Data Integrity and Good Documentation Practices in the Life Science Sector

Use of documents and records in an FDA-regulated environment

What are documents, records, and data, and how are they used in an FDA-regulated environment? Documents are approved instructions either in paper or electronic form which guide how an activity should be performed (e.g., standard operating procedures, work instructions). Records provide evidence that activities have been performed (e.g., batch records, calibration documentation, cleaning and maintenance logs, corrective action forms, training records, and clinical study files). Raw data is primary data collected and typically analyzed, processed and/or transformed into more understandable information from which a conclusion can be made. Raw data may be documented in laboratory worksheets, records, electronic data files, notes, etc.   Data is often subject to evaluation by independent observers and may be the basis for making important conclusions about the clinical safety, performance, and efficacy of a regulated product.

Records are often used as objective evidence (data that shows or proves that something exists or is true). Objective evidence can be collected through observation, measurement, test, or by using any other suitable method.  GDP applies to all records and all data. This includes electronic, paper-based, hybrid (combination of paper and electronic), and other types of records including photographs, images, chromatography plates, etc.

What is ALCOA+?

ALCOA+ is a set of principles applied by the FDA and other regulatory bodies to communicate the basic principles of Good Documentation Practices and their application to GLP, GMP, and GCP activities.

To meet data integrity expectations, records must be:

• Attributable – Identity of the person who created a record or recorded the data must be recorded; Source of the data must be recorded; Date and time of the entry must be recorded; amendments must be justified and the person who made the amendment must be recorded along with the date the amendment was made.
• Legible – Data must be clearly written in permanent, indelible ink and recorded using consistent straightforward language.
• Contemporaneous – Data entries must be recorded in real-time when an activity or action takes place and must not be recorded after-the-fact (back-dating is never allowed).
• Original – Records must be original and not copies or transcriptions (no scratch paper); Electronic records must have systems in place to ensure the original recording of data cannot be changed (procedural requirements or electronic audit trail); Copies of original records must be indicated as such and the original version must be preserved, even when copies exist.
• Accurate – Information recorded must be correct and reflect what actually happened; original information should not be edited, and any changes must be made in a way that make it possible to refer back to the original information (corrections should be made with a single-line cross-out through the error, initials and date of the person making the correction, and justification for the correction/reason for the change).
• + complete, consistent, enduring, and available – All recorded data should have an audit trail showing any changes and to show that nothing has been deleted or lost; Data must be chronological and changes to original data must be timestamped; Data must be available for long after it is recorded (decades, in some situations) and electronic data must be backed up; Data must be accessible and readily available for review at all times.

The “ALCOA”  acronym was introduced by Stan W. Woollen from the FDA’s Office of Enforcement in the 1990s.  The “+” was a later addition to incorporate the concepts of records being complete, consistent, enduring, and available.  ALCOA+ principles apply to records and data throughout their entire lifecycle, from creation, processing, use, retention, retrieval, and destruction.

Electronic Records and Signatures

In addition to ACLOA+, FDA also outlines requirements for GDP in 21 CFR Part 211 and Part 11. FDA’s 21 CFR Part 211 requires that:

• “Backup data are exact and complete” and “secure from alteration, inadvertent erasures, or loss”.
• Records and data must be “stored to prevent deterioration or loss”.
• Activities must be “documented at the time of performance” and lab controls must be “scientifically sound”.
• Records must be retained as “original records”, “true copies”, or “accurate reproductions of the original records”.
• Records must include “complete information”, “complete data derived from all tests”, “complete record of all data”, and “complete records of all tests performed”.

21 CFR Part 11 establishes FDA regulatory requirements for electronic records and electronic signatures. The Part 11 regulation was developed due, in part, to FDA concerns regarding data integrity in electronic records. The use of electronic data capture systems has become ubiquitous in all life science industries. Electronic systems are used to capture, process, and maintain laboratory testing data, manufacturing/production data, storage and distribution data, and clinical trials data.

One Part 11 requirements is that electronic records provide an audit trail. An audit trail provides a secure, computer-generated, time-stamped electronic data point that records the date, time, and operator entries and actions made to create, modify, and delete electronic records. In short, it provides traceability by giving information about who recorded data, when, and why. Audit trails capture changes to critical data and helps prevent data from being deleted or lost.

Additionally, this regulation requires controls to ensure the integrity of electronic records. Only authorized personnel may make changes to electronic data and actions must be attributable to a specific person. This can be achieved through password-protected systems and individual user log-ins. It is imperative that passwords are not shared and that users only log-in under their own account. Even during training, data should be entered under the account of the person performing the task. The trainee must not log data under the trainer’s account. Sharing passwords or logging data under someone else’s account eliminates the ability for a unique individual to be identified through the system. Users must never leave their accounts logged in and unattended to prevent someone else inadvertently entering data under the wrong account.

Conclusion

It is important for organizations to follow these requirements. Failure to follow GDP requirements and the ALCOA+ principles could lead to the falsification of data and records.  This could include back-dating or failure to record data in real-time, recording incorrect/false results, recording results of a task that has not actually been performed, signing a record as someone other than yourself, failure to record data with undesirable results and repeating the task to achieve better results, altering records without properly recording the change, and deliberately destroying or amending records to change or hide data. Consequences of data falsification and failure to follow GDPs range from citation of audit observations on FDA 483s and FDA warning letters, to regulatory restriction of product distribution, damage to market reputation, customer distrust, and financial losses. Legal penalties may also be levied when falsification of data is identified. These penalties are punishable under US Title 18, Section 1001 and include fines and imprisonment.

Third-party audits can be helpful to demonstrate compliance with GDPs or to verify that GDP issues discovered during an inspections by regulatory authorities have been effectively corrected.