未分類

FDA Issues Comprehensive Guidance on Data Integrity and CGMP Compliance

FDA Issues Comprehensive Guidance on Data Integrity and CGMP Compliance

December 12, 2018

In December 2018, the U.S. Food and Drug Administration (FDA) finalized and published the guidance document titled “Data Integrity and Compliance With Drug CGMP Questions and Answers Guidance for Industry.” This guidance represents a significant milestone in FDA’s regulatory framework, addressing the growing concerns about data integrity violations observed during Current Good Manufacturing Practice (CGMP) inspections in recent years.

Background and Purpose

The FDA developed this guidance in response to an increasing number of CGMP violations related to data integrity that have led to numerous regulatory actions, including warning letters, import alerts, and consent decrees. The underlying principle of CGMP, as established in 21 CFR parts 210, 211, and 212, is to ensure that drugs meet the Federal Food, Drug, and Cosmetic Act (FD&C Act) standards for safety, identity, strength, quality, and purity.

The guidance clarifies FDA’s expectations regarding the creation, handling, and management of data throughout its lifecycle in accordance with CGMP requirements. It emphasizes that ensuring data integrity is not merely a compliance obligation but a fundamental responsibility of pharmaceutical manufacturers to protect public health.

Understanding Data Integrity: The ALCOA Principles

At the core of the guidance is the definition of data integrity, which the FDA describes as the completeness, consistency, and accuracy of data. The guidance introduces and explains the well-established ALCOA principles, which serve as the foundation for data integrity:

ALCOA PrincipleMeaningCGMP Reference
AttributableData must be traceable to the specific individual who performed the activity§§ 211.101(d), 211.122, 211.186, 211.188(b)(11), 212.50(c)(10)
LegibleData must be recorded permanently in a form that can be read throughout the record retention period§§ 211.180(e), 212.110(b)
ContemporaneousData must be recorded at the time the activity is performed§§ 211.100(b), 211.160(a)
OriginalData must be the original record or a true copy of the original§§ 211.180, 211.194(a)
AccurateData must be free from errors and reflect what actually occurred§§ 211.22(a), 211.68, 211.188, 212.60(g)

These principles apply throughout the entire data lifecycle, including creation, modification, processing, maintenance, archival, retrieval, transmission, and disposition after the record’s retention period ends.

Key Concepts and Definitions

The guidance clarifies several critical terms that are essential for understanding FDA’s expectations:

Metadata: The guidance defines metadata as “data about data” – the contextual information required to understand data. For example, the number “23” is meaningless without metadata such as the unit “mg,” the date and time of measurement, the user who performed the test, and the instrument used. Importantly, data must be maintained with all associated metadata throughout the record’s retention period, and the relationships between data and metadata must be preserved in a secure and traceable manner.

Audit Trail: A secure, computer-generated, time-stamped electronic record that allows for reconstruction of the course of events relating to the creation, modification, or deletion of an electronic record. Audit trails are essential for maintaining CGMP-compliant record-keeping practices and must be reviewed as part of routine record review processes.

Static vs. Dynamic Records: Static records are fixed-data records such as paper records or electronic images, while dynamic records allow interaction between the user and the record content. For instance, a dynamic chromatographic record may allow the user to reprocess data, while a static printout cannot. This distinction is crucial for determining appropriate record retention practices.

Critical Requirements and Expectations

The guidance addresses eighteen specific questions that clarify FDA’s expectations in key areas:

System Validation: Each CGMP workflow on a computer system must be validated for its intended use. Simply qualifying the computer system platform does not demonstrate that specific workflows, such as electronic Master Production and Control Records (MPCRs), contain correct calculations and perform properly.

Access Control: Access to CGMP computer systems must be restricted to authorized personnel only. The guidance strongly discourages the use of shared login accounts, as they prevent the attribution of actions to specific individuals, which is a fundamental CGMP requirement. Even shared, read-only accounts do not satisfy requirements for actions such as second-person review to be attributable to specific individuals.

Data Invalidation: The guidance provides clear criteria for when it is permissible to invalidate CGMP results and exclude them from batch conformance determinations. Invalidation requires a valid, documented, scientifically sound justification based on a thorough investigation. Importantly, even legitimately invalidated data must be retained in the complete CGMP batch record along with the investigation report justifying the invalidation.

