未分類

Tips for FDA Inspection Response (Continued)

Tips for FDA Inspection Response (Continued)

Introduction

This article is a continuation based on presentation materials by Robert C. Fish, a former FDA inspector who currently works as a consultant. The author has extensive experience handling FDA inspections. However, I have observed that the quality of FDA inspectors has deteriorated considerably in recent years, coinciding with rapid expansion of inspector ranks. There are many inspectors who cannot provide appropriate observations. In the past, we were requested to install a FAX machine with international calling capability in the inspection room so that inspectors could consult FDA headquarters about whether they should cite certain observations. Currently, inspectors appear to make inquiries via email, but based on my observations, they do not seem to be asking substantive questions. Robert C. Fish’s experience and advice would be beneficial even for new FDA inspectors.

Understanding Data Integrity

1. History of Data Integrity at FDA

Data integrity concerns emerged in the 1990s, stemming from fraudulent practices in the generic drug industry. During this period, many generic drug manufacturers faced criminal prosecution for data integrity violations. These incidents highlighted the critical importance of ensuring the reliability and authenticity of pharmaceutical data throughout the product lifecycle.

2. FDA Statement on Data Integrity

The FDA has emphasized that “A lack of data integrity often is Just Fraud.” When there is insufficient management oversight and inadequate review processes, the reliability of regulatory submissions becomes compromised. This statement underscores the FDA’s position that data integrity is not merely a technical compliance issue but a fundamental aspect of pharmaceutical quality and public health protection.

3. Application Integrity Policy

When fraud is suspected, FDA applies its Application Integrity Policy (AIP). Under this policy, FDA may:

  • Halt review of New Drug Applications (NDAs)
  • In severe cases, refuse to accept any future submissions from the applicant

The AIP represents one of FDA’s most serious enforcement mechanisms and can have significant business implications for pharmaceutical companies.

4. Documents Requiring Data Integrity

Data integrity principles must be applied to various types of documentation, including but not limited to:

  1. Raw data and source data
  2. Results and analytical outcomes
  3. Written procedures and Standard Operating Procedures (SOPs)
  4. Records (both paper-based and electronic)
  5. Testing documentation and analytical data
  6. Investigation reports and deviation records

5. Definition of Raw Data

According to FDA regulations, particularly 21 CFR Part 11 and related GMP regulations (21 CFR 211), raw data must possess several critical characteristics:

Raw data should be:

  • Recorded at the time it was obtained
  • Generated by the operator who obtained it
  • Directly entered into the record system
  • Documented on currently authorized forms and records
  • Attributed with clear identification of who performed what action and when (analysts must sign and date the analyses or portions of analyses they performed)

It is important to note that while 21 CFR 58.3(k) provides a specific definition for raw data in the context of Good Laboratory Practice (GLP), the principles apply broadly across GMP environments. The definition emphasizes contemporaneous documentation and clear attribution of actions.

6. Foreign Drug Inspectional Compliance Program

The Foreign Drug Inspectional Compliance Program includes data integrity verification as one of its primary objectives. The inspection process typically follows this sequence:

During Pre-Approval Inspections (PAI):

  • Initial review of raw data
  • Confirmation of result copies
  • Deep-dive verification of raw data against reported results
  • Comprehensive data integrity assessment

When serious concerns about data integrity are identified, the Office of Criminal Investigation (OCI) may become involved. OCI personnel have received criminal investigation training and are authorized to carry weapons within the United States (they likely do not bring weapons to Japan or other foreign countries).

7. Warning Letters Related to Data Integrity

During 2013 and 2014, approximately 15-20 Warning Letters issued by FDA concerned data integrity violations. This represents a significant portion of total enforcement actions during that period. Data integrity violations were particularly prevalent among API (Active Pharmaceutical Ingredient) manufacturing facilities in India and China, though issues have been identified globally.

In recent years, the number of data integrity-related citations has continued to increase, reflecting FDA’s heightened focus on this critical area.

8. Examples of Companies with Data Integrity Violations

Several notable cases illustrate common data integrity problems:

Abel Labs (2005):

  • Discrepancies between paper-based records and electronic records
  • Different analytical results reported on paper versus electronic systems
  • Deliberate destruction of records and results to avoid FDA detection

Leiner Health Products (2007):

  • Multiple data integrity violations related to laboratory records
  • Inadequate controls over electronic data systems

Ranbaxy Laboratories (2008):

  • One of the most significant data integrity cases in pharmaceutical history
  • Systematic falsification of data across multiple facilities
  • Led to major changes in how FDA approaches international inspections

These cases demonstrate that data integrity violations can range from isolated incidents to systematic corporate practices, and that consequences can be severe, including criminal penalties and import bans.

