Professional Documents
Culture Documents
Manufacturing
Five Areas of Risk for Drug and
Device Manufacturers
© 2020 FDAnews. Digital version ISBN: 978-1-60430-125-0. Price: $397. All rights reserved. Photocopying or reproduc-
ing this report in any form, including electronic or facsimile transmission, scanning or electronic storage, is a violation of
federal copyright law and is strictly prohibited without the publisher’s express written permission.
This report may not be resold. FDAnews only sells its publications directly or through authorized resellers. Information
concerning authorized resellers may be obtained from FDAnews, 300 N. Washington St., Suite 200, Falls Church, VA
22046-3431. Main telephone: 703.538.7600. Toll free: 888.838.5578.
While every effort has been made by FDAnews to ensure the accuracy of information in this report, this organization
accepts no responsibility for errors or omissions. The report is sold as is, without warranty of any kind, either express
or implied, respecting its contents, including but not limited to implied warranties for the report’s quality, performance,
merchantability, or fitness for any particular purpose. Neither FDAnews nor its dealers or distributors shall be liable to the
purchaser or any other person or entity with respect to any liability, loss, or damage caused or alleged to be caused directly
or indirectly by this report.
Auditing for Quality Manufacturing: Five Areas of Risk
for Drug and Device Manufacturers
Table of Contents
Introduction...................................................................................................................1
The Importance of Data Integrity.....................................................................................2
A Brief History of Data Integrity Issues.........................................................................4
Industry Guidance......................................................................................................5
Making Data Integrity an Audit Focus...........................................................................5
Creating a Culture of Quality...........................................................................................7
Measuring Quality......................................................................................................9
Mitigating the Risk of Aging Facilities...........................................................................12
Auditing an Aging Facility...........................................................................................13
Making the Case for Modernization............................................................................14
Keeping Abreast of Changing Standards.....................................................................14
Slowing the Aging Process...........................................................................................14
Investigations..............................................................................................................16
Troubleshooting the CAPA Process.............................................................................17
Risk Management........................................................................................................20
Principles of Risk Assessment..................................................................................20
Implementing a Quality Risk Management Plan...........................................................21
Appendices..................................................................................................................23
A. WHO Annex 5: Guidance on Good Data and Record Management Practices
B. MHRA GxP Data Integrity Guidance and Definitions
C. FDA Data Integrity and Compliance with CGMP Guidance
D. ICH Q10: Pharmaceutical Quality System
E. GHTF Quality Management System — Medical Devices — Guidance on Corrective
Action and Preventive Action and Related QMS Processes
Auditing for Quality Manufacturing: Five Areas of Risk for Drug and Device Manufacturers
Introduction
Quality problems at manufacturing facilities can manifest in countless ways, from small
and insidious to sudden and overwhelming. Large or small, quality issues will nearly always
hurt drugmakers and device manufacturers in terms of both output and product quality. At best,
a persistent quality problem may lead to manufacturing stoppages and lost batches. At worst,
quality issues can result in large-scale recalls, cause drug shortages, hurt consumer trust and
cause regulatory blowback.
By regularly monitoring and auditing for quality, companies can stay on top of these risks,
identifying deviations before they have a chance to eat too deeply into the bottom line. Monitor-
ing tools, internal investigations of both manufacturing equipment and processes, and a focus
on risk management can all contribute to an overall culture of quality, helping companies catch
problems before regulators do.
In this report, readers will learn the key principles of auditing for quality. These include a
focus on data integrity, building an overall culture of quality that permeates the entire organi-
zation, mitigating the risk of aging equipment, investigating manufacturing deviations as they
arise and using the most current risk management tools. The report includes specific warning
signs that a company’s culture of quality is eroding, as well as research-backed attributes of a
mature quality culture. The report also walks readers through relevant quality regulations from
the FDA and international regulatory bodies and previews what’s coming as these agencies con-
tinue to reassess their own auditing strategies and priorities.
Portions of this report come from an FDAnews-sponsored webinar featuring Susan
Schniepp, currently a distinguished fellow with Regulatory Compliance, Inc., and a board mem-
ber and editorial advisor for Pharmaceutical Technology and BioPharm International maga-
zines.
1
Auditing for Quality Manufacturing: Five Areas of Risk for Drug and Device Manufacturers
2
Auditing for Quality Manufacturing: Five Areas of Risk for Drug and Device Manufacturers
“As an auditor, there’s always someone who will ask you, ‘Tell me in the regulations where
it says that results and measurements and data need to be recorded at the time the work is per-
formed,’” Schniepp says. “So it’s helpful to have a chart with this information, something you
can point to quickly.”
Increasingly, quality departments and auditors are hearing the term “ALCOA Plus,”
Schniepp adds. This is rooted in the World Health Organization’s (WHO) 2010 report on good
distribution practices, and more specifically from the section of that report focused on data
management (see Appendix A). ALCOA Plus adds several data integrity elements that quality
departments must consider:
º Consistent: The data are presented, recorded, dated or time-stamped in the expected and
defined sequence.
º Enduring: The data or information must be maintained, intact and accessible throughout
their defined retention period.
º Available: The data or information must be able to be accessed at any time during the
defined retention period.
“Data integrity is definitely foremost in the minds of regulatory authorities worldwide,”
Schniepp says.
3
Auditing for Quality Manufacturing: Five Areas of Risk for Drug and Device Manufacturers
4
Auditing for Quality Manufacturing: Five Areas of Risk for Drug and Device Manufacturers
Industry Guidance
Because of the slew of data integrity issues across the pharmaceutical and medical device
industries, the FDA and other regulatory bodies have released a number of industry guidance
documents. These include:
º The UK’s Medicines and Healthcare products Regulatory Agency (MHRA) GxP Data
Integrity Definitions and Guidance for Industry, July 2016 draft version for consultation
(see Appendix B);
º The FDA’s Data Integrity and Compliance with CGMP, April 2016 draft guidance (see
Appendix C);
5
Auditing for Quality Manufacturing: Five Areas of Risk for Drug and Device Manufacturers
product. But none of the others had this deviation. That’s a bit of a data integrity nightmare,
because of everybody there, only Craig was really doing the right thing … everyone else was
kind of faking it.”
No one in the organization examined this particular deviation, which caused a bigger issue.
The story also points to the fact that data metrics, in order to be meaningful and effective, must
be combined with a strong culture of quality.
6
Auditing for Quality Manufacturing: Five Areas of Risk for Drug and Device Manufacturers
7
Auditing for Quality Manufacturing: Five Areas of Risk for Drug and Device Manufacturers
“4. Principles
4.7 Quality culture. Management, with the support of the quality unit, should establish
and maintain a working environment that minimizes the risk of non-compliant records
and erroneous records and data. An essential element of the quality culture is the trans-
parent and open reporting of deviations, errors, omissions and aberrant results at all
levels of the organization, irrespective of hierarchy. Steps should be taken to prevent,
and to detect and correct weaknesses in systems and procedures that may lead to data
errors so as to continually improve the robustness of scientific decision-making within
the organization. Senior management should actively discourage any management prac-
tices that might reasonably be expected to inhibit the active and complete reporting of
such issues, for example, hierarchical constraints and blame cultures.”
A true quality-focused culture, she argues, is one in which employees not only follow
guidelines, but consistently see others focusing on quality and making quality-based decisions.
A corporate culture indicates—to employees and others—what the company values and what’s
important to its management.
Some warning signs that a company does not have a culture of quality include:
º The CEO and other senior executives rarely discuss quality, let alone performance
against quality objectives;
º The company’s quality vision is either nonexistent or has minimal linkages to business
strategy;
º The organization has few, if any, feedback loops to continuous improvement of pro-
cesses;
º The company lacks formal mechanisms for collecting and analyzing customer feed-
back;
º Metrics used for performance evaluation feature little to no mention of quality goals;
º Employees are unfamiliar with the company’s quality vision and values—or, perhaps
worse, they view them as mere slogans;
º The organization experiences frequent, though often minor, setbacks owing to inconsis-
tent quality.
8
Auditing for Quality Manufacturing: Five Areas of Risk for Drug and Device Manufacturers
Measuring Quality
But how can you measure, in an audit, something as seemingly amorphous as a company’s
culture? PDA has been working on a standard that could help quantify a culture of quality,
Schniepp says. “PDA set out to determine: Is there a set of mature quality attributes that are a
surrogate for quality culture behaviors? That’s what we asked ourselves. The theory was that if
quality attributes equal quality behaviors, and quality behaviors equal a quality culture, then by
measuring the quality attributes you’d be able to measure the culture,” she says.
PDA conducted a survey and a statistical analysis of the survey data, which was ultimately
published in its Journal of Pharmaceutical Science and Technology, and which the PDA hopes
will lead to an ANSI-approved standard for measuring quality.
For the study, PDA began by identifying quality attributes that could be measured. These
included:
º Deviations reporting;
º A change control system;
º A CAPA system;
º A complaints management system; and
º An environmental monitoring program.
Quality behaviors, on the other hand, must be carefully observed or experienced and are
more subjective. These include communication and transparency, rewards and recognition,
engagement and a company’s cross-functional vision. The idea of the study was that if the attri-
butes could be measured and linked to quality outcomes these behaviors could be assumed. The
study authors came up with survey questions in seven areas:
1. Prevention programs;
2. Quality management and issue escalation;
3. Training and personnel development;
4. Quality system management;
5. People and communications;
6. Continuous improvement; and
7. Site metric reporting.
The questions yielded information that the researchers mapped to 42 specific quality-related
behaviors. The results were peer-reviewed and confirmed. An analysis of the data revealed 15
quality attributes and actions that Schniepp says are most closely correlated with an overall
culture of quality:
1. Attending and participating in professional conferences to stay current in the field;
2. Collecting error prevention metrics;
9
Auditing for Quality Manufacturing: Five Areas of Risk for Drug and Device Manufacturers
10
Auditing for Quality Manufacturing: Five Areas of Risk for Drug and Device Manufacturers
Regardless of what happens with the standard, Schniepp says she expects FDA inspections
to continue to include more quality metrics. The agency has been developing its New Inspec-
tion Program (NIP), and while it’s far from set in stone, all indications are that it will include an
explicit focus on quality culture.
“In a traditional inspection, the quality culture of a company was really only covered in an
informal, associative way,” she says. “But in the NIP protocol, they are going to give explicit
coverage for quality culture. I think we’re seeing the door open to more questions that try to
pinpoint the culture of an organization.”
11
Auditing for Quality Manufacturing: Five Areas of Risk for Drug and Device Manufacturers
12
Auditing for Quality Manufacturing: Five Areas of Risk for Drug and Device Manufacturers
able uptick in the amount of required maintenance. Decreased yields and increased deviations
are also signs of aging. These are all important trends to examine, Schniepp says.
14
Auditing for Quality Manufacturing: Five Areas of Risk for Drug and Device Manufacturers
Meanwhile, the organization continued the manufacturing process. The copper, everyone
decided, was simply a glitch. “We blamed it on the glass supplier,” Schniepp says. “They must
have copper in their facility. So we called for an immediate for-cause audit of the glass sup-
plier.” That audit didn’t find any copper in their facility, either. Then, about a week later, more
green vials appeared. “Now we’re scratching our heads,” she says, “because we don’t know
where this is coming from.”
In one of the investigation tools, there was a low probability of copper piping in the depyro-
genation tunnel for the ovens. Old lines, she says, have copper piping above the depyrogenation
tunnel, whereas newer lines have those pipes below the tunnel. It turned out that the 30-year-old
tunnel was failing. A dew pressure valve was not turning off correctly, and water was building
up on top of the HEPA filters. When the filters couldn’t handle it anymore, they breached cop-
per-colored water into the vials as they were going through the tunnel.
The upshot, Schniepp says, was that the problem didn’t get solved until 27 potentially
compromised lots of the product had been made. “It was $28 million worth of lost product. We
lost everything produced on the line, because we couldn’t predict when it would have breached
in that time period,” she says. Better monitoring could have predicted the risk. “It cost a lot to
overlook that one area,” she says. “That’s where an aging facility can really cost you money. If
you’re not on top of things, you can have an event like that where it becomes catastrophic.”
15
Auditing for Quality Manufacturing: Five Areas of Risk for Drug and Device Manufacturers
Investigations
Regular investigations are a crucial part of a quality culture—and also required by just about
every regulatory or licensing body worldwide. In the U.S., the regulatory authority for investi-
gations in drug manufacturing comes from several places, including 21 CFR 211.22(a):
“There shall be a quality control unit that shall have the responsibility and authority to
approve or reject all components, drug product containers, closures, in-process materials,
packaging materials, labeling and drug products, and the authority to review production
records to assure no errors have occurred, or if errors have occurred, that they have been
fully investigated. The quality control unit shall be responsible for approving or rejecting
drug products manufactured, processed, packed or held under contract by another com-
pany.”
For medical devices, 21 CFR 820.100 calls for “investigating the cause of nonconformi-
ties relating to product, processes and the quality system,” while 21 CFR 820.198 states: “Any
complaint involving the possible failure of a device, labeling or packaging to meet any of its
specifications shall be reviewed, evaluated and investigated.” All investigations must be docu-
mented under 21 CFR 820.90, while 21 CFR 820.100(a) codifies the need for CAPA: “Each
manufacturer shall establish and maintain procedures for implementing corrective and preven-
tive action.”
The European Medicines Agency, meanwhile, spells out similar requirements in its EudraLex
Volume 4:
“A Pharmaceutical Quality System appropriate for the manufacture of medicinal products
should ensure that:
º The results of product and process monitoring are taken into account in batch release,
in the investigation of deviations, and, with a view to taking preventive action to avoid
potential deviations in the future.
º An appropriate level of root cause analysis should be applied during the investigation
of deviations, suspected product defects and other problems.
º A review of all batches that failed to meet established qualifications and their investiga-
tion.
º A review of all quality-related returns, complaints and recalls and the investigations
performed at the time.”
Other places where manufacturers can find guidelines on investigations and CAPA include:
º The Global Harmonization Task Force (GHTF) Quality Management System — Medi-
cal Devices — Guidance on Corrective Action and Preventive Action and Related QMS
Processes (see Appendix E).
Review
Detect Report Nonconformity
Nonconformity Nonconformity Against Criteria
Record the
Implement Results of Verify Effectiveness
Corrective Action Actions Taken of Actions Taken
17
Auditing for Quality Manufacturing: Five Areas of Risk for Drug and Device Manufacturers
Schniepp says companies can fail at any step in that process and that few excel at them all.
The biggest issue she sees with manufacturing companies is a failure to truly get at the root
cause of an issue. Often, an investigation will find a likely cause, the company will make a
quick fix and then they’ll be surprised a few weeks later when the same problem comes back, or
when a similar problem affects another manufacturing line. This is usually because the investi-
gation stopped too soon and didn’t go deep enough to find the root cause.
The first step, Schniepp says, is to understand the difference between a cause and a root
cause. A cause is the most direct reason that something failed. A root cause is the fundamental
issue or chain of events that led to a failure. Sometimes, of course, a failure is a one-time issue
and a brief investigation can find and fix the cause. “Not everything is a CAPA,” Schniepp says.
“You don’t need to complicate it if it’s not complicated. Sometimes there’s a simple issue that
occurred, with a simple solution. Keep monitoring it and see if the issue’s been fixed.”
But often, a failure is systemic, repeats or is part of a larger pattern of issues that requires a
more in-depth investigation to get at the root cause. In these situations, an initial investigation
may turn up a cause, but until you get at the underlying root cause, the issue will keep occurring
and may even worsen.
One problem Schniepp sees frequently is companies that rely so heavily on investigative
tools that they lose the element of critical thinking. “There are lots of tools for figuring out what
went wrong in a process, and a lot of those tools are great,” Schniepp says. “But no tool is a re-
placement for critical thinking. Yes, use the tools, but you also have to think things through, and
keep an open mind when investigating to the root cause. It may not be what you expected.”
It’s crucial that investigators interview operators involved in the process in question.
They’re often a wealth of knowledge about what works and what doesn’t in a given process,
and sometimes they’ve never told anyone what they know simply because no one has ever
asked. It’s also important that these interviews take place in a timely manner, ideally within a
week or so of identifying the problem. Over time, memories get fuzzy, and an operator may
have a harder time recalling what went wrong with a process on a given day or whether he or
she did anything unusual.
A risk assessment should be part of the investigation. Not all deviations are created equally;
some will have a greater impact on the ultimate health or safety of the patient or end user of a
drug or device. There are one-time deviations that could have a huge impact, Schniepp says,
and there are repeated deviations that may only have a minor impact. Understanding the risk
will help you plan an investigation and plan what you’ll do about the manufacturing process
while an investigation is carried out. That might include disposing of product batches or halt-
ing a process until identifying the root cause and putting corrective and preventive actions into
place.
Schniepp offers the following example from her own work history: She’d been brought on
as quality manager for a company performing contract manufacturing for a drugmaker. One of
the company’s suppliers had stopped making the active pharmaceutical ingredient (API) for
one of their products, and the company had not been able to find a replacement supplier. There
was enough supply of the API for three final batches of the drug. During the manufacturing run
for the second batch, a floor manager halted the process due to a deviation and said they would
need to throw out the product from that batch. “But I said, ‘no, you won’t be throwing that
18
Auditing for Quality Manufacturing: Five Areas of Risk for Drug and Device Manufacturers
batch away, and in fact we can cease and desist testing for that particular deviation,’” Schniepp
recalls.
The deviation in question, Schniepp says, had to do with splashback that caused a small
amount of liquid to land between the stopper and the vial. “Just this tiny white spot, the size
of a pinhead,” she says. It was a cosmetic issue, rather than one that would affect the safety or
efficacy of the medication. And the drug in question was one that helped patients manage the
symptoms of leukemia. “I know it’s a deviation, and I know how to fix it—for the next run, we
had to adjust a filter head,” Schniepp says. “But there’s absolutely no reason to trash this prod-
uct that patients badly need and which will work just as well.”
She says this is just one example of what can happen if people blindly follow protocols
rather than engaging in critical, situational thinking. In another situation, perhaps the cosmetic
deviation would have warranted throwing out a batch of product. But in this case, the scale was
clearly tipped in favor of keeping the product. Schniepp notes that the FDA agreed with the
assessment; she reported the issue to regulators, who said that the company should indeed ship
the product.
So, a quality investigation should make use of risk management tools and should aim to dig
deep enough to find a root cause. The industry standard for an investigation is a 90-day process,
but Schniepp emphasizes that this comes from experience, not any regulatory requirement.
Some investigations will be simpler and shorter, and some may need to stretch beyond 90 days.
“What you really want to look for is whether [an investigation] is getting to the root cause,”
she says. “Are they using their tools well? Is there a transparent flow of information? Did they
interview operators right away, or was there a lag? If it takes two weeks to jump on a problem
or a deviation, that could be an issue. You may not get all the information you need to solve the
problem.”
19
Auditing for Quality Manufacturing: Five Areas of Risk for Drug and Device Manufacturers
Risk Management
Any manufacturing facility investing in a culture of quality must lean on risk management
principles in its ongoing auditing and monitoring plans. From a regulatory perspective, the
current risk management guidelines for drugmakers come from the International Council on
Harmonization’s (ICH), Q9 – Quality Risk Management. Those guidelines were published in
2005 and are scheduled for an update in spring or summer 2020. Schniepp says the upgrade is
overdue, as there have long been questions in the industry about how best to apply the current
guidance.
