COMPARISION OF EMA and FDA Guidance on Data Management and Data Integrity

Major regulatory authorities published guidance addressing data management and data integrity in 2015 and 2016. Two of the guidances, the draft from FDA published in April 2016 and the guidance from EMA posted in August 2016, take a Question and Answer approach. The guidance from MHRA (HERE and HERE), PIC/S and WHO take the more standard narrative approach to regulatory guidance. That having been said, all of the guidance documents are markedly similar in their overall expectations. In this blog entry we look at the EMA and FDA Question & Answer guidances, the next entry will look at guidance from the other three authorities.

The EMA guidance addresses 23 questions; the FDA guidance addresses 18 questions. Both provide detailed information about the predicate rules and Chapters / Annexes that are applicable in given situations. This reinforces that enforcement in this area does not represent a change in requirements, but rather represents enforcement of existing requirements as applied to GMP records, both electronic and paper. The identification of existing requirements is uniquely valuable for audit groups as they write they audit reports describing observations in these areas and assigning the relevant requirements from regulatory authorities.

The two guidance documents have significant similarities including, but not limited to the following:

  • Both address controls over electronic records and paper records
  • Both discuss access controls that should be applied to computer systems. (EMA #’s 6, 8, 10; FDA #’s 4).
  • Paper printouts of some data, particularly that which was originally generated electronically, do not represent ‘complete data’. (EMA #’s 6, 8,16; FDA #’s 1, 9, 10)
  • Training of staff should include data integrity principles. (EMA introduction; FDA #’s 16)
  • Importance of audit trails (critical meta-data) and their periodic review, though neither addresses the expectation that the system audit trail be reviewed to determine actions taken by the administrator. (EMA #’s 8, 15, 16; FDA #’s 1, 7, 8)
  • Control over blank forms and templates. (EMA #’s 14; FDA #’s 6)

Differences exist between the two documents in several areas. The differences, however do not mean that that there are differences between expectations, just a choice in terminology and focus.

  • The EMA guidance appears to take a more ICH-focused approach with multiple mention of the concepts of both ‘lifecycle’ and ‘risk’ assessments.
    • Nine (9) of the twenty-three (23) questions, numbers 3 through 11, are specifically identified as relevant to ‘lifecycle’.
    • EMA guidance uses the term ‘risk’ a total of forty-five times, the FDA guidance uses the term three times.
  • The EMA guidance addresses responsibilities for contracted services and their oversight with regard to data management and integrity in five question. Specifically, see EMA questions 19, 20, 21, 22, 23. FDA does not address the concept and a word-search of ‘contract’ yields no results.
  • The FDA guidance question 13 addresses the use of pre-injections or test injections because FDA frequently identify this deficiency in warning letters. The EMA is silent on the specific topic though they do address the need to consider ALL data generated as part of review.
  • The FDA guidance question 17 specifies that their investigators are allowed to view electronic records. EMA does not address the topic.
  • The EMA guidance makes reference to PIC/S and also provides a link to the WHO guidance on good Data and Records Management Practices. The FDA does not reference publications from other regulatory authorities.

In conclusion, the two Question & Answer Guidances are complementary and similar in requirements and expectations. The focus on requirements for contract service providers is unique to the EMA document. Other FDA guidance however stresses the responsibilities that license holders have for their contractor providers. With regard to enforcement actions in this area, many warning letters are issued to API manufacturers citing deficiencies in data governance and data integrity. FDA have not issued enforcement actions against those who purchase these APIs for lack of appropriate contractor oversight, particularly when FDA felt the deficiencies were serious enough to put an import alert in place. This may be something to watch for in the future, it is an area that seems to be begging for regulator attention.