The purpose of this guidance is to clarify the role of data integrity in current good manufacturing practice (CGMP) for drugs, as required in 21 CFR parts 210, 211, and 212. Part 210 covers Current Good Manufacturing Practice in Manufacturing, Processing, Packing, or Holding of Drugs; General; part 211 covers Current Good Manufacturing Practice for Finished Pharmaceuticals; and part 212 covers Current Good Manufacturing Practice for Positron Emission Tomography Drugs. This guidance provides the Agency’s current thinking on the creation and handling of data in accordance with CGMP requirements.
FDA expects that data be reliable and accurate (see the “Background” section). CGMP regulations and guidance allow for flexible and risk-based strategies to prevent and detect data integrity issues. Firms should implement meaningful and effective strategies to manage their data integrity risks based upon their process understanding and knowledge management of technologies and business models.
In general, FDA’s guidance documents do not establish legally enforceable responsibilities. Instead, guidances describe the Agency’s current thinking on a topic and should be viewed only as recommendations, unless specific regulatory or statutory requirements are cited. The use of the word should in Agency guidances means that something is suggested or recommended, but not required.
In recent years, FDA has increasingly observed CGMP violations involving data integrity during CGMP inspections. This is troubling because ensuring data integrity is an important component of industry’s responsibility to ensure the safety, efficacy, and quality of drugs, and of FDA’s ability to protect the public health. These data integrity-related CGMP violations have led to numerous regulatory actions, including warning letters, import alerts, and consent decrees. The underlying premise in §§ 210.1 and 212.2 is that CGMP sets forth minimum requirements to assure that drugs meet the standards of the Federal Food, Drug, and Cosmetic Act (FD&C Act) regarding safety, identity, strength, quality, and purity.2 45 Requirements with respect to data integrity in parts 211 and 212 include, among other things:
- § 211.68 (requiring that “backup data are exact and complete,” and “secure from alteration, inadvertent erasures, or loss”);
- § 212.110(b) (requiring that data be “stored to prevent deterioration or loss”);
- §§ 211.100 and 211.160 (requiring that certain activities be “documented at the time of performance” and that laboratory controls be “scientifically sound”);
- § 211.180 (requiring that records be retained as “original records,” “true copies,” or other “accurate reproductions of the original records”);
- §§ 211.188, 211.194, and 212.60(g) (requiring “complete information,” “complete data derived from all tests,” “complete record of all data,” and “complete records of all tests performed”).
Electronic signature and record-keeping requirements are laid out in 21 CFR part 11 and apply to certain records subject to records requirements set forth in Agency regulations, including parts 210, 211, and 212. For more information, see guidance for industry Part 11, Electronic Records; Electronic Signatures — Scope and Application.
The guidance outlines FDA’s current thinking regarding the narrow scope and application of part 11 pending FDA’s reexamination of part 11 as it applies to all FDA-regulated products.
III. QUESTIONS AND ANSWERS:
1. Please clarify the following terms as they relate to CGMP records:
a. What is “data integrity”?
For the purposes of this guidance, data integrity refers to the completeness,consistency, and accuracy of data. Complete, consistent, and accurate data should be attributable, legible, contemporaneously recorded, original or a true copy, and accurate (ALCOA)
b. What is “metadata”?
Metadata is the contextual information required to understand data. A data value is by itself meaningless without additional information about the data. Metadata is often described as data about data. Metadata is structured information that describes, explains, or otherwise makes it easier to retrieve, use, or manage data.
For example, the number “23” is meaningless without metadata, such as an indication of the unit “mg.” Among other things, metadata for a particular piece of data could include a date/time stamp for when the data were acquired, a user ID of the person who conducted the test or analysis that generated the data, the instrument ID used to acquire the data, audit trails, etc.
Data should be maintained throughout the record’s retention period with all associated metadata required to reconstruct the CGMP activity (e.g., §§ 211.188 and 211.194). The relationships between data and their metadata should be preserved in a secure and traceable manner.
c. What is an “audit trail”?
For purposes of this guidance, audit trail means a secure, computer-generated, time-stamped electronic record that allows for reconstruction of the course of events relating to the creation, modification, or deletion of an electronic record.
An audit trail is a chronology of the “who, what, when, and why” of a record. For example, the audit trail for a high performance liquid chromatography (HPLC) run could include the user name, date/time of the run, the integration parameters used, and details of a reprocessing, if any, including change justification for the reprocessing.
Electronic audit trails include those that track creation, modification, or deletion of data (such as processing parameters and results) and those that track actions at the record or system level (such as attempts to access the system or rename or delete a file).
