FDA Compliance Depends On Data Integrity

By Janice Abel


Excellent quality data has always been important to the US Food and Drug Administration (FDA), because data integrity issues FDA compliancecould lead to serious CGMP (current good manufacturing practices) violations.   FDA compliance depends on data integrity.  Dealing with poor data slows down FDA inspections and costs the agency, and ultimately the business, money.  Unfortunately, data integrity issues are not uncommon and enforcement in this area is increasing.

Data integrity is a critical focus area for FDA because without basic data integrity controls, the agency cannot rely on        that company’s data or records to determine compliance, quality, or safety risks to consumers and patients.   Data integrity is the cornerstone of FDA compliance, since data and documentation provide the only reliable information to determine a company’s actions and intent.  FDA trains investigators to detect signs of data problems and is looking more closely at facilities for signs of altered and doctored records.

In April 2016, FDA issued a draft guidance, Data Integrity and Compliance with CGMP Guidance for Industry, to clarify the role of data integrity in CGMPs for drugs.  The guidance covers the agency’s current thinking on creating and handling data in accordance with CGMP requirements.  This was necessary because, in recent years, FDA has increasingly observed CGMP violations involving data integrity during CGMP inspections.  The agency finds this troubling because ensuring data integrity is an important component of industry’s responsibility to ensure the safety, efficacy, and quality of drugs, as well as FDA’s ability to protect public health.  These data integrity-related CGMP violations have led to numerous regulatory actions, including warning letters, import alerts, and consent decrees.  ARC believes that it is in everyone’s best interest for pharmaceutical companies to implement effective strategies to manage their data integrity.


The guidance defines the key terminology.  In addition to the following terms and items, the guidance includes definitions for audit trail, static and dynamic data and backup data.

FDA complianceMetadata

FDA defines “metadata” as the contextual understanding of data.  Any information required to data value by itself is meaningless without additional information about the data.  Metadata is often described as data about data.  It is structured information that describes, explains, or otherwise makes it easier to retrieve, use, or manage data.  For example, a temperature is meaningless as just a number, such as “75.”  When you add the context such as 75 degrees Fahrenheit it becomes meaningful.  A time stamp can add even more context to this data.  Metadata could also include data/time stamp for when the data was acquired, the user ID of the person conducting the test or analysis that generated the data, instrument ID used to acquire data, and audit trails.


FDA has adopted the ANSI definition of “systems,” as “people, machines and methods organized to accomplish a set of specific functions.”  Computer or related systems can refer to computer hardware, software, peripheral devices, networks, cloud infrastructure, operators, and associated documents such as user manuals and standard operating procedures (SOPs).   Note that FDA mentions cloud as being part of the system definitions.  This would appear to give pharmaceutical companies a green light for using the Cloud for data.

Workflows and MES

FDA clarified “workflow” in the guidance.   Workflow includes the creation of an electronic master production and control record that must be checked through the validation process.  According to FDA, without validation for the intended use, it is not possible to know whether the workflow runs correctly.  For example, qualifying the manufacturing execution system (MES) platform (a computer system), ensures that it meets specifications; however, it does not demonstrate that the master production and control record generated by the MES contains the correct calculations.  The MES must be validated to ensure that the intended steps, specifications, and calculations in the record are correct.

Secure Computer Systems Access

The guidance also emphasizes the need and requirements for “secure computation system access.”  Controls must be in place to restrict the ability to alter specifications, process parameters, or manufacturing or testing methods.  Other computer changes must be restricted, possibly by limiting permissions to change settings or data.    FDA recommends that an administrator role be assigned to a person independent from those responsible for the record contact for all types of computer systems: laboratory, process, MES, etc.  For situations where this is not possible, FDA suggests having two different people – one for inputting content and another for reviewing content.

No Shared Login Accounts

The FDA guidance states that only authorized personnel could make changes to computerized records, laboratory data, etc., and that the actions are attributable to the specific individual.  This is not possible with shared login accounts.

CGMP Records

Pharmaceutical and biotech companies must retain complete and accurate production and laboratory information that can be made available to FDA.   When generated to satisfy a CGMP requirement, all data becomes a CGMP record. Data must be documented or saved at the time of performance to create a record that complies with CGMP.  Data should not be stored in temporary memory in a manner that allows for manipulation before creating the permanent record.  Electronic data automatically saved in a temporary manner does not meet CGMP documentation or retention requirements.

A combination of technical and procedural controls can be employed to meet CGMP documentation practices for electronic systems.   For example, a system could be designed to record data immediately when generated. 

Laboratory Data

Analytical methods such as laboratory chromatography analyses’ data should not be reprocessed.  If reprocessing is required, written procedures must be established and followed and each result retained.  FDA requires complete laboratory records including raw data, graphs, charts, and spectra from laboratory instruments.

