability to alter specifications, process parameters, or manufacturing or testing methods by technical means where possible, and suggests that the system administrator role, including any rights to alter files and settings, be assigned to personnel independent from those responsible for the record content.

However, FDA makes an exception where operations or facilities are small, with few employees, and presumably it is not feasible to separate such functions among different employees. In such an instance, FDA recommends that alternate control strategies be implemented, such as by having a second person review the tasks performed by the employee responsible for both system administration and record content, or, where that is not possible, the employee would need to recheck his own work.

One of the problems that FDA has encountered with data integrity issues over the past few years has been oversight, or control, of paper records, which can be discarded relatively easily, in some instances without the agency becoming aware. Hence the question: “How should blank forms be controlled?” FDA recommends that blank forms, such as worksheets, notebooks and master production and control records be controlled by the quality unit or by another document control method. As an example, FDA states that numbered sets of blank forms may be used, and should be reconciled upon completion. FDA recommends that incomplete or erroneous forms be kept as part of the permanent record along with a written justification for their replacement.

The inadequacies of a facility’s audit trails and, in some cases, their complete absence has been a basis for citation in many warning letters over the past few years. How often should an audit trail be reviewed and who should do the reviewing? FDA recommends that audit trails that capture changes to “critical data” be reviewed with each record and before final approval of the record. In a development that may complicate the process of batch release, FDA more specifically states that both audit trail review and review of electronic testing be performed by Quality Assurance prior to batch release.

Furthermore, the draft guidance does not explain the distinction between “critical” and “non-critical” data. In addition, the agency recommends routine scheduled audit trail review based on the complexity of the system and its intended use.

In terms of who should review audit trails, FDA recommends that personnel responsible for record review should review the audit trails that capture changes to critical data associated with the record as they review the balance of the record.

What about electronic documents versus paper? Can electronic copies be used as accurate reproductions of paper records? Yes, provided that the copies preserve the content and the meaning of the original data, which includes associated metadata and the static or dynamic nature of the original records.

Is it acceptable to retain the paper printouts, or static records, instead of the original electronic records from stand-alone computerized laboratory instruments? If the paper printout or static record is a complete copy of the original record, according to FDA it may satisfy the agency’s retention requirements. However, because certain types of electronic records are dynamic in nature, a printout or static record does not preserve the dynamic nature of the original electronic record, and according to FDA would not satisfy the cGMP requirements.

Because the cGMP regulatory requirements are centered around the notion of “records” and not “data” per se, a perennial question is when does “data” become a “record” such that industry must comply with record requirements under 21 CFR Part 211? The draft guidance states that when data is generated to satisfy a cGMP requirement, all such data becomes a cGMP record.

The draft guidance goes on to say that, in such instances, industry must document the data at the time of performance to create a record in compliance with the cGMP provisions. Yet, in support of this proposition, FDA cites to two regulatory provisions (21 CFR 211.100(b) and 21 CFR 211.160(a)) that, on their face, cannot reasonably be interpreted to apply to all records required to be kept under 21 CFR Part 211. This is fodder for another day, and perhaps a future blog posting.

On the question of whether an internal tip regarding a quality issue, such as potential data falsification, can be handled informally outside the documented cGMP quality system, the answer in the draft guidance is a firm “no,” again despite the paucity of regulatory language that speaks to this issue.

On the related question as to whether facility personnel need to be trained to detect data integrity issues as part of a routine cGMP training program, the agency is somewhat more circumspect, stating that training to detect data integrity issues “…is consistent with the personnel requirements…” under 21 CFR 211.25 and 21 CFR 212.10, though the agency does not go so far as to call it a “requirement” under the regulations.

Finally, FDA recommends that data integrity problems be addressed by hiring a third party auditor, determining the scope of the problem, implementing a corrective action plan (globally), and removing at all levels individual responsible for problems from cGMP positions. Regarding this last point, one has to wonder how the agency defines the term “individual responsible”. For instance, if a quality assurance manager at a plant is within the chain of command of someone on the shop floor who manipulated data, but there is no evidence that he knew or participated in any of the data manipulation, is he an “individual responsible”? In addition, is it really appropriate to require a laboratory technician to be removed from a cGMP position when he or she was pressured – at risk of loss of employment in an autocratic facility – because he complied with orders to run an “unofficial” test?

If the drug manufacturing industry and the consultants and lawyers that serve them agree that this draft guidance makes some overarching assertions that are difficult to justify as supported by the regulatory texts in question, it will be incumbent on them to submit comments to the docket in the hope of obtaining more clarity, and holding the agency to greater fidelity with 21 CFR Part 211.

To close on a related issue, FDA states that guidance documents do not establish legally enforceable responsibilities on industry. Instead, guidance is supposed to describe the agency’s current thinking on a topic, and should be viewed only as a series of recommendations (“best practices” if you will), unless specific regulatory or statutory requirements are cited. It remains to be seen whether the above-referenced data integrity best practices are truly FDA “recommendations”, or whether manufacturers that choose not to abide by them will end up being cited for them as “transgressions” in warning letters subsequent to their next inspection.

As always, we will keep you posted.

Categories: cGMP Compliance