CGMP-compliant record-keeping practices prevent data from being lost or oabscured (see §§ 211.160(a), 211.194, and 212.110(b)). Electronic record-keeping systems, which include audit trails, can fulfill these CGMP requirements.
d. How does FDA use the terms “static” and “dynamic” as they relate to record formats?
For the purposes of this guidance, static is used to indicate a fixed-data document such as a paper record or an electronic image, and dynamic means that the record format allows interaction between the user and the record content. For example, a dynamic chromatographic record may allow the user to change the baseline and reprocess chromatographic data so that the resulting peaks may appear smaller or larger. It also may allow the user to modify formulas or entries in a spreadsheet used to compute test results or other information such as calculated yield.
e. How does FDA use the term “backup” in § 211.68(b)?
FDA uses the term backup in § 211.68(b) to refer to a true copy of the original data that is maintained securely throughout the records retention period (for example, § 211.180). The backup file should contain the data (which includes associated metadata) and should be in the original format or in a format compatible with the original format.
This should not be confused with backup copies that may be created during normal computer use and temporarily maintained for disaster recovery (e.g., in case of a computer crash or other interruption). Such temporary backup copies would not satisfy the requirement in § 211.68(b) to maintain a backup file of data.
f. What are the “systems” in “computer or related systems” in § 211.68?
The American National Standards Institute (ANSI) defines systems as people,machines, and methods organized to accomplish a set of specific functions.
Computer or related systems can refer to computer hardware, software, peripheral devices, networks, cloud infrastructure, operators, and associated documents (e.g., user manuals and standard operating procedures).
When is it permissible to exclude CGMP data from decision making?
Any data created as part of a CGMP record must be evaluated by the quality unit as part of release criteria (see §§ 211.22 and 212.70) and maintained for CGMP purposes (e.g., § 211.180). Electronic data generated to fulfill CGMP requirements should include relevant metadata. To exclude data from the release criteria decision-making process, there must be a valid, documented, scientific justification for its exclusion (see the guidance for industry Investigating Out-of-Specification (OOS) Test Results for Pharmaceutical Production, and §§ 211.188, 211.192, and 212.71(b)). The requirements for record retention and review do not differ depending on the data format; paper-based and electronic data record-keeping systems are subject to the same requirements.
Does each workflow on our computer system need to be validated?
Yes, a workflow, such as creation of an electronic master production and control record (MPCR), is an intended use of a computer system to be checked through validation (see §§ 211.63, 211.68(b), and 211.110(a)). If you validate the computer system, but you do not validate it for its intended use, you cannot know if your workflow runs correctly.
For example, qualifying the Manufacturing Execution System (MES) platform, a computer system, ensures that it meets specifications; however, it does not demonstrate that a given MPCR generated by the MES contains the correct calculations. In this example, validating the workflow ensures that the intended steps, specifications, and calculations in the MPCR are accurate. This is similar to reviewing a paper MPCR and ensuring all supporting procedures are in place before the MPCR is implemented in production (see §§ 211.100, 211.186, and 212.50(b), and the guidance for industry PET Drugs — Current Good Manufacturing Practice (CGMP)).
FDA recommends you implement appropriate controls to manage risks associated with each element of the system. Controls that are appropriately designed to validate a system for its intended use address software, hardware, personnel, and documentation.
How should access to CGMP computer systems be restricted?
You must exercise appropriate controls to assure that changes to computerized MPCRs, or other records, or input of laboratory data into computerized records, can be made only by authorized personnel (§ 211.68(b)). FDA recommends that you restrict the ability to alter specifications, process parameters, or manufacturing or testing methods by technical means where possible (for example, by limiting permissions to change settings or data).
FDA suggests that the system administrator role, including any rights to alter files and settings, be assigned to personnel independent from those responsible for the record content. To assist in controlling access, FDA recommends maintaining a list of authorized individuals and their access privileges for each CGMP computer system in use.
If these independent security role assignments are not practical for small operations or facilities with few employees, such as PET or medical gas facilities, FDA recommends alternate control strategies be implemented.
For example, in the rare instance that the same person is required to hold the system administrator role and to be responsible for the content of the records, FDA suggests having a second person review settings and content. If second-person review is not possible, the Agency recommends that the person recheck settings and his or her own work.
Why is FDA concerned with the use of shared login accounts for computer systems?
You must exercise appropriate controls to assure that only authorized personnel make changes to computerized MPCRs, or other records, or input laboratory data into computerized records, and you must implement documentation controls that ensure actions are attributable to a specific individual (see §§ 211.68(b), 211.188(b)(11), 211.194(a)(7) and (8), and 212.50(c)(10)). When login credentials are shared, a unique individual cannot be identified through the login and the system would thus not conform to the CGMP requirements in parts 211 and 212. FDA requires that systems controls, including documentation controls, be designed to follow CGMP to assure product quality (for example, §§ 211.100 and 212.50).