Currently, the training material published on the ICH website is meant to support imple-
mentation of ICH Q9, but that material could be improved, Schniepp says. She expects this will
be the focus of the 2020 update—not a rewrite of the guidance itself, but a clarification on how
it should be implemented by manufacturers. That clarification would likely come through an
addendum or partnering document. “You’re not going to see a total rewrite of ICH Q9. You’re
going to see an enhanced version,” she predicts.
Principles of Risk Assessment
A risk assessment should focus on the impact of the issue being studied on the health and
safety of the patient or end user of the drug or device. That’s both the starting place and the
endpoint: how will a given issue affect the patient or user?
The scope of a risk assessment should include:
º Product in the field;
º Multiple lots;
º Multiple locations; and
º The frequency of occurrence of an issue, as identified via hazard analysis tools.
ICH Q9 sets out to offer what it calls a “systematic approach to quality risk management”
that can then lead to better, more informed decisionmaking. Good risk-based decisionmaking
is both transparent and comprehensive. “And really, the purpose of ICH Q9 was to make better
and more informed decisions about things going on in the manufacturing process,” Schniepp
says.
But there are significant challenges to implementing the quality risk assessment measures
called for in ICH Q9. Schniepp points to a 2016 article in Pharmaceutical Engineering, by
James Vesper and Kevin O’Donnell. The authors identified a number of potential issues, includ-
ing:
Using formal quality risk management (QRM) tools in situations where less formal tools
would suffice;
º Using QRM to justify an action, rather than to assess risk;
º Failing to create quality culture, limiting how QRM is applied;
º Using a specific risk-assessment tool as the QRM process;
20
Auditing for Quality Manufacturing: Five Areas of Risk for Drug and Device Manufacturers
21
Auditing for Quality Manufacturing: Five Areas of Risk for Drug and Device Manufacturers
shut down manufacturing, not everyone had a plan in place for how to mitigate that. As part of
a risk management plan, she suggests looking at where your suppliers are located and thinking
through your options should there be a major disruption in that country or region.
A quality risk management plan must also involve people at all levels of a company. It’s im-
portant to get management buy-in, but it’s equally important that line operators and employees
“in the trenches” have their voices heard. For example, during the 2008 financial crisis, some fi-
nancial institutions were quicker than others to stop offering so-called subprime mortgages—in
large part, Schniepp says, because of reports from field offices and loan officers, as well as em-
ployees who were looking at data and seeing that some of the numbers weren’t making sense.
Every department in an organization should come up with its own risk management plan,
and then these plans should be combined by the quality department. The plan should include
metrics and data measurement points and specify who’s tasked with monitoring them, as well
as what happens in the event of deviations or bad data trends. Each department collects its
own data, and then sends it to management either monthly or quarterly. Ideally, Schniepp says,
what’s sent to management includes raw data, “undiluted,” rather than just whatever takeaways
individual departments have gleaned from that data, which could be influenced by people’s
biases and expectations.
“We have a lot of data we all collect and report, but getting a metric that’s unbiased is really,
really tough,” Schniepp says.
It’s also important that these metrics don’t have unintended consequences. As an example,
she offers a story from her own experience working for a company that did contract manufac-
turing for several drugmakers. The company maintained a web portal for its customers, and one
of its desired metrics was to post batch information for every batch of product within 30 days
of its manufacture. As an incentive to meet this metric, the company’s management offered
rewards in the form of pizza parties. “Management said, ‘Hey, if you can hit this metric, we’ll
throw you a party,’ which sounds benign, at least on the surface,” she says.
What happened, however, was that the incentive caused the company’s employees to do
whatever they could to hit that metric. Investigations into deviations were closed early, for
instance, so they could post the batch information within 30 days. “That was actually how I fig-
ured out what was going on,” Schniepp says. “Because the numbers were just too good. No one
can post batch information within 30 days for every single batch.”
The lesson, she says, is that data metrics can’t come with “carrots” that could incentivize the
wrong behavior.
“At the end of the day, again, it’s really just the importance of that human element, of criti-
cal thinking,” she says. “The tools and the metrics are useful, but only if they’re used correctly.”
22
Auditing for Quality Manufacturing: Five Areas of Risk for Drug and Device Manufacturers
Appendices
A. WHO Annex 5: Guidance on Good Data and Record Management Practices
B. MHRA GxP Data Integrity Guidance and Definitions
C. FDA Data Integrity and Compliance with CGMP Guidance
D. ICH Q10: Pharmaceutical Quality System
E. GHTF Quality Management System — Medical Devices — Guidance on
Corrective Action and Preventive Action and Related QMS Processes
23
Appendices A: WHO Annex 5: Guidance on Good
Data and Record Management Practices
Annex 5
Guidance on good data and record management practices
Background
During an informal consultation on inspection, good manufacturing practices
and risk management guidance in medicines’ manufacturing held by the
World Health Organization (WHO) in Geneva in April 2014, a proposal for
new guidance on good data management was discussed and its development
recommended. The participants included national inspectors and specialists
in the various agenda topics, as well as staff of the Prequalification Team
(PQT)–Inspections.
The WHO Expert Committee on Specifications for Pharmaceutical
Preparations received feedback from this informal consultation during its
forty-ninth meeting in October 2014. A concept paper was received from PQT–
Inspections describing the proposed structure of a new guidance document,
which was discussed in detail. The concept paper consolidated existing normative
principles and gave some illustrative examples of their implementation. In
the Appendix to the concept paper, extracts from existing good practices and
guidance documents were combined to illustrate the current relevant guidance
on assuring the reliability of data and related GXP (good (anything) practice)
matters. In view of the increasing number of observations made during
inspections that relate to data management practices, the Committee endorsed
the proposal.
Following this endorsement, a draft document was prepared by
members of PQT–Inspection and a drafting group, including national inspectors.
This draft was discussed at a consultation on data management, bioequivalence,
good manufacturing practices and medicines’ inspection held from 29 June to
1 July 2015.
A revised draft document was subsequently prepared by the authors in
collaboration with the drafting group, based on the feedback received during
this consultation, and the subsequent WHO workshop on data management.
Collaboration is being sought with other organizations towards future
convergence in this area.
165
WHO Expert Committee on Specifications for Pharmaceutical Preparations Fiftieth report
1. Introduction 167
2. Aims and objectives of this guidance 169
3. Glossary 169
4. Principles 173
5. Quality risk management to ensure good data management 177
6. Management governance and quality audits 178
7. Contracted organizations, suppliers and service providers 180
8. Training in good data and record management 182
9. Good documentation practices 182
10. Designing and validating systems to assure data quality
and reliability 183
11. Managing data and records throughout the data life cycle 186
12. Addressing data reliability issues 189
References and further reading 190
Appendix 1 Expectations and examples of special risk management considerations
for the implementation of ALCOA (-plus) principles in paper-based and
electronic systems 192
WHO Technical Report Series No. 996, 2016
166
Annex 5
1. Introduction
1.1 Medicines regulatory systems worldwide have always depended upon the
knowledge of organizations that develop, manufacture and package, test,
distribute and monitor pharmaceutical products. Implicit in the assessment
and review process is trust between the regulator and the regulated that
the information submitted in dossiers and used in day-to-day decision-
making is comprehensive, complete and reliable. The data on which
these decisions are based should therefore be complete as well as being
attributable, legible, contemporaneous, original and accurate, commonly
referred to as “ALCOA”.
1.2 These basic ALCOA principles and the related good practice expectations
that assure data reliability are not new and much high- and mid-level
normative guidance already exists. However, in recent years, the number of
observations made regarding good data and record management practices
(GDRP) during inspections of good manufacturing practice (GMP) (1),
good clinical practice (GCP) and good laboratory practice (GLP) has been
increasing. The reasons for the increasing concern of health authorities
regarding data reliability are undoubtedly multifactorial and include
increased regulatory awareness and concern regarding gaps between
industry choices and appropriate and modern control strategies.
1.3 Contributing factors include failures by organizations to apply robust
systems that inhibit data risks, to improve the detection of situations where
data reliability may be compromised, and/or to investigate and address
root causes when failures do arise. For example, organizations subject to
medical product good practice requirements have been using validated
computerized systems for many decades but many fail to adequately review
and manage original electronic records and instead often only review and
manage incomplete and/or inappropriate printouts. These observations
highlight the need for industry to modernize control strategies and apply
modern quality risk management (QRM) and sound scientific principles to
current business models (such as outsourcing and globalization) as well as
technologies currently in use (such as computerized systems).
1.4 Examples of controls that may require development and strengthening to
ensure good data management strategies include, but are not limited to:
■■ a QRM approach that effectively assures patient safety and product
quality and validity of data by ensuring that management aligns
expectations with actual process capabilities. Management should
take responsibility for good data management by first setting realistic
and achievable expectations for the true and current capabilities of
167
WHO Expert Committee on Specifications for Pharmaceutical Preparations Fiftieth report
3. Glossary
The definitions given below apply to the terms used in these guidelines. They
may have different meanings in other contexts.
ALCOA. A commonly used acronym for “attributable, legible,
contemporaneous, original and accurate”.
ALCOA-plus. A commonly used acronym for “attributable, legible,
contemporaneous, original and accurate”, which puts additional emphasis on
the attributes of being complete, consistent, enduring and available – implicit
basic ALCOA principles.
archival. Archiving is the process of protecting records from the
possibility of being further altered or deleted, and storing these records
under the control of independent data management personnel throughout
the required retention period. Archived records should include, for example,
associated metadata and electronic signatures.
archivist. An independent individual designated in good laboratory
practice (GLP) who has been authorized by management to be responsible
for the management of the archive, i.e. for the operations and procedures for
archiving. GLP requires a designated archivist (i.e. an individual); however, in
169
WHO Expert Committee on Specifications for Pharmaceutical Preparations Fiftieth report
other GXPs the roles and responsibilities of the archivist are normally fulfilled
by several designated personnel or groups of personnel (e.g. both quality
assurance document control personnel and information technology (IT) system
administrators) without there being one single person assigned responsibility for
control as is required in GLP.
It is recognized that in certain circumstances it may be necessary for the
archivist to delegate specific archiving tasks, for example, the management of
electronic data, to specific IT personnel. Tasks, duties and responsibilities should
be specified and detailed in standard operating procedures. The responsibilities
of the archivist and the staff to whom archival tasks are delegated include –
for both paper and electronic data – ensuring that access to the archive is
controlled, ensuring that the orderly storage and retrieval of records and
materials is facilitated by a system of indexing, and ensuring that movement
of records and materials into and out of the archives is properly controlled and
documented. These procedures and records should be periodically reviewed by
an independent auditor.
audit trail. The audit trail is a form of metadata that contains information
associated with actions that relate to the creation, modification or deletion of
GXP records. An audit trail provides for secure recording of life-cycle details
such as creation, additions, deletions or alterations of information in a record,
either paper or electronic, without obscuring or overwriting the original record.
An audit trail facilitates the reconstruction of the history of such events relating
to the record regardless of its medium, including the “who, what, when and why”
of the action.
For example, in a paper record, an audit trail of a change would be
documented via a single-line cross-out that allows the original entry to remain
legible and documents the initials of the person making the change, the date
of the change and the reason for the change, as required to substantiate and
justify the change. In electronic records, secure, computer-generated, time-
WHO Technical Report Series No. 996, 2016
stamped audit trails should allow for reconstruction of the course of events
relating to the creation, modification and deletion of electronic data. Computer-
generated audit trails should retain the original entry and document the user
identification, the time/date stamp of the action, as well as the reason for the
change, as required to substantiate and justify the action. Computer-generated
audit trails may include discrete event logs, history files, database queries or
reports or other mechanisms that display events related to the computerized
system, specific electronic records or specific data contained within the record.
backup. A backup means a copy of one or more electronic files created
as an alternative in case the original data or system are lost or become unusable
(for example, in the event of a system crash or corruption of a disk). It is
important to note that backup differs from archival in that back-up copies of
electronic records are typically only temporarily stored for the purposes of
170
Annex 5
4. Principles
4.1 GDRP are critical elements of the pharmaceutical quality system and a
systematic approach should be implemented to provide a high level of
assurance that throughout the product life cycle, all GXP records and data
are complete and reliable.
173
WHO Expert Committee on Specifications for Pharmaceutical Preparations Fiftieth report
4.2 The data governance programme should include policies and governance
procedures that address the general principles listed below for a good data
management programme. These principles are clarified with additional
detail in the sections below.
4.3 Applicability to both paper and electronic data. The requirements for
GDRP that assure robust control of data validity apply equally to paper
and electronic data. Organizations subject to GXP should be fully aware
that reverting from automated or computerized to manual or paper-based
systems does not in itself remove the need for robust management controls.
4.4 Applicability to contract givers and contract acceptors. The principles of
these guidelines apply to contract givers and contract acceptors. Contract
givers are ultimately responsible for the robustness of all decisions made on
the basis of GXP data, including those made on the basis of data provided
to them by contract acceptors. Contract givers should therefore perform
risk-based, due diligence to assure themselves that contract acceptors have
in place appropriate programmes to ensure the veracity, completeness and
reliability of the data provided.
4.5 Good documentation practices. To achieve robust decisions, the
supporting data set needs to be reliable and complete. GDocP should be
followed in order to ensure all records, both paper and electronic, allow
the full reconstruction and traceability of GXP activities.
4.6 Management governance. To establish a robust and sustainable good data
management system it is important that senior management ensure that
appropriate data management governance programmes are in place (for
details see Section 6).
Elements of effective management governance should include:
WHO Technical Report Series No. 996, 2016
4.7 Quality culture. Management, with the support of the quality unit, should
establish and maintain a working environment that minimizes the risk
of non-compliant records and erroneous records and data. An essential
element of the quality culture is the transparent and open reporting
of deviations, errors, omissions and aberrant results at all levels of the
organization, irrespective of hierarchy. Steps should be taken to prevent,
and to detect and correct weaknesses in systems and procedures that may
lead to data errors so as to continually improve the robustness of scientific
decision-making within the organization. Senior management should
actively discourage any management practices that might reasonably be
expected to inhibit the active and complete reporting of such issues, for
example, hierarchical constraints and blame cultures.
4.8 Quality risk management and sound scientific principles. Robust decision-
making requires appropriate quality and risk management systems, and
adherence to sound scientific and statistical principles, which must be
based upon reliable data. For example, the scientific principle of being an
objective, unbiased observer regarding the outcome of a sample analysis
requires that suspect results be investigated and rejected from the reported
results only if they are clearly attributable to an identified cause. Adhering
to good data and record-keeping principles requires that any rejected
results be recorded, together with a documented justification for their
rejection, and that this documentation is subject to review and retention.
4.9 Data life cycle management. Continual improvement of products to
ensure and enhance their safety, efficacy and quality requires a data
governance approach to ensure management of data integrity risks
throughout all phases of the process by which data are created, recorded,
processed, transmitted, reviewed, reported, archived and retrieved and
this management process is subject to regular review. To ensure that the
organization, assimilation and analysis of data into information facilitates
evidence-based and reliable decision-making, data governance should
address data ownership and accountability for data process(es) and risk
management of the data life cycle.
4.10 To ensure that the organization, assimilation and analysis of data into a
format or structure that facilitates evidence-based and reliable decision-
making, data governance should address data ownership and accountability
for data process(es) and risk management of the data life cycle.
4.11 Design of record-keeping methodologies and systems. Record-keeping
methodologies and systems, whether paper or electronic, should be
designed in a way that encourages compliance with the principles of
data integrity.
175
WHO Expert Committee on Specifications for Pharmaceutical Preparations Fiftieth report
other erasable inks should not be used. Paper should also not be
temperature-sensitive, photosensitive or easily oxidizable. If this is not
feasible or limited (as may be the case in printouts from legacy printers
of balance and other instruments in quality control laboratories), then
true or certified copies should be available until this equipment is retired
or replaced.
4.14 Maintenance of record-keeping systems. The systems implemented and
maintained for both paper and electronic record-keeping should take
account of scientific and technical progress. Systems, procedures and
methodology used to record and store data should be periodically reviewed
for effectiveness and updated as necessary.
176
Annex 5
should therefore design appropriate tools and strategies for the management
of data integrity risks based upon their own GXP activities, technologies
and processes.
5.6 A data management programme developed and implemented upon the
basis of sound QRM principles is expected to leverage existing technologies
to their full potential. This in turn will streamline data processes in a
manner that not only improves data management but also the business
process efficiency and effectiveness, thereby reducing costs and facilitating
continual improvement.
7.2 The organization that outsources work has the responsibility for
the integrity of all results reported, including those furnished by any
subcontracting organization or service provider. These responsibilities
extend to any providers of relevant computing services. When outsourcing
databases and software provision, the contract giver should ensure that
any subcontractors have been agreed upon and are included in the quality
agreement with the contract accepter, and are appropriately qualified and
trained in GRDP. Their activities should be monitored on a regular basis
at intervals determined through risk assessment. This also applies to
cloud‑based service providers.
7.3 To fulfil this responsibility, in addition to having their own governance
systems, outsourcing organizations should verify the adequacy of the
180
Annex 5
8.3 Management should also ensure that, at the time of hire and periodically
afterwards, as needed, all personnel are trained in procedures to
ensure GDocP for both paper and electronic records. The quality unit
should include checks for adherence to GDocP for both paper records
and electronic records in their day-to-day work, system and facility
audits and self-inspections and report any opportunities for improvement
to management.
WHO Technical Report Series No. 996, 2016
184
Annex 5
10.8 Other validation controls to ensure good data management for both
electronic data and associated paper data should be implemented as
deemed appropriate for the system type and its intended use.
11.10 For example, during self-inspection, some key questions to ask are: Am I
collecting all my data? Am I considering all my data? If I have excluded
some data from my decision-making process, what is the justification
for doing so, and are all the data retained, including both rejected and
reported data?
11.11 The approach to reviewing specific record content, such as critical data
fields and metadata such as cross-outs on paper records and audit trails
in electronic records, should meet all applicable regulatory requirements
and be risk-based.
11.13 During the data life cycle, data should be subject to continuous
monitoring, as appropriate, to enhance process understanding and
facilitate knowledge management and informed decision-making.
11.15 Data retention and retrieval. Retention of paper and electronic records
is discussed in the section above, including measures for backup and
archival of electronic data and metadata.
WHO Technical Report Series No. 996, 2016
1) Data folders on some stand-alone systems may not include all audit
trails or other metadata needed to reconstruct all activities. Other
metadata may be found in other electronic folders or in operating
system logs. When archiving electronic data, it is important to
ensure that associated metadata are archived with the relevant
data set or securely traceable to the data set through appropriate
documentation. The ability to successfully retrieve from the archives
the entire data set, including metadata, should be verified.
188
Annex 5
2) Only validated systems are used for storage of data; however, the
media used for the storage of data do not have an indefinite lifespan.
Consideration must be given to the longevity of media and the
environment in which they are stored. Examples include the fading
of microfilm records, the decreasing readability of the coatings of
optical media such as compact disks (CDs) and digital versatile/
video disks (DVDs), and the fact that these media may become
brittle. Similarly, historical data stored on magnetic media will also
become unreadable over time as a result of deterioration.
