It has been two years since the U.S. Food and Drug Administration (FDA) published its draft guidance on Data Integrity and Compliance with cGMP, with much fanfare and some legitimate criticism from stakeholders, particularly criticism regarding some overarching assertions that the agency made that are difficult to justify on the basis of the regulatory texts in question. For example, we wrote about the guidance when it was first published, here.
So, while we wait patiently for FDA to finalize this draft guidance, we noticed that the British Medicines and Healthcare Products Regulatory Agency (MHRA) recently published its final guidance on “GXP Data Integrity,” and so we thought it would be instructive to see what the U.K. had to say about these issues.
The final guidance is billed as a companion document to data integrity documents issued by Pharmaceutical Inspection Convention and Pharmaceutical Inspection Co-operation Scheme (PIC/S), the World Health Organization (WHO), the Organisation for Economic Co-operation and Development (OECD) and the European Medicines Agency (EMA), and aims to promote a risk-based approach to data management that includes data risk, criticality and lifecycle.
This article is related to the White Paper:
The principles of data integrity referenced in the MHRA guidance include the following:
- The firm’s organizational culture should ensure that data is complete, consistent and accurate in all its forms (i.e., both paper and electronic);
- Reverting from automated or computerized systems to paper-based manual systems or vice versa will not in itself remove the need for appropriate data integrity controls;
- Where data integrity weaknesses are identified, companies should ensure that appropriate corrective and preventive actions (CAPA) are implemented across all relevant activities and systems and not in isolation;
- “ALCOA+”. While the FDA’s draft guidance introduced the concept of ALCOA, or data needing to be Attributable, Legible, Contemporaneous, Original, and Accurate, the MHRA guidance references “ALCOA+” which includes the additional concepts of the data being Complete (i.e., the data must be whole – a complete set), Consistent (i.e., the data must be self-consistent), Enduring (i.e., lasting throughout the data lifecycle) and Available (i.e., readily available for review or inspection purposes);
- Reduced effort and/or frequency of control measures may be justified for data that has a lesser impact to product or patient;
- Systems and processes should be designed in a way that facilitate compliance with the principles of data integrity;
- Access to blank paper proformas for raw/source data recording should be appropriately controlled. Reconciliation, or the use of controlled books with numbered pages, may be necessary to prevent the re-creation of a record;
- The use of scribes to record activity on behalf of another operator can be considered where justified, such as where the act of contemporaneous recording compromises the product or activity. In this case, the recording by the second person should be contemporaneous with the task being performed, and the records should identify both the person performing the task and the person completing the record. The person performing the task should countersign the record wherever possible, although it is accepted that this countersigning step will be retrospective.
- Data may only be excluded where it can be demonstrated through valid scientific justification that the data are not representative of the quantity measured, sampled or acquired. In all cases, this justification should be documented and considered during data review and reporting. All data (even if excluded) should be retained with the original data set, and be available for review in a format that allows the validity of the decision to exclude the data to be confirmed;
- Full use should be made of access controls to ensure that people have access only to functionality that is appropriate for their job role, and that actions are attributable to a specific individual. Companies must be able to demonstrate the access levels granted to individual staff members and ensure that historical information regarding user access level is available;
- Organizations are expected to implement, design and operate a documented system that provides an acceptable state of control based on the data integrity risk with supporting rationale. An example of a suitable approach is to perform a data integrity risk assessment (DIRA), where the processes that produce data or where the data obtained are mapped out and each of the formats and their controls are identified and the data criticality and inherent risks documented.
Two years have passed since the publication of the FDA’s draft guidance, and since the agency has, in the interim, relied on many of the principles in the draft guidance in taking regulatory action against industry, such as the issuance of dozens of warning letters, imposing import alerts, etc., it is incumbent on the FDA to finalize the draft guidance as soon as possible and, in so doing, to eliminate those overarching assertions that are difficult to justify on the basis of the regulatory texts in question.
Reprinted with permission. This blog post is from a column series, “FDA Law Blog.” This post is authored by Mark Schwartz and may be found on the Hyman, Phelps & McNamara website here.
Mark L. Schwartz, director at Hyman, Phelps & McNamara P.C., advises clients on biologic, drug and device compliance, as well as on regulatory issues. He joined the firm after spending close to 13 years at the Food and Drug Administration in various capacities. Most recently, Schwartz was CBER’s deputy director in the Office of Compliance and Biologics Quality, an office with approximately 140 staff members. As deputy director, he advised the commissioner, the Center director, the director of the Office of Compliance and Biologics Quality, as well as various offices within CBER and CDER on a variety of compliance issues involving biologics, drugs and medical devices.