How should blank forms be controlled?
There must be document controls in place to assure product quality (see §§ 211.100, 213 211.160(a), 211.186, 212.20(d), and 212.60(g)). FDA recommends that, if used, blank forms (including, but not limited to, worksheets, laboratory notebooks, and MPCRs) be controlled by the quality unit or by another document control method. For example, numbered sets of blank forms may be issued as appropriate and should be reconciled upon completion of all issued forms. Incomplete or erroneous forms should be kept as part of the permanent record along with written justification for their replacement (for example, see §§ 211.192, 211.194, 212.50(a), and 212.70(f)(1)(vi)).
Similarly, bound paginated notebooks, stamped for official use by a document control group, allow detection of unofficial notebooks as well as of any gaps in notebook pages.
How often should audit trails be reviewed?
FDA recommends that audit trails that capture changes to critical data be reviewed with each record and before final approval of the record. Audit trails subject to regular review should include, but are not limited to, the following: the change history of finished product test results, changes to sample run sequences, changes to sample identification, and changes to critical process parameters.
FDA recommends routine scheduled audit trail review based on the complexity of the system and its intended use.
See audit trail definition 1.c. above for further information on audit trails.
Who should review audit trails?
Audit trails are considered part of the associated records. Personnel responsible for record review under CGMP should review the audit trails that capture changes to critical data associated with the record as they review the rest of the record (for example, §§ 242 211.22(a), 211.101(c), 211.194(a)(8), and 212.20(d)). For example, all production and control records, which includes audit trails, must be reviewed and approved by the quality unit (§ 211.192). This is similar to the expectation that cross-outs on paper be
assessed when reviewing data.
Can electronic copies be used as accurate reproductions of paper or electronic records?
Yes. Electronic copies can be used as true copies of paper or electronic records, provided the copies preserve the content and meaning of the original data, which includes associated metadata and the static or dynamic nature of the original records.
True copies of dynamic electronic records may be made and maintained in the format of the original records or in a compatible format, provided that the content and meaning of the original records are preserved and that a suitable reader and copying equipment (for example, software and hardware, including media readers) are readily available (§§211.180(d) and 212.110).
Is it acceptable to retain paper printouts or static records instead of original electronic records from stand-alone computerized laboratory instruments, such as an FT-IR instrument?
A paper printout or static record may satisfy retention requirements if it is a complete copy of the original record (see §§ 211.68(b), 211.188, 211.194, and 212.60). For example, pH meters and balances may create a paper printout or static image during data acquisition as the original record. In this case, the paper printout or static image created during acquisition, or a true copy, should be retained (§ 211.180).
However, electronic records from certain types of laboratory instruments are dynamic records, and a printout or a static record does not preserve the dynamic format which is part of the complete original record. For example, the spectral file created by FT-IR (Fourier transform infrared spectroscopy) can be reprocessed, but a static record or printout is fixed, which would not satisfy CGMP requirements to retain original records or true copies (§ 211.180(d)). Also, if the full spectrum is not displayed, contaminants
may be excluded.
Control strategies must ensure that original laboratory records, including paper and electronic records, are subject to second-person review (§ 211.194(a)(8)) to make certain that all test results are appropriately reported.
For PET drugs, see the guidance for industry PET Drugs — Current Good Manufacturing Practice (CGMP) for discussion of equipment and laboratory controls, including regulatory requirements for records.
Can electronic signatures be used instead of handwritten signatures for master production and control records?
Yes, electronic signatures with the appropriate controls can be used instead of handwritten signatures or initials in any CGMP required record. While § 211.186(a) specifies a “full signature, handwritten,” as explained in the Federal Register on September 29, 1978 (43 FR 45069), part of the intent of the full signature requirement is to be able to clearly identify the individual responsible for signing the record. An electronic signature with the appropriate controls to securely link the signature with the associated record fulfills this requirement. This comports with part 11, which establishes criteria for when electronic signatures are considered the legally binding equivalent of handwritten signatures. Firms using electronic signatures should document the controls used to ensure that they are able to identify the specific person who signed the records electronically.
There is no requirement for a handwritten signature for the MPCR in the PET CGMP regulations (21 CFR part 212).
When does electronic data become a CGMP record?
When generated to satisfy a CGMP requirement, all data become a CGMP record. You must document, or save, the data at the time of performance to create a record in compliance with CGMP requirements, including, but not limited to, §§ 211.100(b) and 211.160(a). FDA expects processes to be designed so that quality data required to be created and maintained cannot be modified. For example, chromatograms should be sent to long-term storage (archiving or a permanent record) upon run completion instead of at the end of a day’s runs.
