Follow the Data: FDA Addresses cGMPs for Data Integrity Issues in Draft Guidance

April 28, 2016

The draft guidance provides insight into FDA’s expectations regarding data controls and compliance for pharmaceutical companies.

In recent years, issues involving the integrity of and controls around manufacturing data have become a significant concern for product sponsors and manufacturers within the pharmaceutical industry, as the US Food and Drug Administration (FDA or Agency) has increasingly cited data integrity violations during current Good Manufacturing Practices (cGMPs) inspections.

To clarify its expectations around data integrity and documentation of cGMP activities, on April 14, 2016, FDA released a draft guidance titled Data Integrity and Compliance with CGMP (Draft Guidance).[1] The Draft Guidance gives insight into FDA’s expectations for data controls and monitoring, and provides pharmaceutical companies with potential areas for follow-up to ensure that data systems meet the Agency’s expectations.

Background of Manufacturing Data Integrity

Under the Federal Food, Drug, and Cosmetics Act (FFDCA), drugs are deemed to be adulterated if they are not manufactured under cGMPs, which include requirements around data integrity.[2] As automated recordkeeping has become more sophisticated, FDA has increased its expectations concerning the necessary controls and audits for data systems, and has increasingly cited pharmaceutical companies for data integrity issues during inspections. As a result, there has been an increase in enforcement actions based on data integrity issues, including FDA Warning Letters, import alerts, and consent decrees.[3] Such enforcement actions can have significant regulatory and commercial consequences, often requiring substantial capital investments by pharmaceutical companies to upgrade outdated or inadequate data systems as well as to increase employee training and improve hiring practices for information technology functions.

FDA’s Draft Guidance

FDA defines data integrity as “the completeness, consistency, and accuracy of data.”[4] The Draft Guidance states that data should be

  • attributable,
  • legible,
  • contemporaneously recorded,
  • an original or a true copy, and
  • accurate.[5]

While the Draft Guidance addresses many aspects of a data integrity system, some of the more notable aspects of the guidance relate to

  • data system validation, 
  • the use of cGMP data for decision making,
  • the documentation of cGMP data,  
  • elements of a data integrity compliance program, and
  • voluntary reporting to FDA of data integrity issues.[6]

FDA expects data systems, including their intended uses, to be validated.[7] All cGMP data must also be included in cGMP reviews and release decision making.[8] To exclude data, companies must have a valid, documented, scientific justification.[9] Further, all cGMP activities must be adequately documented at the time of the activity.[10] This includes all metadata, such as date and time stamps, user IDs, instrument IDs, and audit trails.[11] It is not acceptable to record data on pieces of paper that will be discarded after data is transcribed into a permanent record.[12]  Similarly, it is not acceptable to store data electronically in temporary memory, which could allow for data manipulation before the creation of a permanent record.[13]

Of particular note, FDA expects that pharmaceutical companies will have data integrity compliance programs that include full investigations of suspected data falsification or alteration, corrective actions, and personnel training.[14] Finally, FDA invites (but does not require) individuals to report suspected data integrity issues that may have a product impact to the Agency.[15]

Next Steps

The Draft Guidance provides pharmaceutical companies with a number of items that they should consider, such as potential areas for improvements, as well as areas not fully addressed by the Draft Guidance. These include the following:

  • Considering whether any policy changes are necessary relating to
    • data integrity investigations,
    • data integrity audits,
    • circumstances in which internal audits will be shared with FDA,[16] and
    • the circumstances under which data integrity discrepancies will be reported to FDA.
  • Assessment of contract manufacturing agreements and relationships for necessary changes.
  • System upgrades.
  • Upgrades to training programs.
  • The circumstances under which third party auditors may be required, and the vetting of such auditors.

Comments on the Draft Guidance are requested by the Agency by June 14, 2016.[17] 


If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Washington, DC
Kathleen M. Sanzo
Jacqueline R. Berman

[1] Food and Drug Admin., Draft Guidance for Industry: Data Integrity and Compliance with CGMP (2016).

[2] FFDCA § 501(a)(2)(B); see e.g., 21 C.F.R. §§ 211.68, 211.100, 211.160.

[3] Draft Guidance at 1-2; see e.g., FDA, Warning Letter to Polydrug Laboratories Pvt. Ltd. (Apr. 14, 2016).

[4] Draft Guidance at 2.

[5] Id.

[6] Id. at 4-10.

[7] Id. at 4-5.

[8] Id. at 4.

[9] Id.

[10] Id. at 8.

[11] Id. at 3.

[12] Id. at 8.

[13] Id.

[14] Id. at 9-10.

[15] Id. at 10.

[16] FDA does not review or copy internal auditing reports and records during routine FDA inspections that result from a company’s audits and inspections of its written quality assurance program, but may seek written certification that such audits and inspections have taken place and that corrective actions were implemented. FDA, Compliance Policy Guide Sec. 130.300 FDA Access to Results of Quality Assurance Program Audits and Inspections (2007).

[17] Data Integrity and Compliance with Current Good Manufacturing Practice; Draft Guidance for Industry; Availability, 81 Fed. Reg. 22281, 22281-22282 (Apr. 15, 2016).