The FDA has long taken a risk-based approach to manufacturer GMP compliance expectations and enforcement actions, as well as requiring pharmaceutical and medical device manufacturers to do the same in their quality system operations. Similarly, companies can also use risk management approaches to rapidly reduce organizational risk in their data integrity efforts, by directing their keenest focus on systems, data and recorded information that FDA is known to scrutinize during inspections. By focusing on these areas, and doing so throughout the data life cycle, medical product manufacturers maximize their data quality assurance outcomes, while most effectively using their precious resources, satisfying both regulators and internal business stakeholders.
The FDA expects pharmaceutical and medical device companies to incorporate risk quantification and management principles into their quality systems and corporate culture. This approach is no less important when considering data integrity controls than when considering any other required regulatory control. A close examination of where FDA spends its time performing data review and scrutiny during inspections provides a roadmap to those areas that create the most significant FDA data integrity enforcement risk. These focus areas should exhibit the maximum rigor of company controls, proactive challenge actions and governance practices to maximize the likelihood of meeting regulator requirements and expectations.
The six areas listed above are generally considered to pose the greatest risk for data integrity concerns. When developing data integrity review protocols within their quality systems, manufacturers need to examine these areas closely to ensure that adequate controls are exerted over key activities and that rigorous, proactive challenges are applied.
Because all laboratory operations generate data that are core to product quality outcomes throughout the manufacture and release continuum, the integrity of this information is of paramount concern to regulators. Types of lab testing that will receive FDA attention during an inspection may include sampling, raw material/incoming testing, in-process testing, component, batch and product release testing, stability testing and bio-analytical testing.
Data associated with product development and clinical studies will also be rigorously reviewed. For clinical studies, data and system management at study centers, as well as the reporting and analysis of raw data, are considered especially critical, as this is the information the FDA will use to determine whether a product may be cleared for marketing in the US.
Manual or quasi-manual build activities—such as compounding, assembly and rework—also pose significant risks that must be identified, addressed and mitigated. Warning letters alleging improper data surrounding compounding operations are a fairly common occurrence.
FDA expects all data, regardless of type or source, to be attributable, legible, contemporaneous, original and accurate (ALCOA).
In the current context, of particular importance is the original and contemporaneous recording of all data. Raw lab and other data must be entered as generated, whether manually or via computer-facilitated equipment, and the context of that entry must be validated by providing the date recorded, who recorded it and a unique identifier. Closely related to the originality requirement is the notion of attribution and non-repudiation; procedures to ensure attributability of data include signature and handwriting logs, password controls, biometric logs and database encryption. Limits on recording options are a key part of demonstrating data protections, and thus, the integrity of data presented to the FDA. These can include numbered log books and limited computer-based tools available for employees to use. These controls need to be spelled out in SOPs and management must ensure that all employees adhere strictly to those SOPs.
Other areas that medical product manufacturers are well-advised to focus on include data supporting the suitability of the physical manufacturing plant and equipment, including equipment logs, information about maintenance and calibration activities and water sampling data. This includes validation and technical transfer data, as well as data supporting commercialization and product launch by proving conformance to predetermined criteria for acceptability.
It is important to remember that transference of data must be conducted under strict controls to ensure data integrity. Companies must validate transference procedures to demonstrate that the task can be accomplished securely, addressing forward migration, re-purposing and conveyance of data outside the originating entity, such as data moving between a product sponsor and a contract manufacturer.
Quantifying Data Integrity Risk
As with actual manufacturing operations, pharmaceutical and medical device companies must quantify risks associated with data integrity. This must necessarily start with a thorough evaluation of the current controls, looking at the sophistication and extent of data integrity controls already used across company operations.
A thorough understanding of regulatory requirements, practical FDA expectations and current industry best practices must inform this evaluation. This understanding will help companies identify and document all gaps—including those previously unknown—in data integrity, as well as providing an outline for how to close those gaps.
For medical products, risk to patients is a paramount concern of regulators charged with protection of public health. Therefore, evaluation of data integrity controls must include the link between the data and both product quality outcomes and patient therapeutic outcomes.
But companies must also look at process considerations as part of their overall risk evaluation. These should include the sophistication of existing business processes, the importance of the data to current business or financial objectives and the volume of data that is recorded, generated and used as part of normal, day-to-day operations.
With all of these considerations in mind, companies should identify and inventory all processes and systems that create, capture, store, manipulate, report, or convey information or data, applying a factor-based analysis, as illustrated in Figure 1, below, to each individual system or process identified.
Figure 1: Factor-Based Analysis to Data Integrity Process Risk Differentiation / Prioritization
Using this approach, companies can group, prioritize and sort the processes for required quality system rigor, and develop a control plan for noted gaps and risks. Companies may also need to develop remediation plans if serious problems are identified during this activity. Groupings may be as basic as high, medium and low priority, or may use other classifications such as computer-based data risk or fraud risk. A system control map, including remediation activities, if any, can be a helpful tool. Management and staff involved in this process should report regularly on the plan’s status, any changes and progress on any necessary remediation.
Controlling Data Integrity Throughout the Data Life Cycle
A fundamental principle of data integrity is that it is not enough to simply control data as it is initially recorded. Data integrity must be maintained throughout the life cycle of all information subject to regulatory review and scrutiny. Data life cycle management refers to how a company handles a discrete piece of data or information from its “birth”—when it is first generated and entered into some sort of record—through its “death,” which occurs when a company no longer needs to retain data about a given activity. Data life cycle management controls are an essential element of the Compliance Architects® seven-element program to ensure data integrity. Companies need to establish comprehensive controls that flow from unequivocal requirements for how all data is recorded, migrated from one medium or format to another, reported, repurposed (e.g., for basic research rather than clinical data) and forwarded. These requirements must clearly outline how data integrity will be protected from inception through retirement of the data or information in question.
Companies need to apply a comprehensive approach to data and information management that addresses whatever type of systems they use to record, store and use data. For many companies, this will involve computer-based systems, though some may also use traditional, paper-based methods.
For instance, raw data controls must include validation of associated metadata, which provide context for the data as reviewed by the FDA or other regulators. This includes the previously discussed requirements for the date the information was recorded, the name of the individual who did the recording, and some sort of a unique and traceable identifier. Signature and handwriting logs, passwords, biometric logs and database encryption requirements can ensure attribution and non-repudiation of data not only as it is created, but at every step throughout its life cycle, as can limits on who can record or edit data and how they may do so.
When developing data life cycle management controls, companies must first identify critical control points for each type of data and establish robust controls at each of those points. SOPs must describe those controls for all paper and computer-based systems; all pertinent employees must follow those SOPs precisely. These controls should be incorporated into a broader Good Document/Data Practices program that is integrated into both individual control activities and the company's overall quality system.