FDA Perspective on Data Integrity and cGMP Compliance

The U.S. Department of Health and Human Services, Food and Drug Administration (FDA) published a guidance to share common questions and the FDA's answers represent the current thinking of the administration. As the FDA states "The purpose of this guidance is to clarify the role of data integrity in current good manufacturing practice (CGMP) for drugs, as required in 21 CFR parts 210, 211, and 212"

For the newsletter subscribers, I have summarized the questions and answers here. This will not only highlight the most important questions on data integrity and GMP compliance but also make it easy to read and understand. Let's start with the first question;

Why is the FDA concerned with the use of shared login accounts for computer systems?

FDA: When login credentials are shared, a unique individual cannot be identified through the login and the system would not conform to the CGMP requirements in parts 211 & 212.

What is Data Integrity?

FDA: Data integrity refers to the completeness, consistency, and accuracy of data. Complete, consistent, and accurate data should be attributable, legible, contemporaneously recorded, original or a true copy, and accurate (ALCOA).

Editors note: ALCOA has become ALCOA++ with Complete, Consistent, Enduring, Available and Traceable terms in recent years. We will cover that part in the coming newsletters.

What is an Audit Trail?

FDA: Audit trail means;

• Secure,
• Computer-generated,
• Time-stamped,
• Electronic record

that allows for the reconstruction of the course of events relating to the creation, modification, or deletion of an electronic record.

Example: The audit trail for a high-performance liquid chromatography (HPLC) run should include the user name, date/time of the run, the integration parameters used, and details of a reprocessing, if any. Documentation should include a change justification for the reprocessing.

Who should review audit trails?

FDA: Audit trail review is similar to assessing cross-outs on paper when reviewing data. Personnel responsible for record review under CGMP should review the audit trails that capture changes to data associated with the record as they review the rest of the record. FDA recommends a quality system approach to implementing oversight and review of CGMP records.

Example: All production and control records, which include audit trails, must be reviewed and approved by the quality unit.

Can electronic copies be used as accurate reproductions of paper or electronic records?

FDA: Yes. Electronic copies can be used as true copies of paper or electronic records, provided the copies preserve the content and meaning of the original record, which includes all metadata required to reconstruct the CGMP activity and the static or dynamic nature of the original records.

When does electronic data become a cGMP record?

FDA: When generated to satisfy a CGMP requirement, all data become a CGMP record.14 You must document, or save, the data at the time of performance to create a record in compliance with CGMP requirements.

Should personnel be trained in preventing and detecting data integrity issues as part of a routine CGMP training program?

FDA: Yes. Training personnel to prevent and detect data integrity issues is consistent with the personnel requirements under §§ 211.25 and 212.10, which state that personnel must have the education, training, and experience, or any combination thereof, to perform their assigned duties.

How does the FDA use the term backup?

FDA: The term backup in § 211.68(b) refers to a true copy of the original record that is maintained securely throughout the record retention period. Backup data must be exact, complete, and secure from alteration, inadvertent erasures, or loss. Temporary backup copies (e.g., in case of a computer crash or other interruption) would not satisfy the requirement in § 211.68(b) to maintain a backup file of data.

How should blank forms be controlled?

There must be document controls in place to assure product quality. For example, bound paginated notebooks, stamped for official use by a document control group, provide good document control because they allow easy detection of unofficial notebooks as well as any gaps in notebook pages. If used, blank forms (e.g., electronic worksheets, laboratory notebooks, and MPCRs) should be controlled by the quality unit or by another document control method. As appropriate, numbered sets of blank forms may be issued and should be reconciled upon completion of all issued forms. Incomplete or erroneous forms should be kept as part of the permanent record along with written justification for their replacement.

How does the FDA recommend data integrity problems be addressed?

FDA encourages you to demonstrate that you have effectively remediated your problems by investigating to determine the problem’s scope and root causes, conducting a scientifically sound risk assessment of its potential effects (including impact on data used to support submissions to FDA), and implementing a management strategy, including a global corrective action plan that addresses the root causes. This may include retaining a third-party auditor and removing individuals responsible for data integrity lapses from positions where they can influence cGMP-related or drug application data at your firm. It also may include improvements in quality oversight, enhanced computer systems, and the creation of mechanisms to prevent recurrences and address data integrity breaches (e.g., anonymous reporting system, data governance officials and guidelines).

You can access the entire document from the FDA library.

Please share this content if you think that your colleagues will also find it useful. If you haven't, make sure you subscribe to this newsletter so that the new edition can hit your mailbox! See you next time!..