Keeping Track of Your Data — What You Need to Know about FDA’s Draft Guidance on Data Integrity for In Vivo Bioavailability and Bioequivalence Studies

Given data integrity issues that have been uncovered in the past, in April 2024, the U.S. Food and Drug Administration (FDA) published a draft guidance to applicants and testing site management on providing recommendations on achieving and maintaining data integrity for the clinical and bioanalytical portions of bioavailability (BA) and bioequivalence (BE) studies submitted in support of investigational new drug applications (INDs), new drug applications (NDAs), and abbreviated new drug applications (ANDAs). The guidance also includes recommendations on the bioanalytical portion of clinical pharmacologic studies supporting the Center for Drug Evaluation and Research (CDER)-regulated biologic license applications (BLAs) as well as amendments and supplements to these applications.

In addition to clinical and bioanalytical portions of BA and BE studies, FDA has increasingly observed current good manufacturing practice (cGMP) violations involving data integrity during facility inspections.

In light of the serious legal and regulatory consequences associated with data integrity issues, it is very important that sponsors and testing sites implement meaningful and effective strategies to manage their data integrity risks based upon their process understanding and knowledge management of technologies and business models controls to protect against and allow the early detection of potential data integrity issues.

Data Integrity Defined

Data integrity is defined by the FDA as “the accuracy, completeness, and reliability of data.” The core data principles of attributable, legible, contemporaneous, original, and accurate (ALCOA) serve as a framework for data management and documentation practices that help ensure the accuracy, reliability, and completeness of data generated in support of drug development, regulatory submissions, and postmarket monitoring.

FDA expects management with executive responsibility, to create a quality culture where personnel understand that data integrity is an organizational core value and personnel are encouraged to identify and promptly report data integrity issues. In the absence of management support of a quality culture, systems can break down and lead to errors and misconduct.

Actions Study Sponsors Can Take to Ensure Data Integrity

• Vendor Qualification: Sponsors should only use qualified testing sites, considering the education, training, and experience of the site’s personnel, as well as whether the site has an adequate quality management system. Sponsors should further be sure to provide testing sites with all the information necessary to perform their duties, and should require that sites agree, through contracts, to comply with all regulatory requirements, protocols, procedures, and processes.
• Monitoring: Sponsors should develop and follow a monitoring plan “to ensure that testing sites are appropriately assessing, controlling, communicating, and reviewing risks….” The sponsor’s monitoring plan should be independent of the testing site’s quality assurance monitoring. Sponsors should consider the entire dataflow, specifically where data is moved or transformed.
• Auditing: Sponsors audit testing sites to confirm compliance with monitoring plans. Audits should assess site compliance with contracted responsibilities, whether sites are performing critical activities in accordance with the protocol and regulatory requirements, whether sites maintain data integrity throughout the data lifecycle, and should ensure that any discrepancies between data and metadata are investigated. Audit findings should be documented in sufficient detail to allow sponsors to verify that monitoring plans are followed and should not influence study outcomes or result in amendments to data. Any audit finding should be communicated to the testing site for documented remediation. In addition, communications between sponsors, test sites, and third parties (e.g., third-party auditors) should be documented “to allow verification of study decisions and input from” sponsors.

Actions Testing Sites Can Take to Ensure Data Integrity

Testing sites should consider implementing the following steps:

• Create a site organizational structure to ensure that BA/BE studies are conducted and analyzed pursuant to regulatory requirements.
• Ensure that personnel are adequately trained and qualified and that sites have adequate resources to meet their responsibilities.
• Ensure that personnel roles and responsibilities are clearly defined, and that there is “appropriate responsibility, authority, and interrelation of all personnel who manage, perform, and assess work affecting data….”
• Establish data integrity policies and objectives that are understood, implemented, and maintained throughout the organization.
• Create and encourage a culture of quality.
• Implement a quality management system.

Establishing a quality culture and implementing a quality management system is of paramount importance. A quality culture can enable a testing site to prevent data integrity concerns from arising or to identify potential risks and detect data integrity issues earlier than if the testing site did not have a quality culture. Sites should implement quality management systems risk-based controls that are appropriate and address the site’s processes and procedures. The quality management system should be reviewed periodically to ensure that it is effective.