9. Common Issues Found in Warning Letters

Analysis of Warning Letters reveals recurring data integrity themes:

  • Record destruction: Intentional deletion or destruction of original data
  • Inadequate audit trails: Failure to maintain complete, tamper-evident records of data changes
  • Incomplete laboratory records: Laboratory records that do not contain comprehensive raw data
  • User access controls: Inadequate management of usernames, passwords, and system access privileges
  • Lack of contemporaneous documentation: Backdating or late entry of critical data
  • Data manipulation: Unauthorized changes to data without proper justification or documentation

10. What Companies Should Do

To maintain robust data integrity practices, pharmaceutical companies should implement the following measures:

Regulatory Compliance:

  • Thoroughly review and understand 21 CFR Part 11 (Electronic Records; Electronic Signatures)
  • Study FDA’s guidance documents on Part 11 scope and application
  • Implement systems and procedures that ensure full compliance with both Part 11 and underlying predicate rules

Risk-Based Approach: Since FDA’s 2003 guidance, a risk-based approach to Part 11 compliance has been recommended. Companies should:

  • Conduct risk assessments of their data systems and processes
  • Focus resources on high-risk areas that could impact product quality and patient safety
  • Implement controls proportionate to identified risks

Quality Control Measures:

  • Implement dual verification for critical data entry and review (minimum two-person verification for critical data)
  • Establish clear procedures for data generation, modification, and deletion
  • Ensure data and records are protected from unauthorized alteration or destruction
  • Maintain comprehensive audit trails for all electronic systems

Regular Oversight:

  • Conduct periodic data integrity reviews
  • Perform self-inspections focusing on data integrity
  • Review quality metrics related to data integrity performance
  • Investigate anomalies and deviations promptly

Modern Data Integrity Framework: ALCOA+ Principles

Contemporary data integrity practices are built upon the foundational ALCOA principles, which have evolved into ALCOA+. These principles are recognized globally and form the basis of data integrity expectations in major regulatory guidance documents, including FDA’s 2018 Data Integrity Guidance and PIC/S PI 041-1 (2021).

The ALCOA+ Framework

PrincipleDescriptionKey Requirements
AttributableIt must be clear who created, modified, or deleted data– Unique user identification- Secure login credentials- Timestamped actions- No shared accounts
LegibleData must be readable and understandable throughout the retention period– Clear, permanent records- Readable handwriting- Accessible electronic formats- Maintained metadata
ContemporaneousData must be recorded at the time the work is performed– Real-time documentation- No backdating- Timestamped entries- Original observations recorded immediately
OriginalOriginal data or true copies must be preserved– Preservation of source data- Certified true copies when needed- Protection of original records- Complete data capture
AccurateData must be free from errors and correctly represent observations– Verification procedures- Error correction protocols- Quality control checks- Review processes
CompleteAll data must be included; nothing can be omitted– Full test sequences captured- All results recorded (including failed runs)- Complete audit trails- No selective reporting
ConsistentData must be recorded in a consistent sequence and with consistent timestamps– Sequential documentation- Logical temporal order- Consistent formats- Standardized procedures
EnduringData must remain available throughout the retention period– Appropriate storage media- Regular data backups- Migration plans for obsolete systems- Protection from degradation
AvailableData must be readily available for review upon request– Rapid retrieval capability- Accessible format- Complete with metadata- Available for inspection

Latest Regulatory Developments

FDA Data Integrity Guidance (2018)

In December 2018, FDA finalized its comprehensive guidance document “Data Integrity and Compliance With Drug CGMP: Questions and Answers.” This guidance:

  • Clarifies FDA’s expectations for data integrity in CGMP environments
  • Adopts a risk-based approach to data integrity
  • Addresses both paper-based and electronic systems
  • Provides specific recommendations for computerized systems
  • Emphasizes the importance of management oversight and quality culture

FDA Data Integrity Guidance for BA/BE Studies (2024)

In April 2024, FDA released draft guidance titled “Data Integrity for In Vivo Bioavailability and Bioequivalence Studies.” This guidance:

