- Management Involvement. The final guidance explicitly recognizes that management’s involvement in creating meaningful and effective risk management strategies is essential to preventing conditions that can lead to data integrity problems. FDA emphasizes management’s role in cultivating a “quality culture” where employees understand data integrity as an “organizational core value” and are encouraged to report data integrity issues.
- Audit Trail Review. The final guidance provides clearer direction on when audit trails should be reviewed. If the timing for data review is specified in a CGMP regulation ― for example, prior to batch release ― then the associated audit trails for that data should be reviewed with the same frequency. If the timing for data review is not specified in a regulation, manufacturers can use a risk-based approach to determine the frequency of audit trail review. The approach may be based on a risk assessment that takes into account the criticality of the data and its impact on product quality. The guidance cites examples of audit trails that may be reviewed on a risk-based frequency, such as instrument communication logs and instrument alert records.
- Aborted or Incomplete Chromatographic Injections. FDA expects processes to be designed so that CGMP data is protected during the complete lifecycle of the data and cannot be modified without a record of the modification. The guidance discusses chromatographic data specifically and states that data should be saved upon completion of each step or injection instead of at the end of an injection set, and any changes to the chromatographic data or injection sequence should be documented in an audit trail. FDA clarifies that aborted or incomplete injections should not only be captured in an audit trail but also investigated and justified.
Commissioner Gottlieb remarked that the guidance is one part of a “multilayered” approach to ensuring data integrity, including preapproval and postapproval inspections and approval of product applications and supplements.
The final FDA guidance does not provide the level of detail that can be found in data integrity guidance from other international regulatory agencies (such as the Australian Therapeutics Goods Administration). Companies that distribute products to ex-U.S. markets should be aware of the data integrity expectations for each country and have procedures and systems in place to meet those expectations.
Companies and investment funds looking to acquire pharmaceutical or biotech companies should consider the target’s existing data management controls and practices as part of the due diligence process.