Quality management systems should account for the following areas:

• Data governance throughout the data lifecycle: Data governance is the “sum of total arrangements to ensure data integrity” and should address data roles, responsibilities, and accountability during all phases of data collection, generation, recording, modification, processing, maintenance, storage, retrieval, transmission, and disposition.
• Records management: Data should be retained so that it is protected, enduring, retrievable, and readable, including with respect to computer or related systems. All data should be recorded promptly and accurately, with associated metadata.
• Sample analysis: If sample testing is undertaken at a third-party site, specific quality management provisions should be put in place. Methods used for sample analysis should be validated and procedures used during sample processing and analysis should follow written procedures and analytical methods specified for the study. Samples should be analyzed within their stability windows and sample analysis documentation should be contemporaneous with the applicable steps. Finally, audit trails should be maintained and reviewed.
• Data storage and backup: Data should be maintained with associated metadata and paper-based records should be secured to prevent alteration or loss. Electronic data should be stored on a system with limited access and should be backed up according to written procedures.
• Archival and retrieval: Within two weeks of study completion, all data should be archived for at least five years. There should be controls to prevent archived data from being damaged, altered, or deleted, and an individual should be specifically responsible for management of data archives.
• Training: All applicable personnel should be trained on data integrity, including how to prevent and detect issues and reporting of errors or concerns. Training should include individual job functions and tasks, as well as regulatory requirements.
• Access and privileges: Sites should use access controls to ensure that personnel may only access functions that are necessary for their roles and responsibilities. All personnel should have unique logins and should only work under their own credentials. Passwords should be updated at set intervals. A system administrator role should be assigned to someone who is independent of personnel with data responsibilities.
• Audit trails: Audit trails should document all changes to BA/BE data, and should capture when, by whom, and the reasons that changes to the electronic record were made.
• Quality assurance and control: Quality management systems should include both a quality assurance and quality control program. A quality assurance program ensures that processes, controls, equipment, and personnel comply with the applicable requirements to ensure data integrity. Persons with quality assurance responsibilities should be independent of personnel engaged in the management and conduct of BA/BE studies. A quality control program is intended to identify and correct data integrity weaknesses and issues and includes processes for recognizing compromised data. When data integrity weaknesses or issues are identified, corrective and preventative actions (CAPAs) should be established through the quality control program, which should include the conduct of an investigation, establishment of a CAPA, verification/validation of CAPA effectiveness, communication of the CAPA to the necessary people, providing information for management review, and documenting activities.

Important Things to Consider

Companies conducting BA and BE studies must have the controls in place and be diligent to ensure the integrity of the data that is generated and submitted to FDA. These BA and BE studies are becoming more complex, and there is increased price sensitivity and competition for conducting these studies, there is an increased risk of data integrity issues arising and going undetected until FDA inspections identify such concerns. Data integrity issues have resulted in disruptions in conducting studies and disqualification of studies due to lack of confidence in the data. Approvals have been delayed or possibly revoked which has a significant impact on applicants.

Some important considerations for applicants and testing sites in light of the draft guidance include the following:

• Sponsors and testing sites should consider taking steps outlined above to ensure data integrity as FDA works to support and industry adopts innovative drug development approaches and tools, including artificial intelligence, machine learning, and decentralized clinical trials.   
• There are serious potential consequences if data integrity issues are identified by FDA. Data integrity issues can lead to enforcement actions against the applicable sponsors and testing sites. Moreover, there is the potential to be required to repeat studies, the withdrawal of approvals, changes to product bioequivalence ratings, and FDA refusal to approve new marketing applications. Management and executive leaders have the responsibility to create a culture of compliance. 
• Sponsors often rely on outside contractors and third-party laboratories in the development of products. Management and executive leaders have the responsibility to ensure these programs have adequate monitoring and oversight.
• Sponsors and testing sites should take the necessary steps to protect themselves as noted above and ensure that contracts have terms that define the responsibilities of each party with respect to data integrity, regulatory, and other operational aspects of the development and testing program.

Interested parties may submit comments on the draft guidance by June 3, 2024.

Foley is here to help you address the short- and long-term impacts in the wake of regulatory changes. We have the resources to help you navigate these and other important legal considerations related to business operations and industry-specific issues. Please reach out to the authors, your Foley relationship partner, our Health Care & Life Science Sector, or to our Health Care Practice Group with any questions.