Understanding ALCOA Principles and FDA & EU Data Integrity Principles for Pharma

As regulatory and QC professionals, we all understand the important role data plays in maintaining consistent, high-quality, and safe products. What is less well understood is how regulators expect you to collect, maintain, and report that data. Every year, scores of pharmaceutical manufacturers receive unexpected reprimands from FDA and EU regulators on this very issue.

EU auditors and FDA investigators are trained in the principles of data integrity and how it can be compromised. This can take many forms, including:

• • Human error, such as unintended transfer errors, misconfigurations, and security errors
  • Technical issues, such as physical compromise to devices or server failures
  • Malicious acts, such as viruses, malware, hacking, and other cyber threats

While many data integrity violations are not the result of malice, it’s important to note that FDA and EU regulators draw no distinction between unintentional and intentional data integrity problems. So, if you’re expecting to find a sympathetic shoulder to cry on after your next audit or inspection, expect a dose of tough love instead…minus the love.

What Regulators Focus on When It Comes to Data Integrity

• As a manufacturer you generate virtual reams of data, so you may wonder which data is most scrutinized. In general, regulators consider it important to focus resources on systems, features, or functions that directly:
• Impact product properties or manufacturing processes essential to patient safety or product quality
• Impact the integrity of data used to specify or support patient safety or product quality
• Measure, inspect, analyze, or disposition the product or process
• Accept or perform process corrections without human intervention, awareness, or review
• Impact labeling or instructions for use
• Alert or communicate to the user

Relevant Documents Related to Data Integrity

There are enough publications related to pharma data integrity to cure insomnia for a year. Don’t try to tackle them all at once. Start with these two short publications to get a high-level overview of how US and FDA regulators think about data integrity:

• Q&A: FDA Data Integrity and Compliance with Drug CGMP
• Q&A: European Medicines Agency on data integrity

After that, move on to graduate-level homework by diving into these, in order of relevance:

• FDA 21 CFR Part 11
• ISPE GAMP Guide to Records and Data Integrity
• ICH Q7 (Section VI)
• ISPE GAMP 5
• AAMI TIR 36 – Validation of Software for Regulated Processes
• ISO/TR 80002-2 – Validation of software for medical device quality systems

Prioritize Risk Over Documentation

Over time, FDA and other regulators have been encouraging manufacturers to use critical thinking to implement risk-based decisions about data governance. Rather than focusing on simply collecting the required documentation and focusing on testing activities, the emphasis now is tilted more toward applying critical thinking to identify the most important data, associated vulnerabilities, and appropriate controls. The goal is to develop a strategy and incorporate requirements into your business processes.

Understanding the different states of data is important for effectively managing and analyzing data to extract insights and make informed decisions. Each state of data may require different tools, techniques, and approaches to effectively process and analyze the data. Data security is an essential component of an organization’s business continuity plan; therefore, a combination of technical and physical controls to protect data from unauthorized access, loss, or theft should be well thought out and implemented.

Common Pharma Data Integrity Themes

FDA and other regulators see the same problems pop up time and time again. Many of these examples were taken from publicly available FDA warning letters, but there is little doubt that EU regulators see the same issues. They generally fall into four categories.

EU and FDA ALCOA Principles

What does ALCOA mean? The ALCOA acronym describes basic principles for data integrity developed in the 1990s by FDA. The core data principles (attributable, legible, contemporaneous, original, accurate) serve as a framework for data management and documentation practices that help ensure the accuracy, reliability, and completeness of data generated in support of drug development, regulatory submissions, and postmarket monitoring.

Over time, the ALCOA principles expanded and have become widely adopted as a best practice within the pharmaceutical industry and have been incorporated into regulatory guidance documents in various countries around the world.

ALCOA+

Want to Learn More?

The myriad overlapping guidance documents and regulations related to data compliance and integrity may start to make your head hurt. If you feel a data migraine coming on, consider our deep-dive class on pharma data integrity. Using real-life examples, our instructors will untangle the morass of data compliance requirements, giving you a clear vision of what needs to be done within your organization and how.