On December 12, 2018, the U.S. Food and Drug Administration (FDA) issued “Data Integrity and Compliance With Drug CGMP: Questions and Answers: Guidance for Industry” (the “2018 Guidance”). The purpose of the 2018 Guidance is to clarify the role of data integrity in the drug manufacturing environment, particularly as data integrity relates to current good manufacturing practices (CGMPs).
Product quality and compliance with the Federal Food, Drug, and Cosmetic Act (FDCA) and all applicable regulatory requirements are, at the most basic level, supported by data. FDA expects this data to be reliable and accurate. The integrity of data, from the moment it is generated, and extending through to the end of its life cycle, is critical to ensuring that only high-quality and safe drugs are manufactured. Firms are expected to identify, manage, and minimize the data integrity risks associated with their data, products, equipment, technology, processes, and even their people.
Since 2014, FDA has issued an increasing number of Warning Letters with data integrity concerns. These Warning Letters have identified conduct such as disabling audit trail functions at the time of the inspection, “unofficial” testing of samples, discarded results, testing into compliance, unreported failing results, batch records signed by individuals who did not perform the review, and activities that were not performed, but were still recorded in batch records as having occurred. These types of observations prompted FDA to initially issue a draft guidance (“Data Integrity and Compliance With CGMP”) (the “Draft Guidance”) in April 2016. On December 12, 2018, shortly after FDA Commissioner Scott Gottlieb delivered remarks at the Food and Drug Law Institute’s 2018 Enforcement, Litigation, and Compliance Conference about FDA’s continued focus on data integrity initiatives, FDA released the 2018 Guidance.
In this client advisory, we will discuss the highlights from the 2018 Guidance, including key changes from the Draft Guidance, and provide some considerations as companies enhance their data integrity programs based on the 2018 Guidance.
In the 2018 Guidance, FDA has refined its thinking on data integrity to:
- Clarify the scope of the products subject to the guidance.
- Emphasize the Agency’s authority to enforce data integrity requirements.
- Discuss the role of computerized systems, and its expectation that industry employ and validate appropriate technical and procedural controls to meet CGMP documentation requirements for electronic systems.
- Underscore the role of the Quality Unit in reviewing complete data packages, making fundamental dispositions based on this review, and ensuring that any review and approval is valid, documented, and scientifically justified.
- Ensure that firms understand that an investigation with a scientifically sound justification includes a risk assessment that comprehensively evaluates the potential effects of the data integrity lapse, including potential impact on data that supports pending submissions.
- Stress the role of senior management in preventing and addressing data integrity issues.
- Remind industry that information about data integrity lapses must be investigated under an establishment’s quality system, regardless of intent.
FDA’s statutory authority for CGMPs derives from Section 501(a)(2)(B) of the FDCA. The 2018 Guidance inserts language regarding this statutory authority, and clarifies that FDA has the authority to enforce data integrity requirements embedded in 21 C.F.R. parts 211 and 212, for finished pharmaceuticals and Positron Emission Tomography (PET) drugs, respectively, and those requirements described in ICH Q7, which applies to active pharmaceutical ingredients (APIs). Given the current Administration’s position on the lack of authority to take enforcement action based on guidance, FDA appears to assert that its enforcement authority for actions related to data integrity comes from the FDCA, not the 2018 Guidance. Consistent with this approach, FDA has expanded the list of regulatory provisions that establish requirements related to data integrity.1
The 2018 Guidance contains new language emphasizing the importance of having a data integrity strategy and ensuring that management contributes to the development and implementation of that strategy. A company’s data integrity strategies “should consider the design, operation, and monitoring of systems and controls based on risk to patient, process, and product.” The 2018 Guidance states that involvement of management in these strategies is “essential,” and “[i]t is the role of management with executive responsibility to create a quality culture where employees understand that data integrity is an organizational core value and employees are encouraged to identify and promptly report data integrity issues.” As a means of helping executives in developing their strategy, the Background section now includes a list of the following threshold questions that establishments should ask in considering how to meet data integrity-related CGMP regulatory requirements:
- Are controls in place to ensure that data is complete?
