Data Integrity & compliance with CGMP

FDA guidance (25591) April 2016 and

December 2018

L.C.Clauss

L.C.Clauss Hisut Ltd 1 06/12/2023

 Table of Content (1)
1. Definition and purpose
2. EU vs FDA requirements
3. FDA April 2016 and 2018 Guidance document
4. Data Integrity during development
5. Why Data Integrity Guidance from FDA?
6. FDA definition of Audit Trail
7. FDA definition of Back up
8. Computer and related system
9. FDA is concerned with the use of shared login accounts for computer systems
10. When does electronic data become a CGMP record?
11. How should blank forms be controlled?
12. Can electronic signatures be used instead of handwritten signatures for
master production and control record
13. The practice, also referred to as testing into compliance, is not consistent with
CGMP

L.C.Clauss Hisut Ltd 2 06/12/2023

 Table of Content (2)
14. Typical issues with Password
15. Is it acceptable to only save the final results from reprocessed laboratory
chromatography?
16. Can an internal tip regarding a quality issue, such as potential data falsification,
be handled informally outside of the documented CGMP quality system?
17. FDA request that personnel should be trained in detecting data integrity issues
as part of a routine CGMP training program
18. FDA Warning letter Form 483

L.C.Clauss Hisut Ltd 3 06/12/2023

 1.)Definition from FDA guidance

 For the purposes of this guidance, data integrity

refers to the completeness, consistency, and accuracy
of data. Complete, consistent, and accurate data
should be Attributable, Legible, Contemporaneously
Recorded, Original or a true copy, and Accurate
(ALCOA).

L.C.Clauss Hisut Ltd 4 06/12/2023

 Data Integrity Definition

 Data integrity is the accuracy and consistency of stored

data, indicated by an absence of any alteration in data
between two updates of a data record.
 Data integrity is imposed within a system at its design
stage through the use of standard rules and procedures,
and is maintained through the use of error checking and
validation routines.

L.C.Clauss Hisut Ltd 5 06/12/2023

 What is Metadata

L.C.Clauss Hisut Ltd 6 06/12/2023

 European Regulations

 Records retention requirements state that if the records are

supporting a Marketing Authorization (MA), then the records
have to be maintained, including the data integrity for as long as
the MA is in force. The recently published EU GMP Annex for
computerized systems 11, effective 30 June 2011, has several
sections dealing with data integrity. 5/15/2014 22Drug
Regulations : Online Resource for Latest Information

L.C.Clauss Hisut Ltd 7 06/12/2023

 Data Integrity during
development
 FDA and other global regulatory agencies now oversee the
pharmaceutical product lifecycle from early development to
final product release more thoroughly
 Therefore R & D laboratories have come under increased
scrutiny within recent years
 Regulations have been in place since the 1970s, However
historically, FDA has concentrated its review process on the
manufacturing aspect of pharmaceutical products. This has
changed with the added scrutiny on data integrity 5/15/2014
31Drug Regulation

L.C.Clauss Hisut Ltd 8 06/12/2023

 Why Data Integrity Guidance from
FDA?
 “The purpose of this guidance is to clarify the role of data integrity
in current good manufacturing practice (CGMP) for drugs, as
required in. Current Good Manufacturing Practice in
Manufacturing, Processing, Packing, or Holding of Drugs; General;
and Finished Pharmaceuticals (21 CFR/210/211/212).
 FDA expects that data be reliable and accurate, cGMP regulations
and guidance allow for flexible and risk based strategies to
prevent and detect integrity issues”

L.C.Clauss Hisut Ltd 9 06/12/2023

 FDA expectations

L.C.Clauss Hisut Ltd 10 06/12/2023

 FDA definition of Audit Trail
 “For purposes of this guidance, audit trail means a secure,
computer-generated, time-stamped electronic record that
allows for reconstruction of the course of events relating to the
creation, modification, or deletion of an electronic record. An
audit trail is a chronology of the “who, what, when, and why” of
a record.
 For example, the audit trail for a high performance liquid
chromatography (HPLC) run includes the user name, date/time
of the run, the integration parameters used, and details of a
reprocessing, if any, including change justification for the
reprocessing.”

L.C.Clauss Hisut Ltd 11 06/12/2023

 Who should review audit Trails ?

L.C.Clauss Hisut Ltd 12 06/12/2023

 How often should audit trails be
reviewed?

L.C.Clauss Hisut Ltd 13 06/12/2023

 How does FDA use the terms “static” and
“dynamic” as they relate to record formats?

