Data drives the pharma and medical device industries. It informs the manufacture and release to consumers of medical products and determines which products are approved for sale in the US and other markets. And regulators like the FDA rely on data to determine whether a manufacturing operation is compliant with cGMP and QSR requirements. Thus, they place a very high value on accurate and reliable data, which it uses during inspections to determine whether a company’s operations are compliant.
The FDA demands that the data it reviews be attributable, legible, contemporaneous, original and accurate (ALCOA); collectively, those parameters make up data integrity. Data that the agency may review during an inspection appears in a broad range of documents and reports, such as chart recorders, paper and electronic lab notebooks, product release and approval documents, batch release documents, certificates of analysis, raw data, instrument printouts and computer-based data, among others.
Enforcement activity has been high. Reviews by Compliance Architects and other industry experts have found data integrity to be among the most common issues cited in warning letters from the FDA, with significant increases in frequency from 2013 through the present day. Some notable warning letters have been for:
- A TEVA site in Hungary (October 2016);
- A Wockhardt Ltd. site in India (December 2016);
- A Megafine Pharma site in India (February 2017);
- A Jinan Jinda Pharmaceutical Chemistry site in India (February 2017);
- A USV Private Ltd. site in India (March 2017);
- A Mylan Pharmaceuticals site in India (April 2017); and
- A Divi Laboratories site in India (April 2017).
The emphasis the FDA places on data integrity is also highlighted by its continuing focus in talks and workshops on this topic over the last few years. For instance, Sarah Barkow of the FDA Office of Manufacturing Quality and Karen Takahashi of the agency’s Office of Policy for Pharmaceutical Quality gave a presentation on agency expectations regarding data integrity compliance at the Society of Quality Assurance’s annual meeting in March 2017. Barkow and Takahasi reiterated the ALCOA concept and stated repeatedly that data integrity underpins cGMP compliance.
Using the FDA Guidance to Ensure Good Data
More formally, the agency also clarified its regulatory position in a guidance, entitled Data Integrity and Compliance with Drug cGMP: Questions and Answers. The guidance was issued in draft form in April 2016 and finalized in December 2018. Medical product manufacturers need to attend closely to the recommendations in that document to help ensure that data integrity is an integral part of their overall quality systems.
FDA regulations and guidances form the bedrock upon which a strong data integrity program lies. As such, application of these regulations and guidances, along with prevailing industry standards, is the first of the seven elements necessary to ensure data integrity within an operation, as the box above shows. Fully understanding FDA expectations will ensure that companies establish sound internal standards and incorporate systems and practices into their quality operations that support data integrity.
The precise regulatory requirements can be found in 21 CFR 211 for drug GMPs, 21 CFR 820, the Quality Systems Regulation for medical devices, and 21 CFR 111, covering GMPs for dietary supplements. However, the December 2018 guidance may offer clearer explanation of exactly what the agency expects in terms of data integrity. At the heart of the document is a definition of data integrity, which the guidance refers to as the cGMP/QSR data life cycle. A company’s quality system should be designed with controls intended to detect errors and aberrations throughout the data’s life cycle.
The introduction to the guidance states that: “FDA expects that data be reliable and accurate (see the “Background” section). CGMP 24 regulations and guidance allow for flexible and risk-based strategies to prevent and detect data 25 integrity issues. Firms should implement meaningful and effective strategies to manage their data 26 integrity risks based upon their process understanding and knowledge management of 27 technologies and business models.”
It also takes the extra step of specifically mentioning that management has final responsibility to require practices aimed at protecting data integrity: “It is the role of management with executive responsibility to create a quality culture where employees understand that data integrity is an organizational core value and employees are encouraged to identify and promptly report data integrity issues.“
In addition to the data presented in agency-facing reports and documents, the guidance notes, metadata—the contextual information required to understand data—must also meet the same ALCOA parameters. The guidance recommends that companies maintain data throughout a given record’s retention period, along with all associated metadata that is necessary to reconstruct the cGMP activity described, with relationships between the data and metadata clearly described and traceable. It also discusses the need to validate all workflow on computer systems, including creation of electronic master production and control records.
In addition to the FDA guidance, companies can turn to various industry-developed standards to help build a strong data integrity program that permeates all facets of their quality systems. These include:
- ISPE’s GAMP approach to data integrity;
- PDA’s Elements of a Code of Conduct for Data Integrity in the Pharmaceutical Industry and Assuring Data Integrity for Life Sciences;
- The WHO Final Guidance on Good Data and Record Management Practices (Annex 5; 2016);
- MHRA’s Definitions and Draft Guidance (March and July 2016);
- EMA’s Guidance (August 2016); and
- The PIC/S Good Practices for Data Management (August 2016).
Using these resources, medical product manufacturers can begin constructing their data integrity compliance programs. A good first step is creation of a consolidated requirements document from the FDA regulations and guidance, along with any applicable industry documents. The consolidated requirements must be consistent across all operations. A next step is development of corporate policies that define “corporate intent” relative to data integrity requirements and expectations. From these policies, derivative corporate standards will arise for quality systems, procedures, audits, and focus areas. The standards will define corporate minimum approaches for internal activities. From that point, companies must:
- Develop internal quality system documentation to ensure alignment to the corporate standards and ensure consistent vertical cascade to operational documents;
- Establish a comprehensive trace matrix to link requirements, expectations and enforcement to policies, standards and systems; and
- Ensure that all staff are trained in those requirements and expectations, as drawn from all input documents, standards, policies and procedures.
What if You Get a Warning Letter?
Sometimes, despite a company’s best efforts, data integrity problems may arise and lead to a warning letter. Pharma and medical device companies must be prepared to give a thorough response to the typical data integrity warning letter demand. That means they must be familiar with the FDA’s standard response demand when it makes data integrity-related findings.
The agency will require a comprehensive investigation into the extent of the inaccuracies in data records and reporting. That investigation should include:
- A detailed investigation protocol and methodology, a summary of all laboratories, manufacturing operations, and systems to be covered by the assessment and a justification for any part of operations excluded;
- Interviews with current and former employees to identify the nature, scope and root cause of data inaccuracies, conducted by a qualified third party;
- Assessment of the extent of data integrity deficiencies at the facility, including identification of omissions, alterations, deletions, record destruction, non-contemporaneous record completion and other deficiencies; and
- A comprehensive retrospective evaluation of the nature of the data integrity deficiencies, ideally by a qualified third party with specific expertise in the area where potential breaches were identified.
Companies also need to be able to provide a current risk assessment of the potential effects of the observed failures on the quality of your drugs. Your assessment should include analyses of the risks to patients caused by the release of drugs affected by a lapse of data integrity, and risks posed by ongoing operations.
Additionally, a management strategy that details global corrective and preventive actions will be required. This strategy should include a detailed plan to ensure the reliability and completeness of all of data generated, along with a comprehensive description of the root causes of all data integrity lapses, including evidence that the scope and depth of the current action plan is commensurate with the findings of the investigation and risk assessment, as well as any interim measures taken to ensure product quality and patient safety.