How GMPs & Data Integrity Align for Safer Products & Swifter Approvals
FDA’s recent released Guidance for Industry on Data Integrity and Compliance with Drug CGMP Questions and Answers (CGMPs also known as current Good Manufacturing Practices), clarifies data integrity’s role for drugs and biologics as required in 21 CFR part 210 (the Manufacturing, Processing, Packing, or Holding of Drugs), 21 CFR part 211 (for Finished Pharmaceuticals), and 21 CFR part 212 (for Positron Emission Tomography (PET) Drugs). This Guidance for Industry, the Agency says, is also consistent with consistent guidance on cGMPs for active pharmaceutical ingredients with respect to data integrity.
Of course, everyone knows of GMPs are minimum requirements that companies must meet in the development and execution of acceptable procedures for pharma manufacturing processes - from hygienic practices of employees and their work environments, to record keeping to how to handle returns and overages to specifications and testing of in-process and finished products. Data integrity plays a key role in all areas of GMP compliance and FDA expects data to be meaningful, taking into consideration the design, operation, and monitoring of systems and controls based on risk to patient, process, and product. In addition, FDA expects the data to be reliable, including a demonstration of integrity, validation, safety, identity, strength, quality, and purity, reproducibility and so on. The Agency noted in the Guidance Document Q&A that in recent years findings from inspections of pharma facilities show increasing challenges with meeting data integrity requirements, which has lead to regulatory actions including warning letters, import alerts, and consent decrees.
The integrity of data in support of a drug application submission is paramount to FDA’s evaluation and assessment of benefit versus risk. With a keen eye to record completeness and whether the data package as a whole accurately and factually supports the application, a sponsor’s data is FDA’s only evaluation tool. When viewed in this light, data integrity as part of an overall demonstration of GMPs is the lifeline of a drug company in that it has direct consequences in a firm’s ability to bring products to market. Companies that cannot demonstrate good data integrity or robust GMPs will see delays and additional costs when seeking FDA approval.
Well developed SOPs, validation of equipment and other systems, as well as continuous employee education and training all lead to an improved ability to meet GMP and data integrity compliance. Using the familiar acronym for data standards of ALCOA, firms must ensure that data is Attributable to the person responsible for recording it; Legible so that a review of the data will give clear indications of results, timing of those results and any other pertinent information recorded; Contemporaneous so that data entry is fluid as opposed to fixed and that name and date stamps are added appropriately and not at fixed intervals which may not reflect the actual reading. Data must also be Original, sometimes known as primary source data, or how it was initially recorded; and it must be Accurate and error free with all edits notated appropriately.
All data generated becomes part of the GMP record and must be recorded and saved at the time of performance to be compliant with FDA 21 CFR requirements pertaining to pharmaceuticals and biologics. For example:
The person(s) entering data into the record must be unique and identifiable, or attributable, through their login in accordance with CGMP requirements in parts 21 CFR 211 and 212. Shared, read-only user accounts that do not allow the user to modify data or settings are acceptable for viewing data, but each user that has the ability add or edit data must have a unique log in.
§§ 211.100 and 211.160 speak to the “O” in ALCOA, or “original”. Everything must be documented at the time of performance with scientifically sound laboratory controls. It is not acceptable to record data on a sticky note or other piece of paper with the plan to later transcribe it to a permanent laboratory notebook (see §§ 211.100(b), 211.160(a), and 211.180(d)). Similarly, it is not acceptable to store electronic records in a manner that allows for manipulation without creating a permanent record.
Per § 211.180, original records must be kept, or “true copies”/”accurate reproductions” throughout a company’s record retention period. This includes complete copies of all tests performed as well as all data from those tests (see §§ 211.188, 211.194, and 212.60(g)). These laboratory production and control records, both those in paper and electronic format, must be reviewed for their accuracy, completeness, and compliance with established standards, including all metadata required to reconstruct the GMP activity captured in the record (§§ 211.22, 211.192, and 211.194(a)). This second check, verification and review ensures that all test results and associated information are appropriately reported.
Please note that FDA prohibits sampling and testing with the goal of achieving a specific result or to overcome an unacceptable result (ie testing into compliance). In addition, a decision to invalidate a test result to exclude it from quality unit decisions about conformance to a specification is not taken lightly and requires a valid, documented, scientifically sound justification. When it is the case that a scientifically sound investigation justifies the legitimacy for invalidation, a full GMP batch record must be kept, including the original (invalidated) data, along with the investigation report that justifies invalidating the result.
Validation of equipment and processes must replicate intended use with the actual equipment in a company’s laboratory (do not rely on the manufacturer’s validation prior to installation in your facility). The depth of that validation can be commensurate with the risk posed by the system, meaning more critical process receive more robust the validation. As part of that validation, controls must be appropriately designed to address software, hardware, personnel, and documentation. FDA recommends restricting permissions to alter or change testing settings or data as much as possible. It is best practice that only a person independent of the responsibility of record content should be able to alter specifications, process parameters, data, or manufacturing or testing methods by technical means.
Without question, even the best aligned protocols and practices will not always yield acceptable results. When corrections need to be made, FDA encourages demonstration of effective investigation into the scope and root cause through a scientifically sound risk assessment, including any potential impacts down the production line as well as how the inaccuracy impacts data used to support submissions to FDA. Finally, a remediation and global corrective action plan that addresses the faults must be established, documented and executed, including documentation and validation of new results. In many cases bringing in a third-party consultant as an auditor to address these CAPAs proves to be beneficial as those individuals responsible for data integrity lapses are removed from positions where they could influence GMP or drug application data. Third-party auditors can also demonstrate a deeper commitment to improvements in quality oversight, enhanced computer systems, and creation of mechanisms to prevent recurrences and address data integrity breaches.
Finally, data storage is critical to the successful demonstration of a sound data integrity and overall GMP program. In 21 CFR 211.68 and § 212.110(b) FDA states that not only should exact, unaltered and complete copies of back up data be kept, any risk of inadvertent deletion (including by an individual), loss or deterioration of the data (ie computer hard drive or server crash) must be eliminated. Remember, in this case FDA defines the term “backup” and “archive” interchangeably. More information can be found in the 2002 Guidance Document General Principles of Software Validation.
Of course, as systems improve and evolve, new equipment is purchased, or testing protocols or products come into practice, all aspects of the GMP system must be updated in kind to reflect the new and changing nature of business. Employees at every level who are impacted by the updates must also be retrained and these critical and seemingly intuitive steps are some that can be missed in the fast-paced world of drug development and production. FDA’s intentional decision to not prescribe specific GMP requirements but allow each firm to develop their own protocols suitable to their operations can in some cases cause confusion as companies may forget that they must update their GMPs accordingly. Again, third-party consultants can bring fresh eyes to developing updated standards or reviewing those already prepared for accuracy and completeness.
Data integrity can make or break a company’s GMPs and increase the risk of FDA regulatory action. Don’t close the books, paper or electronic, on your company’s compliance.