189
WHO Expert Committee on Specifications for Pharmaceutical Preparations Fiftieth report
Further reading
Computerised systems. In: The rules governing medicinal products in the European Union. Volume 4:
Good manufacturing practice (GMP) guidelines: Annex 11. Brussels: European Commission (http://
ec.europa.eu/enterprise/pharmaceuticals/eudralex/vol-4/pdfs-en/anx11en.pdf).
Good automated manufacturing practice (GAMP) good practice guide: electronic data archiving.
Tampa (FL): International Society for Pharmaceutical Engineering (ISPE); 2007.
Good automated manufacturing practice GAMP good practice guide: A risk-based approach to GxP
compliant laboratory computerized systems, 2nd edition. Tampa (FL): International Society for
Pharmaceutical Engineering (ISPE); 2012.
MHRA GMP data integrity definitions and guidance for industry. London: Medicines and Healthcare
Products Regulatory Agency; March 2015 (https://www.gov.uk/government/uploads/system/uploads/
attachment_data/file/412735/Data_integrity_definitions_and_guidance_v2.pdf).
WHO Technical Report Series No. 996, 2016
OECD series on principles of good laboratory practice (GLP) and compliance monitoring. Paris:
Organisation for Economic Co-operation and Development (http://www.oecd.org/chemicalsafety/
testing/oecdseriesonprinciplesofgoodlaboratorypracticeglpandcompliancemonitoring.htm).
Official Medicines Control Laboratories Network of the Council of Europe: Quality assurance documents:
PA/PH/OMCL (08) 69 3R – Validation of computerised systems – core document (https://www.edqm.
eu/sites/default/files/medias/fichiers/Validation_of_Computerised_Systems_Core_Document.pdf )
and its annexes:
■■ PA/PH/OMCL (08) 87 2R – Annex 1: Validation of computerised calculation systems: example
of validation of in-house software
(https://www.edqm.eu/sites/default/files/medias/fichiers/NEW_Annex_1_Validation_of_
computerised_calculation.pdf).
■■ PA/PH/OMCL (08) 88 R – Annex 2: Validation of databases (DB), laboratory information
management systems (LIMS) and electronic laboratory notebooks (ELN)
(https://www.edqm.eu/sites/default/files/medias/fichiers/NEW_Annex_2_Validation_of_
Databases_DB_Laboratory_.pdf).
190
Annex 5
191
WHO Expert Committee on Specifications for Pharmaceutical Preparations Fiftieth report
Appendix 1
Expectations and examples of special risk management
considerations for the implementation of ALCOA (-plus)
principles in paper-based and electronic systems
Organizations should follow good documentation practices (GDocP) in order
to assure the accuracy, completeness, consistency and reliability of the records
and data throughout their entire period of usefulness – that is, throughout
the data life cycle. The principles require that documentation should have the
characteristics of being attributable, legible, contemporaneously recorded,
original and accurate (sometimes referred to as ALCOA).
The tables in this appendix provide further guidance on the
implementation of the general ALCOA requirements for both paper and
electronic records and systems. In addition, examples of special risk management
considerations as well as several illustrative examples are provided of how these
measures are typically implemented.
These illustrative examples are provided to aid understanding of the
concepts and of how successful risk-based implementation might be achieved.
These examples should not be taken as setting new normative requirements.
Attributable. Attributable means information is captured in the record so that
it is uniquely identified as having been executed by the originator of the data
(e.g. a person or computer system).
Attributable
WHO Technical Report Series No. 996, 2016
192
Annex 5
195
WHO Expert Committee on Specifications for Pharmaceutical Preparations Fiftieth report
Table continued
Legible, traceable, permanent
Expectations for paper records Expectations for electronic records
• preservation of paper/ink that • strictly controlled configuration and use
fades over time where their use is of data annotation tools in a manner
unavoidable. that prevents data in displays and
printouts from being obscured;
• validated backup of electronic records
to ensure disaster recovery;
• validated archival of electronic records
by independent, designated archivist(s)
in secure and controlled electronic
archives.
196
Annex 5
197
WHO Expert Committee on Specifications for Pharmaceutical Preparations Fiftieth report
Contemporaneous
Contemporaneous data are data recorded at the time they are generated
or observed.
Contemporaneous
Expectations for paper records Expectations for electronic records
Contemporaneous recording of actions Contemporaneous recording of actions
in paper records should occur, as in electronic records should occur, as
appropriate, through use of: appropriate, through use of:
• written procedures, and training and • configuration settings, SOPs and
review and audit and self-inspection controls that ensure that data recorded
controls that ensure personnel record in temporary memory are committed
data entries and information at the to durable media upon completion
time of the activity directly in official of the step or event and before
controlled documents (e.g. laboratory proceeding to the next step or event
notebooks, batch records, case in order to ensure the permanent
report forms); recording of the step or event at the
• procedures requiring that activities time it is conducted;
be recorded in paper records with the • secure system time/date stamps that
date of the activity (and time as well, cannot be altered by personnel;
if it is a time-sensitive activity); • procedures and maintenance
• good document design, which programmes that ensure time/date
encourages good practice: documents stamps are synchronized across the
should be appropriately designed GXP operations;
and the availability of blank forms/ • controls that allow for the
documents in which the activities are determination of the timing of one
recorded should be ensured; activity relative to another (e.g. time
• recording of the date and time of zone controls);
WHO Technical Report Series No. 996, 2016
198
Annex 5
Original
Original data include the first or source capture of data or information and all
subsequent data required to fully reconstruct the conduct of the GXP activity.
The GXP requirements for original data include the following:
■■ original data should be reviewed;
■■ original data and/or true and verified copies that preserve the
content and meaning of the original data should be retained;
■■ as such, original records should be complete, enduring and readily
retrievable and readable throughout the records retention period.
Examples of original data include original electronic data and metadata in
stand-alone computerized laboratory instrument systems (e.g. ultraviolet/visible
spectrophotometry (UV/Vis), Fourier transform infrared spectroscopy (FT-IR),
199
WHO Expert Committee on Specifications for Pharmaceutical Preparations Fiftieth report
200
Annex 5
Table continued
Review of original records
Expectations for paper records Expectations for electronic records
• documentation of data review. For • documentation of data review. For
paper records this is typically signified electronic records, this is typically
by signing the paper records that have signified by electronically signing
been reviewed. Where record approval the electronic data set that has been
is a separate process this should also be reviewed and approved. Written
similarly signed. Written procedures for procedures for data review should
data review should clarify the meaning clarify the meaning of the review and
of the review and approval signatures approval signatures to ensure that
to ensure that the people concerned the personnel concerned understand
understand their responsibility as their responsibility as reviewers and
reviewers and approvers to assure the approvers to assure the integrity,
integrity, accuracy, consistency and accuracy, consistency and compliance
compliance with established standards with established standards of the
of the paper records subject to review electronic data and metadata subject
and approval; to review and approval;
• a procedure describing the actions • a procedure describing the actions
to be taken if data review identifies to be taken if data review identifies
an error or omission. This procedure an error or omission. This procedure
should enable data corrections or should enable data corrections or
clarifications to be made in a GXP- clarifications to be made in a GXP-
compliant manner, providing visibility compliant manner, providing visibility
of the original record and audit-trailed of the original record and audit trailed
traceability of the correction, using traceability of the correction, using
ALCOA principles. ALCOA principles.
■■ Written procedures for data review should define the frequency, roles
and responsibilities and approach to review of meaningful metadata,
such as audit trails. These procedures should also describe how
aberrant data are to be handled if found during the review. Personnel
who conduct such reviews should have adequate and appropriate
training in the review process as well as in the software systems
containing the data subject to review. The organization should make
the necessary provisions for personnel reviewing the data to access
the system(s) containing the electronic data and metadata.
■■ Quality assurance should also review a sample of relevant audit trails,
raw data and metadata as part of self-inspection to ensure ongoing
compliance with the data governance policy and procedures.
■■ Any significant variation from expected outcomes should be fully
recorded and investigated.
■■ In the hybrid approach, which is not the preferred approach, paper
printouts of original electronic records from computerized systems
may be useful as summary reports if the requirements for original
electronic records are also met. To rely upon these printed summaries
of results for future decision-making, a second person would have to
review the original electronic data and any relevant metadata such
as audit trails, to verify that the printed summary is representative
of all results. This verification would then be documented and the
printout could be used for subsequent decision-making.
■■ The GXP organization may choose a fully electronic approach to
allow more efficient, streamlined record review and record retention.
This would require authenticated and secure electronic signatures
to be implemented for signing records where required. This, in turn,
would require preservation of the original electronic records, or
true copy, as well as the necessary software and hardware or other
suitable reader equipment to view the records during the records
retention period.
■■ System design and the manner of data capture can significantly
influence the ease with which data consistency can be assured. For
example, and where applicable, the use of programmed edit checks
or features such as drop-down lists, check boxes or branching of
questions or data fields based on entries are useful in improving
data consistency.
■■ Data and their metadata should be maintained in such a way that
they are available for review by authorized individuals, and in a
format that is suitable for review for as long as the data retention
requirements apply. It is desirable that the data should be maintained
203
WHO Expert Committee on Specifications for Pharmaceutical Preparations Fiftieth report
204
Annex 5
Table continued
Retention of original records or true copies
Expectations for paper records Expectations for electronic records
• written procedures, training, review • the provision of suitable reader
and audit, and self-inspection of equipment, such as software, operating
processes defining conversion, as systems and virtualized environments,
needed, of an original paper record to view the archived electronic data
to true copy should include the when required;
following steps: • written procedures, training, review and
– a copy/copies is/are made of the audit and self-inspection of processes
original paper record(s), preserving defining conversion, as needed, of
the original record format, the static original electronic records to true copy
format, as required (e.g. photocopy, to include the following steps:
scan), – a copy/copies is/are made of
– the copy/copies need to be the original electronic data set,
compared with the original record(s) preserving the original record format,
to determine if the copy preserves the dynamic format, as required (e.g.
the entire content and meaning of archival copy of the entire set of
the original record, that metadata are electronic data and metadata made
included, that no data are missing using a validated back-up process),
in the copy. The way that the record – a second person verifier or technical
format is preserved is important for verification process (such as use of
record meaning if the copy is to meet technical hash) to confirm successful
the requirements of a true copy of backup) whereby a comparison is
the original paper record(s), made of the electronic archival copy
– the verifier documents the with the original electronic data set
verification in a manner securely to confirm the copy preserves the
linked to the copy/copies indicating entire content and meaning of the
it is a true copy, or provides original record (i.e. all of the data
equivalent certification. and metadata are included, no data
are missing in the copy, any dynamic
record format that is important for
record meaning and interpretation
is preserved and the file was not
corrupted during the execution of the
validated back-up process),
– if the copy meets the requirements
as a true copy of the original, then
the verifier or technical verification
process should document the
verification in a manner that is
securely linked to the copy/copies,
certifying that it is a true copy.
205
WHO Expert Committee on Specifications for Pharmaceutical Preparations Fiftieth report
207
WHO Expert Committee on Specifications for Pharmaceutical Preparations Fiftieth report
Accurate
The term “accurate” means data are correct, truthful, complete, valid and reliable.
For both paper and electronic records, achieving the goal of accurate
data requires adequate procedures, processes, systems and controls that comprise
the quality management system. The quality management system should be
appropriate to the scope of its activities and risk-based.
Controls that assure the accuracy of data in paper records and electronic
records include, but are not limited to:
Examples of these controls applied to the data life cycle are provided
below.
208
Annex 5
209
Appendices B: MHRA GxP Data Integrity Guidance
and Definitions
Medicines & Healthcare products
Regulatory Agency (MHRA)
March 2018
MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
Page 1 of 21
Table of contents
1. Background .................................................................................................................................. 3
2. Introduction .................................................................................................................................. 3
3. The principles of data integrity ...................................................................................................... 4
4. Establishing data criticality and inherent integrity risk ................................................................... 5
5. Designing systems and processes to assure data integrity; creating the ‘right environment’......... 7
6. Definition of terms and interpretation of requirements................................................................... 8
6.1. Data ...................................................................................................................................... 8
6.2. Raw data (synonymous with ‘source data’ which is defined in ICH GCP) .............................. 8
6.3. Metadata ............................................................................................................................... 9
6.4. Data Integrity ......................................................................................................................... 9
6.5. Data Governance .................................................................................................................. 9
6.6. Data Lifecycle...................................................................................................................... 10
6.7. Recording and collection of data ......................................................................................... 10
6.8. Data transfer / migration ...................................................................................................... 10
6.9. Data Processing .................................................................................................................. 11
6.10. Excluding Data (not applicable to GPvP): ........................................................................ 11
6.11. Original record and true copy ........................................................................................... 11
6. 11.1. Original record ............................................................................................................... 11
6.11.2. True copy ....................................................................................................................... 12
6.12. Computerised system transactions: ................................................................................. 13
6.13. Audit Trail ........................................................................................................................ 13
6.14. Electronic signatures........................................................................................................ 14
6.15. Data review and approval ................................................................................................ 15
6.16. Computerised system user access/system administrator roles ........................................ 16
6.17. Data retention .................................................................................................................. 17
6.17.1. Archive ........................................................................................................................... 18
6.17.2. Backup ........................................................................................................................... 18
6.18. File structure .................................................................................................................... 19
6.19. Validation – for intended purpose (GMP; See also Annex 11, 15) .................................... 19
6.20. IT Suppliers and Service Providers (including Cloud providers and virtual service/platforms
(also referred to as software as a service SaaS/platform as a service (PaaS) / infrastructure as a
service (IaaS)). .............................................................................................................................. 19
7. Glossary ..................................................................................................................................... 20
8. References ................................................................................................................................. 21
MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
Page 2 of 21
1. Background
The way regulatory data is generated has continued to evolve in line with the ongoing development of
supporting technologies such as the increasing use of electronic data capture, automation of systems
and use of remote technologies; and the increased complexity of supply chains and ways of working,
for example, via third party service providers. Systems to support these ways of working can range
from manual processes with paper records to the use of fully computerised systems. The main
purpose of the regulatory requirements remains the same, i.e. having confidence in the quality and
the integrity of the data generated (to ensure patient safety and quality of products) and being able to
reconstruct activities.
2. Introduction
2.1 This document provides guidance for UK industry and public bodies regulated by the
UK MHRA including the Good Laboratory Practice Monitoring Authority (GLPMA).
Where possible the guidance has been harmonised with other published guidance.
The guidance is a UK companion document to PIC/S, WHO, OECD (guidance and
advisory documents on GLP) and EMA guidelines and regulations.
2.2 This guidance has been developed by the MHRA inspectorate and partners and has
undergone public consultation. It is designed to help the user facilitate compliance
through education, whilst clarifying the UK regulatory interpretation of existing
requirements.
2.3 Users should ensure their efforts are balanced when safeguarding data from risk with
their other compliance priorities.
2.4 The scope of this guidance is designated as ‘GXP’ in that everything contained within
the guide is GXP unless stated otherwise. The lack of examples specific to a GXP
does not mean it is not relevant to that GXP just that the examples given are not
exhaustive. Please do however note that the guidance document does not extend to
medical devices.
2.5 This guidance should be considered as a means of understanding the MHRA’s position
on data integrity and the minimum expectation to achieve compliance. The guidance
does not describe every scenario so engagement with the MHRA is encouraged where
your approach is different to that described in this guidance.
2.6 This guidance aims to promote a risk-based approach to data management that
includes data risk, criticality and lifecycle. Users of this guidance need to understand
their data processes (as a lifecycle) to identify data with the greatest GXP impact.
From that, the identification of the most effective and efficient risk-based control and
review of the data can be determined and implemented.
2.7 This guidance primarily addresses data integrity and not data quality since the controls
required for integrity do not necessarily guarantee the quality of the data generated.
MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
Page 3 of 21
2.8 This guidance should be read in conjunction with the applicable regulations and the
general guidance specific to each GXP. Where GXP-specific references are made
within this document (e.g. ICH Q9), consideration of the principles of these documents
may provide guidance and further information.
2.9 Where terms have been defined; it is understood that other definitions may exist and
these have been harmonised where possible and appropriate.
3.2 Arrangements within an organisation with respect to people, systems and facilities
should be designed, operated and, where appropriate, adapted to support a suitable
working environment, i.e. creating the right environment to enable data integrity
controls to be effective.
3.3 The impact of organisational culture, the behaviour driven by performance indicators,
objectives and senior management behaviour on the success of data governance
measures should not be underestimated. The data governance policy (or equivalent)
should be endorsed at the highest levels of the organisation.
3.4 Organisations are expected to implement, design and operate a documented system
that provides an acceptable state of control based on the data integrity risk with
supporting rationale. An example of a suitable approach is to perform a data integrity
risk assessment (DIRA) where the processes that produce data or where data is
obtained are mapped out and each of the formats and their controls are identified and
the data criticality and inherent risks documented.
3.5 Organisations are not expected to implement a forensic approach to data checking on
a routine basis. Systems should maintain appropriate levels of control whilst wider data
governance measures should ensure that periodic audits can detect opportunities for
data integrity failures within the organisation’s systems.
3.6 The effort and resource applied to assure the integrity of the data should be
commensurate with the risk and impact of a data integrity failure to the patient or
environment. Collectively these arrangements fulfil the concept of data governance.
3.8 Where data integrity weaknesses are identified, companies should ensure that
appropriate corrective and preventive actions are implemented across all relevant
activities and systems and not in isolation.
MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
Page 4 of 21
3.9 Appropriate notification to regulatory authorities should be made where significant data
integrity incidents have been identified.
3.10 The guidance refers to the acronym ALCOA rather than ‘ALCOA +’. ALCOA being
Attributable, Legible, Contemporaneous, Original, and Accurate and the ‘+’ referring to
Complete, Consistent, Enduring, and Available. ALCOA was historically regarded as
defining the attributes of data quality that are suitable for regulatory purposes. The ‘+’
has been subsequently added to emphasise the requirements. There is no difference
in expectations regardless of which acronym is used since data governance measures
should ensure that data is complete, consistent, enduring and available throughout the
data lifecycle.
4.2 The risks to data are determined by the potential to be deleted, amended or excluded
without authorisation and the opportunity for detection of those activities and events.
The risks to data may be increased by complex, inconsistent processes with open-
ended and subjective outcomes, compared to simple tasks that are undertaken
consistently, are well defined and have a clear objective.
Paper
Data generated manually on paper may require independent verification if deemed
necessary from the data integrity risk assessment or by another requirement.
Consideration should be given to risk-reducing supervisory measures.
Electronic
The inherent risks to data integrity relating to equipment and computerised systems
may differ depending upon the degree to which the system generating or using the
data can be configured, and the potential for manipulation of data during transfer
between computerised systems during the data lifecycle.
The use of available technology, suitably configured to reduce data integrity risk,
should be considered.
MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
Page 5 of 21
Simple electronic systems with no configurable software and no electronic data
retention (e.g. pH meters, balances and thermometers) may only require calibration,
whereas complex systems require ‘validation for intended purpose’.
Validation effort increases with complexity and risk (determined by software
functionality, configuration, the opportunity for user intervention and data lifecycle
considerations). It is important not to overlook systems of apparent lower complexity.