  • Addresses data integrity concerns observed during testing site inspections
  • Provides recommendations for applicants and testing site management
  • Applies to clinical and bioanalytical portions of BA/BE studies
  • Emphasizes the responsibilities of sponsors and contract laboratories
  • Highlights the importance of vendor qualification and oversight

PIC/S Data Integrity Guidance (PI 041-1, 2021)

The Pharmaceutical Inspection Co-operation Scheme (PIC/S) published its final guidance “Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments” (PI 041-1) in July 2021. This comprehensive 63-page document:

  • Provides detailed guidance for inspectors on data integrity assessment
  • Covers both paper-based and computerized systems
  • Addresses hybrid systems combining electronic and manual processes
  • Emphasizes data governance within pharmaceutical quality systems
  • Includes extensive guidance on organizational culture and management responsibility

The PIC/S guidance is particularly significant as it represents harmonized international expectations and is used by regulatory authorities in over 50 countries.

Risk-Based Approach to Electronic Systems

Understanding 21 CFR Part 11

21 CFR Part 11, established in 1997, sets forth the criteria under which FDA considers electronic records and electronic signatures to be trustworthy, reliable, and equivalent to paper records with handwritten signatures. The regulation covers:

  • Validation of computerized systems
  • Audit trail requirements
  • System security and access controls
  • Electronic signature requirements
  • Documentation and record retention

2003 Guidance: Risk-Based Compliance

In response to industry concerns about the breadth and cost of Part 11 compliance, FDA issued guidance in September 2003 titled “Part 11, Electronic Records; Electronic Signatures – Scope and Application.” This guidance:

  • Narrowed the scope of Part 11 enforcement
  • Introduced a risk-based approach to validation and controls
  • Focused on systems that directly impact product quality and patient safety
  • Allowed for enforcement discretion on certain technical controls
  • Emphasized the importance of underlying predicate rules

The risk-based approach means that:

  • High-risk systems (e.g., batch record systems, stability data systems) require more stringent controls
  • Low-risk systems (e.g., some administrative systems) may have less stringent requirements
  • Risk assessments should focus on potential impact to product quality, data integrity, and patient safety
  • Controls should be commensurate with identified risks

Modern Considerations

Recent FDA guidance has expanded to address:

  • Cloud-based systems and software as a service (SaaS)
  • Mobile technologies and digital health technologies
  • Remote data acquisition
  • Vendor management and oversight of third-party systems
  • Data integrity in global supply chains

Practical Implementation Strategies

Data Governance System

Organizations should establish a comprehensive data governance framework that includes:

Leadership and Culture:

  • Executive management commitment to data integrity
  • Clear quality culture that values transparency and open communication
  • Encouragement to report data integrity issues without fear of retaliation
  • Regular communication of data integrity expectations

Policies and Procedures:

  • Written data integrity policies aligned with regulatory requirements
  • Standard Operating Procedures (SOPs) for data generation, handling, and retention
  • Clear procedures for data review and approval
  • Change control procedures for electronic systems

Risk Assessment:

  • Regular assessment of data integrity risks across all processes
  • Focus on business processes, not just IT systems
  • Evaluation of data flows from generation through retention
  • Implementation of controls proportionate to identified risks

Training and Competency:

  • Initial and ongoing training on data integrity principles
  • Role-specific training for data generators and reviewers
  • Training on specific system requirements and controls
  • Documentation of training effectiveness

Quality Metrics and Monitoring:

  • Key performance indicators (KPIs) for data integrity
  • Regular management review of data integrity metrics
  • Trending of deviations and data integrity issues
  • Self-inspection programs focusing on data integrity

System Controls

For electronic systems, implement robust controls including:

Access Controls:

  • Unique user identification for all system users
  • Prohibition of shared login credentials
  • Role-based access permissions
  • Regular review of user access rights
  • Prompt removal of access for departed personnel

Audit Trails:

  • Comprehensive, computer-generated audit trails
  • Timestamped records of all data creation, modification, and deletion
  • Audit trails that cannot be disabled or modified by users
  • Regular review of audit trail data
  • Investigation of unusual patterns or anomalies

Data Backup and Recovery:

  • Regular backup of electronic records
  • Tested data recovery procedures
  • Secure storage of backup media
  • Plan for long-term data accessibility

Validation:

  • Appropriate validation of computerized systems
  • Risk-based validation approach
  • Documentation of system requirements and specifications
  • Verification that systems function as intended
  • Change control for system modifications