- Are activities documented at the time of performance?
- Are activities attributable to a specific individual?
- Can only authorized individuals make changes to records?
- Is there a record of changes to data?
- Are records reviewed for accuracy, completeness, and compliance with established standards?
- Are data maintained securely from data creation through disposition after the record’s retention period?
These questions provide insight into FDA’s current thinking about the type of data integrity program it expects to see, and they should be incorporated into any self-evaluation that senior management directs.
Invalidated testing results (Question 2)
When is it permissible to exclude CGMP data from decision making?
When is it permissible to invalidate a CGMP result and exclude it from the determination of batch conformance?
The revised question in the 2018 Guidance is more narrowly tailored, and is consistent with FDA’s, “Guidance for Industry: Investigating Out-of-Specification (OOS) Test Results for Pharmaceutical Production” (October 2006) (OOS Guidance), which provides criteria for when OOS results may be considered invalid. FDA’s OOS Guidance distinguishes between laboratory testing results that should be invalidated when there is clear evidence of a laboratory error, as opposed to a full-scale OOS investigation in circumstances when evidence of the laboratory error remains unclear. The 2018 Guidance is focused on the documentation of the original data, as well as the investigation report that justifies the decisions in the CGMP record, including reasons for the invalidation of test results, and the rationale for a disposition decision.
Investigating suspected data integrity issues (Question 15)
Can an internal tip regarding a quality issue, such as potential data falsification, be handled informally outside of the documented CGMP quality system?
Can an internal tip or information regarding a quality issue, such as potential data falsification, be handled informally outside of the documented CGMP quality system?
In the Draft Guidance, Q15 asked if “an internal tip regarding a quality issue,” such as potential data falsification, can be handled without formally documenting it within the CGMP quality system. FDA expanded this question in the 2018 Guidance to include the handling of “an internal tip or information regarding a quality issue.”
In the 2018 Guidance, FDA explains in its revised answer to Q15 that quality issues must be investigated under the establishment’s quality system “[r]egardless of intent or how or from whom the information was received.” In doing so, FDA makes it clear that intent is not required: deliberate falsification and unintended errors are data integrity lapses that must be addressed under the quality system. The changes in the 2018 Guidance expand the scope of potential data sources beyond compliance hotlines, to include any source of information, including internal audits and independent third-party assessments.
Addressing known data integrity issues (Question 18)
How does FDA recommend data integrity problems identified during inspections, in warning letters, or in other regulatory actions be addressed?
How does FDA recommend data integrity problems be addressed?
In the 2018 Guidance, FDA eliminated the reference to data integrity problems “identified during inspections, in warning letters, or in other regulatory actions.” In conjunction with Q15, this highlights FDA’s thinking that all sources of data should be considered in identifying data integrity problems. In the Q18 response, FDA states that an establishment should conduct a comprehensive investigation, as well as a risk assessment to determine the potential impact associated with data integrity lapses. Firms should implement a management strategy that includes a global corrective action plan to address the root causes of the data integrity lapses. The language in the 2018 Guidance is consistent with language that FDA has incorporated in Warning Letters related to data integrity since 2016, and is also consistent with FDA’s Application Integrity Policy, which has been in effect since 1991.
In addition to the key changes highlighted above, there are a number of other changes that manufacturers should carefully consider.
FDA has consistently focused on the use of appropriate audit trails to capture modifications to data, which in turn must be regularly reviewed by the Quality Unit. In the Draft Guidance, FDA included a specific requirement for review “before final approval” of a record, but in the 2018 Guidance, FDA revised its answer to ensure review “after each significant step” of the manufacturing process. This subtle, but significant change memorializes recent trends in Warning Letters and 483s citing insufficient review of metadata by the Quality Unit, including audit trails.