Within these systems, it may be possible to manipulate data or repeat testing to
achieve the desired outcome with limited opportunity for detection (e.g. stand-alone
systems with a user-configurable output such as ECG machines, FTIR, UV
spectrophotometers).
Hybrid
Where hybrid systems are used, it should be clearly documented what constitutes the
whole data set and all records that are defined by the data set should be reviewed and
retained. Hybrid systems should be designed to ensure they meet the desired
objective.
Other
Where the data generated is captured by a photograph or imagery (or other media),
the requirements for storage of that format throughout its lifecycle should follow the
same considerations as for the other formats, considering any additional controls
required for that format. Where the original format cannot be retained due to
degradation issues, alternative mechanisms for recording (e.g. photography or
digitisation) and subsequent storage may be considered and the selection rationale
documented (e.g. thin layer chromatography).
4.4 Reduced effort and/or frequency of control measures may be justified for data that has
a lesser impact to product, patient or the environment if those data are obtained from a
process that does not provide the opportunity for amendment without high-level system
access or specialist software/knowledge.
4.5 The data integrity risk assessment (or equivalent) should consider factors required to
follow a process or perform a function. It is expected to consider not only a
computerised system but also the supporting people, guidance, training and quality
systems. Therefore, automation or the use of a ‘validated system' (e.g. e-CRF;
analytical equipment) may lower but not eliminate data integrity risk. Where there is
human intervention, particularly influencing how or what data is recorded, reported or
retained, an increased risk may exist from poor organisational controls or data
verification due to an overreliance on the system's validated state.
4.6 Where the data integrity risk assessment has highlighted areas for remediation,
prioritisation of actions (including acceptance of an appropriate level of residual risk)
should be documented, communicated to management, and subject to review. In
situations where long-term remediation actions are identified, risk-reducing short-term
measures should be implemented to provide acceptable data governance in the
interim.
MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
Page 6 of 21
5. Designing systems and processes to assure data integrity; creating the
‘right environment’.
5.1 Systems and processes should be designed in a way that facilitates compliance with
the principles of data integrity. Enablers of the desired behaviour include but are not
limited to:
At the point of use, having access to appropriately controlled/synchronised clocks
for recording timed events to ensure reconstruction and traceability, knowing and
specifying the time zone where this data is used across multiple sites.
Accessibility of records at locations where activities take place so that informal data
recording and later transcription to official records does not occur.
Access to blank paper proformas for raw/source data recording should be
appropriately controlled. Reconciliation, or the use of controlled books with
numbered pages, may be necessary to prevent recreation of a record. There may
be exceptions such as medical records (GCP) where this is not practical.
User access rights that prevent (or audit trail, if prevention is not possible)
unauthorised data amendments. Use of external devices or system interfacing
methods that eliminate manual data entries and human interaction with the
computerised system, such as barcode scanners, ID card readers, or printers.
The provision of a work environment (such as adequate space, sufficient time for
tasks, and properly functioning equipment) that permit performance of tasks and
recording of data as required.
Access to original records for staff performing data review activities.
Reconciliation of controlled print-outs.
Sufficient training in data integrity principles provided to all appropriate staff
(including senior management).
Inclusion of subject matter experts in the risk assessment process.
Management oversight of quality metrics relevant to data governance.
5.2 The use of scribes to record activity on behalf of another operator can be considered
where justified, for example:
The act of contemporaneous recording compromises the product or activity e.g.
documenting line interventions by sterile operators.
Necropsy (GLP)
To accommodate cultural or literacy/language limitations, for instance where an
activity is performed by an operator but witnessed and recorded by a second
person.
Consideration should be given to ease of access, usability and location whilst ensuring
appropriate control of the activity guided by the criticality of the data.
In these situations, the recording by the second person should be contemporaneous with the
task being performed, and the records should identify both the person performing the task and
the person completing the record. The person performing the task should countersign the
record wherever possible, although it is accepted that this countersigning step will be
retrospective. The process for supervisory (scribe) documentation completion should be
described in an approved procedure that specifies the activities to which the process applies.
MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
Page 7 of 21
6. Definition of terms and interpretation of requirements
In the following section, definitions where applicable, are given in italic text directly below the
term.
6.1. Data
Facts, figures and statistics collected together for reference or analysis. All original records
and true copies of original records, including source data and metadata and all subsequent
transformations and reports of these data, that are generated or recorded at the time of the
GXP activity and allow full and complete reconstruction and evaluation of the GXP activity.
Data governance measures should also ensure that data is complete, consistent, enduring
and available throughout the lifecycle, where;
6.2. Raw data (synonymous with ‘source data’ which is defined in ICH GCP)
Raw data is defined as the original record (data) which can be described as the first-capture of
information, whether recorded on paper or electronically. Information that is originally captured
in a dynamic state should remain available in that state.
Raw data must permit full reconstruction of the activities. Where this has been captured in a
dynamic state and generated electronically, paper copies cannot be considered as ‘raw data’.
In the case of basic electronic equipment that does not store electronic data, or provides only
a printed data output (e.g. balances or pH meters), then the printout constitutes the raw data.
Where the basic electronic equipment does store electronic data permanently and only holds a
certain volume before overwriting; this data should be periodically reviewed and where
necessary reconciled against paper records and extracted as electronic data where this is
supported by the equipment itself.
MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
Page 8 of 21
6.3. Metadata
Metadata are data that describe the attributes of other data and provide context and meaning.
Typically, these are data that describe the structure, data elements, inter-relationships and
other characteristics of data e.g. audit trails. Metadata also permit data to be attributable to an
individual (or if automatically generated, to the original data source).
Metadata form an integral part of the original record. Without the context provided by metadata
the data has no meaning.
Data integrity is the degree to which data are complete, consistent, accurate, trustworthy,
reliable and that these characteristics of the data are maintained throughout the data life cycle.
The data should be collected and maintained in a secure manner, so that they are attributable,
legible, contemporaneously recorded, original (or a true copy) and accurate. Assuring data
integrity requires appropriate quality and risk management systems, including adherence to
sound scientific principles and good documentation practices.
The arrangements to ensure that data, irrespective of the format in which they are generated,
are recorded, processed, retained and used to ensure the record throughout the data lifecycle.
Data governance should address data ownership and accountability throughout the lifecycle,
and consider the design, operation and monitoring of processes/systems to comply with the
principles of data integrity including control over intentional and unintentional changes to data.
Data Governance systems should include staff training in the importance of data integrity
principles and the creation of a working environment that enables visibility, and actively
encourages reporting of errors, omissions and undesirable results.
Senior management should be accountable for the implementation of systems and procedures
to minimise the potential risk to data integrity, and for identifying the residual risk, using risk
management techniques such as the principles of ICH Q9.
MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
Page 9 of 21
Contract Givers should ensure that data ownership, governance and accessibility are included
in any contract/technical agreement with a third party. The Contract Giver should also perform
a data governance review as part of their vendor assurance programme.
Data governance systems should also ensure that data are readily available and directly
accessible on request from national competent authorities. Electronic data should be available
in human-readable form.
All phases in the life of the data from generation and recording through processing (including
analysis, transformation or migration), use, data retention, archive/retrieval and destruction.
Data governance, as described in the previous section, must be applied across the whole data
lifecycle to provide assurance of data integrity. Data can be retained either in the original
system, subject to suitable controls, or in an appropriate archive.
No definition required.
The selected method should ensure that data of appropriate accuracy, completeness, content
and meaning are collected and retained for their intended use. Where the capability of the
electronic system permits dynamic storage, it is not appropriate for static (printed / manual)
data to be retained in preference to dynamic (electronic) data.
As data are required to allow the full reconstruction of activities the amount and the resolution
(degree of detail) of data to be collected should be justified.
When used, blank forms (including, but not limited to, worksheets, laboratory notebooks, and
master production and control records) should be controlled. For example, numbered sets of
blank forms may be issued and reconciled upon completion. Similarly, bound paginated
notebooks, stamped or formally issued by a document control group allow detection of
unofficial notebooks and any gaps in notebook pages.
Data transfer is the process of transferring data between different data storage types, formats,
or computerised systems.
Data migration is the process of moving stored data from one durable storage location to
another. This may include changing the format of data, but not the content or meaning.
Data transfer is the process of transferring data and metadata between storage media types or
computerised systems. Data migration where required may, if necessary, change the format of
data to make it usable or visible on an alternative computerised system.
MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
Page 10 of 21
Data transfer/migration procedures should include a rationale, and be robustly designed and
validated to ensure that data integrity is maintained during the data lifecycle. Careful
consideration should be given to understanding the data format and the potential for alteration
at each stage of data generation, transfer and subsequent storage. The challenges of
migrating data are often underestimated, particularly regarding maintaining the full meaning of
the migrated records.
Data transfer should be validated. The data should not be altered during or after it is
transferred to the worksheet or other application. There should be an audit trail for this
process. Appropriate Quality procedures should be followed if the data transfer during the
operation has not occurred correctly. Any changes in the middle layer software should be
managed through appropriate Quality Management Systems.
There should be adequate traceability of any user-defined parameters used within data
processing activities to the raw data, including attribution to who performed the activity.
Audit trails and retained records should allow reconstruction of all data processing activities
regardless of whether the output of that processing is subsequently reported or otherwise
used for regulatory or business purposes. If data processing has been repeated with
progressive modification of processing parameters this should be visible to ensure that the
processing parameters are not being manipulated to achieve a more desirable result.
Note: this is not applicable to GPvP; for GPvP refer to the pharmacovigilance legislation
(including the GVP modules) which provide the necessary requirements and statutory
guidance.
Data may only be excluded where it can be demonstrated through valid scientific justification
that the data are not representative of the quantity measured, sampled or acquired.
In all cases, this justification should be documented and considered during data review and
reporting. All data (even if excluded) should be retained with the original data set, and be
available for review in a format that allows the validity of the decision to exclude the data to be
confirmed.
MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
Page 11 of 21
The first or source capture of data or information e.g. original paper record of manual
observation or electronic raw data file from a computerised system, and all subsequent data
required to fully reconstruct the conduct of the GXP activity. Original records can be Static or
Dynamic.
A static record format, such as a paper or electronic record, is one that is fixed and allows little
or no interaction between the user and the record content. For example, once printed or
converted to static electronic format chromatography records lose the capability of being
reprocessed or enabling more detailed viewing of baselines.
Where the data obtained requires manual observation to record (for example results of a
manual titration, visual interpretation of environmental monitoring plates) the process should
be risk assessed and depending on the criticality, justify if a second contemporaneous
verification check is required or investigate if the result could be captured by an alternate
means.
A copy (irrespective of the type of media used) of the original record that has been verified (i.e.
by a dated signature or by generation through a validated process) to have the same
information, including data that describe the context, content, and structure, as the original.
A true copy may be stored in a different electronic file format to the original record if required,
but must retain the metadata and audit trail required to ensure that the full meaning of the data
are kept and its history may be reconstructed.
Original records and true copies must preserve the integrity of the record. True copies of
original records may be retained in place of the original record (e.g. scan of a paper record), if
a documented system is in place to verify and record the integrity of the copy. Organisations
should consider any risk associated with the destruction of original records.
It should be possible to create a true copy of electronic data, including relevant metadata, for
the purposes of review, backup and archival. Accurate and complete copies for certification of
the copy should include the meaning of the data (e.g. date formats, context, layout, electronic
signatures and authorisations) and the full GXP audit trail. Consideration should be given to
the dynamic functionality of a ‘true copy’ throughout the retention period (see ‘archive’).
Data must be retained in a dynamic form where this is critical to its integrity or later
verification. If the computerised system cannot be maintained e.g., if it is no longer supported,
then records should be archived according to a documented archiving strategy prior to
MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
Page 12 of 21
decommissioning the computerised system. It is conceivable for some data generated by
electronic means to be retained in an acceptable paper or electronic format, where it can be
justified that a static record maintains the integrity of the original data. However, the data
retention process must be shown to include verified copies of all raw data, metadata, relevant
audit trail and result files, any variable software/system configuration settings specific to each
record, and all data processing runs (including methods and audit trails) necessary for
reconstruction of a given raw data set. It would also require a documented means to verify
that the printed records were an accurate representation. To enable a GXP compliant record
this approach is likely to be demanding in its administration.
Where manual transcriptions occur, these should be verified by a second person or validated
system.
The metadata (e.g. username, date, and time) are not captured in the system audit trail until
the user saves the transaction to durable storage. In computerised systems, an electronic
signature may be required for the record to be saved and become permanent.
A critical step is a parameter that must be within an appropriate limit, range, or distribution to
ensure the safety of the subject or quality of the product or data. Computer systems should be
designed to ensure that the execution of critical steps is recorded contemporaneously. Where
transactional systems are used, the combination of multiple unit operations into a combined
single transaction should be avoided, and the time intervals before saving of data should be
minimised. Systems should be designed to require saving data to permanent memory before
prompting users to make changes.
The organisation should define during the development of the system (e.g. via the user
requirements specification) what critical steps are appropriate based on the functionality of the
system and the level of risk associated. Critical steps should be documented with process
controls that consider system design (prevention), together with monitoring and review
processes. Oversight of activities should alert to failures that are not addressed by the process
design.
The audit trail is a form of metadata containing information associated with actions that relate
to the creation, modification or deletion of GXP records. An audit trail provides for secure
recording of life-cycle details such as creation, additions, deletions or alterations of information
in a record, either paper or electronic, without obscuring or overwriting the original record. An
audit trail facilitates the reconstruction of the history of such events relating to the record
regardless of its medium, including the “who, what, when and why” of the action.
Where computerised systems are used to capture, process, report, store or archive raw data
electronically, system design should always provide for the retention of audit trails to show all
MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
Page 13 of 21
changes to, or deletion of data while retaining previous and original data. It should be possible
to associate all data and changes to data with the persons making those changes, and
changes should be dated and time stamped (time and time zone where applicable). The
reason for any change, should also be recorded. The items included in the audit trail should be
those of relevance to permit reconstruction of the process or activity.
Audit trails (identified by risk assessment as required) should be switched on. Users should
not be able to amend or switch off the audit trail. Where a system administrator amends, or
switches off the audit trail a record of that action should be retained.
The relevance of data retained in audit trails should be considered by the organisation to
permit robust data review/verification. It is not necessary for audit trail review to include every
system activity (e.g. user log on/off, keystrokes etc.).
Where relevant audit trail functionality does not exist (e.g. within legacy systems) an
alternative control may be achieved for example defining the process in an SOP, and use of
log books. Alternative controls should be proven to be effective.
Where add-on software or a compliant system does not currently exist, continued use of the
legacy system may be justified by documented evidence that a compliant solution is being
sought and that mitigation measures temporarily support the continued use. 1
Routine data review should include a documented audit trail review where this is determined
by a risk assessment. When designing a system for review of audit trails, this may be limited
to those with GXP relevance. Audit trails may be reviewed as a list of relevant data, or by an
‘exception reporting' process. An exception report is a validated search tool that identifies and
documents predetermined ‘abnormal’ data or actions, that require further attention or
investigation by the data reviewer.
Reviewers should have sufficient knowledge and system access to review relevant audit trails,
raw data and metadata (see also ‘data governance’).
Where systems do not meet the audit trail and individual user account expectations,
demonstrated progress should be available to address these shortcomings. This should either
be through add-on software that provides these additional functions or by an upgrade to a
compliant system. Where remediation has not been identified or subsequently implemented in
a timely manner a deficiency may be cited.
A signature in digital form (bio-metric or non-biometric) that represents the signatory. This
should be equivalent in legal terms to the handwritten signature of the signatory.
The use of electronic signatures should be appropriately controlled with consideration given to:
How the signature is attributable to an individual.
1It is expected that GMP facilities with industrial automation and control equipment/ systems such as programmable logic
controllers should be able to demonstrate working towards system upgrades with individual login and audit trails (reference:
Art 23 of Directive 2001/83/EC).
MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
Page 14 of 21
How the act of ‘signing’ is recorded within the system so that it cannot be altered or
manipulated without invalidating the signature or status of the entry.
How the record of the signature will be associated with the entry made and how this
can be verified.
The security of the electronic signature i.e. so that it can only be applied by the ‘owner’
of that signature.
It is expected that appropriate validation of the signature process associated with a system is
undertaken to demonstrate suitability and that control over signed records is maintained.
Where a paper or pdf copy of an electronically signed document is produced, the metadata
associated with an electronic signature should be maintained with the associated document.
The use of electronic signatures should be compliant with the requirements of international
standards. The use of advanced electronic signatures should be considered where this
method of authentication is required by the risk assessment. Electronic signature or
E-signature systems must provide for “signature manifestations” i.e. a display within the
viewable record that defines who signed it, their title, and the date (and time, if significant) and
the meaning of the signature (e.g. verified or approved).
An inserted image of a signature or a footnote indicating that the document has been
electronically signed (where this has been entered by a means other than the validated
electronic signature process) is not adequate. Where a document is electronically signed then
the metadata associated with the signature should be retained.
For printed copies of electronically signed documents refer to True Copy section.
Expectations for electronic signatures associated with informed consent (GCP) are covered in
alternative guidance (MHRA/HRA DRAFT Guidance on the use of electronic consent).
The approach to reviewing specific record content, such as critical data and metadata, cross-
outs (paper records) and audit trails (electronic records) should meet all applicable regulatory
requirements and be risk-based.
There should be a procedure that describes the process for review and approval of data. Data
review should also include a risk-based review of relevant metadata, including relevant audit
trails records. Data review should be documented and the record should include a positive
statement regarding whether issues were found or not, the date that review was performed
and the signature of the reviewer.
A procedure should describe the actions to be taken if data review identifies an error or
omission. This procedure should enable data corrections or clarifications to provide visibility of
the original record, and traceability of the correction, using ALCOA principles (see ‘data’
definition).
Where data review is not conducted by the organisation that generated the data, the
responsibilities for data review must be documented and agreed by both parties. Summary
MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
Page 15 of 21
reports of data are often supplied between organisations (contract givers and acceptors). It
must be acknowledged that summary reports are limited and critical supporting data and
metadata may not be included.
Many software packages allow configuration of customised reports. Key actions may be
incorporated into such reports provided they are validated and locked to prevent changes.
Automated reporting tools and reports may reduce the checks required to assure the integrity
of the data.
Where summary reports are supplied by a different organisation, the organisation receiving
and using the data should evaluate the data provider’s data integrity controls and processes
prior to using the information.
Routine data review should consider the integrity of an individual data set e.g. is this the
only data generated as part of this activity? Has the data been generated and maintained
correctly? Are there indicators of unauthorised changes?
Full use should be made of access controls to ensure that people have access only to
functionality that is appropriate for their job role, and that actions are attributable to a specific
individual. Companies must be able to demonstrate the access levels granted to individual
staff members and ensure that historical information regarding user access level is available.
Where the system does not capture this data, then a record must be maintained outside of the
system. Access controls should be applied to both the operating system and application
levels. Individual login at operating system level may not be required if appropriate controls
are in place to ensure data integrity (e.g. no modification, deletion or creation of data outside
the application is possible).
For systems generating, amending or storing GXP data shared logins or generic user access
should not be used. Where the computerised system design supports individual user access,
this function must be used. This may require the purchase of additional licences. Systems
(such as MRP systems) that are not used in their entirety for GXP purposes but do have
elements within them, such as approved suppliers, stock status, location and transaction
histories that are GXP applicable require appropriate assessment and control.