For Paper-Based Systems

Paper-based systems require specific controls:

Form Design and Control:

  • Use of controlled, pre-printed forms
  • Unique form identification numbers
  • Distribution control for blank forms
  • Destruction procedures for obsolete forms

Documentation Practices:

  • Original observations recorded in permanent ink
  • No use of pencil or erasable media
  • Single line through errors, with initials and date
  • No use of correction fluid or tape
  • All entries signed and dated by the person performing the work
  • Void unused spaces to prevent later additions

Record Storage:

  • Secure storage preventing unauthorized access
  • Protection from environmental damage
  • Organized filing system for easy retrieval
  • Controlled access to archive areas

Preparing for Data Integrity-Focused Inspections

Before the Inspection

Self-Assessment:

  • Conduct thorough self-inspections focusing on data integrity
  • Review recent deviations and investigations for data integrity concerns
  • Assess compliance with ALCOA+ principles
  • Identify and remediate gaps before inspection

Documentation Review:

  • Ensure all records are complete and readily available
  • Verify audit trails are functional and reviewed
  • Confirm procedures are current and followed
  • Organize documents for efficient retrieval

Personnel Preparation:

  • Brief staff on data integrity expectations
  • Review roles and responsibilities during inspection
  • Ensure staff understand their own work and can explain practices
  • Emphasize importance of honest, accurate responses

During the Inspection

Data Presentation:

  • Provide inspectors with complete, unfiltered data upon request
  • Do not attempt to withhold or sanitize data
  • Ensure rapid retrieval of requested information
  • Provide access to electronic systems as needed

Transparency:

  • Be open and honest about systems and processes
  • Acknowledge known issues and describe remediation plans
  • Do not make excuses for obvious deficiencies
  • Provide clear explanations of procedures and controls

Documentation:

  • Take detailed notes of inspector questions and observations
  • Ensure accurate recording of discussions
  • Request clarification if questions are unclear
  • Document commitments made to inspectors

After the Inspection

Response Preparation:

  • Carefully review Form FDA 483 observations
  • Conduct thorough investigation of cited issues
  • Develop comprehensive corrective and preventive actions (CAPA)
  • Include timelines and responsible parties in responses
  • Address root causes, not just symptoms

Continuous Improvement:

  • Implement lessons learned from the inspection
  • Update procedures and systems as needed
  • Enhance training programs based on identified gaps
  • Monitor effectiveness of corrective actions

Emerging Trends and Future Considerations

Artificial Intelligence and Machine Learning

As pharmaceutical companies increasingly adopt AI and machine learning technologies, new data integrity considerations emerge:

  • Validation of AI/ML algorithms
  • Data quality and bias in training datasets
  • Traceability of AI-driven decisions
  • Documentation of model changes and updates

Digital Transformation

The industry’s digital transformation requires attention to:

  • Integration of disparate data systems
  • Data integrity across cloud platforms
  • Real-time data analytics and monitoring
  • Blockchain and other emerging technologies for data integrity assurance

Global Harmonization

Increasing international harmonization of data integrity expectations:

  • Alignment between FDA, EMA, and other regulatory authorities
  • Adoption of PIC/S guidance globally
  • WHO guidance for developing markets
  • ICH guidance on data integrity principles

Conclusion

Data integrity represents a fundamental aspect of pharmaceutical quality and regulatory compliance. As technology continues to evolve and regulatory expectations become more sophisticated, companies must maintain robust data governance systems that ensure the ALCOA+ principles are embedded throughout their operations.

Successful data integrity management requires:

  • Strong leadership commitment and quality culture
  • Risk-based approach to system controls and validation
  • Comprehensive training and competency programs
  • Regular monitoring and continuous improvement
  • Transparency and honesty with regulatory authorities

By implementing these principles and staying current with evolving regulatory expectations, pharmaceutical companies can maintain high standards of data integrity, protect product quality, ensure patient safety, and maintain regulatory compliance in an increasingly complex global environment.

The advice shared by experienced professionals like Robert C. Fish remains valuable, but must be continually updated to reflect current regulatory landscape and technological advances. Both new and experienced FDA inspectors, as well as pharmaceutical professionals, benefit from staying informed about the latest developments in data integrity requirements and best practices.

The Relationship Between CSV, Qualification, and Process Validation Previous post Keys to Successful FDA Inspection Preparedness Next post

Related post

Comment

There are no comment yet.