FDA Sets Out to Curb Data Integrity Violations With Guidance on Data Handling


The U.S. Food and Drug Administration (FDA) has long emphasized the importance of data integrity in medical device and other regulated product development. To help companies better understand the regulation and reduce the number of violations, the agency drafted a question-and-answer-based guidance, “Data Integrity and Compliance With CGMP.”(1)

Data Integrity Definition

It’s safe to say that the FDA is particular about data management practices. This fact was reiterated by former acting FDA Commissioner Ned Sharpless in response to discovering a data integrity violation involving a high-profile drug manufacturer: “The agency relies on truthful scientific data to make regulatory decisions, and we take the issue of data integrity very seriously.”(2)

The ALCOA acronym establishes a basic formula for data integrity requirements:(3)

  • Attributable
  • Legible
  • Contemporaneously recorded
  • Original or a true copy
  • Accurate

However, the FDA’s expectations for data handling extend beyond this benchmark. This means companies need to implement meaningful and effective strategies to manage their data integrity risks. What it boils down to is that falling out of compliance with data integrity requirements leads to:

  • Companies missing critical timelines for product launches.
  • Delays in the development and shortages of much-needed pharmaceutical products.
  • Medical devices being unavailable to the facilities that need them.

The following questions from the agency’s Q&A guidance provide valuable insight into proper data management.

What is metadata?

Metadata is the contextual information required to understand data. It’s essentially data about data. For instance, a value by itself (e.g., 3) is meaningless without additional information about the data (e.g., 3 mg). To have relevance, documentation needs to include contextual attributes such as:

  • Title
  • Author
  • Date
  • Time stamp

Outside of providing clarifying information, metadata makes it easier to manage, retrieve and use data.

What is an audit trail?

An audit trail is a secure, computer-generated and time-stamped electronic record. It allows for easy reconstruction of the events (who, what, when and why) relating to the creation, modification, or deletion of the record.
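
As an added illustration (not code from the FDA guidance or from the original article), the sketch below shows one way a system can make such a trail tamper-evident: every create, modify or delete event stores who, what, when and why, and each entry is chained to the previous one with SHA-256. The `AuditTrail` class, its field names and the hash-chaining approach are assumptions chosen for this example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # placeholder "previous hash" for the first entry

def _digest(body: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Hypothetical append-only trail; each entry commits to the one before it."""
    ACTIONS = {"create", "modify", "delete"}

    def __init__(self):
        self.entries = []

    def record(self, who, action, record_id, why, old=None, new=None):
        # Every event must be attributable and carry a reason.
        if action not in self.ACTIONS or not who or not why:
            raise ValueError("valid action, who and why are mandatory")
        body = {
            "who": who, "action": action, "record_id": record_id, "why": why,
            "old": old, "new": new,
            # Time stamp is generated by the system, never supplied by the user.
            "when": datetime.now(timezone.utc).isoformat(),
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first altered or out-of-order entry, or None."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None

def demo():
    # Constructed sample events, reusing the article's "3 mg" value.
    trail = AuditTrail()
    trail.record("asmith", "create", "assay-001", "initial entry", new="3 mg")
    trail.record("bjones", "modify", "assay-001", "transcription error", "3 mg", "3.1 mg")
    clean = trail.verify()
    trail.entries[0]["new"] = "5 mg"  # simulate an edit made outside the trail
    return clean, trail.verify()
```

In a real system the entries would live in storage that ordinary users cannot write to; the chain only makes after-the-fact alteration detectable, it does not prevent it.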

Can electronic copies be used as accurate reproductions of paper or electronic records?

The guidance says that electronic copies can be used as true copies of paper or electronic records. It also stipulates that the copies need to preserve the content and meaning of the original data, which includes associated metadata and the static or dynamic nature of the original records.

Manufacturers are allowed to keep paper printouts or static records. However, some electronic records are dynamic in nature. In this case, the printout or static record does not preserve the dynamic nature of the original electronic record. According to the FDA, the record would fail to meet the CGMP requirements.

Does each workflow on the organization’s computer need to be validated?

The short answer is yes. The FDA’s guidance states that workflows, such as batch records and control records, are an intended use of a computer system, which needs to be checked through validation. It goes on to say that if you validate your computer system, but do not validate it for its intended use, you cannot know if your workflow is running correctly.

How should access to CGMP computer systems be restricted?

Any changes to computerized master production and control records (MPCRs) or other records, as well as the input of laboratory data into computerized records, must be completed only by authorized personnel. The FDA recommends that whenever possible, you should use technology to restrict the ability to alter specifications, process parameters or manufacturing and testing methods (e.g., limiting permissions for specific tasks and types of data).

When does electronic data become a CGMP record?

All data generated to satisfy a CGMP requirement is a CGMP record. The data integrity guidance states that in order to comply with CGMP requirements for manufacturing processes, you must document or save recorded data at the time a task or process is performed. Also, all data that is recorded and maintained cannot be modified or discarded.

Because of the criticality of data integrity, the FDA’s guidance expands beyond the parameters of the standard CGMP requirements. While the guidance is not binding, the agency tends to rely on guidances during inspections and when making enforcement decisions.(4)

Ensure Data Integrity Compliance With a Digital Quality Management System

The FDA is determined to ensure that consumers have confidence in the quality, safety and effectiveness of health care products. In pursuing that initiative, the agency will continue to ramp up its enforcement of data integrity compliance guidelines. That said, companies are urged to implement digitized technologies designed to automatically prevent omission, incorrect entry, unauthorized alteration, etc. of data.

A digital quality management system (QMS) will enable you to ensure the integrity of your data, easily comply with all other regulatory requirements and remain audit-ready at all times. Advantages of a digital QMS specific to data management include:

  • Preserves the meaning of original records, including the associated metadata.
  • Ability to restore any deleted data.
  • Eliminates the common problem of out-of-sync metadata during a revision process.
  • Automatically tracks all changes, the names of people who made changes and the reason for the changes.
  • Tracks every signature combination and prevents duplication or reassignment of the user ID and signature combination.

To learn more about a technology-driven approach to not only ensuring data integrity, but turning data management into a business accelerator, download MasterControl’s exclusive “The Ultimate Guide to Connected Quality Data.”


  1. “Data Integrity and Compliance with Drug CGMP: Questions and Answers Guidance for Industry” U.S. Food and Drug Administration (FDA), Dec. 2018 http://www.fda.gov/downloads/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/UCM495891.pdf 
  2. “FDA Threatens Criminal Action Against Novartis Over Faulty Data Used In Application for $2.1 Million Gene Therapy,” Berkeley Lovelace Jr., CNBC, Aug. 6, 2019 https://www.cnbc.com/2019/08/06/fda-novartis-knew-its-application-for-2point1-million-gene-therapy-included-errors.html
  3. “ALCOA+ and Data Integrity,” Susan J. Schniepp, PharmTech.com http://www.pharmtech.com/alcoa-and-data-integrity
  4. “FDA’s Draft Guidance on Data Integrity: The Cupola on a Tower of Guidances,” Mark I. Schwartz and Douglas B. Farquhar, FDA Law Blog, Apr. 17, 2016 http://www.fdalawblog.net/fda_law_blog_hyman_phelps/2016/04/fdas-draft-guidance-on-data-integrity-the-cupola-on-a-tower-of-guidances.html


David Jensen is a content marketing specialist at MasterControl, where he is responsible for researching and writing content for web pages, white papers, brochures, emails, blog posts, presentation materials and social media. He has over 25 years of experience producing instructional, marketing and public relations content for various technology-related industries and audiences. Jensen writes extensively about cybersecurity, data integrity, cloud computing and medical device manufacturing. He has published articles in various industry publications such as Medical Product Outsourcing (MPO) and Bio Utah. Jensen holds a bachelor’s degree in communications from Weber State University and a master’s degree in professional communication from Westminster College.