L.C.Clauss Hisut Ltd 14 06/12/2023

 Is it acceptable to retain paper printouts or static
records instead of original electronic records
from stand-alone computerized laboratory
instruments such as an FTIR Instruments? (1)

L.C.Clauss Hisut Ltd 15 06/12/2023

 Is it acceptable to retain paper
printouts or static records instead of original
electronic records from stand-alone
computerized laboratory instruments such as
an FTIR Instruments? (2)

L.C.Clauss Hisut Ltd 16 06/12/2023

 FDA definition of Back up

 FDA uses the term backup to refer to a true copy of the

original data that is maintained securely throughout the
records retention period. The backup file should contain
the data (which includes associated metadata) and
should be in the original format or in a format compatible
with the original format.
( 21CFR§ 211.68(b) and § 211.180)

L.C.Clauss Hisut Ltd 17 06/12/2023

 Computer and related system
 Computer or related systems can refer to:
 computer hardware,
 software,
 peripheral devices,
 networks,
 cloud infrastructure,
 operators, and associated documents
 (e.g., user manuals and standard operating
procedures).
L.C.Clauss Hisut Ltd 18 06/12/2023
 FDA is concerned with the use of shared
login accounts for computer systems
 Companies must exercise appropriate controls to
assure that changes to computerized MPCRs*, or other
records, or input of laboratory data into computerized
records, can be made only by authorized personnel
(CFR § 211.68(b)).
 FDA recommends to restrict the ability to alter
specifications, process parameters, or manufacturing
or testing methods by technical means where possible
(for example, by limiting permissions to change
settings or data).
 *MPCS= Master Production and Control Record
L.C.Clauss Hisut Ltd 19 06/12/2023
 Does each CGMP workflow on a
computer system need to be validated?

L.C.Clauss Hisut Ltd 20 06/12/2023

MPCR Master production and control record

 FDA is concerned with the use of shared
login accounts for computer systems (2)

 FDA suggests that the system administrator role, including any

rights to alter files and settings, be assigned to personnel
independent from those responsible for the record content.
 To assist in controlling access, FDA recommends maintaining a
list of authorized individuals and their access privileges for each
CGMP computer system in use

L.C.Clauss Hisut Ltd 21 06/12/2023

 When does electronic data
become a CGMP record?
 When generated to satisfy a CGMP requirement, all data
become a CGMP record. Data should be documented, or saved,
at the time of performance to create a record in compliance
with CGMP requirements, including, but not limited to.
CFR §§ 211.100(b) and 308 211.160(a).
 FDA expects processes to be designed so that quality data
required to be created and maintained cannot be modified.
 For example, chromatograms should be sent to long-term
storage (archiving or a permanent record) upon run completion
instead of at the end of a day’s runs.
L.C.Clauss Hisut Ltd 22 06/12/2023
 When is it permissible to invalidate a CGMP
result and exclude it from the determination
of batch conformance?

L.C.Clauss Hisut Ltd 23 06/12/2023

 How should blank forms be controlled?

 There must be document controls in place to assure

product quality
(21CFR§§ 211.100, 212 211.160(a), 211.186, 212.20(d), and 212.60(g)) .
 FDA recommends that, if used, blank forms (including,
but not limited to, worksheets, laboratory notebooks,
and MPCRs*) be controlled by the quality unit or by
another document control method.
 For example, numbered sets of blank forms may be
issued as appropriate and should be reconciled upon
completion of all issued forms.
*MPCS = Master Production and Control Record
24 06/12/2023
L.C.Clauss Hisut Ltd
 How should blank forms be controlled?
(2)

 Incomplete or erroneous forms should be kept as part of the

permanent record along with written justification for their
replacement
 bound paginated notebooks, stamped for official use by a
document control group, allow detection of unofficial
notebooks as well as of any gaps in notebook pages.

L.C.Clauss Hisut Ltd 25 06/12/2023

 Can electronic signatures be used instead
of handwritten signatures for master
production and control records?
 Electronic signatures with the appropriate controls can
be used instead of handwritten signatures or initials in
any CGMP required record.
 Requirement is to be able to clearly identify the
individual responsible for signing the record. An
electronic signature with the appropriate controls to
securely link the signature with the associated record
fulfills this requirement.

L.C.Clauss Hisut Ltd 26 06/12/2023

 The practice, also referred to as testing into
compliance, is not consistent with CGMP (1)
 The use of actual samples to perform system suitability testing
as a means of testing into compliance is not acceptable.
 It is considered as a violative practice to use an actual sample in
test, prep, or equilibration runs as a means of disguising testing
into compliance.
 According to the United States Pharmacopeia (USP), system
suitability tests should include replicate injections of a standard
preparation or other standard solutions to determine if
requirements for precision are satisfied (see USP General
Chapter <621> Chromatography).

L.C.Clauss Hisut Ltd 27 06/12/2023

 The practice, also referred to as testing into
compliance, is not consistent with CGMP (2)

 System suitability tests, including the identity of the

preparation to be injected and the rationale for its selection,
should be performed according to the firm’s established
written procedures and the approved application or applicable
compendial monograph
(21CFR§§ 211.160 and 212.60).

