FDA Compliance: When Does Electronic Data become a cGMP Record?

March 28, 2019 Becky Hurt

Authored By: Kimberley Buytaert-Hoefen, Ph.D., Principal Consultant, Strategic Compliance

When generated to satisfy a Current Good Manufacturing Practice (cGMP) requirement, all data becomes a cGMP record. At the time of performance, the data should be documented or saved to create a record in compliance with cGMP requirements. Per the FDA guidance, a “system, can be designed to automatically save after each entry.  This would be similar to indelibly recording each entry contemporaneously on a paper batch record to satisfy cGMP requirements” (1). There is a lapse between electronic data entry and the point at which the data is saved and becomes a cGMP record. An autosave function would eliminate this gap. This point is discussed in the FDA guidance, which states that technical and procedural controls can be employed to meet cGMP documentation practices for electronic data systems. Legacy systems can incorporate a documented secondary verification to cover gaps in electronic audit trail capabilities.

Historically, the process of data review was to view the programmable logic controller display and manually record what was displayed at procedurally defined intervals. Presently, the industry has moved to electronic systems that store electronic data, including process parameters and alarms. The FDA guidance recommends considering ways to collect and review electronic data and to manage this cGMP data in accordance with the record retention period. If the electronic data were collected, analyzed and reported, it could also be used for other purposes such as process improvements, process optimization and troubleshooting. If the electronic data is overwritten, there needs to be a formal risk assessment of this activity covering all data, including metadata, that has been identified, and a written justification of why this is acceptable.

Including the audit trail data in the data review and approval process should be a standard approach for all cGMP processes. Leaving the audit trail out of the data review process means that not all data is reviewed when making quality-based decisions. The data and metadata are required to be managed, securely stored, and readily retrievable for regulatory inspection upon request, the same as with paper records. If the review frequency for the data is specified in cGMP regulations, adhere to that frequency for the audit trail review. For example, § 211.188(b) requires review after each significant step in manufacture, processing, packing, or holding, and § 211.22 requires data review before batch release. In these cases, you would apply the same review frequency for the audit trail. Furthermore, there should be a proceduralized audit trail review which is performed by quality assurance. The audit trails must be reviewed for each batch before the batch can be released for distribution. The FDA is referring to audit trail reviews, which would not be covered by the exemption that allows automation to take the place of a second person witnessing the operation’s significant step. This audit trail review needs to be performed by a person. The responsibility concerning the reference to § 211.188(b) would fall to production, while the responsibility concerning the reference to § 211.22 would fall to quality assurance.

 

(1) Data Integrity and Compliance with Drug CGMP: Questions and Answers Guidance for Industry (U.S. FDA, December 2018).