Original Record Retention: The guidance clarifies when paper printouts or static records can substitute for original electronic records. For instruments that create dynamic electronic records, such as FT-IR (Fourier Transform Infrared Spectroscopy), a paper printout or static record does not preserve the complete original record and therefore does not satisfy CGMP requirements.

Audit Trail Review: Personnel responsible for record review under CGMP must review audit trails that capture changes to data as part of their regular record review activities. The frequency of audit trail review should match the frequency specified for the data itself in CGMP regulations or be determined using risk-based approaches.

Management Responsibility and Quality Culture

A particularly significant aspect of the guidance is its emphasis on management’s role in fostering a quality culture. The guidance explicitly states that “it is the role of management with executive responsibility to create a quality culture where employees understand that data integrity is an organizational core value and employees are encouraged to identify and promptly report data integrity issues.”

The guidance warns that in the absence of management support for a quality culture, quality systems can break down and lead to CGMP noncompliance. This represents a shift toward holding senior management accountable for data integrity issues rather than viewing them solely as operational or technical problems.

Addressing Data Integrity Problems

When data integrity problems are identified, the FDA recommends a comprehensive remediation approach that includes:

  • Conducting thorough investigations to determine the scope and root causes of problems
  • Performing scientifically sound risk assessments of potential effects, including impacts on data used to support regulatory submissions
  • Implementing a global corrective action and preventive action (CAPA) plan that addresses root causes
  • Potentially retaining third-party auditors for independent assessment
  • Removing individuals responsible for data integrity lapses from positions where they can influence CGMP-related or drug application data
  • Improving quality oversight and enhancing computer systems
  • Creating mechanisms to prevent recurrences, such as anonymous reporting systems and data governance frameworks

Industry Impact and Implementation

The issuance of this guidance has had a profound impact on the pharmaceutical industry. Companies have had to invest significantly in:

  • Upgrading legacy computer systems to ensure they meet modern data integrity standards
  • Implementing robust audit trail functionality and review processes
  • Training personnel at all levels on data integrity principles and practices
  • Establishing data governance frameworks with dedicated oversight roles
  • Reviewing and revising hundreds of standard operating procedures (SOPs) to align with guidance expectations
  • Conducting gap assessments and implementing remediation plans for existing systems

Regulatory Landscape Since 2018

Since the publication of this guidance, data integrity has remained a top enforcement priority for FDA. The agency continues to issue warning letters citing data integrity violations, and these citations often reference specific sections of the 2018 guidance. The guidance has also influenced regulatory approaches globally, with other health authorities such as the European Medicines Agency (EMA), the UK’s Medicines and Healthcare products Regulatory Agency (MHRA), and the Pharmaceutical Inspection Co-operation Scheme (PIC/S) issuing their own data integrity guidance documents that align with FDA’s expectations.

The guidance document remains non-binding, meaning companies can implement alternative approaches provided they satisfy the requirements of applicable statutes and regulations. However, the guidance represents FDA’s current thinking and has become the de facto standard for data integrity compliance in the pharmaceutical industry.

Conclusion

FDA’s Data Integrity Guidance represents a comprehensive framework for ensuring the reliability and accuracy of data throughout the pharmaceutical manufacturing lifecycle. By clarifying expectations around key concepts such as ALCOA principles, metadata, audit trails, and system validation, the guidance provides manufacturers with a clear roadmap for compliance. Perhaps most importantly, the guidance emphasizes that data integrity is not merely a technical or compliance issue but a fundamental aspect of pharmaceutical quality culture that requires active engagement and leadership from senior management.

For pharmaceutical companies, ongoing vigilance and continuous improvement in data integrity practices remain essential. As technology evolves and new manufacturing paradigms emerge, the principles outlined in this guidance continue to serve as the foundation for maintaining trust in pharmaceutical data and, ultimately, protecting public health.

Reference: FDA Guidance for Industry: Data Integrity and Compliance With Drug CGMP Questions and Answers (December 2018). Available at: https://www.fda.gov/regulatory-information/search-fda-guidance-documents/data-integrity-and-compliance-drug-cgmp-questions-and-answers-guidance-industry

Quality Risk Management: Understanding ICH Q9 and the Revised GMP Regulations Previous post Understanding the Concept of "Organization" in ISO Standards Next post

Related post

Comment

There are no comment yet.