Warning Letters on Data Integrity: What does the FDA expect from Third Party Auditors and Consultants?
In some of the Warning Letters from fiscal year 2014 serious deviations with regard to the handling of electronic data (e.g. data manipulation) are listed. Typically, you can find in the Warning Letters the following statements:
Your firm failed to ensure that laboratory records included complete data derived from all tests necessary to assure compliance with established specifications and standards (21 CFR 211.194(a)).
Your firm failed to exercise appropriate controls over computer or related systems to assure that only authorized personnel institute changes in master production and control records, or other records (21 CFR 211.68(b)).
Your firm frequently performs “unofficial testing” of samples, disregards the results, and reports results from additional tests.
The inspection revealed your firm’s use of scratch paper containing critical manufacturing data. The data on these scratch paper records did not always match the data on the corresponding official batch records...
These quotations are taken from 4 Warning Letters which were all addressed to Indian pharmaceutical companies (please find here as an example a Warning Letter from February 2014). The GMP deviations detected during inspections with regard to electronic data are so elementary that the FDA urgently recommends to the companies concerned to occasionally get a Third Party Auditor who would first perform an in-depth GMP audit and then support the company remove the deficits with respect to data integrity. The consultants should be experts in this area. In the Warning Letters mentioned, the FDA defines which services the consultant has to bring ("Your data integrity expert should..." ). These requirements are largely identical in the 4 Warning Letters and consist of the following measures:
Gapless identification of all time periods where electronic data have been recorded and documented incorrectly.
Identification and interview of all employees who were employed at the site before, during, or shortly after these time periods. Activities in connection with systems, procedures and behaviour of the management which contributed to or caused the GMP deviations while handling electronic data should be detected.
Employees who left the company before, during, or shortly after these time periods should also be interviewed accordingly.
Additional supporting indications of GMP non-compliant handling of electronic data should be identified. The involvement of other sites should be taken into consideration.
The managers in charge during the time periods in question have to be identified by means of organigrams and SOPs. It must be revealed to what extent the top and middle management knew about or was involved in the data manipulation.
The data integrity expert should find out whether managers who have been identified this way are still able to have an influence on the integrity of GMP relevant data (also with regard to applications for marketing authorisations). Internal reviews are to be extended to other sites which are known to be involved in violations of GMP-compliant handling of data.
For the auditor processing these points, the task is similar to detective work - which is likely to be demanding and not pleasant - as it may be doubtful that he or she gets the fullest support from the company concerned. Yet, this detective work is essential in the interests of patient safety and is taken very seriously by the FDA, especially with Indian companies as the Agency doesn't rely on their capability to resolve the data integrity problems without external support.
The requirements for GMP-compliant handling of electronic data will be covered at an ECA training course "Electronic GMP Systems" from 18 - 20 March 2015 in Prague, Czech Republic.