Our View: Data Integrity and Compliance With CGMP

With the ever increasing concern on data integrity and FDAs uptick of warning letters concerning the subject matter, FDA has released a draft guidance for those in the industry.

Last month,  “Data Integrity and Compliance CGMP Guidance for Industry” was released by FDA for industry comment.  As those in regulated industry know, these guidances are not law but give direction on the thinking surrounding the subject matter with regards to data in cGMP environments.  This way the industry can review their processes, evaluate, and make adjustments if necessary.  As stated before, the guidance is up for comment so those in the industry have 60 days to give their commentary on the guidance.  

In the introduction, FDA states the purpose of the guidance is to clarify the role of data integrity for cGMPs, specifically for the manufacturing of drugs under 21 CFR Parts 210, 211, and 212.  In my opinion this will also impact the medical device industry where it falls under 21 CFR part 820. I also anticipate it affecting other FDA regulated industries (e.g. Food, Tissue), and those who service these industries. It is a good read to understand the organization’s thinking on this matter as most of these industries deal with similar issues when it comes to data integrity.  

The guidance is interesting to say the least, as the majority of the document is a Q&A.   This hasn’t been a common format for FDA guidances but in this instance it’s quite helpful.  Published within the document there are 18 different questions with FDA making a great effort to clarify the subject matter through their answers.  Many of the definitions in question one clarify definitions for data integrity, audit trails, static vs dynamic data, backup, and systems.  For those in the industry, we have all struggled with these definitions at some point in our career and have looked to our fellow colleagues or industry literature for clarity.  Ultimately, this guide attempts to clarify these issues for some and may solidify what others have been thinking all along.

Without going through all 18 questions and answers I’ll just highlight a few questions I found interesting.    

Question # 7 |“How often should audit trails be reviewed?”.

FDA’s response goes into recommendations for the types of audit trail data to review and to review audit trails regularly on a routine schedule based on the complexity of the system.  This includes ones related to the following topics:  Changes to history of product test results, changes to sample run sequences, changes to sample identification and changes to critical process parameters. So yes, FDA is being vague here in regards to systems, but it isn’t possible to give an example for every system. However, the indication that audit trails should be reviewed regularly should catch the attention of those the guidance was written for. It is foreign to some in an FDA regulated environment to perform regular audit trail reviews.  

In the drug industry this may be more common practice, but for those outside the drug industry the audit trail may only be viewed as a tool for troubleshooting in the event an investigation must be performed for a CAPA activity.  But with FDA’s recommendation, one can see the expectation is to review these audit trails regularly. It would seem their intention would be to review them, along with original records for a batch, much like one would perform for paper documents.  

Question #8 | “Who should review audit trails?”

In the answer to this question, FDA states, “...All production and control records, which includes audit trails, must be reviewed and approved by the quality unit (§211.192).  This is similar to the expectation that cross-outs on paper be assessed when reviewing data.”  This answer adds on to the notion that FDA is looking for the industry to regularly review their electronic audit trails much like paper records.  This points back to FDA guidance for part 11 in following predicate cGMP rules for electronic systems.  

Question #16 | “Should personnel be trained in detecting data integrity issues as part of a routine CGMP program?”

The FDA recommendation on this topic is a definitive “Yes” since training is part of requirements §211.25 and 212.10.  Again, I would venture to say that, for some in the drug industry, training to recognize data integrity issues may be standard practice, but, it isn’t common practice for the majority of those outside the industry in an FDA regulated environment, it is not common practice.  This sounds like it may be challenging for some in the industry (particularly smaller organizations) as this can be a very specialized skill set. I expect that outside resources may need to be utilized for this training in some instances, so it will be interesting to see how the industry responds to this portion of the published guidance.  

As stated before, this guidance is still only a draft and yet to be finalized, but if you get a chance to read the entire document it should give you a better picture of FDA’s thoughts on the subject matter and could help your organization head off any concerns that could eventually exist.  Even if you are not directly involved in an FDA regulated drug industry but within the realm of another FDA regulated industry, supply services or support to such industries, this is a document that’s worth your time.