It is acknowledged that some computerised systems support only a single user login or limited
numbers of user logins. Where no suitable alternative computerised system is available,
equivalent control may be provided by third-party software or a paper-based method of
providing traceability (with version control). The suitability of alternative systems should be
justified and documented. Increased data review is likely to be required for hybrid systems
MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
Page 16 of 21
because they are vulnerable to non-attributable data changes. It is expected that companies
should be implementing systems that comply with current regulatory expectations2.
System administrator access should be restricted to the minimum number of people possible
taking account of the size and nature of the organisation. The generic system administrator
account should not be available for routine use. Personnel with system administrator access
should log in with unique credentials that allow actions in the audit trail(s) to be attributed to a
specific individual. The intent of this is to prevent giving access to users with potentially a
conflict of interest so that they can make unauthorised changes that would not be traceable to
that person.
System Administrator rights (permitting activities such as data deletion, database amendment
or system configuration changes) should not be assigned to individuals with a direct interest in
the data (data generation, data review or approval).
Individuals may require changes in their access rights depending on the status of clinical trial
data. For example, once data management processes are complete, the data is ‘locked’ by
removing editing access rights. This should be able to be demonstrated within the system.
Data retention may be for archiving (protected data for long-term storage) or backup (data for
the purposes of disaster recovery).
Data and document retention arrangements should ensure the protection of records from
deliberate or inadvertent alteration or loss. Secure controls must be in place to ensure the data
integrity of the record throughout the retention period and should be validated where
appropriate (see also data transfer/migration).
Data (or a true copy) generated in paper format may be retained by using a validated scanning
process provided there is a documented process in place to ensure that the outcome is a true
copy.
Procedures for destruction of data should consider data criticality and where applicable
legislative retention requirements.
2It is expected that GMP facilities with industrial automation and control equipment/ systems such as programmable logic
controllers should be able to demonstrate working towards system upgrades with individual login and audit trails (reference:
Art 23 of Directive 2001/83/EC).
MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
Page 17 of 21
6.17.1. Archive
A designated secure area or facility (e.g. cabinet, room, building or computerised system) for
the long term, retention of data and metadata for the purposes of verification of the process or
activity.
Archived records may be the original record or a ‘true copy’ and should be protected so they
cannot be altered or deleted without detection and protected against any accidental damage
such as fire or pest.
Archive arrangements must be designed to permit recovery and readability of the data and
metadata throughout the required retention period. In the case of archiving of electronic data,
this process should be validated, and in the case of legacy systems the ability to review data
periodically verified (i.e. to confirm the continued support of legacy computerised systems).
Where hybrid records are stored, references between physical and electronic records must be
maintained such that full verification of events is possible throughout the retention period.
6.17.2. Backup
A copy of current (editable) data, metadata and system configuration settings maintained for
recovery including disaster recovery.
Backup and recovery processes should be validated and periodically tested. Each back up
should be verified to ensure that it has functioned correctly e.g. by confirming that the data
size transferred matches that of the original record.
Backups for recovery purposes do not replace the need for the long term, retention of data
and metadata in its final form for the purposes of verification of the process or activity.
MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
Page 18 of 21
6.18. File structure
Data Integrity risk assessment requires a clear understanding of file structure. The way data is
structured within the GXP environment will depend on what the data will be used for and the
end user may have this dictated to them by the software/computerised system(s) available.
There are many types of file structure, the most common being flat files and relational
databases.
Different file structures due to their attributes may require different controls and data review
methods and may retain meta data in different ways.
6.19. Validation – for intended purpose (GMP; See also Annex 11, 15)
Computerised systems should comply with regulatory requirements and associated guidance.
These should be validated for their intended purpose which requires an understanding of the
computerised system’s function within a process. For this reason, the acceptance of vendor-
supplied validation data in isolation of system configuration and users intended use is not
acceptable. In isolation from the intended process or end-user IT infrastructure, vendor testing
is likely to be limited to functional verification only and may not fulfil the requirements for
performance qualification.
6.20. IT Suppliers and Service Providers (including Cloud providers and virtual
service/platforms (also referred to as software as a service SaaS/platform as a service
(PaaS) / infrastructure as a service (IaaS)).
Where ‘cloud’ or ‘virtual’ services are used, attention should be paid to understanding the
service provided, ownership, retrieval, retention and security of data.
The physical location where the data is held, including the impact of any laws applicable to
that geographic location, should be considered.
The responsibilities of the contract giver and acceptor should be defined in a technical
agreement or contract. This should ensure timely access to data (including metadata and audit
trails) to the data owner and national competent authorities upon request. Contracts with
providers should define responsibilities for archiving and continued readability of the data
throughout the retention period (see archive).
Appropriate arrangements must exist for the restoration of the software/system as per its
original validated state, including validation and change control information to permit this
restoration.
Business continuity arrangements should be included in the contract, and tested. The need for
an audit of the service provider should be based upon risk.
MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
Page 19 of 21
7. Glossary
MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
Page 20 of 21
8. References
Computerised systems. In: The rules governing medicinal products in the European Union.
Volume 4: Good manufacturing practice (GMP) guidelines: Annex 11. Brussels: European
Commission.
(http://ec.europa.eu/enterprise/pharmaceuticals/eudralex/vol-4/pdfs-en/anx11en.pdf).
OECD series on principles of good laboratory practice (GLP) and compliance monitoring. Paris:
Organisation for Economic Co-operation and Development.
(http://www.oecd.org/chemicalsafety/testing/oecdseriesonprinciplesofgoodlaboratorypracticeglp
andcompliancemonitoring.htm).
Guidance on good data and record management practices; World Health Organisation, WHO
Technical Report Series, No.996, Annex 5; 2016.
(http://apps.who.int/medicinedocs/en/m/abstract/Js22402en/).
Good Practices For Data Management And Integrity In Regulated GMP/GDP Environments –
PIC/S; PI041-1(draft 2); August 2016.
(https://picscheme.org/en/news?itemid=33).
MHRA GMP data integrity definitions and guidance for industry. London: Medicines and
Healthcare Products Regulatory Agency; March 2015.
(https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/412735/Data_in
tegrity_definitions_and_guidance_v2.pdf).
The Human Medicines Regulations 2012 (Statutory Instrument 2012 No. 1916):
http://www.legislation.gov.uk/uksi/2012/1916/contents/made
Revision History
Revision Publication Month Reason for changes
Revision 1 March 2018 None. First issue.
MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
Page 21 of 21
Appendices C: FDA Data Integrity and Compliance
with CGMP Guidance
Data Integrity and
Compliance With
CGMP
Guidance for Industry
DRAFT GUIDANCE
This guidance document is being distributed for comment purposes only.
Comments and suggestions regarding this draft document should be submitted within 60 days of
publication in the Federal Register of the notice announcing the availability of the draft
guidance. Submit electronic comments to http://www.regulations.gov. Submit written comments
to the Division of Dockets Management (HFA-305), Food and Drug Administration, 5630
Fishers Lane, rm. 1061, Rockville, MD 20852. All comments should be identified with the
docket number listed in the notice of availability that publishes in the Federal Register.
For questions regarding this draft document, contact (CDER) Karen Takahashi 301-796-3191;
(CBER) Office of Communication, Outreach and Development, 800-835-4709 or 240-402-8010;
or (CVM) Jonathan Bray 240-402-5623.
April 2016
Pharmaceutical Quality/Manufacturing Standards (CGMP)
Data Integrity and
Compliance With
CGMP
Guidance for Industry
Additional copies are available from:
Office of Communications, Division of Drug Information
Center for Drug Evaluation and Research
Food and Drug Administration
10001 New Hampshire Ave., Hillandale Bldg., 4th Floor
Silver Spring, MD 20993-0002
Phone: 855-543-3784 or 301-796-3400; Fax: 301-431-6353
Email: druginfo@fda.hhs.gov
http://www.fda.gov/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/default.htm
and/or
Office of Communication, Outreach and Development
Center for Biologics Evaluation and Research
Food and Drug Administration
10903 New Hampshire Ave., Bldg. 71, Room 3128
Silver Spring, MD 20993-0002
Phone: 800-835-4709 or 240-402-8010
Email: ocod@fda.hhs.gov
http://www.fda.gov/BiologicsBloodVaccines/GuidanceComplianceRegulatoryInformation/Guidances/default.htm
and/or
Policy and Regulations Staff, HFV-6
Center for Veterinary Medicine
Food and Drug Administration
7519 Standish Place, Rockville, MD 20855
http://www.fda.gov/AnimalVeterinary/GuidanceComplianceEnforcement/GuidanceforIndustry/default.htm
April 2016
Pharmaceutical Quality/Manufacturing Standards (CGMP)
Contains Nonbinding Recommendations
Draft — Not for Implementation
TABLE OF CONTENTS
I. INTRODUCTION............................................................................................................. 1
II. BACKGROUND ............................................................................................................... 1
III. QUESTIONS AND ANSWERS ....................................................................................... 2
1. Please clarify the following terms as they relate to CGMP records: ......................................... 2
a. What is “data integrity”? ................................................................................................................ 2
b. What is “metadata”? ....................................................................................................................... 3
c. What is an “audit trail”? ................................................................................................................. 3
d. How does FDA use the terms “static” and “dynamic” as they relate to record formats? ............. 3
e. How does FDA use the term “backup” in § 211.68(b)? .................................................................. 4
f. What are the “systems” in “computer or related systems” in § 211.68?........................................ 4
2. When is it permissible to exclude CGMP data from decision making? .................................... 4
3. Does each workflow on our computer system need to be validated? ........................................ 4
4. How should access to CGMP computer systems be restricted? ................................................ 5
5. Why is FDA concerned with the use of shared login accounts for computer systems? ........... 6
6. How should blank forms be controlled? ...................................................................................... 6
7. How often should audit trails be reviewed?................................................................................. 6
8. Who should review audit trails? ................................................................................................... 6
9. Can electronic copies be used as accurate reproductions of paper or electronic records? ..... 7
10. Is it acceptable to retain paper printouts or static records instead of original electronic
records from stand-alone computerized laboratory instruments, such as an FT-IR instrument? . 7
11. Can electronic signatures be used instead of handwritten signatures for master production
and control records?............................................................................................................................... 8
12. When does electronic data become a CGMP record? ................................................................ 8
13. Why has the FDA cited use of actual samples during “system suitability” or test, prep, or
equilibration runs in warning letters? .................................................................................................. 9
14. Is it acceptable to only save the final results from reprocessed laboratory
chromatography? ................................................................................................................................... 9
15. Can an internal tip regarding a quality issue, such as potential data falsification, be handled
informally outside of the documented CGMP quality system? .......................................................... 9
16. Should personnel be trained in detecting data integrity issues as part of a routine CGMP
training program? ................................................................................................................................ 10
17. Is the FDA investigator allowed to look at my electronic records? ......................................... 10
18. How does FDA recommend data integrity problems identified during inspections, in
warning letters, or in other regulatory actions be addressed? ......................................................... 10
Contains Nonbinding Recommendations
Draft — Not for Implementation
1
This guidance has been prepared by the Office of Pharmaceutical Quality and the Office of Compliance in the
Center for Drug Evaluation and Research in cooperation with the Center for Biologics Evaluation and Research, the
Center for Veterinary Medicine, and the Office of Regulatory Affairs at the Food and Drug Administration.
1
Contains Nonbinding Recommendations
Draft — Not for Implementation
42 numerous regulatory actions, including warning letters, import alerts, and consent decrees. The
43 underlying premise in §§ 210.1 and 212.2 is that CGMP sets forth minimum requirements to
44 assure that drugs meet the standards of the Federal Food, Drug, and Cosmetic Act (FD&C Act)
45 regarding safety, identity, strength, quality, and purity. 2 Requirements with respect to data
46 integrity in parts 211 and 212 include, among other things:
47
48 • § 211.68 (requiring that “backup data are exact and complete,” and “secure from
49 alteration, inadvertent erasures, or loss”);
50 • § 212.110(b) (requiring that data be “stored to prevent deterioration or loss”);
51 • §§ 211.100 and 211.160 (requiring that certain activities be “documented at the time
52 of performance” and that laboratory controls be “scientifically sound”);
53 • § 211.180 (requiring that records be retained as “original records,” “true copies,” or
54 other “accurate reproductions of the original records”); and
55 • §§ 211.188, 211.194, and 212.60(g) (requiring “complete information,” “complete
56 data derived from all tests,” “complete record of all data,” and “complete records of
57 all tests performed”).
58
59 Electronic signature and record-keeping requirements are laid out in 21 CFR part 11 and apply to
60 certain records subject to records requirements set forth in Agency regulations, including parts
61 210, 211, and 212. For more information, see guidance for industry Part 11, Electronic Records;
62 Electronic Signatures — Scope and Application. 3 The guidance outlines FDA’s current thinking
63 regarding the narrow scope and application of part 11 pending FDA’s reexamination of part 11
64 as it applies to all FDA-regulated products.
65
66 III. QUESTIONS AND ANSWERS
67
68 1. Please clarify the following terms as they relate to CGMP records:
69
70 a. What is “data integrity”?
71
72 For the purposes of this guidance, data integrity refers to the completeness,
73 consistency, and accuracy of data. Complete, consistent, and accurate data should
74 be attributable, legible, contemporaneously recorded, original or a true copy, and
75 accurate (ALCOA). 4
2
FDA’s authority for CGMP comes from FD&C Act section 501(a)(2)(B), which states that a drug shall be deemed
adulterated if “the methods used in, or the facilities or controls used for, its manufacture, processing, packing, or
holding do not conform to or are not operated or administered in conformity with current good manufacturing
practice to assure that such drug meets the requirement of the act as to safety and has the identity and strength, and
meets the quality and purity characteristics, which it purports or is represented to possess.”
3
CDER updates guidances periodically. To make sure you have the most recent version of a guidance, check the
FDA Drugs guidance Web page at
www.fda.gov/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/default.htm.
4
For attributable, see §§ 211.101(d), 211.122, 211.186, 211.188(b)(11), and 212.50(c)(10); for legible see §§
211.180(e) and 212.110(b); for contemporaneously recorded (at the time of performance) see §§ 211.100(b) and
211.160(a); for original or a true copy see §§ 211.180 and 211.194(a); and for accurate see §§ 211.22(a), 211.68,
211.188, and 212.60(g).
2
Contains Nonbinding Recommendations
Draft — Not for Implementation
76 b. What is “metadata”?
77
78 Metadata is the contextual information required to understand data. A data value
79 is by itself meaningless without additional information about the data. Metadata is
80 often described as data about data. Metadata is structured information that
81 describes, explains, or otherwise makes it easier to retrieve, use, or manage data.
82 For example, the number “23” is meaningless without metadata, such as an
83 indication of the unit “mg.” Among other things, metadata for a particular piece
84 of data could include a date/time stamp for when the data were acquired, a user ID
85 of the person who conducted the test or analysis that generated the data, the
86 instrument ID used to acquire the data, audit trails, etc.
87
88 Data should be maintained throughout the record’s retention period with all
89 associated metadata required to reconstruct the CGMP activity (e.g., §§ 211.188
90 and 211.194). The relationships between data and their metadata should be
91 preserved in a secure and traceable manner.
92
93 c. What is an “audit trail”?
94
95 For purposes of this guidance, audit trail means a secure, computer-generated,
96 time-stamped electronic record that allows for reconstruction of the course of
97 events relating to the creation, modification, or deletion of an electronic record.
98 An audit trail is a chronology of the “who, what, when, and why” of a record. For
99 example, the audit trail for a high performance liquid chromatography (HPLC)
100 run could include the user name, date/time of the run, the integration parameters
101 used, and details of a reprocessing, if any, including change justification for the
102 reprocessing.
103
104 Electronic audit trails include those that track creation, modification, or deletion
105 of data (such as processing parameters and results) and those that track actions at
106 the record or system level (such as attempts to access the system or rename or
107 delete a file).
108
109 CGMP-compliant record-keeping practices prevent data from being lost or
110 obscured (see §§ 211.160(a), 211.194, and 212.110(b)). Electronic record-keeping
111 systems, which include audit trails, can fulfill these CGMP requirements.
112
113 d. How does FDA use the terms “static” and “dynamic” as they relate to record
114 formats?
115
116 For the purposes of this guidance, static is used to indicate a fixed-data document
117 such as a paper record or an electronic image, and dynamic means that the record
118 format allows interaction between the user and the record content. For example, a
119 dynamic chromatographic record may allow the user to change the baseline and
120 reprocess chromatographic data so that the resulting peaks may appear smaller or
3
Contains Nonbinding Recommendations
Draft — Not for Implementation
121 larger. It also may allow the user to modify formulas or entries in a spreadsheet
122 used to compute test results or other information such as calculated yield.
123
124 e. How does FDA use the term “backup” in § 211.68(b)?
125
126 FDA uses the term backup in § 211.68(b) to refer to a true copy of the original
127 data that is maintained securely throughout the records retention period (for
128 example, § 211.180). The backup file should contain the data (which includes
129 associated metadata) and should be in the original format or in a format
130 compatible with the original format.
131
132 This should not be confused with backup copies that may be created during
133 normal computer use and temporarily maintained for disaster recovery (e.g., in
134 case of a computer crash or other interruption). Such temporary backup copies
135 would not satisfy the requirement in § 211.68(b) to maintain a backup file of data.
136
137 f. What are the “systems” in “computer or related systems” in § 211.68?
138
139 The American National Standards Institute (ANSI) defines systems as people,
140 machines, and methods organized to accomplish a set of specific functions. 5
141 Computer or related systems can refer to computer hardware, software, peripheral
142 devices, networks, cloud infrastructure, operators, and associated documents (e.g.,
143 user manuals and standard operating procedures).
144
145 2. When is it permissible to exclude CGMP data from decision making?
146
147 Any data created as part of a CGMP record must be evaluated by the quality unit as part
148 of release criteria (see §§ 211.22 and 212.70) and maintained for CGMP purposes (e.g., §
149 211.180). Electronic data generated to fulfill CGMP requirements should include relevant
150 metadata. To exclude data from the release criteria decision-making process, there must
151 be a valid, documented, scientific justification for its exclusion (see the guidance for
152 industry Investigating Out-of-Specification (OOS) Test Results for Pharmaceutical
153 Production, and §§ 211.188, 211.192, and 212.71(b)). The requirements for record
154 retention and review do not differ depending on the data format; paper-based and
155 electronic data record-keeping systems are subject to the same requirements.
156
157 3. Does each workflow on our computer system need to be validated?
158
159 Yes, a workflow, such as creation of an electronic master production and control record
160 (MPCR), is an intended use of a computer system to be checked through validation (see
161 §§ 211.63, 211.68(b), and 211.110(a)). If you validate the computer system, but you do
5
American National Standard for Information Systems, Dictionary for Information Systems, American National
Standards Institute, 1991.
