The FDA's New Guidance on Data Integrity

Before getting started, it will help to understand the meanings of a few key terms in the guidance:

• Data integrity refers to the completeness, consistency, and accuracy of data. Data should be “attributable, legible, contemporaneously recorded, original or a true copy, and accurate.”
• Metadata is the contextual information required to understand data. For example, the agency noted that a number without explanation or context, or lack of a date/time stamp for when the data were generated, or a user ID that identifies who conducted the test or analysis that generated the data is “meaningless without metadata.” Companies should maintain metadata required to reconstruct the GMP activity throughout a record's retention period.
• An audit trail is “a secure, computer-generated, time-stamped electronic record that allows for reconstruction of the course of events relating to the creation, modification, or deletion of an electronic record.” Electronic record-keeping systems that include these elements can satisfy the GMP requirements to prevent data from being lost or obscured, because, in FDA's terms, it is a chronology of the “who, what, when, and why” of a record.

FDA Recommendations

The FDA guidance tells companies they must maintain any data created as part of a GMP record, and there must be “valid, documented, scientific justification” for excluding data from the release criteria decision-making process. Manufacturers should also validate each workflow on a computer system and should implement appropriate controls for risks associated with each element of a system, such as software, hardware, personnel and documentation.

Further recommendations were also offered in the guidance, including the following.

For Data Security

• Limit permissions to change settings or data.
• Assign the system administrator role (including the rights to alter files and settings) to personnel independent from those responsible for running the tests that create the records.
• For small operations, where the system administrator is also responsible for the content of the records, have a second person review the settings and content.
• Do not use shared login accounts for computer systems; actions must be attributable to specific individuals.
• Control blank forms (e.g., issue them in numbered sets).

For Audit Trails

Appropriate personnel should review audit trails, capturing changes to critical data with each record and before final approval of the record.

Examples of audit trails that should be subject to regular review include the change history of finished product test results, changes to sample run sequences, changes to sample identification, and changes to critical process parameters.

For Electronic Records

Electronic copies can be used as true copies of paper/electronic records, as long as the copies preserve the content and meaning of the original data, including metadata.

Electronic signatures, used with appropriate controls to identify who signed the record, can be used in GMP records.

When generated to satisfy a GMP requirement, all data become a GMP record, and the data must be saved at the time of performance. (For example, chromatograms should be sent to archiving/permanent record upon run completion, not at the end of a day's runs; data should not be stored in temporary memory that allows manipulation before a permanent record is created.)

All GMP records, including electronic records, are subject to FDA inspection.

Compliance

In warning letters, the FDA has cited companies for the use of sampling or testing with the goal of achieving a specific result or overcoming an unacceptable result. This practice of “testing into compliance” undermines data integrity.

For companies subject to enforcement action for data integrity problems, the FDA recommends hiring a third-party auditor, determining the scope of the problem, implementing a global corrective action plan and removing any individuals responsible from GMP positions.

This guidance follows increased FDA enforcement action for data integrity violations, particularly against foreign manufacturers. Consequently, companies with manufacturing sites outside the United States should give particular attention to facility protocols and emphasize the importance of consistent compliance to personnel.

The Takeaways

Obtaining proactive FDA insight and expectations always benefits industry; this draft guidance describes the FDA's concerns about data integrity problems and explains how companies can aim for compliance with GMPs, which may minimize non-compliance issues.

The guidance is also instructive from a product liability perspective. Data integrity, such as falsification or manipulation of technical information or breaches of security, can present potential safety risks to patients. Bad and corrupt data in ' bad and corrupt data out. Failure to properly generate reliable data, or to track any changes to manufacturing processes, for example, may lead to questionable or unpredictable results, at a minimum, and dangerous out-of-product specifications at worst. Product subpotencies, superpotencies, instabilities, and variations may result in public health concerns and significant product liability exposure.

Of course, understanding the recent FDA guidance will not alone eliminate data integrity problems. At the end of the day, company personnel must properly develop and implement facility-specific programs to comply with all FDA quality-related requirements. Such programs need to be tailored to the risk profile of a particular facility and must incorporate adequate controls to ensure the integrity of all data documenting an adequate GMP system. However, the draft offers useful recommendations to fine-tune the integrity of the data that serves as a principal feature of your GMP compliance. Implementation of these recommendations will maximize product quality and, in turn, minimize liability exposure.

Alan G. Minsk, a member of this newsletter's Board of Editors, is a partner and practice leader of Arnall, Golden, Gregory LLP's Food and Drug Practice. He focuses his practice on advising pharmaceutical, biologic, medical device, cosmetic and food companies, on all legal and regulatory matters relating to the FDA and DEA.