16.04.2019 | LOGFILE Feature 14/2019

A commentary by Tim Sandle

The answer is? FDA publishes final data integrity Q&A

The answer is? FDA publishes final data integrity Q&A

7 min. reading time |


Despite much discussion about the subject over the past three years in particular, data integrity issues remain a common feature on 483 letters issued by the U.S. Food and Drug Administration and data handling matters are also a focus of enforcement actions (as well as inspection findings from other regulatory agencies).

It is perhaps for this reason that the FDA has issued a new guidance document titled “Data Integrity and Compliance with Drug cGMP: Questions and Answers” (1). According to the FDA, the reason for issuing the new document is: “to clarify the role of data integrity in current good manufacturing practice (CGMP) for drugs, as required in 21 CFR parts 210, 211, and 212.” The document joins others from MHRA (2, 3), OCED (4), WHO (5), and PIC/S (6, 7) on the general subject. In short, the document, issued on December 12, 2018, provides definitions and the agency’s current thinking on best practices relating to data integrity. The document outlines the design, operation, and monitoring of data integrity systems. The reasoning behind the document is expanded upon via an accompanying statement, written by FDA Commissioner Dr. Scott Gottlieb. Here the agency notes that the revised recommendations were developed to help manufacturers address “identified data integrity lapses, implement best practices to address gaps that can create risks to data integrity, and ensure consistent awareness and commitment to ensuring data integrity.” (8)

This article reviews the new guidance document and draws out some items of interest for the pharmaceutical and healthcare sectors. The aim here is not to overly repeat what is in the document (since the reader could and should be doing this for themselves), but to note the differences between the final document and the earlier draft and to draw out the key themes within the document.

Anatomy of the guidance document

The new document has been two years in the making, following on from the FDA’s 2016 draft (which has a similar title minus the ‘questions and answers’ component) (9). The core part of the document runs to thirteen pages. Here the new guidance sets questions and provides answers (there are eighteen questions in all). The questions relate to areas such as:

  • When is it permissible to invalidate a cGMP result and exclude it from the determination of batch conformance?
  • How should access to cGMP computer systems be restricted?
  • Who should review audit trails?
  • Can electronic signatures be used instead of handwritten signatures for master production and control records?

In addition, the guidance document contains various definitions, focusing on system components. These fairly well-established definitions are supported in the document by recommendations as to when workflows on computer systems need to be validated, plus how users can ensure electronic master production and control records are monitored, with an emphasis that such records must only be used by authorized personnel. With the definitions it is interesting to see the oft-quoted ALCOA but not ALCOA-plus, which is used by other agencies like MHRA and WHO (ALCOA-plus: attributable, legible, contemporaneous, original and accurate plus complete, consistent, enduring and available).

With computerised systems, the definition of the “system” refers to the ANSI definition, which includes people, machines, and methods organized to accomplish a set of specific functions. In addition, this system can include computer hardware, software, peripherals, networks, cloud infrastructure, operators, and documents. A further important definition is with static and dynamic record formats, which are interpreted as:

  • “Static” is used to indicate a fixed data document such as a paper record or electronic signature.
  • “Dynamic” means a record that allows interaction between the user and record content, such as entering values manually in the systems database.

One noticeable change with the final version compared with the draft is that the FDA has removed a section of the guidance that covered independent security role assignments for small operations because the issue is covered in another guidance: “PET Drugs—Current Good manufacturing Practice (CGMP).” (10)

By issuing the finalised guidance the FDA are aiming to reduce the number of cGMP violations involving data integrity. The FDA appears particularly concerned that where data integrity issues come to light too many firms simply focus on addressing the matter at hand without expanding the scope to see if other parts of the operation may have similar issues of concern. Although it is not explicitly stated the document appears to have been issued due to some confusion over the interpretation of all aspects of data integrity and the way that data integrity needs to be implemented within companies. The accompanying statement from Gottlieb comments that there is frequently a lack of vigilant oversight of data integrity within the pharmaceutical firm.

Key requirements

CFR Part 211
The new guidance reiterates key part of the long-established Code of Federal Regulations Part 211 (last substantially updated on March 20, 1997, although Part 11 was modified in April 2018 to provide a more rational framework for implementation) (11). Title 21 of the FDA’s Code of Federal Regulations (CFR) Part 11 applies to records in electronic format that are created, modified, maintained, archived, retrieved, or transmitted according to requirements set in FDA regulations. As well as defining the controls around electronic signatures, the CFR covers electronic signatures and password control, together with different levels of user access.

The necessity of risk assessment
The FDA document mentions the word ‘risk’ eleven times, with the requirement for organisations to adopt a risk based approach to data integrity (such as how often to review audit trails). In expecting that data is reliable and accurate, companies need to implement meaningful and effective strategies to manage their data integrity risks.

Importance of the life-cycle approach
To get to the heart of the true meaning of data integrity, the document places a strong emphasis upon the cGMP data life cycle. This means that the system design and controls used to develop computerised systems, if performed correctly, should simplify the detection of errors, omissions and aberrant results throughout the data life cycle.

