FDA’s New Guidance on Data Integrity and Compliance with GMPs and Potential Product Liability Considerations

The Food and Drug Administration recently released draft guidance for the industry entitled “Data Integrity and Compliance with CGMP [Current Good Manufacturing Practices].” While the draft is not legally binding on industry or the agency, it offers FDA’s current thinking on how drug and biologic manufacturers can comply with current Good Manufacturing Practices in order to ensure completeness, consistency, and accuracy of data. In recent years, FDA has taken numerous enforcement actions against companies for data integrity-related violations during GMP inspections. In addition to describing the agency’s expectations, the document also offers companies a means to reduce potential product liability exposure.

This article highlights some of the key points in the guidance. We will not describe every definition or question and answer offered by FDA, but attempt to identify the agency’s central concerns and recommendations.

Key Definitions

  • Data integrity refers to the completeness, consistency, and accuracy of data. Data should be “attributable, legible, contemporaneously recorded, original or a true copy, and accurate.
  • Metadata is the contextual information required to understand data. For example, the agency noted that a number without explanation or context, or lack of a date/time stamp for when the data was generated, or a user ID that identifies who conducted the test or analysis that generated the data is “meaningless without metadata.” Companies should maintain metadata required to reconstruct the GMP activity throughout a record’s retention period.
  • An audit trail is “a secure, computer-generated, time-stamped electronic record that allows for reconstruction of the course of events relating to the creation, modification, or deletion of an electronic record.” Electronic recordkeeping systems that include these elements can satisfy the GMP requirements to prevent data from being lost or obscured because, in FDA’s terms, it is a chronology of the “who, what, when, and why” of a record.

FDA Recommendations

  • Companies must maintain any data created as part of a GMP record, and there must be “valid, documented, scientific justification” for excluding data from the release criteria decision-making process.
  • Manufacturers should validate each workflow on a computer system. In addition, firms should implement appropriate controls for risks associated with each element of a system, such as software, hardware, personnel, and documentation.

For Data Security

  • Limit permissions to change settings or data.
  • Assign the system administrator role (including the rights to alter files and settings) to personnel independent from those responsible for running the tests that create the records.
  • For small operations, where the system administrator is also responsible for the content of the records, have a second person review the settings and content.
  • Do not use shared login accounts for computer systems; actions must be attributable to specific individuals.
  • Control blank forms (e.g., issue in numbered sets).

For Audit Trails

  • Appropriate personnel should review audit trails capturing changes to critical data with each record and before final approval of the record.
  • Examples of audit trails that should be subject to regular review include the change history of finished product test results, changes to sample run sequences, changes to sample identification, and changes to critical process parameters.

For Electronic Records

  • Electronic copies can be used as true copies of paper/electronic records, as long as the copies preserve the content and meaning of the original data, including metadata.
  • Electronic signatures, used with appropriate controls to identify who signed the record, can be used in GMP records.
  • When generated to satisfy a GMP requirement, all data becomes a GMP record and the data must be saved at the time of performance.

    • e.g. , chromatograms should be sent to archiving/permanent records upon run completion, not at the end of a day’s runs; data should not be stored in temporary memory that allows manipulation before a permanent record is created.
  • All GMP records, including electronic records, are subject to FDA inspection.


  • In warning letters, FDA has cited companies for the use of sampling or testing with the goal of achieving a specific result or overcoming an unacceptable result. This practice of “testing into compliance” undermines data integrity.
  • For companies subject to enforcement action for data integrity problems, FDA recommends hiring a third-party auditor, determining the scope of the problem, implementing a global corrective action plan, and removing any individuals responsible from GMP positions.
  • This guidance follows increased FDA enforcement action for data integrity violations, particularly against foreign manufacturers. Consequently, companies with manufacturing sites outside the U.S. should give particular attention to facility protocols and emphasize the importance of consistent compliance to personnel.


  • The draft guidance describes FDA’s concerns about data integrity problems and how compliance with GMPs may minimize non-compliance. Obtaining proactive FDA insight and expectations always benefits the industry. The guidance is also instructive from a product liability perspective. The compromise of data integrity, such as falsification or manipulation of technical information or breaches of security, can present potential safety risks to patients. Bad and corrupt data in; bad and corrupt data out. Failure to properly generate reliable data, or to track any changes to manufacturing processes, for example, may lead to questionable or unpredictable results, at a minimum, and dangerous out-of-product specifications at worst. Product subpotencies, superpotencies, instabilities, and variations may result in public health concerns and significant product liability exposure.
  • Understanding the recent FDA guidance will not alone eliminate data integrity problems. At the end of the day, company personnel must properly develop and implement facility-specific programs to comply with all FDA quality-related requirements. Such programs must be tailored to the risk-profile of a particular facility and incorporate adequate controls to ensure the integrity of all data documenting an adequate GMP system. However, the draft offers useful recommendations to fine-tune the integrity of the data that serves as a principal feature of your GMP compliance. Implementation of these recommendations will maximize product quality and, in turn, minimize liability exposure.

To review the entire document and formatting for this alert (e.g., footnotes), please access the original below: