Editor’s Note: This article is adapted from a presentation that Mr. Avellanet made in a webcast on April 7, 2011. This program is available here.
Data integrity is critical to regulatory compliance, and the fundamental reason for 21 CFR Part 11. This article outlines and summarizes strategies and requirements.
First, you must understand what FDA requires in terms of data integrity, and what the real-world costs are, whether you are taking proactive or reactive steps. FDA uses the acronym ALCOA to define its expectations of electronic data. The “L” originally stood for legible, which dates back to the time when FDA was dealing with scanned documents. I’ve updated it to “long lasting.”
In addition, this is the definition of data integrity that FDA uses for internal training: “Data are of high quality if they are fit for their intended uses in operations, decision-making and planning . . . as data volume increases, the question of internal consistency within data becomes paramount….”
Following are the regulations that are critical to pharma and biopharma manufacturing.
• 21 CFR 11
• 21 CFR 58
• 21 CFR 201
• 21 CFR 202 & 203
• 21 CFR 210
• 21 CFR 211
• 21 CFR 600 (biologics only)
• 21 CFR 601 (biologics only)
• 21 CFR 610 (biologics only)
• 21 CFR 820 (combo devices only)
• 21 CFR 803 (combo devices only)
• 21 CFR 806 (combo devices only)
• Application Integrity Policy (AIP)
The Application Integrity Policy is what FDA pulls up when it has questions about a manufacturer’s electronic data. Note that electronic information includes everything that’s stored electronically, such as emails, adverse event reports, complaints, batch records, and quality control records.
When FDA invokes the AIP, the Agency is, in effect, saying, “We have concerns. We want to review everything this company has submitted, whether an additional application request, or request for a change in manufacturing.” If FDA invokes this policy, you can expect an inspection. Not only will you have an inspection, but that inspection will focus closely on how you are controlling electronic records—i.e., it will focus on Part 11.
What Warning Letters Tell Us
Some excerpts from FDA Warning Letters from a few years ago provide a better understanding of what the Agency is driving at with data integrity.
• January 2008: “It was observed that the data stored on the computer can be deleted, removed, transferred, renamed or altered [without control].”
• April 2008: “There is no audit trail or log of data changes that are made to the information in the database. Data cannot be verified against source records, since such records are not maintained.”
In such cases, data can’t be verified because the original source records (e.g., certificate of analysis) have been scanned in and then thrown away. As a result, I have no way of knowing whether or not this is the original. Anyone can go into Adobe and change the record. Thus, FDA says, you have no tracking or controls on this, so we cannot rely on it.
Below are excerpts from some more recent Warning Letters, from last year. Note the focus on record accuracy:
• May 2010: “Your firm failed to check the accuracy of the input to and output from the computer or related systems of formulas or other records or data and establish the degree and frequency of input/output verifications.”
• April 2010: “Your firm's laboratory analysts have the ability to access and delete raw chromatographic data . . . Due to this unrestrictive access, there is no assurance that laboratory records and raw data are accurate and valid.”
In the last example, FDA says there is no assurance of accuracy or validity. The Agency has to stand in for the public, and cannot trust the data.
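The Warning Letters above cite data that can be altered or deleted with no audit trail. As an added illustration (not from the presentation or from FDA), the sketch below shows one common way to make a change log tamper-evident by chaining each entry to the hash of the one before it; the function names, field names and sample records are hypothetical and constructed for this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the hash chain


def _digest(entry, prev_hash):
    # Canonical JSON so the same entry always produces the same hash.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_change(trail, user, timestamp, record_id, field, old, new, reason):
    """Append one change entry, chained to the hash of the previous entry."""
    entry = {"seq": len(trail), "user": user, "timestamp": timestamp,
             "record_id": record_id, "field": field,
             "old": old, "new": new, "reason": reason}
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    trail.append({"entry": entry, "hash": _digest(entry, prev_hash)})
    return trail


def verify_trail(trail, expected_head=None):
    """Return (ok, index of first bad entry or None).
    expected_head is the last hash, kept where people who can write to the
    trail cannot reach; without it, entries cut from the end go unnoticed.
    """
    prev_hash = GENESIS
    for i, item in enumerate(trail):
        entry = item["entry"]
        if entry.get("seq") != i or item["hash"] != _digest(entry, prev_hash):
            return False, i
        prev_hash = item["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(trail)
    return True, None


def build_sample_trail():
    """Constructed sample data: three changes to one hypothetical batch record."""
    trail = []
    append_change(trail, "analyst1", "2010-04-01T09:00:00Z", "LOT-001",
                  "assay_pct", None, 98.7, "initial entry")
    append_change(trail, "analyst1", "2010-04-01T09:30:00Z", "LOT-001",
                  "assay_pct", 98.7, 99.1, "transcription error corrected")
    append_change(trail, "qa_reviewer", "2010-04-02T14:00:00Z", "LOT-001",
                  "status", "pending", "released", "QA review complete")
    return trail
```

A chain like this only shows that the log itself was changed; it does not replace access restrictions on the underlying raw data or retention of source records.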
What the Agency is driving at with Part 11 is the need for data to be trustworthy. Here are some of the questions that FDA inspectors are trained to ask about data control. They are all framed in common sense:
• Are original data entered directly into an electronic record at the time of collection or are data transcribed from paper records into an electronic record?
• Are there edit checks and data logic checks for acceptable ranges of values?
• How are the data secured in case of disasters, e.g., power failure? Are there contingency plans and backup files?
• Are there controls in place to prevent, detect, and mitigate effects of computer viruses on data and software?
• Are there records of critical computerized systems maintenance?
• Are there written procedures (SOPs and guidelines) to assure the integrity of safety and efficacy data?
• Are there records describing the names of authorized personnel, their titles, and a description of their access privileges to the data?
• How are the data transmitted from the firm to/from its suppliers?
Remember that Part 11 was introduced quite a while ago, before FDA could envision computing’s limits. Today, Apple’s iPhone contains more computing power than all of the computers worldwide in 1990. Remember that regulators are not concerned with technology integrity, but rather record integrity.