The life-cycle approach feeds into computer system workflows. According to the guidance, a workflow is an intended use of a computer system to be checked through validation. The guidance goes on to say that if a user validates their computer system but does not validate it for its intended use, then the user cannot know if their workflow is running correctly.

A new addition to the document is a clarification of the role of management with in the pharmaceutical or healthcare organization. The introduction section states with the role of management: "It is the role of management with executive responsibility to create a quality culture where
employees understand that data integrity is an organisational core value and employees are
encouraged to identify and promptly report data integrity issues". This emphasis on culture is an important one, as this shapes how employees operate in relation to good data integrity practices.
A company’s standards of ethical conduct, when followed, need to ensure that each employee acts with integrity in the execution of their work. Moreover, each employee should be responsible for the validity and integrity of their data and documentation, whether it is a paper-based or electronic system.

Holistic overview and audit
The guidance document recommends that each organisation assesses data integrity holistically and undertakes regular audits of its systems. Some helpful questions are provided for this form of self-inspection and these can be applied to most systems. The questions are:

  • "Are controls in place to ensure that data is complete?"
  • "Are activities documented at the time of performance?"
  • "Are activities attributable to a specific individual?"
  • Can only authorized individuals make changes to records?"
  • "Is there a record of changes to data?"
  • "Are records reviewed for accuracy, completeness, and compliance with established standards?"
  • "Are data maintained securely from data creation through disposition after the record's retention period?"

Metadata is as important as data
Metadata is ‘data about data’, providing the contextual information needed to understand data. As an example, a value by itself meaningless without additional information about the data. In the microbiology laboratory ‘5’ by itself means nothing, whereas ‘5 CFU’ (CFU for colony forming unit) provides context. The FDA guidance emphasises that metadata is just as important as data and that to ensure integrity, changes made to document metadata should be tracked and made available for review. Each time a change is made to any metadata, a user must enter a reason for the change so the data stays current.

System administrators and authorised users
The FDA guidance stresses the importance of independent system administrators who have no direct interest in the data being the only personnel authorised to make changes. The draft noted that small firms may not have the capacity for independent administrators; this dispensation has been dropped from the final version. Administrators will perform tasks like altering process parameters or testing methods and will extend to altering files and settings. Such administrators should be identified in an approved list. In addition, to restrict access to cGMP computer systems organisations need to exercise appropriate controls to assure that changes to computerised systems and the input of data can be made only by authorised personnel.

Audit trails
With audit trails, the guidance document recommends that all audit trails are reviewed with each record and before final approval of the record. While review of audit trails is established there appears to have been uncertainty of what to look for when reviewing an audit trail. To address this, the FDA guidance document provides some guidance, adding:

  • The change history of finished product test results.
  • Changes to sample run sequences.
  • Changes to sample identification.
  • Changes to critical process parameters.

While the document recommends routine scheduled audit trail review based on the complexity of the system and its intended use, this author’s experience is that FDA expect audit trails to be reviewed with process run or test conducted. In addition, the scope of the audit trail review should extend not only to the direct event but also back to when the last audit trail review was undertaken. This is to guard against things that have occurred, but which have not been reported. For example, suppose laboratory supervisor reviews at test that was conducted on a Wednesday and the previous review was for a test conducted on the Monday of the same week, if a laboratory analyst ran a test on the Tuesday of the same week but decided to discard it this event could be missed by the laboratory supervisor if only Wednesday’s tests were reviewed.

Further, in relation to production, the guidance makes the requirement that audit trails for production computerized systems are reviewed by representatives of quality, rather than by members of the production management chain.

Are emails GMP documents? Potentially so within the new guidance document. In Footnote 14 in the document, the FDA indicates that the agency may inspect “records not intended to satisfy a CGMP requirement, but which nonetheless contain CGMP information.”  FDA also states on page 12 of the guidance that “an email to authorize batch release is a cGMP record that FDA may review” pursuant to its inspectional authority.  This signals that the document goes beyond what FDA generally has authority to inspect, for example, email containing personnel information that could cover a broad range of information.  This does, however, raise the question as to how FDA would go about locating emails containing GMP information (that are not technically CGMP records).

Analytical laboratory data
There are several references to analytical data in the guidance document. A major focus is with ensuring that laboratory data, once created and maintained, cannot be modified. An example given is with chromatograms. The recommendation is that these should be sent to long-term storage (archiving or a permanent record) upon run completion instead of at the end of the day after the last run has been completed.

A second laboratory example is with notebooks. The guidance states that it is not acceptable to record data on pieces of paper that will then be discarded once the data has been transcribed to a permanent laboratory notebook. In other words, where laboratory note books are used, data must be directly entered.

A third example comes with the configuration of Laboratory Information Management Systems (LIMS). Many systems save data at the end of the session, once data input has been completed. This will need to change, given that the FDA document infers that such data capture systems should be designed to automatically save after each separate entry. The reason for this is to make the recording of each computer entry contemporaneous, the same way that after a entry is written onto a sheet of paper it cannot be subject to amendment or change without the change being apparent.

