In response to a slew of warning letters regarding data integrity issues, the FDA is addressing questions on the matter that have come up in recent inspections.
The 18 questions and their answers come in the form of draft guidance unveiled April 14 that covers a range of topics, including access to computers holding GMP data, how the validation process works, how often audits should be conducted and what data FDA inspectors are allowed to access.
After outlining some basic concepts, such as the gold standard for data integrity — that is, complete, consistent and accurate data that is attributable and certifiable — the document touches on the basic parameters of data preservation. It notes that companies should not mistake GMP data backup for normal computer system backups.
It also stresses that the backup should be “maintained securely,” include associated metadata and either be in the original file format or in a compatible one to ensure investigator access.
The draft also emphasized the importance of controlling access to GMP data, to ensure unauthorized personnel don’t alter the record — for example, limiting system permissions to the system administrator or an equivalent position. The agency also suggests that companies maintain a list of those able to alter GMP data.
Avoiding shared log-in usernames/passwords can also go a long way in protecting data and ensuring that the person responsible for altering the data can be identified easily, which the regulations require.
For blank forms and other hard-copy records, the agency recommends that companies employ document control methods to ensure accuracy and completeness. As an example, it notes that bound notebooks stamped for official use would visibly show evidence of tampering or missing pages. Similarly, the FDA notes that recording data on paper only to be discarded after transcription is unacceptable.
When it comes to establishing a digital record of all interactions with data — referred to as an “audit trail” — the guidance says that the agency expects those records to be secure, computer-generated and time-stamped to permit “reconstruction of the course of events relating to the creation, modification or deletion of an electronic record.”
Additionally, the guidance recommends that audit trails logging changes to critical data “be reviewed with each record and before final approval of the record.”
Another issue the document raised was testing into compliance, wherein companies test to achieve a specific result or overcome negative results. The agency emphasized that such conduct is prohibited, and warned that the use of actual samples in testing, prep or equilibration as a means of disguising the practice would be treated as a violation.
The agency also noted that any reports of data tampering “must be fully investigated” under the GMP quality regime, rather than handled informally outside the documented system.
Lastly, the document suggests that companies validate the workflow for systems, not just the systems themselves, to ensure compliance.
The draft guidance applies to manufacturers of products overseen by both CDER and CBER.