FDA Issues Draft Guidance on Data Integrity Considerations for Bioavailability and Bioequivalence Studies

April 04, 2024

The US Food and Drug Administration (FDA) released a draft guidance on April 3 providing recommendations to sponsors and testing sites on data integrity for bioavailability and bioequivalence (BA/BE) studies. While the draft guidance only directly applies to BA/BE studies, sponsors and others involved in clinical trials should consider its applicability to other kinds of studies.

As noted by FDA in the Federal Register notice, the guidance is, in part, a reaction to recent “observed data integrity concerns during the inspection of testing sites, clinical testing sites, and analytical testing sites, and during the assessment of the BA and BE study data submitted in support of applications,” with such concerns impacting “application acceptance for filing, assessment, regulatory actions, and approval as well as post-approval actions, such as therapeutic equivalence ratings.”

Accordingly, FDA recommends that both sponsors and testing sites implement controls to protect against and allow the early detection of potential data integrity issues.


FDA defines data integrity as “the accuracy, completeness, and reliability of data.” Per FDA, “[a]ccurate, complete, and reliable data should be attributable to the person generating the data, legible, contemporaneously recorded, original or a true copy, and accurate (ALCOA). These characteristics of the data should be maintained throughout the data lifecycle.” This is different than data quality, which is whether the applicable data was produced in compliance with the applicable regulatory standards such that it is fit for its intended purpose.

According to FDA:

Achieving and maintaining data integrity is an important component of industry’s responsibilities to ensure the safety, efficacy, and quality of drug products and biological therapeutics. It is the role of industry, specifically management with executive responsibility, to create a quality culture where personnel understand that data integrity is an organizational core value and personnel are encouraged to identify and promptly report data integrity issues. In the absence of management support of a quality culture, systems can break down and lead to errors and misconduct.


Per the language of the draft guidance, the recommendations that FDA sets forth are applicable to the clinical and bioanalytical portions of BA/BE studies, the bioanalytical portion of clinical pharmacologic studies, and the bioanalytical portion of nonclinical studies. FDA also encourages sponsors and testing sites to consider applying these standards to other kinds of studies, such as in vitro, pharmacology, and toxicology studies.


As noted by FDA, the complexity of studies and the number of companies involved in the conduct of a single study has significantly grown in recent years. While sponsors may outsource testing services, ultimate responsibility for studies, the resulting data, and compliance with regulatory requirements remains with the sponsor. Accordingly, sponsors should implement systems to manage and monitor data quality throughout the course of a study. Such a system should include the following areas:

  • Vendor Qualification: FDA states that sponsors should only use qualified testing sites, considering the education, training, and experience of the site’s personnel, as well as whether the site has implemented an adequate quality management system, which should include an “open and transparent” reporting structure so that site personnel are able to freely communicate issues impacting data integrity. Sponsors should also consider the site’s regulatory history. Sponsors should further be sure to provide testing sites with all the information necessary to perform their duties, and should require that sites agree, via contract, to follow all regulatory requirements, protocols, procedures, and processes. Finally, sponsors should ensure that testing sites have the resources necessary to perform the contracted study activities.
  • Monitoring: Sponsors should develop and follow a monitoring plan “to ensure that testing sites are appropriately assessing, controlling, communicating, and reviewing risks….” The sponsor monitoring plan should be independent of the testing site’s quality assurance monitoring. When developing a monitoring plan, sponsors are advised to consider the entire dataflow, especially with regard to computerized interfaces that are used to move or transform data between different instruments and systems. Sponsors should also assess risks to data integrity at both system and operational levels, with the ultimate extent of monitoring being commensurate with identified data risks. For instance, FDA has found that bioanalysis of participant samples and data recording, reporting, and retention steps requiring human intervention may pose increased risks to data integrity, warranting closer oversight and monitoring.
  • Auditing: FDA also recommends that sponsors audit testing sites to confirm compliance with monitoring plans. Audits should assess site compliance with contracted responsibilities, whether sites are performing critical activities in accordance with the protocol and regulatory requirements, whether sites maintain data integrity throughout the data lifecycle, and should ensure that any discrepancies between data and metadata are investigated. Audit findings should be documented in sufficient detail to allow sponsors to verify that monitoring plans are followed and should not influence study outcomes or result in amendments to data. Any audit finding should be communicated to the testing site for documented remediation. Moreover, communications between sponsors, test sites, and third parties (e.g., third-party auditors) should be documented “to allow verification of study decisions and input from” sponsors.


While study sponsors are responsible for the ultimate conduct of studies, testing site management is responsible for the organization and function of the site. FDA specifically recommends that site management with executive responsibility consider implementing the following steps:

  • Create a site organizational structure to ensure that BA/BE studies are conducted and analyzed pursuant to regulatory requirements.
  • Ensure that personnel are adequately trained and qualified and that sites have adequate resources to meet their responsibilities.
  • Ensure that personnel roles and responsibilities are clearly defined, and that there is “appropriate responsibility, authority, and interrelation of all personnel who manage, perform, and assess work affecting data….”
  • Establish data integrity policies and objectives that are understood, implemented, and maintained throughout the organization.
  • Create and encourage a culture of quality.
  • Implement a quality management system.