Microbiology laboratories
Often overlooked outside of general laboratory provisions, microbiology laboratories are called out in relation to plate reading. Here the FDA guidance is somewhat ambiguous, when it states: “in microbiology, a contemporaneous written record is maintained of the colony counts of a petri dish, and the record is then subject to second-person review.” Does this mean checking the record or a having a section person to verify each plate count?

Review of invalidated data
The guidance states that invalidated data must be evaluated by the quality unit pursuant to release. The earlier draft did not cover this issue; however, it now appears that legitimately invalidated data needs to be included within the scope of the quality unit’s batch record review as part of the release process. The guidance states:  “Even if test results are legitimately invalidated on the basis of a scientifically sound investigation, the full CGMP batch record provided to the quality unit would include the original (invalidated) data, along with the investigation report that justifies invalidating the result.”


To sum up the intent of the FDA guidance, the focus is clearly on the:

  • Accuracy of records,
  • Integrity of records,
  • Security of records,
  • Retrieval of records.

The new FDA guidance is timely, and it does address many questions that the industry had in relation to the interpretation of data integrity, albeit that the answers provided may not always be welcomed in terms of the changes that some organisations will need to make in order to comply. The questions themselves cover a range of topics including how access to cGMP computer systems should be restricted, how blank forms should be controlled and how often audit trails should be reviewed. Given that only certain subjects were covered and that no guidance document can embrace everything, there will still be gaps. Here it is prudent to read all of the case studies included and to weigh up where else the guidance might be applied.

Excerpt from gmp review


  1. FDA  (2018)   Data  Integrity  and  Compliance   With   Drug   CGMP  Questions  and   Answers   Guidance   for    Industry,   U.S.    Department   of    Health    and     Human Services, Food and Drug Administration, Bethesda, MD, USA. At: https://www.fda.gov/downloads/drugs/guidances/ucm495891.pdf  
  2. MHRA (2015) MHRA GMP Data Integrity Definitions and Guidance for Industry March 2015, Medicines Healthcare products and Regulatory Agency, London, UK
  3. MHRA (2016) GXP Data Integrity Draft Guidance, Medicines Healthcare products and Regulatory Agency, London, UK
  4. OECD (2016) Series on Principles of Good Laboratory Practices and Compliance Monitoring. Number 17. The Application of the Principles of GLP to Computerized Systems. Environment, Monograph no. 13, Organization for Economic Co-operation and Development. Paris, France
  5. WHO (2016) Annex 5, Guidance on good data and record management practices, WHO Expert Committee on Specifications for Pharmaceutical Preparations, 15th report, World Health Organisation, Geneva, Switzerland
  6. PIC/S (2007) Good Practices for Computerized Systems in Regulated GxP Environments, Pharmaceutical Inspection and Cooperation Scheme, Brussels, Belgium
  7. PIC/S (2016) Draft PIC/S Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments, PI 041-1 (Draft 2,  Pharmaceutical Inspection and Cooperation Scheme, Brussels, Belgium
  8. Statement from FDA Commissioner Scott Gottlieb, M.D., on the agency’s efforts to improve drug quality through vigilant oversight of data integrity and good manufacturing practice, at: https://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm628244.htm  
  9. FDA (2016) Data Integrity and Compliance With CGMP, Draft Guidance for Industry, April 2016, U.S. Department of Health and Human Services, Food and Drug Administration, Washington
  10. FDA (2011) Guidance PET Drugs — Current Good Manufacturing Practice (CGMP) (Small Entity Compliance Guide), U.S. Department of Health and Human Services, Food and Drug Administration, Bethesda, MD, USA at:
  11. FDA (1997). Title 21 of the Code of Federal Regulations Part 11, U.S. Department of Health and Human Services, Food and Drug Administration, Washington D.C, USA Retrieved from https://www.ecfr.gov/cgi-bin/text-idx
gmp review

gmp review

This article, “The answer is? FDA publishes final data integrity Q&A”, is reproduced from a recent issue of gmp review, a quarterly journal researched and edited by an expert team experienced in all aspects of pharmaceutical manufacturing and control.

gmp review provides in-depth analyses of international pharmaceutical manufacturing regulations.

gmp review keeps readers up to date on the latest Directives, Regulations and Guidelines applicable to the pharmaceutical industry from the FDA, EU, CPMP and ICH positions. Each item comes with analysis and comment on its effect on your company. The dry legal jargon is made understandable to you and your colleagues in manufacturing and quality. As such gmp review is the perfect companion to the GMP Compliance Adviser and will help provide further useful commentary on the new regulations.

If you are involved in any aspect of GMP then gmp review will provide much needed information and analysis in a convenient quarterly journal format. gmp review subscribers will also receive gmp-review news a monthly news service to keep you up-to-date on new developments in GMP and associated regulations.

> More information and order


Thank you for posting, the data integrity issues are of great importance. Tim Sandle https://www.pharmamicroresources.com/
Tim Sandle 19.08.2020

> Do not hesitate, we look forward to your feedback!