L.C.Clauss Hisut Ltd 28 06/12/2023

 Typical issues with Password
 “Common passwords Analysts share passwords, it is not
possible to identify who creates or changes records.
 User privileges The system configuration for the software does
not adequately define or segregate user levels and users have
access to inappropriate software privileges such as modification
of methods and integration.
 Computer system control Laboratories have failed to implement
adequate controls over data, and unauthorized access to
modify, delete, or not save electronic files is not prevented; the
file, therefore, may not be original, accurate, or complete”.
5/15/2014 17Drug Regulations”
21CFR §11
L.C.Clauss Hisut Ltd 29 06/12/2023
 Is it acceptable to only save the final results
from reprocessed laboratory chromatography?

 NO, FDA considered that Analytical methods should be capable

and stable. For most lab analyses, reprocessing data should not
be regularly needed. If chromatography is reprocessed, written
procedures must be established and followed and each result
retained for review

 FDA requires complete data in laboratory records, which

includes raw data, graphs, charts, and spectra from laboratory
instruments

L.C.Clauss Hisut Ltd 30 06/12/2023

 Can an internal tip regarding a quality issue, such
as potential data falsification, be handled
informally outside of the documented CGMP
quality system?

 Suspected or known falsification or alteration of records

required must be fully investigated under the CGMP quality
system to determine the effect of the event on patient safety,
product quality, and data reliability; to determine the under
root cause; and to ensure the necessary corrective actions are
taken
(see 21§§ 211.22(a), 378 211.125(c), 211.192, 211.198, 211.204, and
212.100). parts 210, 375 211, and 212

L.C.Clauss Hisut Ltd 31 06/12/2023

 FDA request that personnel should be trained
in detecting data integrity issues as part of a
routine CGMP training program
 Training personnel to detect data integrity issues is consistent with
the personnel requirements according to cGMP, which state that
personnel must have the education, training, and experience, or
any combination thereof, to perform their assigned duties.
( 21CFR§§ 211.25 and 212.10)
 Is the FDA investigator allowed to look at my electronic
records?
 Yes. All records required under CGMP are subject to FDA
inspection. Authorized inspection should be able to review, and
copying of records, which includes copying of electronic data
(21CFR§§ 211.180(c) and 212.110(a) and (b)).
L.C.Clauss Hisut Ltd 32 06/12/2023
 FDA Warning letter Form 483

 How does FDA recommend data integrity problems identified

during inspections, in warning letters, or in other regulatory
actions be addressed?
 FDA encourages you to demonstrate that you have effectively
remedied your problems by: hiring a third party auditor,
determining the scope of the problem, implementing a
corrective action plan (globally), and removing at all levels
individuals responsible for problems from CGMP positions.
 FDA may conduct an inspection to decide whether CGMP
violations involving data integrity have been remedied.

L.C.Clauss Hisut Ltd 33 06/12/2023

 QUESTIONS ?
L.C.Clauss Hisut Ltd 34 06/12/2023
 CFR211.188 (1)

 SUBCHAPTER C--DRUGS: GENERALPART 211 -- CURRENT GOOD

MANUFACTURING PRACTICE FOR FINISHED
PHARMACEUTICALS
 Subpart J--Records and Reports
 Sec. 211.188 Batch production and control records. Batch
production and control records shall be prepared for each
batch of drug product produced and shall include complete
information relating to the production and control of each
batch. These records shall include:
 (a) An accurate reproduction of the appropriate master
production or control record, checked for accuracy, dated, and
signed;
L.C.Clauss Hisut Ltd 35 06/12/2023
 CFR211.188 (2)
 (b) Documentation that each significant step in the
manufacture, processing, packing, or holding of the batch was
accomplished, including:
 (1) Dates;
 (2) Identity of individual major equipment and lines used;
 (3) Specific identification of each batch of component or in-
process material used;
 (4) Weights and measures of components used in the course of
processing;
 (5) In-process and laboratory control results;
 (6) Inspection of the packaging and labeling area before and
after use;
L.C.Clauss Hisut Ltd 36 06/12/2023
 CFR211.188 (3)
 (7) A statement of the actual yield and a statement of the
percentage of theoretical yield at appropriate phases of
processing;
 (8) Complete labeling control records, including specimens or
copies of all labeling used;
 (9) Description of drug product containers and closures;
 (10) Any sampling performed;
 (11) Identification of the persons performing and directly
supervising or checking each significant step in the operation,
or if a significant step in the operation is performed by
automated equipment under 211.68, the identification of the
person checking the significant step performed by the
automated equipment.
L.C.Clauss Hisut Ltd 37 06/12/2023
 CFR211.188 (5)

 (12) Any investigation made according to 211.192.

 (13) Results of examinations made in accordance with 211.134.
 [43 FR 45077, Sept. 29, 1978, as amended at 73 FR 51933, Sept. 8,
2008]

L.C.Clauss Hisut Ltd 38 06/12/2023