The FDA and other global regulators rely on reviews of data during inspections to determine whether a pharmaceutical or medical device manufacturer is operating within regulatory requirements and expectations. The credibility of that data is a crucial parameter in the regulator’s assessment of whether operations are compliant—or not. Data integrity refers to the credibility—meaning reliability, validity, authenticity and trustworthiness—of various data presented for regulator review. Questions about the integrity of data presented in regulator-reviewed documentation always raise red flags about the compliance state of your operation and the levels of control within the medical product manufacturing system.
Since data collection and reporting are foundational for virtually all cGMP and QSR requirements, the notion of data integrity is foundational to all aspects of regulatory compliance. And today, all regulators, FDA and other international bodies, take the concept very seriously. Questions about data integrity are among those most frequently appearing as FDA Form 483 observations and warning letter citations. Out of 15 cGMP-related warning letters issued to drug firms and four QSR-related letters to device companies in 2019 and posted to the FDA website, approximately nine included at least one citation related to data integrity, according to a review by Compliance Architects®.
The issue was highlighted by a Bloomberg article last year, which examined ongoing issues at Mylan manufacturing sites, many involving data integrity.
And this is most definitely not a new trend. In a January 2017 guest column for Pharmaceutical Online, Barbara Unger of Unger Consulting highlighted the emphasis on data integrity in FDA enforcement activity during the 2013-2016 period. Figure 1, below, illustrates this growing emphasis going back years now.
Figure 1: FDA Data Integrity Enforcement Trends
It’s important to note that the words “data integrity” may not appear in such citations. Rather, companies might see such statements as the following:
- Raw materials, intermediates, and finished API analytical results found to be failing specifications or otherwise suspect (e.g. OOT) are retested until acceptable results are obtained. These failing or otherwise suspect results are not reported.
- Failure to document production and analytical testing activities at the time they are performed.
- Failure to prevent unauthorized access or changes to data and to provide adequate controls to prevent omission of data.
- Appropriate controls are not exercised over computers or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel.
- Failure to maintain complete data derived from all testing, and to ensure compliance with established specifications and standards.
- During our inspection, we observed multiple examples of incomplete, inaccurate, or falsified laboratory records.
And although the wording may vary, all such citations relate to the faith—or lack thereof—that agency investigators have in the information provided by drug and device companies about their manufacturing operations. Characteristics that the FDA considers when determining the credibility of data include attributability, legibility, contemporaneous recording, originality and accuracy, often abbreviated as ALCOA.
Companies can avoid regulatory and other fallout due to poor data integrity practices by comprehensively implementing a seven-program-element approach within their overall quality systems (see box above).
Filling the data integrity gaps
To fully understand the concept of data integrity, medical product manufacturers need a clear picture of what comprises data from the FDA and other regulators perspective. Examples of data include charts that record information, paper and electronic lab notebooks, product release and approval information, batch release documentation, certificates of analysis, raw data, instrument printouts and computer-based data, among others.
Companies can face numerous obstacles to having reliable data and information to present for inspections. Many challenges come down to unintentional errors or negligent conduct due to:
- Lack of awareness;
- Lack of defined expectations from management;
- Lack of procedural or positive controls;
- Lack of adequate supervision and oversight;
- Failure to prioritize importance of data integrity;
- Tolerance for sloppy or unprofessional work;
- Lack of periodic “checks” on performance;
- Lack of technology controls;
- Pressure on personnel to achieve outcomes; and
- A “whatever it takes” culture.
And in some instances, data integrity gaps may be due to purposeful, deliberate conduct aimed at gaining monetary, professional or personal gain. This can occur when the risk from non-compliance is greater than that from wrongful conduct. If management creates a culture that presents data manipulation as a victimless crime, or directs staff to fudge numbers to meet customer service requirements or for financial gain, employees may fail to ensure the integrity of data presented in FDA-facing records that are reviewed during inspections.
But the FDA and other regulators don’t care whether data integrity gaps are due to deliberate or unintentional acts. As far as FDA is concerned, if it cannot rely on the data, then it cannot be assured that manufacturing operations are compliant. And the ramifications for noncompliance can be serious—both in enforcement and customer perception terms—for pharma and medical device manufacturers.
As with other cGMP and QSR requirements, the FDA expects medical product manufacturers to apply a risk-based approach to data integrity. The overall data integrity compliance risk profile is the sum of all data integrity gaps, which can be grouped into three categories: known and documented gaps, known and undocumented gaps, and unknown, undocumented gaps.
Pharma and medical device manufacturers are responsible for identifying, documenting and addressing all gaps. Thus, the first step toward ensuring data integrity across all quality-related systems and activities is a comprehensive assessment of all potential gaps, so that all areas of concern are identified (known) and documented.
Using the comprehensive seven-program-element approach (listed in the box above), companies can be confident that this structural approach will maximize the prospect of ensuring data integrity throughout all operations. Figure 2, below, illustrates how several of the seven program elements, which Compliance Architects® will explore in greater depth in future articles, can work together to create a comprehensive data integrity program that produces data in which the FDA and other regulators will have faith.
Figure 2: How It Fits Together – A Structural Approach