Increasing concerns about data integrity in the pharmaceutical industry have prompted the U.S. Food and Drug Administration (“FDA”) to release Draft Guidance addressing the issue as it relates to current good manufacturing practices (cGMP) for pharmaceutical companies. The Draft Guidance – titled Data Integrity and Compliance with CGMP, Guidance for Industry – is framed a series of 18 questions and answers, starting with the most basic: “what is data integrity?”

For the purpose of the guidance, the FDA defines “data integrity” as “the completeness, consistency, and accuracy of data.”

Recent FDA Warning Letters have documented a number of cGMP violations by drug manufacturers and overseas drug facilities related to data completeness, consistency, and accuracy. For example, a Warning Letter from January 29, 2016 found “systemic data manipulation” at an Indian-based laboratory, including evidence of (1) altering time and date settings of computerized equipment using the software administrator’s access privilege; (2) manipulating test integration parameters to obtain passing or desirable results; and (3) over-writing and deleting raw data files containing original results. Similarly, a Warning Letter from September 28, 2015, issued to different Indian-based drug manufacturing facility, warned the company for failing to implement proper safeguards and controls, including (1) failing to prevent unauthorized access or changes to data and (2) failing to maintain complete sets of data derived from all testing.

These and similar Warning Letters suggest that FDA inspectors are not only looking for evidence of data destruction and manipulation, but that they are also evaluating the adequacy of the safeguards and controls in place to protect data integrity at the inspected facilities. As such, companies should implement the below-listed safeguards and controls to help avoid government scrutiny and enforcement actions.

The Draft Guidance, released April 14th, outlines the FDA’s expectations for data integrity. Key takeaways include:

  1. ALCOA – Drug companies should implement safeguards and controls to ensure that data are attributable, legible, contemporaneously-recorded, original or a true copy, and accurate (“ALCOA”). This means that data must be documented and saved at the time of performance and should be created and preserved in a way so that it cannot be modified at a later date. The Draft Guidance specifically states that it is “not acceptable to record data on pieces of paper that will be discarded after the data are transcribed to a permanent laboratory notebook.” Similarly, it is not acceptable to store data electronically in a temporary manner “that allows for manipulation, before creating a permanent record.”
  2. Data Preservation – Drug companies should have safeguards and controls in place that prevent data from being lost or obscured. The FDA recommends using “audit trails,” which the Draft Guidance defines as “a secure, computer-generated, time-stamped electronic record that allows for reconstruction of the course of events relating to the creation, modification, or deletion of an electronic record” to comply with this cGMP record-keeping requirement. It also recommends that drug companies conduct routine audit trail reviews.
  3. Metadata – Drug companies should maintain metadata, which the Draft Guidance defines as “contextual information required to understand data” such as “date/time stamp for when the data were acquired, a user ID of the person who conducted the test or analysis that generated the data, the instrument ID used to acquire the data, and audit trails[.]”
  4. System Restrictions – Computer systems should be designed to restrict system rights and access to the appropriate, authorized personnel only. For example, the FDA “suggests that the system administrator role, including any rights to alter files and settings, be assigned to personnel independent from those responsible for the record content.” The FDA also recommends tracking which individuals have access to each cGMP computer system in use and the extent of that individual’s access.
  5. Electronic vs. Paper Documents – Drug companies can use either electronic copies or paper printouts as “true copies” for “static records,” which are defined as “fixed-data document[s] such as a paper record or an electronic image.” Dynamic records, on the other hand, which are defined as records that allow “interaction between the user and the record content” must be maintained in the original or in a compatible format to qualify as “true copies.”
  6. Electronic Signatures – Electronic signatures may be used instead of handwritten signatures in any cGMP required record. According to the Draft Guidance, when generated to satisfy a cGMP requirement, all data become a cGMP record.
  7. Testing into Compliance – The Draft Guidance emphasizes that the FDA “prohibits sampling and testing with the goal of achieving a specific result or to overcome an unacceptable result” – also known as “testing into compliance.” The Draft Guidance makes clear that actual samples should never be used to perform system suitability testing, unless permitted by a written procedure and the sample is from a batch different from the one being tested.
  8. Third Party Auditors – the FDA suggests that drug companies that receive Warning Letters should hire third-party auditors to investigate the findings and make recommendations for corrective action.

While the Draft Guidance does not offer a comprehensive system for managing data integrity, it does provide key insights and recommendations for complying with the FDA’s expectations for data integrity. Drug companies should be proactive in their approach to data integrity by identifying and remedying potential shortcomings in their current approach prior to an FDA inspection.