The FR announced availability of the long awaited 10-page FDA draft Guidance on Data Integrity and Compliance with CGMP for comment. I include links to the MHRA guidance HERE and the draft WHO guidance HERE for comparison. The guidance is structured in a Q&A format with a total of 18 questions. This guidance focuses heavily on identifying and citing the predicate rules as they apply to electronic records and data integrity, and for this it is an excellent reference. In my opinion, though, the excessive citation of regulations detracts from the content and provides little insight into FDA’s intent and actual expectations in this area.
We all read guidance documents to identify regulators expectations and actions we might take to ensure compliance. This one in particular was anticipated for over two years and addresses an area of significant enforcement action over the past 10-plus years. Perhaps I had unrealistic expectations for this guidance. Requirements and expectations in this area can be more easily discerned from a careful reading of warning letter deficiencies and form 483 observations than from reading this guidance.
Following are some the areas that I hope are addressed as part of the comment process and revised in the final guidance:
- The guidance fails to address the concept of lifecycle for either computer systems or data. In fact, the term ‘lifecycle’ is not found in the document even though it is a concept central to the FDA’s guidance on process validation and is also central to associated ICH Quality guidance.
- The guidance does not holistically address the requirement in 21 CFR 11 that procedures and controls shall include the ‘…the ability to discern invalid or altered records.’ The concepts of computer system access control and privilege levels are addressed in question 4, but are not linked to the Part 11 requirement. Additionally, questions 7 and 8 address review of audit trails, but no mention is made of how the electronic data themselves are to be reviewed…or even whether they are to be reviewed. A graphic would be appreciated that shows how computer system validation (including but not limited to user requirements, configuration specifications and testing) along with procedural controls over data generation, review, approval, backup and archival work together to ensure the ‘ability to discern invalid or altered records.” Many of the concepts are present in the document but require someone with experience in the topic to be able to link the concepts together, rather than having them stand in isolation. The approach may not be optimal for someone new to the topic or who has limited experience in this area.
- The guidance does not address an expectation for a risk based data governance process, and periodic evaluations of effectiveness of the program to prevent, detect and remediate data integrity issues. Frequently, FDA warning letters that identify data integrity failures require development of a management strategy to investigate the scope of the shortcoming including impact on product quality and patient safety and address how such failures will be prevented, identified and remediated in the future. In short, the firm who received the warning letter must describe a data governance program and a data integrity plan. An example of this requirement is provided at the end of the warning letter recently issued to Emcure Pharmaceuticals.
- Question 16 states that personnel should be trained to detect data integrity issues. While it seems appropriate that all staff should be trained on the concepts and importance of data integrity to ensure product quality and patient safety, it seems excessive and impractical that ALL personnel should be trained to detect data integrity issues. Data reviewers, particularly those that review electronic data, and audit staff should receive special training in the area of detecting data integrity shortcomings. Training for each functional area needs to reflect the roles and responsibilities performed by the staff.
- “FDA invites individuals to report suspected data integrity issues…” and provides an email address to which such communications should be sent. It seems most unusual for FDA to directly solicit what is effectively whistleblower activity in a guidance document. I am not saying this is inappropriate, just that it’s unusual.
- With regard to definitions, the guidance does not differentiate between the terms ‘back-up’ and ‘archive’ as it relates to electronic records.