background image for GxP Lifeline
GxP Lifeline

FDA Guidance Assists With Preventing Data Integrity Violations

6 Data Integrity Questions to follow FDA Guidance for Pharma companies

In September 2021, a pharmaceutical manufacturing company received a warning letter from the U.S. Food and Drug Administration (FDA) for a number of violations, including the following data integrity infractions:1

  • System did not have sufficient controls to prohibit deletion and alteration of data as cited in FDA 21 CFR Part 211.68.
  • Unique user accounts and associated access levels to the application software and operating system (OS) were not assigned only to individual users.
  • Analysts had access to delete and overwrite data.
  • Analysts used individualized non-validated spreadsheets to calculate assay, impurity, content uniformity, and dissolution test results for a variety of drug products.
  • Calculations to critical quality-related parameters of drug products were performed using unqualified spreadsheets.

The FDA has long emphasized the importance of the data integrity aspect of current good manufacturing practices (CGMP) for companies developing regulated products. To help organizations better understand the regulation and reduce the number of violations across the industry, the agency drafted a question-and-answer-based data integrity guidance titled “Data Integrity and Compliance With CGMP.”2

When the guidance was finalized in 2018, then FDA Commissioner Scott Gottlieb expressed his concerns about the issue. “In all cases, we regard any lapse in data integrity as a risk to patient safety. Patients can’t be assured of the safety and effectiveness of their medication when data has been altered,” he said.3

Answering Six Key Data Integrity Questions

In a nutshell, data integrity can be summed up by the acronym ALCOA:4

  • Attributable
  • Legible
  • Contemporaneously recorded
  • Original or a true copy
  • Accurate

However, the FDA’s expectations for data handling extend beyond this benchmark. This means companies need to implement meaningful and effective strategies to manage their data integrity risks. Ultimately, falling out of compliance with data integrity leads to:

  • Companies missing critical timelines for product launches.
  • Delays in development and shortages of much-needed pharmaceutical products.
  • Medical devices being unavailable to the facilities that need them.

The following questions from the agency’s Q&A guidance provides valuable insight into proper data management.

#1 What is metadata?

Metadata is the contextual information required to understand data. It’s essentially data about data. For instance, a value by itself (e.g., 3) is meaningless without additional information about the data (e.g., 3 milligrams). To have relevance, documentation needs to include contextual attributes such as:

  • Title
  • Author
  • Date
  • Time stamp

Outside of providing clarifying information, metadata makes it easier to manage, retrieve, and use data.

#2 What is an audit trail?

An audit trail is a secure, computer-generated, and time-stamped electronic record. It allows for easy reconstruction of the events (who, what, when, and why) relating to the creation, modification, or deletion of a record. For example, the audit trail for a high-performance liquid chromatography (HPLC) run needs to include the staff member’s name, date, time of the run, and the integration parameters used. It also needs to include documentation justifying any changes.

#3 Can electronic copies be used as accurate reproductions of paper or electronic records?

The guidance says that electronic copies can be used as true copies of paper or electronic records. However, it also stipulates that the copies need to preserve the content and meaning of the original data — this includes associated metadata and the static or dynamic nature of the original records.

Manufacturers are allowed to keep paper printouts or static records. However, some electronic records are dynamic in nature. In this case, the printout or static record does not preserve the dynamic nature of the original electronic record. According to the FDA, the record would fail to meet the CGMP requirements.

#4 Does each workflow on the organization’s computer need to be validated?

The short answer is yes. The FDA’s guidance states that workflows, such as batch records and control records are an intended use of a computer system, which needs to be checked through validation. It goes on to say that if you validate your computer system, but do not validate it for its intended use, you cannot know if your workflow is running correctly.

#5 How should access to CGMP computer systems be restricted?

Any changes to computerized master production and control records (MPCRs) or other records as well as the input of laboratory data into computerized records must be completed only by authorized personnel. The FDA recommends that whenever possible, you should use technology to restrict the ability to alter specifications, process parameters, or manufacturing and testing methods (e.g., limiting permissions for specific tasks and types of data).

#6 When does electronic data become a CGMP record?

All data generated to satisfy a CGMP requirement is a CGMP record. The data integrity guidance states that in order to comply with CGMP requirements with manufacturing processes, you must document or save recorded data at the time a task or process is performed. Also, all data that is recorded and maintained cannot be modified or discarded.

Because of the criticality of data integrity, the FDA’s guidance expands beyond the parameters of the standard CGMP requirements. While the guidance is not binding, the agency tends to rely on guidances during inspections and when making enforcement decisions5.

Ensure Data Integrity Compliance With a Digital Quality Management System

The FDA is determined to ensure that consumers have confidence in the quality, safety, and effectiveness of health care products. In pursuing that initiative, the agency will continue to ramp up its enforcement of data integrity compliance guidelines. That said, companies are urged to implement digitized technologies, such as an electronic document management system (EDMS), designed to automatically prevent omission, incorrect entry, unauthorized alteration, etc. of data.

A digital quality management system (QMS) will enable you to ensure the integrity of your data, easily comply with all other regulatory requirements, and remain audit-ready at all times. Advantages of a digital QMS specific to data management include:

  • Preserves the meaning of original records, including the associated metadata.
  • Ability to restore any deleted data.
  • Eliminates the common problem of out-of-sync metadata during a revision process.
  • Automatically tracks all changes, the names of people who made changes, and the reason for the changes.
  • Tracks every signature combination and prevents duplication or reassignment of the user ID and signature combination.

To learn more about a technology-driven approach to not only ensuring data integrity, but turning data management into a business accelerator, download MasterControl’s “Connecting Quality Data to Overcome Pharma’s 3 Toughest Challenges.”

  1. FDA Issues Warning Letter Due to Severe Violations of Data Integrity,” ECA Academy, Oct. 11, 2021.
  2. Data Integrity and Compliance with Drug CGMP: Questions and Answers Guidance for Industry” U.S. Food and Drug Administration (FDA), Dec. 2018
  3. FDA Keeps Spotlight on GMP Data Integrity,” Suzanne Elvidge, Biopharma Dive, Dec. 13, 2018.
  4. ALCOA+ and Data Integrity,” Susan J. Schniepp,
  5. FDA’s Draft Guidance on Data Integrity: The Cupola on Tower of Guidances,” Mark I. Schwartz and Douglas B. Farquhar, FDA Law Blog, Apr. 17, 2016.


David Jensen is a content marketing specialist at MasterControl, where he is responsible for researching and writing content for web pages, white papers, brochures, emails, blog posts, presentation materials and social media. He has over 25 years of experience producing instructional, marketing and public relations content for various technology-related industries and audiences. Jensen writes extensively about cybersecurity, data integrity, cloud computing and medical device manufacturing. He has published articles in various industry publications such as Medical Product Outsourcing (MPO) and Bio Utah. Jensen holds a bachelor’s degree in communications from Weber State University and a master’s degree in professional communication from Westminster College.

Free Resource
Eliminating Data Integrity Errors Through Digitization

Enjoying this blog? Learn More.

Eliminating Data Integrity Errors Through Digitization

Download Now
[ { "key": "fid#1", "value": ["GxP Lifeline Blog"] } ]