The U.S. Food and Drug Administration (FDA) recently published draft guidance on "Data Integrity and Compliance with CGMP (Current Good Manufacturing Practice, or simply GMP)" as related to 21 CFR parts 210, 211, and 212. [1] There are a few reasons why this Guidance, although it's only in draft, may be helpful for those working in the industries regulated by the FDA, whether you are in manufacturing or not. Guidance documents don't contain regulations themselves, but they are useful nevertheless to understand the mindset and perspectives of the regulators; they provide a glimpse of what's expected of the regulations and inspections. The fact that this Guidance was published in response to a recent string of violations, mostly outside the U.S. (FDA regulates foreign entities that export to the U.S. market), calls for even more attention; you know what the FDA inspectors might be looking for the next time they come to visit your facility. This Guidance also contains, in question-and-answer format, very specific definitions and examples of common terms, like "what is an audit trail?" These definitions confirm what we already know or provide additional details on what inspectors may ask for. The fact that these common terms are being defined in this document may indicate that they are not being used consistently or to the expectations of inspectors.
Computer systems used in Life Sciences industries are typically categorized by the risk levels posed by their "intended use." The GMP systems used for drug manufacturing tend to have high risk levels because they are close to patient safety. What if impurities get into drugs? What if wrong active ingredients are used? What if too much or too little of an active ingredient is injected? The consequences are potentially fatal. Having said that, I'm not aware of any cases of ServiceNow being used directly for drug manufacturing — if you're aware of any such cases, I'd like to know (orchestration for active pharmaceutical ingredients control system, anyone?). ServiceNow is often used for IT Change Management. If it covers GMP systems used for drug manufacturing, then, by extension, it'll be held to the same expectations. What if a change introduced to a manufacturing system resulted in a wrong ingredient being used? This will set off a series of investigations and the investigators will ask for the change records; many of the data integrity and compliance recommendations from this Guidance would apply to these records in the same way.
Since some sections in the Guidance are very specific to manufacturing, I'd like to pick out those that are more relevant to the ServiceNow Community and to GxP (Good "x" Practice, where "x" stands for Manufacturing, Clinical, Laboratory, etc.) systems in general.
Section III(1)(a) defines "data integrity" as "the completeness, consistency, and accuracy of data. Complete, consistent, and accurate data should be attributable, legible, contemporaneously recorded, original or a true copy, and accurate (ALCOA)." In other words, it should be clear where the data came from, whether another system or a person, and the data should be recorded at the time of performance. Data should not be altered and any changes should be documented.
Section III(1)(b) defines "metadata" as "the contextual information required to understand data." It adds "Metadata is often described as data about data," which is a commonly used definition of metadata. It further adds "Metadata is structured information that describes, explains, or otherwise makes it easier to retrieve, use, or manage data. For example, the number '23' is meaningless without metadata, such as an indication of the unit 'mg'." What could metadata include? It says "metadata for a particular piece of data could include a date/time stamp for when the data were acquired, a user ID of the person who … acquire the data, audit trails, etc." How should metadata be maintained? It says "Data should be maintained throughout the record's retention period with all associated metadata required to reconstruct the CGMP activity … The relationships between data and their metadata should be preserved in a secure and traceable manner." Take "time zone", for example. When timestamps or dates are stored, how would one know which time zone they're in? If date/time is stored as the seconds or milliseconds since the epoch, is it clear in the data output? Metadata, stored in a dictionary, label, or field description, should help interpret the data and inspectors would expect to see this.
Section III(1)(c) defines "audit trail" as "a secure, computer-generated, time-stamped electronic record that allows for reconstruction of the course of events relating to the creation, modification, or deletion of an electronic record. An audit trail is a chronology of the "who, what, when, and why" of a record." "Electronic audit trails include those that track creation, modification, or deletion of data (such as processing parameters and results) and those that track actions at the record or system level (such as attempts to access the system or rename or delete a file)." This would include audit trails for a record (a change record, for example) as well as system logs. Audit trails for any related lists should be part of this, especially if they are used for GxP decision making (for example, impacted CIs for a change record). Since time is limited during an inspection, it's a good idea to have a way to quickly produce readable and complete audit-trail reports, in case they are asked for.
Section III(1)(e) defines "backup" as "a true copy of the original data that is maintained securely throughout the records retention period. The backup file should contain the data (which includes associated metadata) and should be in the original format or in a format compatible with the original format." "This should not be confused with backup copies that may be created during normal computer use and temporarily maintained for disaster recovery (e.g., in case of a computer crash or other interruption). Such temporary backup copies would not satisfy the requirement … to maintain a backup file of data." I think the key terms here are "a true copy of the original data"; inspectors expect to see the "original" data, in case data have been altered since the time they were created. Since this Guidance was written, in part, to address data falsification, inspectors may ask for the earliest backup during their investigation. Inspectors may also ask for evidence showing the backup is a true copy of the original and can be restored to the original state.
Section III(1)(f) defines "systems" in "computer or related systems" as "computer hardware, software, peripheral devices, networks, cloud infrastructure, operators, and associated documents (e.g., user manuals and standard operating procedures)." What's noteworthy here is "systems" include not only hardware and software, but also people and documents. The list also includes "cloud infrastructure," such as ServiceNow.
Section III(3) asks "Does each workflow on our computer system need to be validated?" and the answer, of course, is "Yes." I'd expect approval workflows for Change Management to be validated and tested for both "happy path" and negative cases (for example, missing approvers don't result in skipping the approval and moving to the next step), especially for GxP scenarios.
Section III(5) asks "Why is FDA concerned with the use of shared login accounts for computer systems?" and states "You must exercise appropriate controls to assure that only authorized personnel make changes to … records, and you must implement documentation controls that ensure actions are attributable to a specific individual." "When login credentials are shared, a unique individual cannot be identified through the login and the system would thus not conform to the CGMP requirements." Sharing of login credentials is not allowed for GxP activities. This is typically enforced by policies as technical restrictions are difficult to implement (biometric authentication is one viable approach). The use of the out-of-the-box "admin" account in ServiceNow should be strictly controlled.
Section III(7) asks "How often should audit trails be reviewed?" and states "FDA recommends that audit trails that capture changes to critical data be reviewed with each record and before final approval of the record." For example, for GxP change records, the audit trails should be reviewed to determine if any of the key data used for approval decisions were altered after the approvals, which might invalidate the approvals. Some customers require certain data to be locked down (made read-only) after approvals, so they can't be changed.
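The post-approval review described above, together with the "who, what, when, and why" definition from Section III(1)(c), can be expressed as a check over audit-trail entries. This is an added example, not code from the Guidance or from ServiceNow; the entry shape, the field names, and the list of key fields are assumptions, and the sample trail is constructed.

```javascript
// Added example. The entry shape and field names below are assumptions made
// for illustration; they are not a ServiceNow schema. Sample data is constructed.
const KEY_FIELDS = new Set(["impacted_cis", "implementation_plan", "risk"]);

// Timestamps carry an explicit UTC marker so "when" is unambiguous.
const sampleTrail = [
  { who: "jdoe", field: "implementation_plan", newValue: "Plan v1", when: "2016-07-01T09:00:00Z", why: "Initial draft" },
  { who: "jdoe", field: "risk", newValue: "Moderate", when: "2016-07-01T09:05:00Z", why: "Initial assessment" },
  { who: "asmith", field: "approval", newValue: "approved", when: "2016-07-02T14:00:00Z", why: "QA approval" },
  { who: "jdoe", field: "impacted_cis", newValue: "MES-01,MES-02", when: "2016-07-03T08:30:00Z", why: "" },
  { who: "blee", field: "approval", newValue: "approved", when: "2016-07-04T10:00:00Z", why: "System owner approval" },
  { who: "jdoe", field: "short_description", newValue: "Patch MES", when: "2016-07-05T11:00:00Z", why: "Typo fix" },
];

// Entries missing any of who / what / when / why cannot support reconstruction.
function incompleteEntries(trail) {
  return trail.filter(e =>
    !e.who || !e.field || !e.why || Number.isNaN(Date.parse(e.when)));
}

// For each approver's latest approval, list key-field changes made after it.
function invalidatedApprovals(trail, keyFields = KEY_FIELDS) {
  const latest = new Map(); // approver -> time of latest approval (ms)
  for (const e of trail) {
    if (e.field !== "approval" || e.newValue !== "approved") continue;
    const t = Date.parse(e.when);
    if (!latest.has(e.who) || t > latest.get(e.who)) latest.set(e.who, t);
  }
  const findings = [];
  for (const [approver, approvedAt] of latest) {
    for (const e of trail) {
      if (keyFields.has(e.field) && Date.parse(e.when) > approvedAt) {
        findings.push({ approver, field: e.field, changedBy: e.who, changedAt: e.when });
      }
    }
  }
  return findings;
}

console.log(invalidatedApprovals(sampleTrail));
console.log(incompleteEntries(sampleTrail));
```

In the sample, the first approval is flagged because a key field changed after it without a recorded reason, while the second approval, given after that change, is not.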
Section III(17) asks "Is the FDA investigator allowed to look at my electronic records?" and the answer, of course, is "Yes. All records required under CGMP are subject to FDA inspection. You must allow authorized inspection, review, and copying of records, which includes copying of electronic data." They may ask for backup copies to determine if any data alterations were made.
The public comment period for this document just closed last week. It's also instructive to read the comments (there are 43) to see the reactions by the industry professionals, whether asking for clarification or raising objections. You can read them at https://www.regulations.gov/document?D=FDA-2016-D-1113-0001.
"Do it for the patient."
Please feel free to connect, follow, post feedback / questions / comments, share, like, bookmark, endorse.
1. Data Integrity and Compliance With CGMP, Guidance for Industry, Draft Guidance, U.S. Food and Drug Administration, April 2016. https://www.regulations.gov/document?D=FDA-2016-D-1113-0002