It has been two years since FDA published its draft guidance on Data Integrity and Compliance with cGMP, with much fanfare and some legitimate criticism from stakeholders, particularly regarding some overarching assertions by the agency that are difficult to justify on the basis of the regulatory texts in question. We wrote about the guidance when it was first published.
So while we wait patiently for FDA to finalize this draft guidance, we noticed that the British Medicines and Healthcare Products Regulatory Agency (MHRA) recently published its final guidance on “GXP Data Integrity”, and so we thought it would be instructive to see what the UK had to say about these issues.
The final guidance is billed as a companion document to data integrity documents issued by PIC/S, WHO, OECD and EMA, and aims to promote a risk-based approach to data management that includes data risk, criticality and lifecycle.
The principles of data integrity referenced in the guidance include the following:
- The firm’s organizational culture should ensure that data is complete, consistent and accurate in all its forms, i.e., both paper and electronic;
- Reverting from automated or computerized systems to paper-based manual systems or vice-versa will not in itself remove the need for appropriate data integrity controls;
- Where data integrity weaknesses are identified, companies should ensure that appropriate corrective and preventive actions are implemented across all relevant activities and systems and not in isolation;
- “ALCOA+”. While the FDA’s draft guidance introduced the concept of ALCOA, or data needing to be Attributable, Legible, Contemporaneous, Original, and Accurate, the MHRA guidance references “ALCOA+” which includes the additional concepts of the data being Complete (i.e., the data must be whole – a complete set), Consistent (i.e., the data must be self-consistent), Enduring (i.e., lasting throughout the data lifecycle) and Available (i.e., readily available for review or inspection purposes);
- Reduced effort and/or frequency of control measures may be justified for data that has a lesser impact on product or patient;
- Systems and processes should be designed in a way that facilitates compliance with the principles of data integrity;
- Access to blank paper proformas for raw/source data recording should be appropriately controlled. Reconciliation, or the use of controlled books with numbered pages, may be necessary to prevent the re-creation of a record;
- The use of scribes to record activity on behalf of another operator can be considered where justified, such as where the act of contemporaneous recording compromises the product or activity. In this case, the recording by the second person should be contemporaneous with the task being performed, and the records should identify both the person performing the task and the person completing the record. The person performing the task should countersign the record wherever possible, although it is accepted that this countersigning step will be retrospective;
- Data may only be excluded where it can be demonstrated through valid scientific justification that the data are not representative of the quantity measured, sampled, or acquired. In all cases, this justification should be documented and considered during data review and reporting. All data (even if excluded) should be retained with the original data set, and be available for review in a format that allows the validity of the decision to exclude the data to be confirmed;
- Full use should be made of access controls to ensure that people have access only to functionality that is appropriate for their job role, and that actions are attributable to a specific individual. Companies must be able to demonstrate the access levels granted to individual staff members and ensure that historical information regarding user access level is available;
- Organizations are expected to implement, design and operate a documented system that provides an acceptable state of control based on the data integrity risk, with supporting rationale. An example of a suitable approach is to perform a data integrity risk assessment (DIRA), in which the processes that produce data, or where data is obtained, are mapped out, each of the formats and their controls is identified, and the data criticality and inherent risks are documented.
Two years have passed since the publication of FDA’s draft guidance. Because the agency has, in the interim, relied on many of the principles in the draft guidance in taking regulatory action against industry, such as issuing dozens of Warning Letters, imposing import alerts, etc., it is incumbent on FDA to finalize the draft guidance as soon as possible and, in so doing, to eliminate those overarching assertions that are difficult to justify on the basis of the regulatory texts in question.