It is not acceptable to record data on pieces of paper that will be discarded after the data are transcribed to a permanent laboratory notebook (see §§ 211.100(b), 211.160(a), and 211.180(d)). Similarly, it is not acceptable to store data electronically in temporary memory, in a manner that allows for manipulation, before creating a permanent record.
Electronic data that are automatically saved into temporary memory do not meet CGMP documentation or retention requirements.
You may employ a combination of technical and procedural controls to meet CGMP documentation practices for electronic systems. For example, a computer system, such as a Laboratory Information Management System (LIMS) or an Electronic Batch Record (EBR) system, can be designed to automatically save after each separate entry. This would be similar to recording each entry contemporaneously on a paper batch record to satisfy CGMP requirements. The computer system could be combined with a procedure requiring data be entered immediately when generated.
For PET drugs, see the “Laboratory Controls” section of the guidance for industry PET Drugs — Current Good Manufacturing Practice (CGMP)
Why has the FDA cited use of actual samples during “system suitability” or test, prep, or equilibration runs in warning letters?
FDA prohibits sampling and testing with the goal of achieving a specific result or to overcome an unacceptable result (e.g., testing different samples until the desired passing result is obtained). This practice, also referred to as testing into compliance, is not consistent with CGMP (see the guidance for industry Investigating Out-of-Specification (OOS) Test Results for Pharmaceutical Production). In some situations, use of actual samples to perform system suitability testing has been used as a means of testing into compliance. We would consider it a violative practice to use an actual sample in test, prep, or equilibration runs as a means of disguising testing into compliance.
According to the United States Pharmacopeia (USP), system suitability tests should include replicate injections of a standard preparation or other standard solutions to determine if requirements for precision are satisfied (see USP General Chapter Chromatography). System suitability tests, including the identity of the preparation to be injected and the rationale for its selection, should be performed according to the firm’s established written procedures and the approved application or applicable compendial monograph (§§ 211.160 and 212.60).
If an actual sample is to be used for system suitability testing, it should be a properly characterized secondary standard, written procedures should be established and followed, and the sample should be from a different batch than the sample(s) being tested (§§ 211.160, 211.165, and 212.60). All data should be included in the record that is retained and subject to review unless there is documented scientific justification for its exclusion.
For more information, see also the ICH guidance for industry Q2(R1) Validation of Analytical Procedures: Text and Methodology.
Is it acceptable to only save the final results from reprocessed laboratory chromatography?
No. Analytical methods should be capable and stable. For most lab analyses, reprocessing data should not be regularly needed. If chromatography is reprocessed, written procedures must be established and followed and each result retained for review (see §§ 211.160(a), 211.160(b), 211.165(c), 211.194(a)(4), and 212.60(a)). FDA requires complete data in laboratory records, which includes raw data, graphs, charts, and spectra from laboratory instruments (§§ 211.194(a) and 212.60(g)(3)).
Can an internal tip regarding a quality issue, such as potential data falsification, be handled informally outside of the documented CGMP quality system?
No. Suspected or known falsification or alteration of records required under parts 210, 211, and 212 must be fully investigated under the CGMP quality system to determine the effect of the event on patient safety, product quality, and data reliability; to determine the root cause; and to ensure the necessary corrective actions are taken (see §§ 211.22(a), 211.125(c), 211.192, 211.198, 211.204, and 212.100).
FDA invites individuals to report suspected data integrity issues that may affect the safety, identity, strength, quality, or purity of drug products at DrugInfo@fda.hhs.gov . “CGMP data integrity” should be included in the subject line of the email. See also Application Integrity Policy, available at http://www.fda.gov/ICECI/EnforcementActions/ApplicationIntegrityPolicy/default.htm.
Should personnel be trained in detecting data integrity issues as part of a routine CGMP training program?
Yes. Training personnel to detect data integrity issues is consistent with the personnel requirements under §§ 211.25 and 212.10, which state that personnel must have the education, training, and experience, or any combination thereof, to perform their assigned duties.
Is the FDA investigator allowed to look at my electronic records?
Yes. All records required under CGMP are subject to FDA inspection. You must allow authorized inspection, review, and copying of records, which includes copying of electronic data (§§ 211.180(c) and 212.110(a) and (b)). See also section 704 of the FD&C Act.
How does FDA recommend data integrity problems identified during inspections, in warning letters, or in other regulatory actions be addressed?
FDA encourages you to demonstrate that you have effectively remedied your problems by: hiring a third party auditor, determining the scope of the problem, implementing a corrective action plan (globally), and removing at all levels individuals responsible for problems from CGMP positions. FDA may conduct an inspection to decide whether
CGMP violations involving data integrity have been remedied.