Data Integrity: A hot topic in FDA Warning Letters

Data integrity continues to be a focus during US FDA inspections. A number of warning letters issued by the FDA in 2022 highlight the importance of Data Integrity compliance.

In the warning letters issued, the FDA references its own guidance on data integrity:

“Your quality system does not adequately ensure the accuracy and integrity of data to support the safety, effectiveness, and quality of the drugs you test. See FDA’s guidance document Data Integrity and Compliance with Drug CGMP for guidance on establishing and following CGMP compliant data integrity practices”.

Data Integrity findings during FDA inspections included:

  • A lack of access control to IT systems including appropriate administrative rights and the use of shared accounts
  • A lack of control to prevent deletion of raw data
  • A lack of audit trail review and inadequate data review procedures
  • A lack of control to ensure the integrity of electronic data is maintained
  • A lack of traceability to individuals recording quality data on paper-based records
  • QMS Excel spreadsheets not validated or password protected
  • Original quality records missing
  • Incomplete quality records

The excerpt below is taken from an FDA warning letter for case number #622087, dated 31st March 2022.

“Your firm failed to exercise appropriate controls over computer or related systems to assure that only authorized personnel institute changes in the master production and control records, or other records (21 CFR 211.68(b)).”

The findings included:

  • Failure to implement adequate controls to support the integrity of electronic data and to ensure that only appropriate individuals had administrative rights.
  • Use of a shared generic account to access a laboratory computer which had administrative privileges capable of changing and deleting files.
  • Failure of management to review high-performance liquid chromatography (HPLC) audit trails for drug product testing before release of a batch, which was a repeat violation.
  • Inadequate data review procedure.
  • Inadequate use of static copies of laboratory records (raw chromatograms, processed chromatograms, and audit trails) as they do not preserve the dynamic record format of the full analytical test result which should be a part of the QA review process for release.

The FDA requested that the manufacturer provide:

  • A comprehensive, independent assessment and CAPA plan for computer system security and integrity. This should include a report which identifies design and control vulnerabilities, and appropriate remediations for each laboratory computer system. The report should include:
    • A list of all hardware that includes all equipment, both standalone and network, in the laboratory.
    • Identify vulnerabilities in hardware and software, encompassing both networked and non-networked systems.
    • A list of all software configurations (both equipment software and laboratory information management system) and versions, details of all user privileges, and oversight responsibilities for each laboratory system.
    • Specify user roles and associated user privileges (including the specific permissions allowed for anyone who has administrative rights) for all staff who have access to the laboratory computer systems, and their organizational affiliation and title.
    • System security provisions, including whether unique usernames/passwords are always used, and their confidentiality safeguarded.
    • Detailed procedures for robust use and review of audit trail data, and current status of audit trail implementation for each system.
    • Interim control measures and procedural changes for the control, review, and full retention of laboratory data.
    • Technological improvements to increase the integration of data generated through electronic systems from standalone equipment (e.g., balances, pH meters, water content testing) into the network.
    • A detailed summary of procedural updates and associated training, including but not limited to system security control to prevent unauthorized access, appropriate user role assignments, secondary review of all analyses, and other system controls.
    • A remediated program for ensuring strict ongoing control over electronic and paper-based data to ensure that all additions, deletions, or modifications of information in your records are authorized, and all data is retained.

The excerpt below is taken from FDA warning letter #320-23-01, issued on 5th October 2022.

“Your quality system does not adequately ensure the accuracy and integrity of data to support the safety, effectiveness, and quality of the drugs you test”.

The findings included:

  • Batch records lacked information on the drug product release date and were not signed by Quality.
  • During the inspection, the Quality department could not locate the laboratory test results in the electronic system and there was inadequate backup of the electronic data.
  • Test results recorded in the laboratory notebook were not legible and the record was not attributable.

The FDA requested that the manufacturer provide:

  • A comprehensive investigation into the extent of the inaccuracies in data records and reporting, including results of the data review for drugs distributed to the United States. The investigation should include a detailed description of the scope and root causes of data integrity lapses.
  • A risk assessment of the potential effects of the observed failures on the quality of the drugs manufactured. The assessment should include an analysis of the risks to patients caused by the release of drugs affected by a lapse of data integrity, and analysis of the risks posed by ongoing operations.
  • A management strategy that includes details of the manufacturer’s global corrective action and preventive action plan. The detailed corrective action plan should describe how the manufacturer intends to ensure the reliability and completeness of all data generated by the manufacturer, including microbiological and analytical data, manufacturing records, and all data submitted to the FDA.

In both examples, the FDA recommends that the manufacturers engage qualified cGMP consultants to remediate the findings.

“Based upon the nature of the violations we identified at your firm, we strongly recommend engaging a consultant qualified as set forth in 21 CFR 211.34 to assist your firm in meeting CGMP requirements. Your use of a consultant does not relieve your firm’s obligation to comply with CGMP. Your firm’s executive management remains responsible for resolving all deficiencies and systemic flaws to ensure ongoing CGMP compliance.”
