The move to electronic data collection, analysis, storage, and reporting continues to grow in the pharmaceutical and life science industries. Software is becoming more robust with features and functionality enabling labs to become more paperless. But, regardless of where you are on your quest to reduce the use of paper in your lab, the responsibility for knowing where your data are at all times and whether they are accurate and reliable is paramount for being compliant. In April of this year, in response to increased concerns about electronic data manipulation and integrity overseas, the FDA released “Data Integrity and Compliance with CGMP, Guidance for Industry” to help US companies ensure their electronic data remains Attributable, Legible, Contemporaneous, Original and Accurate (ALCOA) while using computerized systems. How does your company address data integrity and are you ready to comply with the new FDA Guidance?
Data Integrity and Compliance with CGMP
What’s Inside the New Draft Guidance?
The new draft guidance builds upon existing regulations like 21 CFR parts 211 and 212 which already include some requirements for data integrity. Also 21 CFR part 11 and the associated Scope and Guidance document issued in 2003 lay out further requirements specific to electronic records and signatures. This new draft guidance continues the effort to clarify requirements for data integrity specific to the CGMPs. It includes clarification of commonly used terms as they relate to CGMP records (e.g., metadata, audit trails, static and dynamic data, etc.) and addresses questions that companies face when ensuring data integrity, such as:
- Are all workflows in the computer system validated?
- Can shared login accounts be used?
- When do audit trails need to be reviewed, and by whom?
- Can actual samples be used during system suitability?
- When does electronic data become a CGMP record?
What Does it Mean?
In general, an FDA guidance document does not establish any legally enforceable requirements or responsibilities; however, their guidance documents do describe current thinking of the Agency and they provide suggestions and recommendations for compliance with what the Agency sees as current trends in audit findings and potential issues. This draft guidance document encourages companies to “implement meaningful and effective strategies to manage their data integrity risks.” This means you need to understand the following, at a minimum:
- What does your company consider data and metadata?
- Who has access to my systems and at what level?
- How are data integrity issues currently handled in your quality system?
- What happens to paper records associated with electronic records?
What Needs to be Done?
The recommended place to start is with a targeted data integrity audit. Understanding what systems you have, what purpose they serve in your process, what are considered regulated data, and the procedures you have surrounding your systems establishes the foundation for complying with the draft guidance. After you have completed an audit and documented the results, you can assemble a data integrity task force to identify problem areas and focus efforts on effective remediations. To this end, the FDA recommends the following within the guidance:
- Hire a third party to conduct a non-biased, risk-based audit
- Fully determine and document the scope of any problems discovered
- Implement a global corrective action plan
The ability to use computer systems and electronic records to replace paper records has greatly increased the speed and productivity of labs. Software vendors are continuing to add more features to better ensure protection and reliability of the data generated and stored with their systems. However, the responsibility of ensuring data meet the ALCOA and data integrity expectations still lies with the companies that own that data. The FDA “Data Integrity and Compliance with CGMP, Guidance for Industry” is clearly setting those expectations and the auditors will be even more active in this area. Taking the steps necessary to establish your data integrity baseline, determine problem areas, and address them is critical to your organization and business.
Do you know what regulated systems your company uses, and for what reason? Do you know what your company considers data and metadata, and who has access to it? Have you done a data integrity audit and do you have effective strategies to manage risks? Are you ready for auditors armed with the new guidance?