4
Contains Nonbinding Recommendations
Draft — Not for Implementation
162 not validate it for its intended use, you cannot know if your workflow runs correctly. 6 For
163 example, qualifying the Manufacturing Execution System (MES) platform, a computer
164 system, ensures that it meets specifications; however, it does not demonstrate that a given
165 MPCR generated by the MES contains the correct calculations. In this example,
166 validating the workflow ensures that the intended steps, specifications, and calculations
167 in the MPCR are accurate. This is similar to reviewing a paper MPCR and ensuring all
168 supporting procedures are in place before the MPCR is implemented in production (see
169 §§ 211.100, 211.186, and 212.50(b), and the guidance for industry PET Drugs — Current
170 Good Manufacturing Practice (CGMP)).
171
172 FDA recommends you implement appropriate controls to manage risks associated with
173 each element of the system. Controls that are appropriately designed to validate a system
174 for its intended use address software, hardware, personnel, and documentation.
175
176 4. How should access to CGMP computer systems be restricted?
177
178 You must exercise appropriate controls to assure that changes to computerized MPCRs,
179 or other records, or input of laboratory data into computerized records, can be made only
180 by authorized personnel (§ 211.68(b)). FDA recommends that you restrict the ability to
181 alter specifications, process parameters, or manufacturing or testing methods by technical
182 means where possible (for example, by limiting permissions to change settings or data).
183 FDA suggests that the system administrator role, including any rights to alter files and
184 settings, be assigned to personnel independent from those responsible for the record
185 content. To assist in controlling access, FDA recommends maintaining a list of
186 authorized individuals and their access privileges for each CGMP computer system in
187 use.
188
189 If these independent security role assignments are not practical for small operations or
190 facilities with few employees, such as PET or medical gas facilities, FDA recommends
191 alternate control strategies be implemented. 7 For example, in the rare instance that the
192 same person is required to hold the system administrator role and to be responsible for
193 the content of the records, FDA suggests having a second person review settings and
194 content. If second-person review is not possible, the Agency recommends that the person
195 recheck settings and his or her own work.
196
6
In computer science, validation refers to ensuring that software meets its specifications. However, this may not
meet the definition of process validation as found in guidance for industry Process Validation: General Principles
and Practices: “The collection and evaluation of data … which establishes scientific evidence that a process is
capable of consistently delivering quality products.” See also ICH guidance for industry Q7A Good Manufacturing
Practice Guide for Active Pharmaceutical Ingredients, which defines validation as providing assurance that a
specific process, method, or system will consistently produce a result meeting predetermined acceptance criteria. For
purposes of this guidance, validation is being used in a manner consistent with the above guidance documents.
7
For further discussion of such alternate control strategies, see the guidance for industry PET Drugs — Current
Good Manufacturing Practice (CGMP).
5
Contains Nonbinding Recommendations
Draft — Not for Implementation
197 5. Why is FDA concerned with the use of shared login accounts for computer
198 systems?
199
200 You must exercise appropriate controls to assure that only authorized personnel make
201 changes to computerized MPCRs, or other records, or input laboratory data into
202 computerized records, and you must implement documentation controls that ensure
203 actions are attributable to a specific individual (see §§ 211.68(b), 211.188(b)(11),
204 211.194(a)(7) and (8), and 212.50(c)(10)). When login credentials are shared, a unique
205 individual cannot be identified through the login and the system would thus not conform
206 to the CGMP requirements in parts 211 and 212. FDA requires that systems controls,
207 including documentation controls, be designed to follow CGMP to assure product quality
208 (for example, §§ 211.100 and 212.50).
209
210 6. How should blank forms be controlled?
211
212 There must be document controls in place to assure product quality (see §§ 211.100,
213 211.160(a), 211.186, 212.20(d), and 212.60(g)). FDA recommends that, if used, blank
214 forms (including, but not limited to, worksheets, laboratory notebooks, and MPCRs) be
215 controlled by the quality unit or by another document control method. For example,
216 numbered sets of blank forms may be issued as appropriate and should be reconciled
217 upon completion of all issued forms. Incomplete or erroneous forms should be kept as
218 part of the permanent record along with written justification for their replacement (for
219 example, see §§ 211.192, 211.194, 212.50(a), and 212.70(f)(1)(vi)).
220
221 Similarly, bound paginated notebooks, stamped for official use by a document control
222 group, allow detection of unofficial notebooks as well as of any gaps in notebook pages.
223
224 7. How often should audit trails be reviewed?
225
226 FDA recommends that audit trails that capture changes to critical data be reviewed with
227 each record and before final approval of the record. Audit trails subject to regular review
228 should include, but are not limited to, the following: the change history of finished
229 product test results, changes to sample run sequences, changes to sample identification,
230 and changes to critical process parameters.
231
232 FDA recommends routine scheduled audit trail review based on the complexity of the
233 system and its intended use.
234
235 See audit trail definition 1.c. above for further information on audit trails.
236
237 8. Who should review audit trails?
238
239 Audit trails are considered part of the associated records. Personnel responsible for record
240 review under CGMP should review the audit trails that capture changes to critical data
241 associated with the record as they review the rest of the record (for example, §§
242 211.22(a), 211.101(c), 211.194(a)(8), and 212.20(d)). For example, all production and
6
Contains Nonbinding Recommendations
Draft — Not for Implementation
243 control records, which includes audit trails, must be reviewed and approved by the
244 quality unit (§ 211.192). This is similar to the expectation that cross-outs on paper be
245 assessed when reviewing data.
246
247 9. Can electronic copies be used as accurate reproductions of paper or
248 electronic records?
249
250 Yes. Electronic copies can be used as true copies of paper or electronic records, provided
251 the copies preserve the content and meaning of the original data, which includes
252 associated metadata and the static or dynamic nature of the original records.
253
254 True copies of dynamic electronic records may be made and maintained in the format of
255 the original records or in a compatible format, provided that the content and meaning of
256 the original records are preserved and that a suitable reader and copying equipment (for
257 example, software and hardware, including media readers) are readily available (§§
258 211.180(d) and 212.110).
259
260 10. Is it acceptable to retain paper printouts or static records instead of original
261 electronic records from stand-alone computerized laboratory instruments,
262 such as an FT-IR instrument?
263
264 A paper printout or static record may satisfy retention requirements if it is a complete
265 copy of the original record (see §§ 211.68(b), 211.188, 211.194, and 212.60). For
266 example, pH meters and balances may create a paper printout or static image during data
267 acquisition as the original record. In this case, the paper printout or static image created
268 during acquisition, or a true copy, should be retained (§ 211.180).
269
270 However, electronic records from certain types of laboratory instruments are dynamic
271 records, and a printout or a static record does not preserve the dynamic format which is
272 part of the complete original record. For example, the spectral file created by FT-IR
273 (Fourier transform infrared spectroscopy) can be reprocessed, but a static record or
274 printout is fixed, which would not satisfy CGMP requirements to retain original records
275 or true copies (§ 211.180(d)). Also, if the full spectrum is not displayed, contaminants
276 may be excluded.
277
278 Control strategies must ensure that original laboratory records, including paper and
279 electronic records, are subject to second-person review (§ 211.194(a)(8)) to make certain
280 that all test results are appropriately reported.
281
282 For PET drugs, see the guidance for industry PET Drugs — Current Good Manufacturing
283 Practice (CGMP) for discussion of equipment and laboratory controls, including
284 regulatory requirements for records.
285
7
Contains Nonbinding Recommendations
Draft — Not for Implementation
286 11. Can electronic signatures be used instead of handwritten signatures for
287 master production and control records?
288
289 Yes, electronic signatures with the appropriate controls can be used instead of
290 handwritten signatures or initials in any CGMP required record. While § 211.186(a)
291 specifies a “full signature, handwritten,” as explained in the Federal Register on
292 September 29, 1978 (43 FR 45069), part of the intent of the full signature requirement is
293 to be able to clearly identify the individual responsible for signing the record. An
294 electronic signature with the appropriate controls to securely link the signature with the
295 associated record fulfills this requirement. This comports with part 11, which establishes
296 criteria for when electronic signatures are considered the legally binding equivalent of
297 handwritten signatures. Firms using electronic signatures should document the controls
298 used to ensure that they are able to identify the specific person who signed the records
299 electronically.
300
301 There is no requirement for a handwritten signature for the MPCR in the PET CGMP
302 regulations (21 CFR part 212).
303
304 12. When does electronic data become a CGMP record?
305
306 When generated to satisfy a CGMP requirement, all data become a CGMP record. You
307 must document, or save, the data at the time of performance to create a record in
308 compliance with CGMP requirements, including, but not limited to, §§ 211.100(b) and
309 211.160(a). FDA expects processes to be designed so that quality data required to be
310 created and maintained cannot be modified. For example, chromatograms should be sent
311 to long-term storage (archiving or a permanent record) upon run completion instead of at
312 the end of a day’s runs.
313
314 It is not acceptable to record data on pieces of paper that will be discarded after the data
315 are transcribed to a permanent laboratory notebook (see §§ 211.100(b), 211.160(a), and
316 211.180(d)). Similarly, it is not acceptable to store data electronically in temporary
317 memory, in a manner that allows for manipulation, before creating a permanent record.
318 Electronic data that are automatically saved into temporary memory do not meet CGMP
319 documentation or retention requirements.
320
321 You may employ a combination of technical and procedural controls to meet CGMP
322 documentation practices for electronic systems. For example, a computer system, such as
323 a Laboratory Information Management System (LIMS) or an Electronic Batch Record
324 (EBR) system, can be designed to automatically save after each separate entry. This
325 would be similar to recording each entry contemporaneously on a paper batch record to
326 satisfy CGMP requirements. The computer system could be combined with a procedure
327 requiring data be entered immediately when generated.
328
329 For PET drugs, see the “Laboratory Controls” section of the guidance for industry PET
330 Drugs — Current Good Manufacturing Practice (CGMP).
331
8
Contains Nonbinding Recommendations
Draft — Not for Implementation
332 13. Why has the FDA cited use of actual samples during “system suitability” or
333 test, prep, or equilibration runs in warning letters?
334
335 FDA prohibits sampling and testing with the goal of achieving a specific result or to
336 overcome an unacceptable result (e.g., testing different samples until the desired passing
337 result is obtained). This practice, also referred to as testing into compliance, is not
338 consistent with CGMP (see the guidance for industry Investigating Out-of-Specification
339 (OOS) Test Results for Pharmaceutical Production). In some situations, use of actual
340 samples to perform system suitability testing has been used as a means of testing into
341 compliance. We would consider it a violative practice to use an actual sample in test,
342 prep, or equilibration runs as a means of disguising testing into compliance.
343
344 According to the United States Pharmacopeia (USP), system suitability tests should
345 include replicate injections of a standard preparation or other standard solutions to
346 determine if requirements for precision are satisfied (see USP General Chapter <621>
347 Chromatography). System suitability tests, including the identity of the preparation to be
348 injected and the rationale for its selection, should be performed according to the firm’s
349 established written procedures and the approved application or applicable compendial
350 monograph (§§ 211.160 and 212.60).
351
352 If an actual sample is to be used for system suitability testing, it should be a properly
353 characterized secondary standard, written procedures should be established and followed,
354 and the sample should be from a different batch than the sample(s) being tested (§§
355 211.160, 211.165, and 212.60). All data should be included in the record that is retained
356 and subject to review unless there is documented scientific justification for its exclusion.
357
358 For more information, see also the ICH guidance for industry Q2(R1) Validation of
359 Analytical Procedures: Text and Methodology.
360
361 14. Is it acceptable to only save the final results from reprocessed laboratory
362 chromatography?
363
364 No. Analytical methods should be capable and stable. For most lab analyses, reprocessing
365 data should not be regularly needed. If chromatography is reprocessed, written
366 procedures must be established and followed and each result retained for review (see §§
367 211.160(a), 211.160(b), 211.165(c), 211.194(a)(4), and 212.60(a)). FDA requires
368 complete data in laboratory records, which includes raw data, graphs, charts, and spectra
369 from laboratory instruments (§§ 211.194(a) and 212.60(g)(3)).
370
371 15. Can an internal tip regarding a quality issue, such as potential data
372 falsification, be handled informally outside of the documented CGMP quality
373 system?
374
375 No. Suspected or known falsification or alteration of records required under parts 210,
376 211, and 212 must be fully investigated under the CGMP quality system to determine the
377 effect of the event on patient safety, product quality, and data reliability; to determine the
9
Contains Nonbinding Recommendations
Draft — Not for Implementation
378 root cause; and to ensure the necessary corrective actions are taken (see §§ 211.22(a),
379 211.125(c), 211.192, 211.198, 211.204, and 212.100).
380
381 FDA invites individuals to report suspected data integrity issues that may affect the
382 safety, identity, strength, quality, or purity of drug products at DrugInfo@fda.hhs.gov.
383 “CGMP data integrity” should be included in the subject line of the email.
384
385 See also Application Integrity Policy, available at
386 http://www.fda.gov/ICECI/EnforcementActions/ApplicationIntegrityPolicy/default.htm.
387
388 16. Should personnel be trained in detecting data integrity issues as part of a
389 routine CGMP training program?
390
391 Yes. Training personnel to detect data integrity issues is consistent with the personnel
392 requirements under §§ 211.25 and 212.10, which state that personnel must have the
393 education, training, and experience, or any combination thereof, to perform their assigned
394 duties.
395
396 17. Is the FDA investigator allowed to look at my electronic records?
397
398 Yes. All records required under CGMP are subject to FDA inspection. You must allow
399 authorized inspection, review, and copying of records, which includes copying of
400 electronic data (§§ 211.180(c) and 212.110(a) and (b)). See also section 704 of the FD&C
401 Act.
402
403 18. How does FDA recommend data integrity problems identified during
404 inspections, in warning letters, or in other regulatory actions be addressed?
405
406 FDA encourages you to demonstrate that you have effectively remedied your problems
407 by: hiring a third party auditor, determining the scope of the problem, implementing a
408 corrective action plan (globally), and removing at all levels individuals responsible for
409 problems from CGMP positions. FDA may conduct an inspection to decide whether
410 CGMP violations involving data integrity have been remedied.
411
412 These expectations mirror those developed for the Application Integrity Policy. For more
413 detailed guidance, see the “Points to Consider for Internal Reviews and Corrective Action
414 Operating Plans” public document available on the FDA Web site, accessible at
415 http://www.fda.gov/ICECI/EnforcementActions/ApplicationIntegrityPolicy/ucm134744.
416 htm.
10
Appendices D: ICH Q10: Pharmaceutical Quality
System
Guidance for Industry
Q10 Pharmaceutical
Quality System
April 2009
ICH
Q10 Pharmaceutical
Quality System
Office of Communication
(Tel) 301-796-3400
http://www.fda.gov/cder/guidance/index.htm
Development, HFM-40
http://www.fda.gov/cber/guidelines.htm.
April 2009
ICH
TABLE OF CONTENTS
A. Scope (1.2)....................................................................................................................................... 2
B. Monitoring of Internal and External Factors That Can Have an Impacton the
Approaches *............................................................................................................... 18
i
Guidance for Industry1
This guidance represents the Food and Drug Administration's (FDA’s) current thinking on this topic. It
does not create or confer any rights for or on any person and does not operate to bind FDA or the public.
You can use an alternative approach if the approach satisfies the requirements of the applicable statutes
and regulations. If you want to discuss an alternative approach, contact the FDA staff responsible for
implementing this guidance. If you cannot identify the appropriate FDA staff, call the appropriate
number listed on the title page of this guidance.
ICH Q10 describes one comprehensive model for an effective pharmaceutical quality system that
is based on International Organization for Standardization (ISO) quality concepts, includes
applicable good manufacturing practice (GMP) regulations, and complements ICH “Q8
Pharmaceutical Development” and ICH “Q9 Quality Risk Management.”3 ICH Q10 is a model
for a pharmaceutical quality system that can be implemented throughout the different stages of a
product lifecycle. Much of the content of ICH Q10 applicable to manufacturing sites is currently
specified by regional GMP requirements. ICH Q10 is not intended to create any new
expectations beyond current regulatory requirements. Consequently, the content of ICH Q10 that
is additional to current regional GMP requirements is optional.
1
This guidance was developed within the Expert Working Group (Quality) of the International Conference on
Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use (ICH) and has been
subject to consultation by the regulatory parties, in accordance with the ICH process. This document has been
endorsed by the ICH Steering Committee at Step 4 of the ICH process, June 2008. At Step 4 of the process, the final
draft is recommended for adoption to the regulatory bodies of the European Union, Japan, and the United States.
2
Arabic numbers reflect the organizational breakdown of the document endorsed by the ICH Steering Committee at
Step 4 of the ICH process, June 2008.
3
These guidances are available on the Internet at http://www.fda.gov/cder/guidance/index.htm. We update
guidances periodically. To make sure you have the most recent version of a guidance, check the CDER guidance
page at http://www.fda.gov/cder/guidance/index.htm
FDA's guidance documents, including this guidance, do not establish legally enforceable
responsibilities. Instead, guidances describe the Agency’s current thinking on a topic and should
be viewed only as recommendations, unless specific regulatory or statutory requirements are
cited. The use of the word should in Agency guidances means that something is suggested or
recommended, but not required.
A. Scope (1.2)
This guidance applies to the systems supporting the development and manufacture of
pharmaceutical drug substances (i.e., active pharmaceutical ingredients (APIs)) and drug
products, including biotechnology and biological products, throughout the product lifecycle.
The elements of ICH Q10 should be applied in a manner that is appropriate and proportionate to
each of the product lifecycle stages, recognizing the differences among, and the different goals
of, each stage (see section IV (3)).
For the purposes of this guidance, the product lifecycle includes the following technical activities
for new and existing products:
• Pharmaceutical Development
o Drug substance development
o Formulation development (including container/closure system)
o Manufacture of investigational products
o Delivery system development (where relevant)
o Manufacturing process development and scale-up
o Analytical method development
• Technology Transfer
o New product transfers during development through manufacturing
o Transfers within or between manufacturing and testing sites for marketed products
• Commercial Manufacturing
o Acquisition and control of materials
o Provision of facilities, utilities, and equipment
o Production (including packaging and labeling)
o Quality control and assurance
o Release
o Storage
Regional GMP requirements, the ICH guidance “Q7 Good Manufacturing Practice Guidance for
Active Pharmaceutical Ingredients,” and ISO quality management system guidelines form the
foundation for ICH Q10. To meet the objectives described below, ICH Q10 augments GMPs by
describing specific quality system elements and management responsibilities. ICH Q10 provides
a harmonized model for a pharmaceutical quality system throughout the lifecycle of a product
and is intended to be used together with regional GMP requirements.
The regional GMPs do not explicitly address all stages of the product lifecycle (e.g.,
development). The quality system elements and management responsibilities described in this
guidance are intended to encourage the use of science- and risk-based approaches at each
lifecycle stage, thereby promoting continual improvement across the entire product lifecycle.
Implementation of the Q10 model should result in achievement of three main objectives that
complement or enhance regional GMP requirements.
1. A
chieve Product Realization (1.5.1)
To establish, implement, and maintain a system that allows the delivery of products with the
quality attributes appropriate to meet the needs of patients, health care professionals, regulatory
authorities (including compliance with approved regulatory filings) and other internal and
external customers.
To develop and use effective monitoring and control systems for process performance and
product quality, thereby providing assurance of continued suitability and capability of processes.
Quality risk management can be useful in identifying the monitoring and control systems.