Of particular importance is establishing a quality culture and implementing a quality management system. With respect to a quality culture, FDA states that this “can enable a testing site to prevent data integrity concerns from arising or to identify potential risks and detect data integrity issues earlier than if the testing site did not have a quality culture. In the absence of a quality culture or management support of a quality system, measures put in place at the testing site to ensure data integrity (such as a quality management system) can break down and a testing site may fail to take sufficient action to identify potential risks and prevent and address data integrity issues.”

With respect to quality management systems, sites should implement risk-based controls that are fit for the site’s processes and procedures. Site management should also periodically review the quality management system to ensure that it is effective, with more frequent reviews for less established systems. Quality management systems should account for the following areas:

  • Data governance throughout the data lifecycle: Data governance is the “sum of total arrangements to ensure data integrity” and should address data roles, responsibilities, and accountability during all phases of data collection, generation, recording, modification, processing, maintenance, storage, retrieval, transmission, and disposition.
  • Records management: Data should be retained so that it is protected, enduring, retrievable, and readable, including with respect to computer or related systems. All data should be recorded promptly and accurately, with associated metadata.
  • Sample analysis: If sample testing is undertaken at a third-party site, specific quality management provisions should be put in place. Methods used for sample analysis should be validated and procedures used during sample processing and analysis should follow written procedures and analytical methods specified for the study. Samples should be analyzed within their stability windows and sample analysis documentation should be contemporaneous with the applicable steps. Finally, audit trails should be maintained and reviewed.
  • Data storage and backup: Data should be maintained with associated metadata and paper-based records should be secured to prevent alteration or loss. Electronic data should be stored on a system with limited access and should be backed up according to written procedures.
  • Archival and retrieval: Within two weeks of study completion, all data should be archived for at least five years. There should be controls to prevent archived data from being damaged, altered, or deleted, and an individual should be specifically responsible for management of data archives.
  • Training: All applicable personnel should be trained on data integrity, including how to prevent and detect issues and reporting of errors or concerns. Training should include individual job functions and tasks, as well as regulatory requirements.
  • Access and privileges: Sites should use access controls to ensure that personnel may only access functions that are necessary for their roles and responsibilities. All personnel should have unique logins and should only work under their own credentials. Passwords should be updated at set intervals. A system administrator role should be assigned to someone who is independent of personnel with data responsibilities.
  • Audit trails: Audit trails should document all changes to BA/BE data, and should capture when, by whom, and the reasons that changes to the electronic record were made.
  • Quality assurance and control: Quality management systems should include both a quality assurance and quality control program. A quality assurance program ensures that processes, controls, equipment, and personnel comply with the applicable requirements to ensure data integrity. Persons with quality assurance responsibilities should be independent of personnel engaged in the management and conduct of BA/BE studies. A quality control program is intended to identify and correct data integrity weaknesses and issues and includes processes for recognizing compromised data. When data integrity weaknesses or issues are identified, corrective and preventative actions (CAPAs) should be established through the quality control program, which should include the conduct of an investigation, establishment of a CAPA, verification/validation of CAPA effectiveness, communication of the CAPA to the necessary people, providing information for management review, and documenting activities.


As studies become more complex, and as more entities are involved in the conduct of studies, the risk of data integrity issues occurring and going undetected until it is too late has increased. This has resulted in recent high-profile issues with respect to testing sites, which have impacted multiple product sponsors. Some important considerations for sponsors and testing sites in light of the draft guidance include the following:

  • What steps should sponsors and testing sites take to ensure data integrity as FDA works to support and industry adopts innovative drug development approaches and tools, including artificial intelligence, machine learning, and decentralized clinical trials? By example, sponsors and testing sites should ensure that all applicable personnel are trained and know how to use these new technologies and methods so that the resulting data will meet the applicable regulatory requirements.
  • What are the potential consequences if there are data integrity issues? Data integrity issues can result not only in enforcement actions against the applicable sponsors and testing sites, but also in the need to repeat studies, the withdrawal of approvals, changes to product bioequivalence ratings, and FDA refusal to approve new marketing applications. Language in the draft guidance regarding management and executive responsibility, as well as an emphasis on the creation of a culture of compliance, also implies that FDA may be willing to exercise its enforcement authority against company executives under the Park Doctrine. Accordingly, sponsor and test site executives and management should ensure that the proper processes and procedures are in place to guard against data integrity issues.
  • What level of sponsor reliance on contractors is appropriate and what level of oversight is required? Many sponsors tend to place significant reliance on outside contractors when it comes to product development programs. This is especially true for smaller companies where the majority of a development program may be implemented by third parties and consultants. Given the draft guidance’s emphasis on monitoring and oversight, sponsors should consider what level of reliance on outside entities is appropriate, given the resources of the company, as well as ways to ensure that the company has the necessary expertise to undertake third party oversight activities.
  • How can sponsors and testing sites protect themselves? In addition to the oversight, monitoring, and quality steps outlined in the guidance, sponsors and testing sites should consider what contractual terms are necessary. For instance, contracts should clearly set out the data integrity, regulatory, and operational responsibilities of each party and ensure that there are adequate representations of compliance and indemnification terms.
  • Finally, while the current guidance is limited to BA/BE studies, sponsors should consider how the guidance could apply to other kinds of studies, including clinical studies, as many of the guidance’s themes cross study classifications.

Interested parties may submit comments on the draft guidance by June 3, 2024.


If you have any questions or would like more information on the issues discussed in this LawFlash, please contact the following:

Jacqueline R. Berman (Washington, DC)