In April 2016, the FDA put out its draft guidance on Data Integrity and Compliance With cGMP, which helped to clarify the FDA’s stance on data integrity.
“For the purposes of this guidance, data integrity refers to the completeness, consistency, and accuracy of data. Complete, consistent, and accurate data should be Attributable, Legible, Contemporaneously recorded, Original or a true copy, and Accurate (ALCOA).” – FDA Guidance on Data Integrity and Compliance with cGMP
The term “data integrity” has far-reaching applications for computer systems. Any FDA-regulated company should look carefully at their CSV program to revisit the following areas:
Audit trails are subject to either regular or scheduled reviews.
Regular Review: Audit trails that need to be reviewed with the parent GxP record. The FDA recommends that audit trails that capture changes to critical data be reviewed with each record and before final approval.
Audit trails subject to regular review include but are not limited to:
Scheduled Review: Audit trails that need to be reviewed at regular intervals. The FDA recommends routine scheduled audit trail reviews based on the complexity of each system and its intended use.
The expectation with regular reviews is that the audit trail associated with a critical GxP record must be reviewed along with the record itself (for example, a batch record).
A data-integrity-friendly application must present the audit trail data to the reviewer in a way that is easily understandable and user friendly; otherwise, the reviewer will spend far more time reviewing the audit trail than the parent record. Most modern, well-designed IT apps, such as Atlassian Jira, can accomplish this out of the box.
Scheduled reviews can be a bit trickier than regular reviews. For enterprise applications, performing such reviews requires answering several questions, including:
Some large pharma companies are mandating SOPs be developed and audit trail reviews be conducted on a periodic basis, which poses a challenge for system owners and administrators. Most legacy applications generate logs and audit trails that can only be read by software programmers, not end users.
Additionally, the sheer volume of audit trail records makes this a nearly insurmountable task. For example, a cloud enterprise application can generate hundreds of audit trail records for a single workflow execution.
A big data system can be set up to consume audit trail logs and records and display meaningful information in a dashboard format. Such a system can categorize transactions, provide statistical information, and notify the user of any unusual activity. It also can monitor:
Once a strong baseline is established with historical data, a big data system will learn from that baseline and flag unusual activity in near-real time.