The topic data integrity is still in the focus of international authorities. Although integrity of data has been observed since the beginning of GMP, monitoring authorities started addressing the topic in specific guidelines approximatively 5 years ago. In the meantime, the first guidelines have been finalised (MHRA / WHO) i.e. are about to be finalised (PIC/S PI 041).
On the 12 of December 2018 the US-American FDA also finalised its draft which was presented in April 2016.
Structure of the Guidance for Industry "Data Integrity and Compliance in CGMP"
The fundamental structure of the guidance has remained the same compared to the draft of April 2016. The FDA addresses diverse data integrity topics in 18 questions and provides answers to them as "Recommendations". Both questions and answers have been revised and partly complemented.
First examination of the modifications
What has changed?
The "Introduction" points out that all citations to CFR Part 211/212 in the document pertain to finished pharmaceutical and PET drugs. However, those requirements are consistent with FDA guidance on CGMP for APIs.
The introduction firmly mentions the role of management: "It is the role of management with executive responsibility to create a quality culture where employees understand that data integrity is an organisational core value and employees are encouraged to identify and promptly report data integrity issues".
The "Background" provides a list of requirements from CFR Part 211 and 212 with regard to data integrity. To comply with those requirements, one should ask the following questions: - "Are controls in place to ensure that data is complete?" - "Are activities documented at the time of performance?" - "Are activities attributable to a specific individual?" - "Can only authorized individuals make changes to records?" - "Is there a record of changes to data?" - "Are records reviewed for accuracy, completeness, and compliance with established standards?" - "Are data maintained securely from data creation through disposition after the record's retention period?"
The answer to the question "What is data integrity" now firmly refers to the cGMP data life cycle. The system design and controls should simplify the detection of errors, omissions and aberrant results throughout the data's life cycle.
The answer to the question "How often should audit trails be reviewed?" has been extensively revised. If the review frequency for the data is specified in CGMP regulations, then the frequency for the audit trail review should be the same. If not, you should determine the review frequency for the audit trail using knowledge of your processes and risk assessment tools.