Falsification of Records

Suspected or known falsification or alteration of records must be investigated to determine the effect of the event on patient safety, product quality, and data reliability.  The root cause must be documented and corrective actions taken.

Training on Data Integrity for FDA compliance

FDA compliancePersonnel must be trained to detect data integrity issues.  All records required under CGMP are subject to FDA inspection.  This includes review, and copying of records and electronic data. 

If a company has data integrity problems identified during inspections or warning letters, FDA encourages the company to hire a third-party to help with the problem and implement corrective actions, while removing all individuals responsible for problems.  This is similar to the expectations for the Application Integrity Policy.

FDA Violations and Data Integrity Warnings

In recent years, FDA has observed CGMP violations involving data integrity from companies all over the world.  Ensuring data integrity is an important component of ensuring the safety, efficacy and quality of drugs and of the FDA’s ability to protect public health.  Some of the data integrity issues have included falsification of data and test results.  Other data violations include the failure to record activities, back-dating, copying existing data as new information, re-running samples to obtain better results, and fabricating new data or discarding of data.  FDA warning letters have been issued to many of these companies.   Many of these companies have experienced import bans from drugs being imported into the US which does impact the bottom line.    Although not stated in this particular guidance, using a contract manufacturer does not reduce the drug manufacturers’ responsibility for data accuracy and reliability either. The licensed manufacturer remains responsible for products meeting quality standards. 

Data Integrity Warnings

A few examples of FDA data integrity warnings in the past include:

Sun Pharmaceutical Industries Limited of Mumbai, India received a warning letter in May 2014, stating that the investigators observed the “failure to ensure that laboratory records included complete data derived from all tests necessary to ensure compliance with established specifications and standards.”  After giving several examples, the letter went on to state, “…the above examples suggest a general lack of reliability and accuracy of data generated by your firm's laboratory, which is a serious CGMP deficiency that raises concerns about the integrity of all data generated by your firm.”

In addition, the letter identified the, “Appropriate record retention policies should also be in place. Our inspection revealed that your firm destroyed CGMP records directly related to the testing and manufacturing of your products. Your firm should reevaluate your record retention policy for all of your CGMP records.”

Another warning letter, issued July 2013, stated that the investigators, “observed and documented practices during the inspection that kept some samples, data and results outside of the local systems for assessing quality. This raises serious concerns regarding the integrity and reliability of the data generated at your Kalyani plant.

In a July 2014 warning letter, FDA cited Italian API producer Trifarma S.p.A. for deleting key test data and failing to establish a system to identify how and when changes are made in manufacturing records. For the Aarti Drug limited facility, an FDA warning letter pointed out that there was a “failure to record all quality activates at the time they are performed.”  The letter noted that the investigator observed at least two examples when a manufacturing step was recorded in the batch record before it occurred.  QC completion times were also recorded before they were completed at the same facility and there were other data issues as well. A company’s quality systems must demonstrate that the company adequately investigates and resolves quality failures.

At a facility in Canada, Apotex, observations included, “Failure to maintain complete data derived from all laboratory tests conducted to ensure compliance with established specifications and standards.”  The CGMP violations focused on quality system violations, including the deletion and alteration of data.  The investigator also pointed out in the warning letter that, “your quality system does not adequately ensure the accuracy and integrity of the data generated at your facility to ensure the safety, effectiveness, and quality of the drug products you manufacture.”  The letter further stated that “the firm needed to produce a comprehensive evaluation of the inaccuracy and reported data.”

While some of the warning letters cited have been addressed by the companies involved, most of the data integrity issues could have been avoided with either an automated system such as a LIMS, MES, DCS, or PLC that help enforce workflow and reduce human errors.  A combination of automated systems, processes, and procedural enforcement seems to work best.

Other global regulations and agencies also have provisions for data integrity.  These include the European Council, ICH, and MHRA.


Data integrity has become a focus of FDA inspections.  Any evidence of misrepresented data or problems with CGMP records found during an inspection can lead to further investigation for which FDA would focus on the greatest sources of risk to patients.  Inaccurate data and data falsification threatens FDA’s efforts to streamline regulatory processes.  Companies with perfect quality systems will benefit from less interference from FDA.  Data integrity issues have real consequences.  ARC believes that some of these risks can be reduced or even eliminated by using automated systems in conjunction with and adequate procedures, standards and enforcement policies.

Companies with data integrity issues should address these with a comprehensive and aggressive program to resolve issues. These multi-faceted programs may need to include cultural changes, administering procedural controls, and adding new automation systems for automated records and quality records.  Programs should include personnel procedure changes, system controls, procedural controls, and more.  


Keywords: Data Integrity, FDA Compliance, CGMP violations, ARC Advisory Group.

 Contact Us

Engage with ARC Advisory Group