Data integrity refers to the completeness, consistency, and accuracy of data. Complete, consistent, and accurate data should be attributable, legible, contemporaneously recorded, original or a true copy, and accurate (ALCOA).
Data integrity is required in current good manufacturing practice (CGMP) for drugs, as required in 21 CFR parts 210, 211, and 212. Part 210 covers Current Good Manufacturing Practice in Manufacturing, Processing, Packing, or Holding of Drags; General; part 211 covers Current Good Manufacturing Practice for Finished Pharmaceuticals; and part 212 covers Current Good Manufacturing Practice for Positron Emission Tomography Drags.
FDA expects that data to be reliable and accurate. CGMP regulations and guidance allow for flexible and risk-based strategies to prevent and detect data integrity issues. Pharmaceutical industries should implement meaningful and effective strategies to manage their data integrity risks based upon their process understanding and knowledge management of technologies and business models.
In recent years, FDA has increasingly observed CGMP violations involving data integrity during CGMP inspections. This is troubling because ensuring data integrity is an important component of industry’s responsibility to ensure the safety, efficacy, and quality of drugs, and of FDA’s ability to protect the public health.
Permissible to exclude CGMP data from decision making
To exclude data from the release criteria decision-making process, there must be a valid, documented, scientific justification for its exclusion. The requirements for record retention and review do not differ depending on the data format; paper-based and electronic data record-keeping systems are subject to the same requirements.
Access to CGMP computer systems be restricted
FDA recommends that pharmaceutical industries restrict the ability to alter specifications, process parameters, or manufacturing or testing methods by technical means where possible (for example, by limiting permissions to change settings or data). FDA suggests that the system administrator role, including any rights to alter files and settings, be assigned to personnel independent from those responsible for the record content. To assist in controlling access, FDA recommends maintaining a list of authorized individuals and their access privileges for each CGMP computer system in use.
If these independent security role assignments are not practical for small operations or facilities with few employees, such as PET or medical gas facilities, FDA recommends alternate control strategies be implemented.
For example, in the rare instance that the same person is required to hold the system administrator role and to be responsible for the content of the records. FDA suggests having a second person review settings and content. If second-person review is not possible, the Agency recommends that the person recheck settings and his or her own work.
Audit trails should be reviewed
Audit trail means a secure, computer-generated, time-stamped electronic record that allows for reconstruction of the course of events relating to the creation, modification, or deletion of an electronic record. An audit trail is a chronology of the “who, what, when, and why” of a record.
For example, the audit trail for a high performance liquid chromatography (HPLC) run could include the user name, date/time of the run, the integration parameters used, and details of a reprocessing, if any, including change justification for the reprocessing.
FDA recommends that audit trails that capture changes to critical data be reviewed with each record and before final approval of the record. Audit trails subject to regular review should include, but are not limited to, the following: the change history of finished product test results, changes to sample run sequences, changes to sample identification, and changes to critical process parameters.
FDA recommends routine scheduled audit trail review based on the complexity of the system and its intended use.
Acceptability to retain paper printouts or static records instead of original electronic records
A paper printout or static record may satisfy retention requirements if it is a complete copy of the original record.
For example, pH meters and balances may create a paper printout or static image during data acquisition as the original record. In this case, the paper printout or static image created during acquisition, or a true copy, should be retained.
However, electronic records from certain types of laboratory instruments are dynamic records, and a printout or a static record does not preserve the dynamic format which is part of the complete original record. For example, the spectral file created by FT-IR (Fourier transform infrared spectroscopy) can be reprocessed, but a static record or printout is fixed, which would not satisfy CGMP requirements to retain original records or true copies. Also, if the full spectrum is not displayed, contaminants may be excluded.
Considering Electronic data as a CGMP record
When generated to satisfy a CGMP requirement, all data become a CGMP record. Pharmaceutical industry must document, or save, the data at the time of performance to create a record in compliance with CGMP requirements
. FDA expects processes to be designed so that quality data required to be created and maintained camiot be modified. For example, chromatograms should be sent to long-term storage (archiving or a permanent record) upon run completion instead of at the end of a day’s runs.
It is not acceptable to record data on pieces of paper that will be discarded after the data are transcribed to a permanent laboratory notebook. Similarly, it is not acceptable to store data electronically in temporary memory, in a manner that allows for manipulation, before creating a permanent record. Electronic data that are automatically saved into temporary memory do not meet CGMP documentation or retention requirements.
Industries may employ a combination of technical and procedural controls to meet CGMP documentation practices for electronic systems. For example, a computer system, such as a Laboratory Information Management System (LIMS) or an Electronic Batch Record (EBR) system, can be designed to automatically save after each separate entry. This would be similar to recording each entry contemporaneously on a paper batch record to satisfy CGMP requirements. The computer system could be combined with a procedure requiring data to be entered immediately when generated.
Use of samples during “system suitability”
FDA prohibits sampling and testing with the goal of achieving a specific result or to overcome an unacceptable result (e.g., testing different samples until the desired passing result is obtained). This practice, also referred to as testing into compliance, is not consistent with CGMP. In some situations, use of actual samples to perform system suitability testing has been used as a means of testing into compliance. FDA would consider it a violative practice to use an actual sample in test, prep, or equilibration runs as a means of disguising testing into compliance.
According to the United States Pharmacopeia (USP), system suitability tests should include replicate injections of a standard preparation or other standard solutions to determine if requirements for precision are satisfied. System suitability tests, including the identity of the preparation to be injected and the rationale for its selection, should be performed according to the firm’s established written procedures and the approved application or applicable compendial monograph.
If an actual sample is to be used for system suitability testing, it should be a properly characterized secondary standard, written procedures should be established and followed, and the sample should be from a different batch than the sample(s) being tested. All data should be included in the record that is retained and subject to review unless there is documented scientific justification for its exclusion.
Only results from reprocessed laboratory chromatography will not be considered
Analytical methods should be capable and stable. For most lab analyses, reprocessing data should not be regularly needed. If chromatography is reprocessed, written procedures must be established and followed and each result retained for review. FDA requires complete data in laboratory records, which includes raw data, graphs, charts, and spectra from laboratory instruments
FDA recommends data integrity problems identified during 403 inspections, in warning letters, or in other regulatory actions to be addressed.
FDA encourages pharmaceutical companies to demonstrate that they have effectively remedied detected problems by: hiring a third party auditor, determining the scope of the problem, implementing a corrective action plan (globally), and removing at all levels individuals responsible for problems from CGMP positions. FDA may conduct an inspection to decide whether CGMP violations involving data integrity have been remedied.