FDA finds the increase of data integrity violations troubling. Nevertheless, the agency’s current position on the content of the guidance is that it should be viewed only as recommendations. The use of the word “should” in Agency guidances means that something is suggested, but not required.
Still, some of the “shoulds” addressed in the guidance might seem like a tall order for many regulated companies—particularly those using paper-based systems. FDA commonly encounters issues with the control of paper records, which can easily be discarded or lost. Other issues include an organization’s handling of blank forms and conducting audit trails. This is where having an electronic quality management system (EQMS)
can help organizations heed the suggestions in the guidance.
This article summarizes FDA’s responses to several of the questions raised about the guidance on data integrity and explains how an EQMS makes it easier to follow the suggested guidelines.
#1 How does FDA define data integrity?
A common statement in a regulatory audit is “if it isn’t written down, it didn’t happen.” The guidance on data integrity takes that notion a bit further. FDA expects data to be attributable, legible, contemporaneously recorded, original or a true copy, and accurate (ALCOA) (1). FDA expects that data be reliable and accurate, which means companies need to implement meaningful and effective strategies to manage their data integrity risks.
#2 What is metadata?
Metadata is the contextual information required to understand data—data about data. A value by itself meaningless (e.g., 3) without additional information about the data (e.g., 3 mg). To have relevance, documentation needs to be accompanied by attributes like title, author, date/time stamp, etc. It is structured information that describes, explains or otherwise makes it easier to retrieve, use or manage data.
To ensure integrity, changes made to document metadata should be tracked and made available for review. Each time a change is made to any metadata, a user must enter a reason for the change so the data stays current. An EQMS helps eliminate the common problem of out-of-sync metadata during a revision process. When a document is revised, updated metadata information such as document number, revision number and basic information about a document is updated as well.
#3 What is an audit trail?
As defined in the FDA guidance, an audit trail is a secure, computer-generated, time-stamped electronic record that allows for reconstruction of the events relating to the creation, modification, or deletion of an electronic record. An audit trail is a chronology of the “who, what, when and why” of a record.
The guidance says that electronic copies can be used as true copies of paper or electronic records. However, it does stipulate that the copies need to preserve the content and meaning of the original data, which includes associated metadata and the static or dynamic nature of the original records. Manufacturers are allowed to keep paper printouts or static records. However, some electronic records are dynamic in nature and the printout or static record does not preserve the dynamic nature of the original electronic record. According to FDA, this would not fully satisfy the cGMP requirements.
An EQMS does preserve the meaning of the original record, which includes the associated metadata. You can configure an EQMS to keep records indefinitely or for only a specified period. Also, if necessary, you can restore any deleted data.
This article is related to the White Paper:
#5 Does each workflow on the organization’s computer need to be validated?
According to the guidance, a workflow, such as an electronic master production and control record (MPCR), is an intended use of a computer system to be checked through validation. It goes on to say that if you validate your computer system, but you do not validate it for its intended use, you cannot know if your workflow is running correctly.
Depending on your experience with validation, an EQMS can help you speed up the validation process. It allows you to manually execute validation processes in much less time than it would take with a home-grown system.
#6 How should access to CGMP computer systems be restricted?
You must ensure that changes to computerized MPCRs or other records and input of laboratory data into computerized records be made only by authorized personnel. FDA recommends that whenever possible you should use technology to restrict the ability to alter specifications, process parameters or manufacturing and testing methods (e.g., limiting permissions to change settings or data).
An EQMS has numerous levels of security to automatically track and ensure the authenticity of each user in the system. The software tracks every signature combination and does not allow duplication or reassignment of the user ID and signature combination. All user IDs and passwords are encrypted and are not available to anyone in the system.
#7 When Does Electronic Data Become a CGMP Record?
All data generated to satisfy a CGMP requirement is a CGMP record. The data integrity guidance states that in order to comply with CGMP requirements with manufacturing processes, you must document or save recorded data at the time a task or process is performed. Also, all data that is recorded and maintained cannot be modified or discarded.
An EQMS can be configured to automatically save record data after each separate entry. Automation makes it easier to comply with CGMP standards because all records and data are automatically tracked and updated. This makes finding and retrieving records during audits much faster.
The data integrity guidance does go beyond the standard CGMP requirements because of the criticality of data integrity. Although the guidance is not binding, the Agency tends to rely on guidances during inspections and making enforcement decisions (2). An EQMS will enable you better ensure data integrity, maintain an audit-ready state and more easily comply with the regulations that are required.
What data integrity concerns do you find the most challenging? Please comment below.
David Jensen is a marketing communication specialist at MasterControl. He has been writing technical, marketing and public relations content in technology, professional development, business and regulated environments for more than two decades. He has a bachelor’s degree in communications from Weber State University and a master’s degree in professional communication from Westminster College.
(1)Data Integrity and Compliance with CGMP Guidance for Industry
(2)Law Blog: FDA’s Draft Guidance on Data Integrity: The Cupola on Tower of Guidances