FDA issued its final Guidance on Data Integrity on December 12. The federal government has sworn off regulating by guidance (see blogpost here about Brand memo). In fact, at the Food and Drug Law Institute (FDLI) Enforcement and Litigation Conference that was occurring simultaneously with release of the guidance,FDA Chief Counsel Stacy Kline Amin repeated the principle that the government does not regulate by guidance, and cited the “Brand Memo” as authority. Despite those assurances, it would be hard to argue that the data integrity guidance does not represent an attempt to regulate by guidance.
To begin with, the guidance cites as support for its propositions (you guessed it!) ten other FDA Guidances; some of them are cited multiple times. Perhaps more importantly, the final guidance, which governs manufacturing of finished dosage form drugs and by extension Active Pharmaceutical Ingredients (the guidance said that it is “consistent with CGMP for active pharmaceutical ingredients”), imposes onerous regulatory burdens. In particular, one section jumps out at the authors of this article.
Written in Question and Answer Format, Question 8 of the final guidance asks, “How often should audit trails be reviewed?” (Audit trails are records showing when and how electronic manufacturing and testing data were created, whether data have been altered or deleted, and other important information.) The answer is startling. Answer 8 states that “[i]f the review frequency for the data is specified in CGMP regulations, adhere to that frequency for the audit trail review. For example, 211.188(b) requires review after each significant step in manufacture, processing, packing, or holding, and 211.22 requires data review before batch release. In these cases, you would apply the same review frequency for the audit trail”. In other words, in these instances, the audit trails must be reviewed for each batch before the batch can be released for distribution, despite there being no regulatory authority for this requirement.
This is a significant regulatory burden: in addition to reviewing entries on either the electronic or paper batch records to ensure all proper manufacturing steps have been performed, critical manufacturing checks have been reviewed and confirmed by a second individual, ingredients have been properly weighed and added, labels are accurate, all printed labels have been accounted for, and finished product meets required specifications (all of which are long-standing and well-understood requirements), Quality Control reviewers will now be compelled to review records maintained on electronic recording equipment (such as weight scales, laboratory testing and analysis equipment including High Performance Liquid Chromatographic equipment, and meters establishing density or acidity of finished product or in-process samples) for every batch. This is a requirement that hardly springs naturally from the relevant regulations, 21 C.F.R. §§ 211.88(b) and 211.22.
Even more curiously, the apparent requirement that audit trail data integrity be reviewed for every batch before the batch can be released appears to be more stringent than the answer to the same question in the draft of this guidance that was issued only a couple of years ago. We previously blogged about the draft guidance here and here. That draft guidance answered the same question (although it was Question 7) as follows: “FDA recommends that audit trails that capture changes to critical data be reviewed with each record and before final approval of the record.” So, in the draft guidance it was a mere “recommendation,” and now it appears to be a requirement (“adhere to that frequency for the audit trail review” instead of “FDA recommends that you adhere to that frequency for audit trail review”).
What has changed? Certainly not the Federal Food, Drug, and Cosmetic Act in this regard. Not the regulations at 21 C.F.R. Part 211 on this issue. This seems like more regulation by guidance to us. And, although the guidance states (as do all guidance) that it does not establish legally enforceable responsibilities unless specific regulatory or statutory requirements are cited (note that none of the regulations FDA cites to make any reference, express or implied, to audit trail review), woe to the quality unit that even dares to claim that audit trail review is consistent with cGMP if done under another standard.
Nor is this the only example of regulation by guidance in the document. Question 15 asks: “Can an internal tip or information regarding a quality issue, such as potential data falsification, be handled informally outside of the documented CGMP quality system?”
FDA’s response to this question is: “No. Regardless of intent or how or from whom the information was received, suspected or known falsification or alteration of records required under parts 210, 211, and 212 must be fully investigated under the CGMP quality system to determine the effect of the event on patient safety, product quality, and data reliability; to determine the root cause; and to ensure the necessary corrective actions are taken (see §§ 211.22(a), 211.125(c), 211.192, 211.198, 211.204, and 212.100).”
Yet none of these regulatory provisions actually require that firms investigate an internal tip or information regarding a quality issue within the cGMP quality system.
Another example is question 1(a), in which the agency asks “what is data integrity?” The answer states that “[f]or the purposes of this guidance, data integrity refers to the completeness, consistency, and accuracy of data. Complete, consistent, and accurate data should be attributable, legible, contemporaneously recorded, original or a true copy, and accurate (ALCOA).” Under footnote 5, the agency’s stated support for the proposition that ALL data for drug manufacturing should be “contemporaneously recorded” is the regulatory requirements at 21 CFR 211.100(b) and 21 CFR 211.160(a), which granted, do provide that documentation take place “…at the time of performance…”.
However, these regulatory provisions are very narrowly tailored and refer specifically to, in the first instance, production and process control functions and, in the second instance, laboratory controls. The agency does not cite to any additional regulatory authority for the general notion enunciated in the answer to question 1(a) that ALL data must be contemporaneously recorded.
Later in the document, in response to question 1(c) the guidance states: “CGMP-compliant record-keeping practices prevent data from being lost or obscured and ensure that activities are documented at the time of performance (see §§ 211.68, 211.100, 211.160(a), 211.188, and 211.194)” [Emphasis added], and yet none of these additional regulatory citations speak to the requirement that all data must be contemporaneously recorded.
Another example is the requirement that ALL data generated and recorded in all drug facilities be “attributable” (meaning ascribed to a particular individual in the facility) as described by answer 1(a) and footnote 5. Yet, again the regulatory citations for this requirement are sorely lacking. Of the ones cited in the guidance (§§ 211.101(d), 211.122, 211.186, 211.188(b)(11), and 212.50(c)(10)) only the last three regulatory provisions speak directly to the “attribution” issue, and again they are very narrowly tailored and only speak to, in the first instance, master production and control records, in the second instance, batch production and control records and, in the third instance, Positron Emission Tomography drug production and process control records!
We could go on and on but suffice it to say that the guidance on data integrity is replete with instances of regulation by guidance. We had hoped that an administration that claims to be concerned about over-regulation would make sure to prevent this, whether it is the result of notice and comment rulemaking, or the result of the more pernicious “regulation by guidance.”