Notes on the FDA’s Draft Data Integrity and Compliance With CGMP Guidance for Industry

Having worked in the pharmaceutical industry where I’ve dealt with electronic systems, paper based systems, programmed my own access databases and Excel spreadsheet  and been on projects such as LIMS system validation, I figured I’d make notes on the FDA’s 2016 guidance for industry document regarding Data Integrity and Compliance With CGMP.  This draft is for currently open for comment and the guidance addresses data integrity in:

  • drug manufacture
  • finished pharmaceuticals
  • positron emission tomography drugs

Knowing about the data integrity requirements (and more importantly, keeping your data intact), will reduce the likelihood of the FDA (or other Government regulatory body) citing you on deficiencies.  Personally knowing about this should help resume my scientific career and it’ll definitely add to my knowledge.  One should note that data is ALL data, both physical AND electronic.

Sections of the non binding, not for implementation Draft Guidance

  • Introduction
  • Background
  • Questions and answers

With the nature of the document being draft and not for implementation, the content is still a very good guide on what is expected of manufacturers working to the cGMP.


  • 21 CFR parts 210, 211 and 212 detail cGMP for drugs as follows:
    • 210: Current Good Manufacturing Practice in Manufacturing, Processing, Packing or Holding of Drugs, general
    • 211: Current Good Manufacturing Practice for Finished Pharmaceuticals
    • 212: Current Good Manufacturing Practice for Positron Emission Tomography Drugs

Dara should be reliable and accurate.  Risk based strategies can be used to detect data integrity issues. Management strategies should be meaningful and effective.  Things get a little hazy here as these strategies are based upon the manufacturer’s process understanding and knowledge management of technologies and business models – you need to employ people who know your tech and operating practices and who are adequately training in such.  I find most people have a pretty tenuous grasp of technology once it surpasses the purely mechanical.

In guidance speak, “should” is a recommended or suggested action.  In reality, if you do not do it, you need to justify why not (which should not be too hard as your processes will be documented and validated to regulatory requirements).


The guide has been created as the number of cGMP data integrity violations has been going up.  This troubles the FDA (and it should you to) as data integrity’s a key component to ensuring the products you make are unadulterated and your end-user is safe from harm (when your product is used correctly).

CFR’s 210 – 212 set out the minimum requirements.  Examples are:

  • 68 Backups are complete and unalterable
  • 110(b) Data to be stored to prevent deterioration or loss
  • 100 & 211.160 Document as it happens and use scientifically sound lab controls
  • 180 Retained data to be classified as original, true copies or some other term that indicates the data is a true reproduction (not representation) of the original records
  • 188, 211.194 & 212.60(g) ALL data needs to be recorded. Complete gets written a lot.

21 CFR 11 Guidance for Industry, Part 11, Electronic Records; Electronic Signatures – Scope and Application,  which I’ve had loads of exposure, having been on a LIMS validation project, sets out the requirements for electronic signatures and record keeping.

Questions and answers

Q1a: What is “data integrity?”

A: According to this guidance, complete, consistent, accurate data.  Attributable, legible, contemporaneously recorded original (or true copy) and accurate.  NOTE, accurate is used twice.  Acronym of ALCOA used.

Q1b: What is “meta data?”

A: Contextual information required to understand data.  Structured information that describes, explains or makes easy to retrieve, use or manage data.  Basically a good filing system, database or LIMS setup. Example of metadata for a given data point include time stamp, user ID, instrument ID, audit trails etc.

Q1c: What is “audit trail?”

A: For guidance purposes, this means a secure, computer generated, time stamped electronic record that allows for reconstruction of the course of events relating to the creation, modification, or deletion of an electronic record.  It details who, what, when and why.

As well as recording the creation, modification or deletion, the audit trail also should show attempts to access the system and file rename or deletion attempts.

cGMP compliant record keeping prevents (I’d say reduces the likelihood of) data from being lost or obscured.

Q1d: How do “static and dynamic relate to record formats?”

A: “Static”: fixed-data document.  Eg paper record, electronic image. “Dynamic”: the record format allows interaction between user and the record content.  Eg, tweaking coding on a spreadsheet that calculates antibiotic potency could skew the results.  Such formulas should be locked down.  NOTE: electronic images can be manipulated quite easily if you know what you are doing.  Here you’d want to make sure modification time stamps are recorded as part of the audit trail (perhaps as a red flag if the file’s modified/accessed outside of the viewing program).

Q1e: What is “backup 211.68(b)?”

A: A true copy of the original data that is maintained securely for the record retention period.  The backup should contain meta data (so the data makes sense/can be retrieved) and in its original format or compatible with original format.  So if paper, needs to be a photocopy or would a scanned document that can be printed suffice?  Most likely paper, as conversion to electronic data would require audit trails and that might impose an unacceptable dollar penalty/overhead.

Different to routine systems backup of data as they tend to be temporary and not archived.

Q1f: What are the “systems” in “computer or related systems” in 211.68?

A: With reference to the American National Standards Institute:

  • Systems: people, machines and methods organised to accomplish a set of specific instructions.
  • Computer or related systems: computer hardware, software, peripherals, networks, off site networked infrastructure (cloud), operators, associated documents such as manuals, SOPs etc.

Q2: When is it permissible to exclude cGMP data from decision making?

A: I’d be inclined to say never!  The guidance agrees.  As per usual, if one was to exclude data, there must be a valid, documented, scientific justification for its exclusion.  In reality, the data is not excluded, your OOS procedure will take the data into account and a risk based approach will determine how likely such data is to impact negatively on product quality and ultimately the end user.

Q3: Does each workflow on our computer system need to be validated.

