Data drives the pharmaceutical and medical device industries. It informs the manufacture and release of medical products to patients and consumers, and determines which products are approved for sale in the US and other markets. And regulators, like the FDA, rely on data to determine whether a manufacturing operation is compliant with cGMP and QSR requirements. Thus, regulators place a very high value on accurate and reliable data, which it uses during inspections to determine whether a company’s operations are compliant.
The FDA demands that the data it reviews be attributable, legible, contemporaneous, original and accurate (ALCOA). Collectively, as FDA’s expectation for this topic, those characteristics constitute data integrity. Data that the agency may review during an inspection appears in a broad range of documents and reports, such as chart recorders, paper and electronic lab notebooks, product release and approval documents, batch release documents, certificates of analysis, raw data, instrument printouts and computer-based data, among others.
Enforcement activity surrounding data integrity has been intensive — for years now. Reviews by Compliance Architects® and other industry experts have found data integrity to be among the most common issues cited in warning letters from the FDA, with significant increases in frequency from 2013 through the present day.
The emphasis the FDA places on data integrity is also highlighted by its continuing focus in talks and workshops on this topic over the last few years. For instance, Sarah Barkow of the FDA Office of Manufacturing Quality and Karen Takahashi of the agency’s Office of Policy for Pharmaceutical Quality gave a presentation on agency expectations regarding data integrity compliance at the Society of Quality Assurance’s annual meeting in March 2017. Barkow and Takahasi reiterated the ALCOA concept and stated repeatedly that data integrity underpins cGMP compliance.
Using Existing Requirements and Guidance to Ensure Valid Data
To inform and educate industry the agency clarified its regulatory position in a guidance, entitled Data Integrity and Compliance with Drug cGMP: Questions and Answers. The guidance was issued in draft form in April 2016 and finalized in December 2018. Medical product manufacturers need to thoroughly review, digest and apply the recommendations in this document to help ensure that data integrity is an integral part of their company’s overall quality systems.
FDA regulations and guidances form the bedrock upon which a strong data integrity program is built. As such, application of these regulations and guidances, along with prevailing industry standards, is the first of the seven elements necessary to ensure data integrity within an operation (see accompanying illustration). Detailed analysis of, and actions for, meeting FDA requirements and expectations will ensure that companies establish sound internal standards and incorporate systems and practices into their quality operations that support strong outcomes for data integrity.
FDA’s specific regulatory requirements for data integrity can be found throughout 21 CFR 211 for drug GMPs, 21 CFR 820, the Quality Systems Regulation for medical devices, and 21 CFR 111, covering GMPs for dietary supplements. However, because regulatory requirements are often not directly actionable, FDA’s December 2018 guidance is intended to provide a clearer explanation of exactly what the agency expects in terms of data integrity. At the heart of the document is a definition of data integrity, which the guidance refers to as the “the completeness, consistency, and accuracy of data.” Expanding on this short definition, FDA maintains that a company’s quality system should be designed with controls intended to “detect errors and aberrations throughout the data’s life cycle.”
In the introduction to the guidance FDA, referencing ICH Q7, states that: “FDA expects that data be reliable and accurate …. CGMP regulations and guidance allow for flexible and risk-based strategies to prevent and detect data integrity issues. Firms should implement meaningful and effective strategies to manage their data integrity risks based upon their process understanding and knowledge management of technologies and business models.”
FDA also explicitly outlines that management has final responsibility to require practices aimed at protecting data integrity: “It is the role of management with executive responsibility to create a quality culture where employees understand that data integrity is an organizational core value and employees are encouraged to identify and promptly report data integrity issues.”
In addition to data in quality records and other agency-reviewable reports and documents, the guidance notes, metadata—the contextual information required to understand data—must also meet the same ALCOA characteristics. The guidance recommends that companies maintain data throughout a given record’s retention period, along with all associated metadata that is necessary to reconstruct the cGMP activity described, with relationships between the data and metadata clearly described and traceable. It also discusses the need to validate all workflow on computer systems, including creation of electronic master production and control records.
In addition to FDA guidance, there are many industry, regulator and NGO guidances and standards that can help a company to build a strong data integrity program that permeates all facets of their quality systems. These include:
- ISPE’s GAMP approach to data integrity;
- PDA’s Elements of a Code of Conduct for Data Integrity in the Pharmaceutical Industry and Assuring Data Integrity for Life Sciences;
- The WHO Final Guidance on Good Data and Record Management Practices (Annex 5; 2016);
- MHRA’s Definitions and Draft Guidance (March and July 2016);
- EMA’s Guidance (August 2016); and
- The PIC/S Good Practices for Data Management (August 2016).
Using a broad set of resources, medical product manufacturers can begin constructing their data integrity compliance programs. A good first step is creation of a consolidated requirements document from available requirements, guidance, and the previously outlined third-party created documents. The consolidated requirements document must provide standards of practice and must be consistent across all operations. Following development of a consolidated requirements document, the next step is development of corporate policies that define “corporate intent” relative to data integrity requirements and expectations. From these policies, derivative corporate standards will arise for quality systems, procedures, audits, and focus areas. The standards will define corporate minimum approaches for internal activities. From that point, companies must:
- Develop internal quality system documentation to ensure alignment to the corporate standards and ensure consistent vertical cascade to operational documents;
- Establish a comprehensive trace matrix to link requirements, expectations and enforcement to policies, standards and systems; and
- Ensure that all staff are trained in those requirements and expectations, as drawn from all input documents, standards, policies and procedures.
The FDA Data Integrity Enforcement Risk
Failure to comprehensively implement strong data integrity quality assurance programs will almost certainly create data integrity failures that may lead to significant FDA 483 observations and ultimately, a warning letter. If this occurs, pharmaceutical and medical device companies must be prepared to provide thorough responses to the Agency’s consistent data integrity warning letter demand language. The actions FDA seeks through these requirements are extensive, and can cost companies large sums of money to achieve. The agency will require a comprehensive investigation into the extent of the inaccuracies in data records and reporting, including:
- A detailed investigation protocol and methodology, a summary of all laboratories, manufacturing operations, and systems to be covered by the assessment and a justification for any part of operations excluded;
- Interviews with current and former employees to identify the nature, scope and root cause of data inaccuracies, conducted by a qualified third party;
- Assessment of the extent of data integrity deficiencies at the facility, including identification of omissions, alterations, deletions, record destruction, non-contemporaneous record completion and other deficiencies; and
- A comprehensive retrospective evaluation of the nature of the data integrity deficiencies, ideally by a qualified third party with specific expertise in the area where potential breaches were identified.
Companies also need to be able to provide a current risk assessment of the potential effects of the observed failures on the quality of your products. The assessment should include analyses of the risks to patients caused by the release of product affected by a lapse of data integrity, and risks posed by ongoing operations.
Additionally, a management strategy that details global corrective and preventive actions will be required. This strategy should include a detailed plan to ensure the reliability and completeness of all of data generated, along with a comprehensive description of the root causes of all data integrity lapses, including evidence that the scope and depth of the current action plan is commensurate with the findings of the investigation and risk assessment, as well as any interim measures taken to ensure product quality and patient safety.