Interested in linking to "Ensuring Data Integrity"?
You may use the Headline, Deck, Byline and URL of this article on your Web site. To link to this article, select and copy the HTML code below and paste it on your own Web site.
By John Avellanet, Cerulean Associates, LLC
Editor’s Note: This article is adapted from a presentation that Mr. Avellanet made in a webcast on April 7, 2011. This program is available here.
Data integrity is critical to regulatory compliance, and the fundamental reason for 21 CFR Part 11. This article outlines and summarizes strategies and requirements.
First you must understand what FDA requires in terms of data integrity, and what the real-world costs are, whether you are taking proactive or reactive steps. FDA uses the acronym ALCOA to define its expectations of electronic data. The “l” originally stood for legible, which dates back to the time when FDA was dealing with scanned documents. I’ve updated it to “long lasting.”
In addition, this is the definition of data integrity that FDA uses for internal training: “Data are of high quality if they are fit for their intended uses in operations, decision-making and planning . . . as data volume increases, the question of internal consistency within data becomes paramount….”
Following are the regulations that are critical to pharma and biopharma manufacturing.
• 21 CFR 11
• 21 CFR 58
• 21 CFR 201
• 21 CFR 202 & 203
• 21 CFR 210
• 21 CFR 211
• 21 CFR 600 (biologics only)
• 21 CFR 601 (biologics only)
• 21 CFR 610 (biologics only)
• 21 CFR 820 (combo devices only)
• 21 CFR 803 (combo devices only)
• 21 CFR 806 (combo devices only)
• Application Integrity Policy (AIP)
The Application Integrity Policy is what FDA pulls up when it has questions about a manufacturer’s electronic data. Note that electronic information includes everything, such as emails, adverse events reports, complaints, batch records, quality control records—everything that’s stored electronically.
When FDA invokes the AIP, the Agency is, in effect, saying, “We have concerns. We want to review everything this company has submitted, whether an additional application request, or request for a change in manufacturing.” If FDA invokes this policy, you can expect an inspection. Not only will you have an inspection, but that inspection will focus closely on how you are controlling electronic records—i.e., it will focus on Part 11.
What Warning Letters Tell Us
Some excerpts from FDA Warning Letters from a few years ago provide a better understanding of what the Agency is driving at with data integrity.
• January 2008: “It was observed that the data stored on the computer can be deleted, removed, transferred, renamed or altered [without control].”
• April 2008: “There is no audit trail or log of data changes that are made to the information in the database. Data cannot be verified against source records, since such records are not maintained.”
In such cases, data can’t be verified because the original source records (e.g., certificate of analysis) have been scanned in and then thrown away. As a result, I have no way of knowing whether or not this is the original. Anyone can go into Adobe and change the record. Thus, FDA says, you have no tracking or controls on this, so we cannot rely on it.
Below are excerpts from some more recent Warning Letters, from last year. Note the focus on record accuracy:
• May 2010: “Your firm failed to check the accuracy of the input to and output from the computer or related systems of formulas or other records or data and establish the degree and frequency of input/output verifications.”
• April 2010: “Your firm's laboratory analysts have the ability to access and delete raw chromatographic data . . . Due to this unrestrictive access, there is no assurance that laboratory records and raw data are accurate and valid.”
In the last example, FDA says there is no assurance of accuracy or validity. . . . The Agency has to stand in for the public, and cannot trust the data.
What the Agency is driving with Part 11 is the need for data to be trustworthy. Here are some of the questions that FDA inspectors are trained to ask about data control. They are all framed in common sense:
• Are original data entered directly into an electronic record at the time of collection or are data transcribed from paper records into an electronic record?
• Are there edit checks and data logic checks for acceptable ranges of values?
• How are the data secured in case of disasters, e.g., power failure? Are there contingency plans and backup files?
• Are there controls in place to prevent, detect, and mitigate effects of computer viruses on data and software?
• Are there records of critical computerized systems maintenance?
PharmaManufacturing.com is the site for knowledge, news and analysis for manufacturing and other professionals working in the pharmaceutical, biopharmaceutical and biotech industries.