Use of knowledge management and quality risk management will enable a company to
implement ICH Q10 effectively and successfully. These enablers will facilitate achievement of
the objectives described in section II.D (1.5) above by providing the means for science- and risk-
based decisions related to product quality.
Product and process knowledge should be managed from development through the commercial
life of the product up to and including product discontinuation. For example, development
activities using scientific approaches provide knowledge for product and process understanding.
Knowledge management is a systematic approach to acquiring, analyzing, storing, and
disseminating information related to products, manufacturing processes, and components.
Sources of knowledge include, but are not limited to, prior knowledge (public domain or
internally documented); pharmaceutical development studies; technology transfer activities;
process validation studies over the product lifecycle; manufacturing experience; innovation;
continual improvement; and change management activities.
(a) The design, organization, and documentation of the pharmaceutical quality system
should be well structured and clear to facilitate common understanding and consistent
application.
(b) The elements of ICH Q10 should be applied in a manner that is appropriate and
proportionate to each of the product lifecycle stages, recognizing the different goals
Leadership is essential to establish and maintain a company-wide commitment to quality and for
the performance of the pharmaceutical quality system.
(a) Senior management should establish a quality policy that describes the overall
intentions and direction of the company related to quality.
(b) The quality policy should include an expectation to comply with applicable regulatory
requirements and should facilitate continual improvement of the pharmaceutical
quality system.
(c) The quality policy should be communicated to and understood by personnel at all
levels in the company.
(d) The quality policy should be reviewed periodically for continuing effectiveness.
(a) Senior management should ensure the quality objectives to implement the quality
policy are defined and communicated.
(b) Quality objectives should be supported by all relevant levels of the company.
(c) Quality objectives should align with the company’s strategies and be consistent with
the quality policy.
(d) Management should provide the appropriate resources and training to achieve the
quality objectives.
(e) Performance indicators that measure progress against quality objectives should be
established, monitored, communicated regularly, and acted upon as appropriate as
described in section V.A (4.1) of this document.
(a) Management should determine and provide adequate and appropriate resources
(human, financial, materials, facilities, and equipment) to implement and maintain the
pharmaceutical quality system and continually improve its effectiveness.
(b) Management should ensure that resources are appropriately applied to a specific
product, process, or site.
(a) Management should ensure appropriate communication processes are established and
implemented within the organization.
(b) Communications processes should ensure the flow of appropriate information between
all levels of the company.
(c) Communication processes should ensure the appropriate and timely escalation of
certain product quality and pharmaceutical quality system issues.
The pharmaceutical quality system, including the management responsibilities described in this
section, extends to the control and review of any outsourced activities and quality of purchased
materials. The pharmaceutical company is ultimately responsible to ensure processes are in place
to assure the control of outsourced activities and quality of purchased materials. These processes
should incorporate quality risk management and include:
(a) Assessing prior to outsourcing operations or selecting material suppliers, the suitability
and competence of the other party to carry out the activity or provide the material
When product ownership changes (e.g., through acquisitions), management should consider the
complexity of this and ensure:
(a) The ongoing responsibilities are defined for each company involved
This section describes the lifecycle stage goals and the four specific pharmaceutical quality
system elements that augment regional requirements to achieve the ICH Q10 objectives, as
defined in section II.D (1.5). It does not restate all regional GMP requirements.
The goal of pharmaceutical development activities is to design a product and its manufacturing
process to consistently deliver the intended performance and meet the needs of patients and
healthcare professionals, and regulatory authorities and internal customers’ requirements.
Approaches to pharmaceutical development are described in ICH Q8. The results of exploratory
and clinical development studies, while outside the scope of this guidance, are inputs to
pharmaceutical development.
2. T
echnology Transfer (3.1.2)
The goal of technology transfer activities is to transfer product and process knowledge between
development and manufacturing, and within or between manufacturing sites to achieve product
realization. This knowledge forms the basis for the manufacturing process, control strategy,
process validation approach, and ongoing continual improvement.
The goals of manufacturing activities include achieving product realization, establishing and
maintaining a state of control, and facilitating continual improvement. The pharmaceutical
quality system should assure that the desired product quality is routinely met, suitable process
performance is achieved, the set of controls are appropriate, improvement opportunities are
identified and evaluated, and the body of knowledge is continually expanded.
The goal of product discontinuation activities is to manage the terminal stage of the product
lifecycle effectively. For product discontinuation, a predefined approach should be used to
manage activities such as retention of documentation and samples and continued product
assessment (e.g., complaint handling and stability) and reporting in accordance with regulatory
requirements.
The elements described below might be required in part under regional GMP regulations.
However, the Q10 model’s intent is to enhance these elements to promote the lifecycle approach
to product quality. These four elements are:
These elements should be applied in a manner that is appropriate and proportionate to each of the
product lifecycle stages, recognizing the differences among the stages and the different goals of
each stage. Throughout the product lifecycle, companies are encouraged to evaluate
opportunities for innovative approaches to improve product quality.
Each element is followed by a table of example applications of the element to the stages of the
pharmaceutical lifecycle.
Pharmaceutical companies should plan and execute a system for the monitoring of process
performance and product quality to ensure a state of control is maintained. An effective
monitoring system provides assurance of the continued capability of processes and controls to
produce a product of desired quality and to identify areas for continual improvement. The
process performance and product quality monitoring system should:
(a) Use quality risk management to establish the control strategy. This can include
parameters and attributes related to drug substance and drug product materials and
components, facility and equipment operating conditions, in-process controls, finished
product specifications, and the associated methods and frequency of monitoring and
control. The control strategy should facilitate timely feedback/feedforward and
appropriate corrective action and preventive action.
(b) Provide the tools for measurement and analysis of parameters and attributes identified
in the control strategy (e.g., data management and statistical tools).
(c) Analyze parameters and attributes identified in the control strategy to verify continued
operation within a state of control.
(d) Identify sources of variation affecting process performance and product quality for
potential continual improvement activities to reduce or control variation.
(e) Include feedback on product quality from both internal and external sources (e.g.,
complaints, product rejections, nonconformances, recalls, deviations, audits and
regulatory inspections, and findings).
(f) Provide knowledge to enhance process understanding, enrich the design space (where
established), and enable innovative approaches to process validation.
The pharmaceutical company should have a system for implementing corrective actions and
preventive actions resulting from the investigation of complaints, product rejections,
nonconformances, recalls, deviations, audits, regulatory inspections and findings, and trends
from process performance and product quality monitoring. A structured approach to the
10
investigation process should be used with the objective of determining the root cause. The level
of effort, formality, and documentation of the investigation should be commensurate with the
level of risk, in line with ICH Q9. CAPA methodology should result in product and process
improvements and enhanced product and process understanding.
Table II: Application of Corrective Action and Preventive Action System Throughout the
Product Lifecycle
Innovation, continual improvement, the outputs of process performance and product quality
monitoring, and CAPA drive change. To evaluate, approve, and implement these changes
properly, a company should have an effective change management system. There is generally a
difference in formality of change management processes prior to the initial regulatory
submission and after submission, where changes to the regulatory filing might be required under
regional requirements.
The change management system ensures continual improvement is undertaken in a timely and
effective manner. It should provide a high degree of assurance there are no unintended
consequences of the change.
The change management system should include the following, as appropriate for the stage of the
lifecycle:
(a) Quality risk management should be utilized to evaluate proposed changes. The level of
effort and formality of the evaluation should be commensurate with the level of risk.
(b) Proposed changes should be evaluated relative to the marketing authorization,
including design space, where established, and/or current product and process
understanding. There should be an assessment to determine whether a change to the
regulatory filing is required under regional requirements. As stated in ICH Q8,
working within the design space is not considered a change (from a regulatory filing
perspective). However, from a pharmaceutical quality system standpoint, all changes
should be evaluated by a company’s change management system.
(c) Proposed changes should be evaluated by expert teams contributing the appropriate
11
Table III: Application of Change Management System Throughout the Product Lifecycle
Management review should provide assurance that process performance and product quality are
managed over the lifecycle. Depending on the size and complexity of the company, management
review can be a series of reviews at various levels of management and should include a timely
and effective communication and escalation process to raise appropriate quality issues to senior
levels of management for review.
12
This section describes activities that should be conducted to manage and continually improve the
pharmaceutical quality system.
Management should have a formal process for reviewing the pharmaceutical quality system on a
periodic basis. The review should include:
(a) Measurement of achievement of pharmaceutical quality system objectives
(b) Assessment of performance indicators that can be used to monitor the effectiveness of
processes within the pharmaceutical quality system, such as:
(1) Complaint, deviation, CAPA and change management processes
(2) Feedback on outsourced activities
(3) Self-assessment processes including risk assessments, trending, and audits
(4) External assessments such as regulatory inspections and findings and customer
audits
13
The outcome of management review of the pharmaceutical quality system and monitoring of
internal and external factors can include:
(a) Improvements to the pharmaceutical quality system and related processes
(b) Allocation or reallocation of resources and/or personnel training
(c) Revisions to quality policy and quality objectives
(d) Documentation and timely and effective communication of the results of the
management review and actions, including escalation of appropriate issues to senior
management
14
ICH and ISO definitions are used in ICH Q10 where they exist. For the purpose of ICH Q10,
where the words “requirement”, “requirements,” or “necessary” appear in an ISO definition, they
do not necessarily reflect a regulatory requirement. The source of the definition is identified in
parentheses after the definition. Where no appropriate ICH or ISO definition was available, an
ICH Q10 definition was developed.
Capability of a Process: Ability of a process to realize a product that will fulfill the
requirements of that product. The concept of process capability can also be defined in statistical
terms. (ISO 9000:2005)
Continual Improvement: Recurring activity to increase the ability to fulfill requirements. (ISO
9000:2005)
Control Strategy: A planned set of controls, derived from current product and process
understanding, that assures process performance and product quality. The controls can include
parameters and attributes related to drug substance and drug product materials and components,
facility and equipment operating conditions, in-process controls, finished product specifications,
and the associated methods and frequency of monitoring and control. (ICH Q10)
Design Space: The multidimensional combination and interaction of input variables (e.g.,
material attributes) and process parameters that have been demonstrated to provide assurance of
quality. (ICH Q8)
Enabler: A tool or process that provides the means to achieve an objective. (ICH Q10)
Feedback/Feedforward:
15
Performance Indicators: Measurable values used to quantify quality objectives to reflect the
performance of an organization, process, or system, also known as performance metrics in some
regions. (ICH Q10)
Product Realization: Achievement of a product with the quality attributes appropriate to meet
the needs of patients, health care professionals, and regulatory authorities (including compliance
with marketing authorization) and internal customers requirements. (ICH Q10)
Quality: The degree to which a set of inherent properties of a product, system, or process fulfils
requirements. (ICH Q9)
Quality Objectives: A means to translate the quality policy and strategies into measurable
activities. (ICH Q10)
Quality Planning: Part of quality management focused on setting quality objectives and
specifying necessary operational processes and related resources to fulfill the quality objectives.
(ISO 9000:2005)
Quality Policy: Overall intentions and direction of an organization related to quality as formally
expressed by senior management. (ISO 9000:2005)
Quality Risk Management: A systematic process for the assessment, control, communication,
and review of risks to the quality of the drug (medicinal) product across the product lifecycle.
(ICH Q9)
Senior Management: Person(s) who direct and control a company or site at the highest levels
with the authority and responsibility to mobilize resources within the company or site. (ICH Q10
based in part on ISO 9000:2005)
16
State of Control: A condition in which the set of controls consistently provides assurance of
continued process performance and product quality. (ICH Q10)
17
Regulatory Approaches *
*Note: This annex reflects potential opportunities to enhance regulatory approaches. The actual
regulatory process will be determined by region.
18
Annex 2
Investigational products
GMP
Management Responsibilities
Knowledge Management
Enablers
Quality Risk Management
This diagram illustrates the major features of the ICH Q10 Pharmaceutical Quality System
(PQS) model. The PQS covers the entire lifecycle of a product including pharmaceutical
development, technology transfer, commercial manufacturing, and product discontinuation as
illustrated by the upper portion of the diagram. The PQS augments regional GMPs as illustrated
in the diagram. The diagram also illustrates that regional GMPs apply to the manufacture of
investigational products.
The next horizontal bar illustrates the importance of management responsibilities explained in
section III (2) to all stages of the product lifecycle. The following horizontal bar lists the PQS
elements that serve as the major pillars under the PQS model. These elements should be applied
appropriately and proportionally to each lifecycle stage, recognizing opportunities to identify
areas for continual improvement.
The bottom set of horizontal bars illustrates the enablers: knowledge management and quality
risk management, which are applicable throughout the lifecycle stages. These enablers support
the PQS goals of achieving product realization, establishing and maintaining a state of control,
and facilitating continual improvement.
19
FINAL DOCUMENT
Global Harmonization Task Force
The document herein was produced by the Global Harmonization Task Force, which is comprised of representatives
from medical device regulatory agencies and the regulated industry. The document is intended to provide non-
binding guidance for use in the regulation of medical devices, and has been subject to consultation throughout its
development.
There are no restrictions on the reproduction, distribution or use of this document; however, incorporation of this
document, in part or in whole, into any other document, or its translation into languages other than English, does not
convey or represent an endorsement of any kind by the Global Harmonization Task Force.
Table of Contents
Preface ........................................................................................................................................................................3
Introduction.................................................................................................................................................................3
1.0 Scope ...............................................................................................................................................................4
2.0 Definitions.......................................................................................................................................................4
2.1 Correction .........................................................................................................................................4
2.2 Corrective action...............................................................................................................................4
2.3 Data Sources .....................................................................................................................................4
2.4 Concession ........................................................................................................................................4
2.5 Preventive action...............................................................................................................................5
2.6 Nonconformity..................................................................................................................................5
2.7 Verification .......................................................................................................................................5
2.8 Validation..........................................................................................................................................5
3.0 Overview .........................................................................................................................................................5
4.0 Phase I: Planning.............................................................................................................................................7
4.1 Plan for Measurement, Analysis and Improvement Processes..........................................................8
4.2 Establish Data Sources and Criteria ..................................................................................................9
5.0 Phase II: Measurement and Analysis within and across Data Sources..........................................................10
5.1 Measure...........................................................................................................................................10
5.2 Analyze ...........................................................................................................................................10
6.0 Phase III: Improvement .................................................................................................................................14
6.1 Investigate .......................................................................................................................................14
6.2 Identify Root Cause ........................................................................................................................16
6.3 Identify Actions ..............................................................................................................................17
6.4 Verify Identified Actions ................................................................................................................18
6.5 Implement Actions..........................................................................................................................18
6.6 Determine Effectiveness of Implemented Actions..........................................................................19
7.0 Phase IV: Input to Management ....................................................................................................................19
7.1 Report to Management....................................................................................................................19
7.2 Management Review.......................................................................................................................20
Annex A: Examples of Phase Activities ...................................................................................................................21
Annex B: Examples of Data Sources and Data Elements.........................................................................................22
Annex C: Examples of Contributing Factors............................................................................................................24
Annex D: Examples for Documentation of the Improvement Processes ..................................................................25
Preface
The document herein was produced by the Global Harmonization Task Force, a voluntary group
of representatives from medical device regulatory agencies and the regulated industry. The doc-
ument is intended to provide non-binding guidance for use in the regulation of medical devices,
and has been subject to consultation throughout its development.
There are no restrictions on the reproduction, distribution or use of this document; however, in-
corporation of this document, in part or in whole, into any other document, or its translation into
languages other than English, does not convey or represent an endorsement of any kind by the
Global Harmonization Task Force.
Introduction
This guidance document is intended for medical device manufacturers and regulatory authorities.
It is intended for educational purposes and is not intended to be used to assess or audit compli-
ance with regulatory requirements. It is expected that the reader is familiar with regulatory Qual-
ity Management System (QMS) requirements within the medical devices sector.
For the purposes of this document it is assumed that the medical device manufacturer has a QMS
which requires the manufacturer to have documented processes to ensure that medical devices
placed on the market are safe and effective. For example ISO13485 Medical Devices – Quality
Management Systems – Requirements for regulatory purposes, Japanese Ministerial Ordinance
on Standards for Manufacturing Control and Quality Control for Medical Devices and in vitro
Diagnostics (MHLW 1 Ministerial Ordinance No. 169), the FDA 2 Quality System Regulation 21
CFR Part 820 or the respective quality system requirements of the European medical Device Di-
rectives.
For this purpose the manufacturer will establish processes and define appropriate controls for
measurement and analysis to identify nonconformities and potential nonconformities. Also, the
manufacturer should establish processes defining when and how corrections, corrective actions,
or preventive actions should be undertaken. These actions should be commensurate with the sig-
nificance or risk of the nonconformity or potential nonconformity.
The terms risk, risk management and related terminology utilized within this document are in
accordance with ISO 14971 “Medical Devices-Application of Risk Management to Medical De-
vices.”
The acronym “CAPA” will not be used in this document because the concept of corrective action
and preventive action has been incorrectly interpreted to assume that a preventive action is re-
quired for every corrective action.
1
Japanese Ministry of Health Labor and Welfare
2
US Food and Drug Administration
This document will discuss the escalation process from different “reactive” sources which will
be corrective in nature and other “proactive” sources which will be preventive in nature. The
manufacturer is required to account for both types of data sources whether they are of a correc-
tive or preventive nature.
Regardless of the nature of the data source, if there is a decision to escalate the information to
further evaluation and investigation, the steps of investigation, identification of root causes and
actions needed, verification, implementation, and effectiveness checks will be similar.
This guidance document will describe measurement, analysis and improvement as complete and
integrated processes.
1.0 Scope
This document provides guidance for establishing adequate processes for measurement, analysis
and improvement within the QMS as related to correction and/or corrective action for noncon-
formities or preventive action for potential nonconformities of systems, processes or products.
2.0 Definitions
The references to clauses in this section refer to ISO 9000:2005.
2.1 Correction
Action to eliminate the cause of a detected nonconformity (3.6.2) or other undesirable situ-
ation
Note 1 There can be more than one cause for nonconformity
Note 2 Corrective action is taken to prevent recurrence whereas preventive ac-
tion (3.6.4) is taken to prevent occurrence
Note 3 There is a distinction between correction (3.6.6) and corrective action
The processes within a Quality Management System that provide quality information that
could be used to identify nonconformities, or potential nonconformities
2.4 Concession
Permission to use or release a product that does not conform to specified requirements
(3.6.11).
Action to eliminate the cause of a potential nonconformity (3.6.2) or other undesirable sit-
uation
Note 1 There can be more than one cause for nonconformity
Note 2 Preventive action is taken to prevent occurrence whereas corrective ac-
tion (3.6.5) is taken to prevent recurrence
2.6 Nonconformity
2.7 Verification
2.8 Validation
Confirmation through provision of objective evidence (3.8.1) that the requirements for a
specific intended use or application have been fulfilled
Note 1 The term “validated” is used to designate the corresponding status.
Note 2 The use conditions for validation can be real or simulated.
3.0 Overview
The manufacturer is responsible for the implementation and maintenance of a QMS which en-
ables their organization to provide safe and effective medical devices meeting customer and
regulatory requirements.
When a nonconformity is identified, the manufacturer will determine the significance, the asso-
ciated risk and the potential for recurrence.
Once these have been determined the manufacturer may decide the nonconformity has little as-
sociated risk or is unlikely to recur. In such cases the manufacturer may decide only to carry out
a correction.
