Earlier today, FDA published its finalized Data Integrity Guidance. The Final Guidance is entitled “Data Integrity and Compliance With Drug CGMP: Questions and Answers,” and updates the agency’s April 2016 Draft Guidance covering the design, operation, and monitoring of systems and controls to maintain data integrity to comply with current good manufacturing practice (cGMP) for drugs. The Final Guidance says that in recent years, FDA has “increasingly observed cGMP violations involving data integrity” during inspections, and in a statement announcing the guidance, FDA Commissioner Scott Gottlieb, M.D. similarly expressed concern over data integrity violations that have been the result of both deceptive practices and inadequate controls and oversight to ensure reliable and accurate data.
Although the Final Guidance largely aligns with the Draft Guidance, there are some notable differences. In particular:
- An expansive interpretation of FDA’s inspectional authority under 21 USC 374 and lack of clarity on how it applies to foreign establishments. In Footnote 14 in the Final Guidance, FDA indicates that pursuant to 21 USC § 374(a), the agency may inspect “records not intended to satisfy a CGMP requirement but which nonetheless contain CGMP information.” FDA also states on page 12 of the Final Guidance that “an email to authorize batch release is a CGMP record that FDA may review” pursuant to its 21 USC § 374(a) inspectional authority. This interpretation of 21 USC § 374 is noteworthy because it could be read to go beyond what FDA generally has authority to inspect, for example, email containing personnel information that could cover a broad range of information. Under 21 USC § 374, FDA only has the statutory authority to inspect personnel records that go to the qualification of technical and professional personnel. Similarly, FDA’s authority to inspect records does not extend to financial data, sales data (other than shipment data), pricing data, and research data (other than data relating to 21 USC § 355(i) (investigational new drug), § 355(k) (postmarket studies), or § 355(j) (abbreviated new drug applications)). It also raises the question as to how FDA would go about locating emails containing CGMP information (that are not technically CGMP records) without reviewing significant amounts of email records that very well could be outside the scope of 21 USC § 374.
Additionally, while relying on 21 USC § 374, the Final Guidance does not differentiate between foreign and domestic inspections with regard to this potentially expansive interpretation and how it will be applied outside the United States. This is noteworthy because much of FDA’s data integrity enforcement has focused on manufacturing sites outside the United States and FDA has itself recognized that its access to foreign establishments and the records therein does not come from FDA’s inspection authority under 21 USC § 374  This is why, for example, FDA investigators do not issue a Form FDA 482, Notice of Inspection, when conducting a foreign inspection. For an inspection under 21 USC § 374, FDA investigators are required to issue a Form FDA 482 to each firm inspected. But FDA investigators are instructed not to issue a Form FDA 482 during foreign inspections, as 21 USC § 374 does not apply during foreign inspections.  FDA’s ability to conduct foreign inspections has historically derived from the fact that if an inspection or a request to review records is refused, FDA can take measures to deny access to the United States market (via import refusal and withholding of application approvals).
- Increased emphasis on the critical role of senior management in creating a quality culture that identifies and addresses data integrity risks. For example, the preamble to the Final Guidance states that “[m]anagement’s involvement in and influence on” strategies to identify and address data integrity risk is “essential in preventing and correcting conditions that can lead to data integrity problems.” The Final Guidance also states that “[i]t is the role of management with executive responsibility to create a quality culture where employees understand that data integrity is an organizational core value and employees are encouraged to identify and promptly report data integrity issues. In the absence of management support of a quality culture, quality systems can break down and lead to CGMP noncompliance.” This could signal an increased willingness on the part of FDA to hold senior management, including corporate management, responsible for data integrity issues identified at manufacturing sites.
- Clarifying that invalidated data must be evaluated by the quality unit pursuant to release. While the Draft Guidance was silent on the issue of whether legitimately invalidated data should be included within the scope of the quality unit’s batch record review pursuant to release, the Final Guidance expressly addresses this point: “Even if test results are legitimately invalidated on the basis of a scientifically sound investigation, the full CGMP batch record provided to the quality unit would include the original (invalidated) data, along with the investigation report that justifies invalidating the result.” This difference is consistent with how we have seen FDA enforce the Draft Guidance in the field with respect to invalidated data.
- More stringent requirements regarding access controls. Whereas the Draft Guidance recognized that some manufacturers may be too small to support independent security role assignments — e.g., for system administrators — the Final Guidance does not include this provision. The Final Guidance simply states that the “system administrator role, including any rights to alter files and settings, should be assigned to personnel independent from those responsible for the record content.” The Final Guidance further states that manufacturers should “establish and implement a method for documenting authorized personnel’s access privileges for each CGMP computer system in use (e.g., by maintaining a list of authorized individuals).” Regarding shared accounts, the Final Guidance states that even read-only shared accounts are not permissible.
- Enhanced requirements relating to audit trail review. Whereas the Draft Guidance recommended that “audit trails that capture changes to critical data be reviewed with each record and before final approval of the record,” (emphasis added) the Final Guidance states that “[i]f the review frequency for the data is specified in CGMP regulations, adhere to that frequency for the audit trail review.” The Final Guidance further clarifies that audit trails should be reviewed “after each significant step in the manufacture, processing, packing, or holding” of a drug, and before batch release. This difference between the Draft Guidance and Final Guidance is potentially significant in that it could increase the amount of data reviewed during manufacturing and batch release. The Final Guidance does not clarify the scope of audit trail review — i.e., what time points should be included within the scope of the quality unit’s review, particularly at batch release.
Overall, the Final Guidance shows that data integrity remains a top enforcement priority for FDA, and the agency will expect manufacturers to be in compliance with the expectations detailed in the Final Guidance moving forward.
If you have questions regarding the Final Guidance and FDA’s application of the requirements therein—or data integrity more generally—please contact Jim Johnson or Chris Fanelli, or a Hogan Lovells lawyer you regularly work with.
Authored by Jim Johnson and Christopher Fanelli
 “[T]he authority to inspect foreign drug facilities does not come from [21 USC § 374] of the Food, Drug and Cosmetic Act (the Act), but from the agency’s ability to exercise [21 USC § 381] of the Act and commitments made by the sponsors of applications, if applicable.” FDA’s Guide To Inspections of Foreign Pharmaceutical Manufacturers, available at https://www.fda.gov/iceci/inspections/inspectionguides/ucm075021.htm.