In conjunction with changes to what constitutes a “complete” CGMP record, FDA has expanded and clarified its thinking with respect to the use of actual samples during “system suitability” testing. When monitoring a specification for injection reproducibility (system suitability), for example, transparency is paramount: “All data—including obvious errors and failing, passing, and suspect data—must be in the CGMP records.”
Computer system validation
Computer system validation (CSV) is not a new term, but the 2018 Guidance suggests that simply maintaining (old) validation studies on each piece of equipment is insufficient. FDA has expanded its discussion of CSV so that firms understand that the extent of these validation studies must be “commensurate with the risk posed by the automated system” and must fully support the automated system for its intended use. Changes to hardware, software, and user specifications, all of which have the potential to affect the risk posed by the system, must be addressed through routine updates to CSV packages.
In the Draft Guidance, FDA recommended that firms train personnel to detect data integrity issues as part of any routine CGMP training program. In the 2018 Guidance, FDA states that personnel must receive training in “preventing and detecting” data integrity issues. This is consistent with concepts embedded in FDA’s “Guidance for Industry: Quality Systems Approach to Pharmaceutical CGMP Regulations,” (September 2006), which states that preventive actions “help ensure that potential problems and root causes are identified, possible consequences assessed, and appropriate actions considered.” In other words, personnel should be trained to develop corrective and preventive actions that are sustainable so that data integrity lapses do not recur.
Considerations for Implementation
The 2018 Guidance recommends a comprehensive investigation, a risk assessment, and a management strategy that includes a corrective action plan, in order to address data integrity problems, but it does not provide any further details. To understand FDA’s current thinking regarding steps that are necessary to ensure that data integrity remediation efforts are effective, establishments should review carefully the steps outlined in recent FDA Warning Letters. For example, as stated in Warning Letter 320-19-01 issued on October 3, 2018, FDA currently recommends the following:
A. A comprehensive investigation into the extent of the inaccuracies in data records and reporting. Your investigation should include:
- A detailed investigation protocol and methodology that ensures all laboratory equipment and systems are covered by the assessment. Also describe all other parts of your manufacturing operation that will be assessed for data integrity and documentation practices and justify any exclusion.
- An assessment of the extent of data integrity deficiencies at your facility. Identify omissions, alterations, deletions, record destruction, non-contemporaneous record completion, and other deficiencies. Interview employees to identify the nature, scope, and root cause of data inaccuracies.
B. A current risk assessment of the potential effects of the observed failures on the quality of your drugs. Your assessment should include analyses of the risks to patients caused by the release of drugs affected by a lapse of data integrity, and risks posed by ongoing operations.
C. A management strategy for your firm that includes the details of your global CAPA plan. Your strategy should include:
- A comprehensive description of the root causes of your data integrity lapses.
- A detailed corrective action plan that describes how you will ensure the reliability and completeness of all data you generate, including analytical data, manufacturing records, and all data submitted to FDA.
- Long-term measures describing any remediation efforts and enhancements to procedures, processes, methods, controls, systems, management oversight, and human resources (e.g., training, staffing improvements) designed to ensure the integrity of your company’s data.
- A status report for any of the above activities already underway or completed.
Data integrity lapses will never disappear completely, but the manner in which these lapses are addressed is critical. The 2018 Guidance and FDA’s current Warning Letter recommendations on how to address data integrity problems should be regarded by industry as best practices, and should be taken into consideration when developing any data integrity program. Ensuring the integrity of all data generated in a drug product manufacturing environment is essential to ensure that patients are protected, and that distributed drug products meet all CGMP requirements for product quality.
1The following citations now appear in the 2018 Guidance related to the checking, review, and verification of records: §§ 211.22, 211.182, 211.186(a), 211.188(b)(11), 211.192, 211.194(a), and 211.194(a)(8).