On December 13, 2018 the U.S. Food and Drug Administration (FDA) released the final version of its guidance titled, “Data Integrity and Compliance with Drug CGMP: Questions and Answer.^”1 The guidance is preceded by a statement released a day earlier from FDA Commissioner Scott Gottlieb, M.D., on “…the agency’s efforts to improve drug quality through data integrity and good manufacturing practice oversight.”² 
The guidance and statement place an exclamation point on FDA’s focus on “ensuring data associated with drug manufacturing are complete, consistent, and accurate, and therefore reliable,” as emphasized by Commissioner Gottlieb. This article looks at the important elements of FDA’s final data integrity guidance, its impact to contract pharmaceutical organizations, and notable updates from FDA’s draft version of the guidance.

While FDA expects all data to be reliable and accurate, the introduction of the final guidance emphasizes that firms should “implement meaningful and effective strategies to manage their data integrity risks based on their process understanding and knowledge management of technologies and business models.” For more information on risk assessment and analysis, see Contract Pharma’s September 2017 feature, “Data Integrity: A Practical and Risk-Based Approach.”³

Guidance Background
Dr. Gottlieb noted, “Over the past decade, we’ve [FDA] uncovered situations in which drug quality data and information are not accurate.” Indeed, trends show an increase of data integrity sightings by the FDA since 2008. Recently, the number of data integrity associated Warning Letters have been dramatically increasing with 15 (0 U.S.) in 2015, 41 (7 U.S.) in 2016, 56 (19 U.S.) in 2017.⁴ Most often such data integrity observations result from inadequate processes and systems to ensure reliable and accurate data, which in all cases, FDA regards as a risk to patient safety.

As in the draft guidance, the background section of the final guidance clearly states that requirements with respect to data integrity already exist in 21 CFR parts 211, 212; as well as 21 CFR part 11 and goes on to list each part as it relates to data integrity. The message is clear that expectations of data integrity have long existed in predicate rules, and therefore companies are assumed to meet such requirements when complying with respective rules today.

New in the background section of the final guidance, FDA says when considering how to meet many regulatory requirements related to data integrity, it may be useful to ask a series of questions. Data integrity stewards in organizations will want to carefully consider these questions to ensure they meet data integrity requirements. 2018 Warning Letter violations show a continued trend of infringements involving data integrity during CGMP inspections. A review of causes for these warnings found examples of 2018 data integrity violations related to each of the seven questions FDA states companies should consider (see Table 1 below).

Guidance Q&As
The bulk of the final guidance covers 18 questions and answers about data integrity that highlight the most important ideas the agency expects firms to understand. The concepts cover the design, operation, and monitoring of systems and controls to maintain data integrity. It clarifies key terms, including the definition of data integrity and ALCOA,⁶ while placing an emphasis on all aspects of data governance throughout the data life cycle. The final guidance states, “System design and controls should simplify the detection of errors, omissions and aberrant results throughout the data’s life cycle.”

All the Q&As in this final guidance should be reviewed by contract pharmaceutical organizations to ensure they are adopting these principals in their data integrity programs. However, some notable Q&As for the contract pharmaceutical industry to consider in this final guidance include the following:

• In Q&A #7 on “Who should review audit trails?” the guidance states, “…all production and control records, which includes audit trails, must be reviewed and approved by the quality unit.” And contract pharmaceutical firms will want to pay attention to FDA’s recommendation to “use a quality system approach to implementing oversight and review of CGMP records.” Specifically, FDA footnoted its guidance on Quality Systems Approach to Pharmaceutical CGMP Regulations. And for information about auditing as it relates to contract facilities, it footnoted its guidance on Contract Manufacturing Arrangements for Drugs: Quality Agreements. Related, see Contract Pharma June 2018 column, “Putting Data Integrity in Quality Agreements.”⁷

• In Q&A #13 on “Why has FDA cited use of actual samples during ‘system suitability’ or test, prep, or equilibration runs in warning letters?” the FDA addresses the issue of “testing into compliance.” Contract manufacturers will want to remember, FDA states using a strategy of repeated testing until a passing result is obtained, then disregarding the out of specification results without scientific justification is unscientific and unacceptable under CGMPs.⁸ In addition, data integrity best practices require the complete life cycle of CGMP data be preserved.

• In Q&A #14 on “Is it acceptable to only save the final results from reprocessed laboratory chromatography?” FDA says no, and emphasizes the data integrity concept of completeness. Again, the complete life cycle of CGMP data must be protected and maintained. FDA expects that aborted or incomplete results must be captured in an audit trail and also investigated and justified.

Notable Updates from FDA Draft Data Integrity Guidance
The final guidance, for the most part, aligns with the draft guidance released in April 2016. However, there are four modifications that standout in the final guidance: management involvement, restrictive access controls, enhanced audit trail reviews, and handling of invalidated data.

FDA adds to the final guidance emphasis on the role of management to create a quality culture in the organization. Management should ensure employees understand that data integrity is an organizational core value and be encouraged to identify and promptly report data integrity issues.

In the draft guidance, the FDA recognized that some manufacturers may be too small to have independent security role assignments. The final guidance does not, and emphasizes the importance of separating responsibilities related to administration from record content production accounts.

Also, the final guidance clarifies when audit trails should be reviewed based on frequency and/or risk. If the timing for data reviews is already explicitly stated in a CGMP regulation, the frequency of audit trail review should match this timing. However, where not called out, a risk based approach may be used, taking into account the critical nature of the data and its impact on product quality. The guidance provides examples that give direction on this topic.

Finally, the draft guidance did not spell out that invalidated data must be evaluated by the quality unit pursuant to release. However, the final guidance is clear; such data is within the scope of the quality unit’s batch record review before release.

Conclusion
In 2018 the Medicines and Healthcare products Regulatory Agency (MHRA) (see, “New GXP Data Integrity Guidance Published by MHRA,” in the April 2018 edition of Contract Pharma⁹) and the Pharmaceutical Inspection Co-operation Scheme (PIC/S) also finalized their draft guidance on data integrity, rounding out a year when we saw all of these organizations, along with the FDA, settle their thinking on the topic. FDA Commissioner Gottlieb states, “As the industry has globalized, we’ve expanded our partnerships with our international regulatory counterparts.”

Expect regulatory agencies to exchange information about quality and data integrity related violations observed in facilities around the world. Expect these agencies to work together to advance best practices to help pharmaceutical companies improve their compliance with data integrity regulations as a key step to ensure the safety, efficacy, and quality of drugs. 

Source: https://www.contractpharma.com/issues/2019-01-01/view_features/fda-data-integrity/