In mid-April 2016, the FDA published a draft guidance clarifying the role of data integrity in current good manufacturing practice (cGMP) for drug products, as required under 21 CFR parts 210, 211, and 212. The draft guidance, entitled “Data Integrity and Compliance with CGMP,” was published in response to an increasing number of data integrity violations being observed during FDA cGMP inspections.
FDA’s expectation is that all data submitted to the Agency is reliable and accurate. This is of paramount importance because, without accurate data, the Agency’s mission to protect and promote the public health and ensure the safety, efficacy, and quality of drugs through regulatory decisions “based on the best available science” is made very difficult. In the recent past, FDA has seen an increase in the occurrence of data integrity-related cGMP violations. These violations typically lead to a number of regulatory actions, including warning letters, import alerts, and consent decrees.
According to 21 CFR parts 210.1 and 212.2, “CGMP sets forth minimum requirements to assure that drugs meet the standards of the Federal Food, Drug, and Cosmetic Act (FD&C Act) regarding safety, identity, strength, quality, and purity.” Furthermore, the requirements set forth in parts 211 and 212 that involve data integrity, include the following:
- § 211.68 – requires that “backup data are exact and complete,” and “secure from alteration, inadvertent erasures, or loss”
- § 212.110(b) – requires that data be “stored to prevent deterioration or loss”
- §§ 211.10 & 211.160 – requires that certain activities be “documented at the time of performance” and that laboratory controls be “scientifically sound”
- § 211.180 – requires that records be retained as “original records,” “true copies,” or other “accurate reproductions of the original records”
- §§ 211.188, 211.194, & 212.60(g) – requires “complete information,” “complete data derived from all tests,” “complete record of all data,” and “complete records of all tests performed”
In its draft guidance, FDA clarifies the definitions of the following terms as they relate to cGMP records:
- Data integrity: “refers to the completeness, consistency, and accuracy of data.”
- Metadata: “the contextual information required to understand data.”
- Audit trail: “a secure, computer-generated, time-stamped electronic record that allows for reconstruction of the course of events relating to the creation, modification, or deletion of an electronic record.”
- Static (as it relates to record formats): “a fixed-data document such as a paper record or an electronic image.”
- Dynamic (as it relates to record formats): “the record format allows interaction between the user and the record content.”
- Backup (as used in § 211.68(b)): “a true copy of the original data that is maintained securely throughout the records retention period (for example, § 211.180).”
- Systems (as used in § 211.68): “people, machines, and methods organized to accomplish a set of specific functions.”
- Computer or related system (as used in § 211.68): “computer hardware, software, peripheral devices, networks, cloud infrastructure, operators, and associated documents.”
Presented in question and answer format, FDA’s recent draft guidance “addresses specific questions about how data integrity relates to compliance with CGMP for drugs, as well as more general data integrity concepts.” Along with the definitions provided above (which are presented as the answer to the first question in the document), the draft guidance contains 17 additional questions and the associated answers. Some of these include:
“When is it permissible to exclude CGMP data from decision making?”
FDA states that any and all data “created as part of a CGMP record must be evaluated by the quality unit as part of release criteria (see §§ 211.22 and 212.70) and maintained for CGMP purposes ((e.g., § 211.180).” Data may only be excluded from the release criteria decision-making process if a valid, documented, and scientific justification is provided.
“Does each workflow on our computer system need to be validated?”
In short, yes. FDA states that “a workflow, such as creation of an electronic master production and control record (MPCR), is an intended use of a computer system to be checked through validation.” Furthermore, FDA goes on to say that “if you validate the computer system, but you do not validate it for its intended use, you cannot know if your workflow runs correctly.”
“Why is FDA concerned with the use of shared login accounts for computer systems?”
FDA explains that “when login credentials are shared, a unique individual cannot be identified through the login and the system would thus not conform to the CGMP requirements in parts 211 and 212.” In order to ensure product quality, FDA mandates that all systems controls be designed in a manner compliant with all cGMP requirements.
“When does electronic data become a CGMP record?”
According to the draft guidance, “when generated to satisfy a CGMP requirement, all data become a CGMP record. You must document, or save, the data at the time of performance to create a record in compliance with CGMP requirements, including, but not limited to, §§ 211.100(b) and 211.160(a). FDA expects processes to be designed so that quality data required to be created and maintained cannot be modified.” Furthermore, FDA states that it is not acceptable to:
- Record data on paper that will be thrown away after the data is copied into a permanent laboratory notebook.
- Store data electronically in temporary memory that is susceptible to manipulation before a permanent record is created.
For additional information on these or other questions and answers provided in the document, view FDA’s full draft guidance.