A: I am REALLY surprised this needs to be asked. You need to document everything.  See my notes on the PIC/s Guide to GMP .  You need to validate everything.  IF IT IS NOT DOCUMENTED IT NEVER HAPPENED.  (This is not to say if you do not document a stuff up, it never happened.  It did and it’ll most likely be revealed by way of audit or customer complaint/adverse reaction).

For computer systems.  URS.  IQ.  OQ.  PQ.

Q4:  How should access to cGMP computer systems be restricted?

A: For electronic systems, user access with appropriate permissions.  It is suggested the system’s admin not be a member of the data recording team.  Eg, for a microbiology or chemistry lab, the admin should not be working for the lab.  It might make things tedious at times, but it improves the integrity of your data.

Maintain the list of authorised individuals along with access rights for each cGMP system.

If the site is small as roles of admin and user cannot be split, it is suggested a second person review the settings and content.  If that is not possible, the sole user should recheck settings and their work before pressing the commit/enter/submit button.

Q5: What is FDA concerned with the use of shared login accounts for computer systems?

A: For the same reason anyone concerned about IT security is!  So only authorised users can enter or modify or access data.  Recall that the user ID forms part of the meta data.  Sharing logins means your data is not cGMP compliant and thus your product is adulterated.

Q6: How should blank forms be controlled?

A: This one’s interesting as I worked at a site that moved from printed out/photocopied forms to electronically issued blank forms. The electronically issued worksheets were issue number and date stamped and included an electronic record of who printed the sheet.  This still does not prevent an operator from photocopying the newly printed sheet if they were inclined to. A check of bins and desk would reveal such a practice pretty quickly.

Incomplete or erroneous forms should be kept as part of the original data.  A book of numbered forms could be kept (and reconciled), or page numbered workbooks with document control group use approval stamps could be used (this is to prevent cooking the books).

Q7: How often should audit trails be reviewed?

A: They should be reviewed along with the batch record before final approval.

Q8: Who should review the audit trails?

A: For all production and quality records, the quality unit (CFR 211.192)

Q9: Can electronic copies be used as accurate reproductions of paper or electronic records?

A: I surmised something about this in Q1e, though the FDA’s clearly not expecting anyone to run around photoshopping scanned in documents or modifying them in Indesign.  The answer is yes, provided the copies preserve the content and meaning of the original data, including associated metadata and the static or dynamic nature of the original records.

Q10: Is it acceptable to retain paper printouts or static records instead of original 260 electronic records from stand-alone computerized laboratory instruments, 261 such as an FT-IR instrument?

A: If it is a complete copy of the original record.  Some equipment is read out only (scales, pH meters etc), so some other way or recording the displayed data is needed.

In the case of dynamic records printouts do no preserve the dynamic format of the data.  Eg electronic data can be reprocessed, where are a printout of what you see on screen cannot.

Control strategies such as second person review of original paper and electronic records is recommended as per 211.194(a)(8) to ensure all results are appropriately recorded.

For PET drugs, see guidance for industry PET Drugs — Current Good Manufacturing 282 Practice (CGMP),

Q11: Can electronic signatures be used instead of handwritten signatures for master production and control records?

A: Yes.  The intent of a signature (written or otherwise) is to identify who’s signed off on the data.  As usual, your procedures on controlling electronic signatures needs to be documented.

Q12: When does electronic data become a CGMP record?

A: As soon as it is created.  Lots of waffle here for what is a cut and dry answer.

Q13: Why has the FDA cited use of actual samples during “system suitability” or test, prep, or equilibration runs in warning letters?

A: Testing into compliance is frowned upon.  The FDA considers (in some situations) using an actual sample in test, prep or equilibration runs a violative practice as it is a means of disguising testing into compliance.  I’m a bit fuzzy on this as a microbiologist.  You have a sample.  You test it.  You get a result.   Perhaps they mean use negative and positive controls.  Though, when testing antibiotics, you could test three samples from the one batch where the average result would be within spec.  That was not something we allowed.

We are pointed towards ICH guidance for industry Q2(R1) Validation of  Analytical Procedures: Text and Methodology (a 1994 document) for more information.

Q14: Is it acceptable to only save the final results from reprocessed laboratory chromatography?

A: No!  Reprocessed results are not original data.  You need to show the original result and the reprocessed result.

Q15: Can an internal tip regarding a quality issue, such as potential data falsification, be handled informally outside of the documented CGMP quality system?

A: Here, any tip must be treated as legitimate and a documented investigation carried out in case product quality/patient safety is affected.  For both, CAPA should prevent (reduce likelihood) of future (fraudulent) modification, thus reducing likelihood of suspicion as with appropriate checks and balances, alteration at the very least should not be possible without appropriate permission for electronic records.

Details of how to tip off the FDA are provided.

Q16: Should personnel be trained in detecting data integrity issues as part of a routine CGMP training program?

A: In so far as it suits their role as personnel must have the education, training and experience required to perform their assigned duties.

Q17: Is the FDA investigator allowed to look at my electronic records?

A: All data associated with batch records and process/plant validation, training etc is subject to regulatory inspection and audit.

Q18: How does FDA recommend data integrity problems identified during inspections, in warning letters, or in other regulatory actions be addressed?

A: It looks like here, the FDA has no confidence in you internal systems and knowledge and suggest you hire a third party auditor to determine the scope of the issue and implement CAPA.  If individuals responsible for data integrity issues are identified, remove them from cGMP positions. At the very least, retrain them unless the issue is chronic.

The FDA’s expectations mirror those in a 1991 document available here.

Additional links and references

FDA Guidance for industry – PDF

Most importantly for Australian manufacture, here is a link to the TGA’s Data Integrity expectations dated July 2015.

Here is a presentation given by the TGA in 2005 regarding the Auditing of Computerised Systems for Pharmaceuticals and Medical Devices.