Should the nonconformity recur within the QMS, during manufacture or after the medical device
has been delivered to a customer, it is an indication that improvement action(s) may be needed.
In either case the QMS requires that a corrective action should be carried out with the aim to
prevent recurrence. The corrective action may be as simple as retraining, or as complex as redes-
igning the manufacturing process.
The manufacturer may encounter situations that have not actually caused a nonconformity, but
may do so in the future. Such situations may call for preventive action. For example, production
or acceptance testing trend data indicates that control limits are being approached and revision of
product or production (process, equipment or facilities) requirements may be necessary. These
revisions could constitute a preventive action. Preventive action would not include planned
process adjustments intended to return process performance to nominal values from the edges of
the process control range.
Actions taken to eliminate observed nonconformities within the scope of a single QMS (regard-
less of whether the actions are taken at more than one site or facility operating within that QMS)
would be considered corrective actions. However, similar actions applied within another QMS
(regardless of whether it is the same site, facility, or organization) that has not yet experienced
these nonconformities, would be considered preventive actions.
Figure 1 illustrates typical Phases to be considered when planning, implementing and maintain-
ing effective processes for measurement, analysis, improvement and providing input to manage-
ment. See Annex A for a list of possible activities corresponding to the phases in Figure 1.
As a check on the effectiveness of the processes defined, management should regularly review
the outputs of processes and make adjustments as needed.
The involvement of management at appropriate levels (e.g. review, approval) in actions taken in
response to nonconformities or potential nonconformities should be established. Management
should ensure that measurement criteria are defined for identified data sources and communi-
cated across the organization.
In the process of planning measurement and analysis, a manufacturer needs to take into account
data sources, the measurement of the data elements within each data source, the frequency of
monitoring, and the analysis to be performed within a data source, or across data sources.
The measurement of data elements should be done in a way that ensures the manufacturer is ef-
fective in managing the operations and maintain an effective QMS. Each of the data elements
should be planned and established with specific requirements for measurement that are moni-
tored routinely.
The scope of the QMS and the scope of the measurement, analysis and improvement processes
will provide the boundaries as to whether the data source is reactive/corrective or proac-
tive/preventive.
For each data element individual criteria should be defined; however, criteria may be defined for
a combination of data elements. Criteria should be quantitative whenever possible in order to
maximize consistency and reproducibility for subsequent analysis. If the criteria and data are qu-
alitative, subjectivity should be eliminated or minimized.
Acceptance criteria should be based on system, product and process specifications or require-
ments which are typically identified during design and development activities. This includes the
design of the Quality Management System, development and maintenance of assembly proc-
esses, delivery processes, servicing and installation processes.
Escalation criteria used for the purpose of initiating the improvement process (see 6.0) may often
be called action levels, trigger points, thresholds, etc. These escalation criteria should be proce-
duralized and would likely include certain generic action levels as well as specific action levels
resulting from risk management activities. In particular, criteria should be established for imme-
diate escalation. For example, an incident alleging a death or serious injury should be escalated
to the improvement phase (see 6.0) for immediate action.
For new technology and existing technologies with new intended uses/applications, initial escala-
tion criteria may be difficult to define for the monitoring process. Therefore a manufacturer
should plan for resources to analyze information in order to confirm initial assumptions and es-
tablish or revise escalation criteria.
Planning should provide for confirmation that the defined limits, acceptance criteria, escalation
criteria and mechanisms for reporting of nonconformities or potential nonconformities for the
original data sources and data elements are still appropriate. Where new data sources need to be
established, confirm that they have been identified and their criteria defined.
Examples of data sources can be, but are not restricted to:
Regulatory Requirements
Management Review
Supplier (performance/controls)
Complaint Handling
Adverse Event Reporting
Process Controls
Finished Product
Quality Audits (internal/external)
Product Recall
Spare Parts Usage
Service Reports
Returned Product
Market/Customer Surveys
Scientific Literature
Media Sources
Product Realization (design, purchasing, production and service and customer informa-
tion)
Risk Management
When an issue is identified in one of the data sources, it is also important that the manufacturer
identify and review related information from other data sources across the organization. Fur-
thermore a review of information from external data sources should also be considered. The ag-
gregation of information from more than the original data source may lead to more comprehen-
sive knowledge. With this knowledge base a manufacturer will be positioned to better determine
appropriate action.
5.0 Phase II: Measurement and Analysis within and across Data Sources
Once data sources, data elements and acceptance criteria have been specified, as part of the plan-
ning process, the manufacturer is required to perform measurement, monitoring and analysis
processes to determine conformity or nonconformity.
For example, a customer survey conducted by the marketing department, indicated that there was
a general dissatisfaction with the packaging of product X. When investigated further (within and
across other data sources) and reviewed with other data from complaints, returned product and
service reports, it became evident that there was a potential for misuse, unsafe use, or damage to
the device as a result of the current packaging design. As the result of this analysis, escalation to
Phase III (see 6.0) for preventive action may be appropriate.
5.1 Measure
For the purpose of this guidance, measurement is a set of operations to determine a value of a
data element (i.e. quantity, quality).
Data collected from the measurement of product, process and QMS are acquired throughout the
life-cycle of the product. The manufacturer should define for example frequency of the meas-
urement, precision and accuracy of the data. The manufacturer should also ensure that the data
collected is current and relevant.
Measurement data should be retained as a quality record. The manufacturer should maintain the
data in a form that is retrievable, suitable for analysis and meets both QMS and regulatory re-
quirements.
Monitoring is the systematic and regular collection of a measurement. The manufacturer should
define during the planning phase what, when and how data should be monitored. The data should
be defined such that it can be analyzed for further action. The monitoring of data may be con-
tinuous or periodic, depending on the type of data source and elements. The monitoring proc-
esses should be periodically reviewed for their continued suitability.
5.2 Analyze
For the purpose of this guidance, analysis is a systematic review and evaluation of data from
measurements to derive a conclusion.
The manufacturer should have documented procedures for the analysis of data against the estab-
lished criteria (see 4.1). Analysis is performed to identify nonconformity or potential noncon-
formity or identify areas where further investigation should be initiated. In addition analysis is
used to demonstrate the suitability and effectiveness of product, process and QMS. Analysis can
be performed utilizing analytical tools, a team of experts, process owners or independent review-
ers. The results of the analysis should be documented.
After it is determined what will be measured, statistical techniques should be identified to help
understand variability and thereby help the manufacturer to maintain or improve effectiveness
and efficiency. These techniques also facilitate better use of available data to assist in decision
making. Statistical techniques assist in identifying, measuring, analyzing, interpreting and mod-
eling variability.
For the analysis of nonconformity, appropriate statistical and non-statistical techniques can be
applied. Examples for statistical techniques are:
Statistical Process Control (SPC) charts
Pareto analysis
Data trending
Linear and non-linear regression analysis
Experimental design (DOE – Design of Experiments) and analysis of variance
Graphical methods (histograms, scatter plots, etc.)
Analysis will likely occur at several different points (time and/or organizational level). For ex-
ample, a certain amount of analysis and possible failure investigation (where there is evidence of
a nonconformity) will occur for each data source.
In addition to the analysis within the data sources there should also be a level of analysis across
data sources to determine the extent and significance of nonconformity or potential nonconform-
ity. The linkage of data from different data sources will be referred to as “horizontal analysis”.
The horizontal analysis may:
determine that the action proposed from the data source analysis is appropriate without
further progress into Phase III (see 6.0); or,
provide additional information warranting progress into Phase III (see 6.0), regardless of
whether the data source analysis escalated the nonconformity or potential nonconformity.
The outcome of measurement and analysis leads to different scenarios as shown in Figure 2.
The following tables provide more details to support the use of Figure 2. Each scenario is de-
scribed with an example showing the different outcome of measurement and analysis.
Scenario C Correction and escalation to further investigation under the improvement phase.
The decision is made to perform an initial correction. However, there is a need for escalation to
Phase III (see 6.0) to further investigate as a result of the analysis performed in order to determine
the appropriate corrective action.
Example
Nonconformity The supplier name and number was not included in the research report.
Key Results of Analysis indicates that the procedure may not be adequate and it is not well
Measurement know to the users of the research procedure. The issue has been identified in
and Analysis multiple reports.
In some cases, traceability to the supplier could be established via other
means, and in other cases it could not.
Conclusion Take an initial correction to update the research report with the supplier
name and number (in the cases where the supplier could be identified).
Escalate to Phase III for corrective action.
Documented procedures should clearly delineate and define when escalation to Phase III is re-
quired.
Typically manufacturers have organizational groups or processes surrounding some of their main
data sources (e.g. complaint handling, handling of nonconformities, material review boards,
change management process). Within these groups or processes certain activities described in
Figure 2 can be implemented without escalation.
There may be predefined events that due to the significance of the risk will be escalated to Phase
III without any delay that can not be justified. In the event a potential nonconformity is identi-
fied, it may be escalated into Phase III (see 6.0) for consideration of actions to prevent the occur-
rence of the potential nonconformity.
When no correction or only corrections within these groups or processes are taken, there needs to
be data source monitoring and analysis (e.g. trending) to determine if escalation to Phase III may
be necessary from accumulated information. Whenever an issue is escalated to Phase III, any in-
formation gained within the defined activities of these groups or processes should be an input to
the Phase III activities such as Investigation (see 6.1) or Identified Actions (see 6.3).
The improvement activities are dependant on the specific nonconformity or potential noncon-
formity. Any previous data from Phase II should be utilized as input to the Phase III process.
The improvement phase and the activities described in Figure 3 needs to be documented. Im-
provement generally involves the following activities that the manufacturer would take sequen-
tially or sometimes simultaneously:
A thorough investigation of the reported nonconformity
An in-depth root cause analysis
Identification of appropriate actions
Verification of identified actions
Implementation of actions
Effectiveness check of implemented actions
6.6 Determine
6.3 Identify Actions
Effectiveness of Improvement
Implemented Actions
6.4 Verification of
6.5 Implement Actions identified Actions
6.1 Investigate
The purpose of investigation is to determine the root cause of existing or potential non –
conformities, whenever possible, and to provide recommendations of solutions. The magni-
tude/scope of the investigation should be commensurate with the determined risk of the noncon-
formity.
Good practice shows that a documented plan should be in place prior to conducting the investi-
gation (see Annex D for examples). The plan should include:
Description of the nonconformity expressed as a problem statement
Scope of the investigation
Investigation team and their responsibilities
Description of activities to be performed
Resources
Methods and tools
Timeframe
November 4, 2010 Page 14 of 26
Guidance on corrective action and preventive action and related QMS processes GHTF/SG3/N18:2010
From the information obtained throughout the process the problem statement should be reviewed
and refined as appropriate.
The investigation should include the collection of data to facilitate analysis and should build
upon any analysis, evaluation and investigation that were previously performed (see 5.0). This
will require the investigator to identify, define and further document the observed effects/non-
conformity, or already determined causes, to ensure that the investigator understands the context
and extent of the investigation. It may be necessary to:
Review and clarify the information provided
Review any additional information available from an horizontal analysis
Consider whether this is a systemic issue/non-systemic issue
Gather additional evidence, if required
Interview process owners/operators or other parties involved
Review documents
Inspect facilities, or the environment of the event
Previous investigations should be reviewed in order to determine if the event is a new problem or
the recurrence of a previous problem where, for example, an ineffective solution was imple-
mented. The following questions will assist in making the determination:
Is the nonconformity from a single data source?
Does the current nonconformity correlate with nonconformities from other data sources?
Are multiple data sources identifying the same nonconformity?
Do other nonconformities have an effect on the problem investigated here?
Many of the tools used in investigations rely upon a cause and effect relationship between an
event and a symptom of that event. To ensure that causes are identified, not symptoms, the fol-
lowing should be considered:
There must be a clear description of a cause and its effect. The link between the cause
and the undesirable outcome needs to be described.
Each description of a cause must also describe the combined conditions that contribute to
the undesired effect
A failure to act is only considered a cause if there was a pre-existing requirement to act. The re-
quirement to act may arise from a procedure, or may also arise from regulations, standards or
guidelines for practice, or other reasonably expected actions.
For further details on aspects to be considered when doing the root cause analysis see Annex C.
The output of the root cause analysis should be a clear statement of the most fundamental
cause(s) resulting in the nonconformity (see Annex D for examples).
Correction
It may be necessary to take initial corrections (e.g. containment, stop of shipment/supply,
issuance of advisory notice) in order to address an immediate risk or safety issue. This
may be necessary before investigation has been completed and root cause has been de-
termined. However, after investigation and root cause determination, additional and/or
possibly different corrections may become necessary.
Corrective action
Corrective action should address systemic problems. For example, changing the proce-
dure and training of personnel to the revised procedure may not, by itself, be appropriate
or sufficient to address the systemic cause(s).
Preventive action
By its very nature preventive action can not follow a nonconformity.
As a result of this step, a list of action items should be documented. These may include:
A detailed description of the implementation
Review regulatory requirements (e.g. submissions, licensing, certifications)
Roles and responsibilities for execution of action items
Identification of the necessary resources (e.g. IT, infrastructure, work environment)
Verification and/or validation protocols of the action(s) with acceptance criteria
Implementation schedule, including timelines
Method or data for the determination of effectiveness with acceptance criteria
Identify the starting point of monitoring, and end point of correction and/or corrective ac-
tion or preventive action as described above
Verification activities are to ensure that all the elements of the proposed action (documentation,
training etc) will satisfy the requirements of the proposed action. These activities should be per-
formed by persons who are knowledgeable in the design or use of the product or process that is
the subject of corrective or preventive action. Verification of a preventive action can be accom-
plished by introducing the conditions that would induce a nonconformity and confirming that the
nonconformity does not occur.
Validation activities generate data and information that confirm the likelihood of the effective-
ness of the corrective action to eliminate the nonconformity or proposed nonconformity.
The manufacturer should gather data over a period of time related to the effectiveness of the im-
plemented action (see Annex D for examples).
Management should ensure and be involved in a review and confirmation that actions taken were
effective and did not introduce new issues or concerns. The following questions should be con-
sidered at appropriate times throughout the process and be revisited in the final review:
Has the problem been comprehensively identified?
Has the extent of the problem been identified (e.g. range of affected devices, patient out-
come, process, production lines, operator)?
Have the root cause/contributing factors of the problem been identified and addressed?
Has the improvement action(s) been defined, planned, documented, verified and imple-
mented?
If the manufacturer finds the actions are not effective, the manufacturer should re-initiate Phase
III activities (see 6.0). If the manufacturer finds the actions create a new issue or a new noncon-
formity then the manufacturer needs to initiate Phase II (see 5.0) activities.
The Management Review is the overall mechanism for management to ensure that the Quality
Management System as a whole is effective.
The manufacturer needs to define what meaningful data is to be reported for a management re-
view. Data should be specific to the quality objectives of the manufacturer and be reported regu-
larly. Merely providing the number of improvement actions or the number of how many im-
provement actions are opened or closed to the management review process are not sufficient in
assessing the effectiveness of the processes.
Included in this review would be an assessment of any opportunities for improvement of the de-
vice, manufacturing process, QMS or the organization itself.
An outcome of the review could be the allocation of funding or personnel to a particular area,
project or device that the review has identified as not meeting customer and regulatory safety and
effectiveness expectations.
The following is an outline/aid memoir of the main points described in this document. It is not
intended as a “box ticking” exercise and should not be used as such, but used purely to summa-
rize and align the steps in the process described in this document. The activity numbers do not
imply sequential steps – some steps may take place in parallel.
Phase Activities
Planning 1. Identify all data sources (internal/external) by product type (4.1)
2. Identify resources required and individual personnel responsibilities for
measuring each data source (4.1)
3. Define the requirements for each data source and the data elements
within each data source that will be measured and analysed (4.1)
4. Define requirements for escalation to the improvement phase (4.1)
5. Define requirements for monitoring the measurements in the data
sources (5.1)
6. Establish data sources (4.2)
Measurement and Analysis 7. Measure and analyse all data sources for nonconformities and potential
within and across Data Sources nonconformities (5.0, 5.1 and 5.2)
8. Have reports of nonconformity or potential nonconformity come from
more than one data source?
9. Is the nonconformity or potential nonconformity systemic?
*Steps 20 to 22 are not described in this document but are added as reminders of general management responsibilities
in this area of the QMS.
Materials
Defective raw material (does material meet specification?)
Batch related problem
Design problem (wrong material for product, wrong specifications)
Supplier problem (lack of control at supplier, alternative supplier)
Lack of raw material.
Machine / Equipment
Incorrect tool selection – suitability
Inadequate maintenance or design – calibration?
Equipment used as intended by the manufacturer?
Defective equipment or tool
End of life?
Human error – inadequate training?
Environment
Orderly workplace
Properly controlled – temperature, humidity, pressure, cleanliness
Job design/layout of work
Management
Inadequate management involvement
Stress demands
Human factors
Hazards not properly guarded
Were management informed / did they take action?
Methods
Procedures not adequately defined
Practice does not follow prescribed methodology
Poor communications
Management system
Training or education lacking
Poor employee involvement
Poor recognition of hazard
Previous hazards not eliminated
Correction General Examples The supplier was notified of the issue on [date].
Containment, The supplier conducted an operator awareness training of
Stop of shipment/ supply the incident on [date].
Issuance of advisory notice
Incident awareness / training Initial extent of the issue is restricted to supplier lot #678.
Change or suspend production All unused components and product built with components
process from this lot were controlled on [date]. No product built
with this lot had been distributed.
Investigate • Clearly defined problem statement See initial problem statement. Subsequent investigation
(update/refine if new information confirmed that the issue was limited to lot #678. All addi-
is determined) tional available lots of this component were inspected with
What information was gathered, a 95/95 inspection plan and no additional lots were con-
reviewed and/or evaluated firmed to have the issue.
Results of the reviews/evaluations The incoming inspection process and component FMEA
of the information were reviewed and determined to be adequate and accu-
Identification of cause(s) or con- rate, respectively.
tributing factors
Review of finished product reject data over the past year
revealed no other rejects for surface finish of this compo-
nent.
Identify The output of the root cause analy- It has been concluded that the root cause of the tubing sur-
Root Cause sis should be a clear statement of face finish issue is inadequate line clearance procedures
the most fundamental cause(s) re- established at the supplier.
sulting in the nonconformity
Verification Verification activities are to ensure General examples are included below. Actual documenta-
of actions that all the elements of the pro- tion would need to be more specific.
posed action (documentation, Review and approval of the procedural changes prior
training etc) will satisfy the re- to use
quirements of the proposed action Conduct a pilot of new procedure on a specific pro-
ject/department/time frame prior to full scale imple-
Validation activities generate data mentation
and information that confirm the Verification that the updated supplier procedure ad-
likelihood of the effectiveness of dresses the process that caused the nonconformity
the corrective action to eliminate Verification that the training materials address the
the nonconformity or proposed specific process that caused the nonconformity
nonconformity. Comparing a new design specification with a similar
proven design specification
Performing calculations using an alternative method
Perform validation of equipment, software, production
processes, test method, component, etc.
Specific example:
Review and approval of supplier procedure XXX by the
supplier and the customer to ensure adequacy of the up-
dated line clearance process.
Winterhufen 1.0