June 09, 2022

Data integrity and data access control in drug manufacture

By Razan Jammal, Cytiva

As digital technologies have advanced, regulatory requirements on data integrity have also evolved. Assuring the integrity of records when generating and maintaining them is essential to developing and producing high-quality, safe, and effective drugs.

Evolving regulatory requirements

The most recent guidance documents from the US Food and Drug Administration (FDA) and the British Medicines and Healthcare Products Regulatory Agency (MHRA) regarding the data integrity of electronic records were issued in 2018. Other agencies like the European Medicines Agency (EMA) issued similar guidelines. The National Institute of Standards and Technology (NIST), meanwhile, published updated digital identification guidelines in 2017.

The FDA document, “Data integrity and compliance with drug CGMP,” is in question-and-answer format designed to clarify the role of data integrity in current good manufacturing practice (cGMP) for drugs as required in 21 CFR Parts 210, 211, and 212. This document was issued because the agency was finding noncompliance at many pharma companies, including large, established firms.

Despite the guidance, the FDA continues to uncover data integrity compliance problems, as reflected by the number of warning letters issued in the last two years. Clearly many drug manufacturers—and potentially equipment vendors—remain not fully aware of the regulatory requirements around electronic records and signatures.

The ALCOA Plus principle

Because of their pivotal role in assuring the safety of drug products, regulators expect all records relevant for the product safety and quality to be accurate and reliable, and cGMP guidelines specifically expect risk-based strategies to be put in place aimed at detecting and preventing data integrity issues. These requirements for data handling align with the ALCOA Plus principle, which has been adopted by many bodies including the FDA and World Health Organization (WHO). ALCOA is an acronym that stands for: attributable, legible, contemporaneously recorded, original or true copy, and accurate. ALCOA Plus extends the criteria to include complete, consistent, enduring, and available.

Following this principle means that it should be possible to identify the person who generated or modified the record and the date and time when this occurred. The record should include the first (or source capture) of the data or information and all subsequent data required to fully reconstruct the conduct of the good practice (GxP) activity. In simple terms, it should be possible to identify and track the “what, who, why, and when.”

As importantly, the record must be accurate, valid, reliable, and complete without any deletions and including any changes made during the life of the data. It must also be recorded chronologically with the date and time and stored in a manner that enables both long-term data preservation and easy access over the lifetime of the product.

Required records for filter integrity test instruments

When performing filter integrity tests using a filter integrity test instrument, a variety of records are generated that must follow data integrity regulations.

These records include:

  • Test result records
  • Filter test programs
  • Access control records
  • User records
  • Configuration records
  • Event audit trail

As a result, it is vital that the test instrument that is used is designed to facilitate data integrity of electronic records and assure quality and regulatory compliance across all aspects of the process. It must ensure that these records are static records and cannot be modified by the operator other than to add a signature. The filter test program defines the filter test, and all parameters defined and used at the moment for the test included should be in the test result record. Changes to these records should have audit trails.

The access management records are relevant for the control of the safety of electronic records and electronic signatures and include the access control and password management settings. Instrument configuration records include basic instrument settings, including units, language, and date and time.

Access control

Compliance with the ALCOA Plus principle starts with access control to electronic records. The most basic form of access control is the combination of a user ID and password that grant access to a specific program or computerized system to generate and/or modify electronic records and employ electronic rather than written signatures. Password management systems that allow the definition of specific requirements enhance the safety of this approach and are expected to be implemented.

The newer guidelines also require control of who can access certain parts of the system. For instance, system administrators should not be granted access to activities and records related to test program handling and test completion, while operators and supervisors should not have access to general system administration features. Operators are, in fact, generally limited to only those aspects of the program that relate to performance of the test, such as defining and starting/stopping a test, approving the test results, and reviewing the audit trail.

Learn more about our solutions.