Comparing and Contrasting Data Integrity and Part 11

Often, people refer to Data Integrity and Part 11 as one and the same thing. However, on closer examination, Data Integrity (DI) encompasses much more than Part 11.

By:  Regina Fullin, VP of RA/QA Consulting, Compliance Team, LLC

First, Data Integrity is a general term that covers all aspects of GMP data elements, from generation, collection, reporting, archival, and obsolescence to eventual destruction. Data has a lifecycle much in the way that validation or products have a lifecycle of their own. The data lifecycle ties in with the validation and lifecycle of the product.

Second, DI covers both electronic and handwritten records. Every requirement applying to the use or management of a handwritten record has one or more corresponding electronic equivalents. For example, in a handwritten document, individuals are to identify themselves in written documentation, as well as the time the documented activity was performed. The electronic equivalent is a record of the electronic signature and an entry in the audit trail. Part 11 may discuss the requirements for electronic signature and audit trail, but it provides no guidance for how individuals identify themselves and the time of document entry in written form.

The FDA fills the gap between DI requirements for electronic and manual systems with its Guidance Document  “Data Integrity and Compliance with Drug CGMP – Questions and Answers Guidance for Industry.”  Do not be misled by the document title – this document’s scope extends beyond the pharmaceutical industry and is equally useful for medical device and biologics industry users. 

The key principle of DI is authentication. Any data generated in a GMP setting should be recorded in a manner that assures the reader/reviewer that the data are authentic. The FDA invented a mnemonic that describes the various ways in which data must be authentic, called the “ALCOA” principle. The first A stands for “Attributable,” meaning that it is unambiguous as to who performed the activity. The L stands for “Legible,” because, if you can’t read it, you don’t know what it means. The C is a stickler for many organizations. It stands for “Contemporaneous.” The data are to be collected in real time: no sticky notes, no scratch paper, direct reporting on the approved forms only. The Warning Letter archive is full of examples where companies fail to record data as it is collected. O stands for “Original” (or true copy). Data scans or photocopies must be compared against the raw data to verify true copy before using the data within, as a means of preventing transcription errors (or worse, overt falsification) at the point of copying. The last A stands for “Accurate.” This means that the information is truthful, and calculations or manual transcriptions are verified as correct before moving to the next step. If a computer is used for calculations, it presumes that the algorithm for calculation is either verified manually or validated.

The DI guidance gets into very specific examples pertaining to audit trails, use of static or dynamic data, computer backups, control of blank forms and paper records, document storage/retrieval, and what to do if a company discovers a data integrity issue. None of these situations is discussed in Part 11. Some of them may be discussed in the predicate CFR, but not in the level of detail provided in the FDA guidance.

Data Integrity also covers the intersection between Good Documentation Practices and Electronic Signatures and Electronic Records. So, if your data integrity program consists of a thorough training on 21 CFR Part 11 and a general overview of Good Documentation Practices, your program may be deficient in scope and breadth.  For example, the Data Integrity Guidance specifically states that employees should be trained in how to determine whether data are inauthentic so appropriate CAPA can be undertaken for DI issues.

If you are unsure of the compliance status of your company’s DI program, Compliance Team offers two customizable solutions to meet your needs.  First, we can conduct a review of your DI system.  This can be achieved through an audit, or through a review of your company’s SOPs that pertain to Data Integrity.  Second, we can design a training program that educates both leaders and staff on principles of data integrity to raise the overall DI standing of the company.

Unfortunately, some companies have received a recommendation from the FDA for a CGMP consultant to facilitate Data Integrity Remediation due to poor inspection performance. While Compliance Team has resources to help such companies, it is preferable to avoid compliance risk altogether by learning from others’ mistakes by reading the Warning Letters already posted on the FDA  They say that “An ounce of prevention is worth a pound of cure.” Data Integrity is one of those areas where the adage especially proves true.