Mack Powers | December 15, 2021

In December 2018, the FDA issued draft guidance intended to help pharmaceutical companies comply with current good manufacturing practice (cGMP) requirements for data integrity. While the guidance is aimed at all drug manufacturers, it contains specific recommendations relevant to the pharmaceutical industry as a whole. To maintain compliance with FDA data regulations, companies need to take several steps to protect the integrity and accuracy of their data. These steps include: creating a data governance program, implementing robust security protocols, and conducting routine data audits. By following these steps, companies can help ensure that their data is accurate and compliant with FDA regulations. This post highlights the key takeaways of the FDA’s guidance and explains what companies need to do to ensure data integrity and compliance.

Data Compliance 

Data compliance describes the process of ensuring that drug safety, efficacy, and quality data are appropriately recorded, monitored, analyzed, and reported in support of regulatory requirements. The Food and Drug Administration (FDA) defines data compliance as “the set of processes and controls used to assure that all data collected during manufacturing, clinical trials, and research is accurate, complete, consistent, and current.”

Even though data compliance is a regulatory obligation, it supports drug manufacturing firms in:

  • Improving safety and efficacy of drugs
  • Supplying safe and effective drugs in the market
  • Ensuring fair competition among industry players
  • Assuring drug quality through data collection and analysis
  • Minimizing financial risks

Importance of Data Compliance

Data compliance avoids instances of duplication, falsification, deletion, and accidental or intentional modification of data – ensuring that products are developed in a manner that meets consistent standards. It eliminates the risks and potential losses of delivering substandard or dangerous products to market. 

While data compliance safeguards patient safety, it also protects the organization from the severe financial consequences of FDA enforcement actions such as facility shutdowns, product recalls, import and distribution bans, delayed or denied drug approvals, substantial remediation costs, and loss of customers due to a damaged reputation. By enforcing data compliance standards across US pharmaceutical manufacturing, the FDA aims to protect public health, since people use many different drug classes, medications, biological products, medical devices, and cosmetics.

Data Compliance – Overview & Requirements

Data compliance is a process of pharmaceutical and food manufacturing firms implementing meaningful and practical strategies to manage their data integrity risks while considering the design, operation, monitoring of systems and data controls based on process, risk to patient, and product. 

To achieve data compliance, the management needs to create a quality culture to adhere to cGMP regulations through executive authority.  

The FDA has a set of minimum requirements in following good manufacturing and data recording practices — compliant methods of manufacturing, processing, packing, and holding of drugs to assure quality, safety, efficacy, and purity characteristics. 

The following are the mandatory data compliance requirements as per FDA regulations: 

Data Backup

All automatic, electronic, and mechanical equipment, including computers or related systems, used for the manufacturing, packing, processing, and holding of drug products must go through calibration checks and inspections, and written records of these must be maintained.

All pharmaceutical companies must enforce proper computer system controls on master production records or control records so that they are accessible only by authorized personnel and are checked for accuracy.

The backup file of all data entered into the computer system must be kept in hard copy or alternative means, such as duplicates, tapes, or microfilm, designed to ensure that backup data is accurate and complete and safe against tampering, unintentional erasures, or loss.

Any calculations or laboratory analysis findings that are eliminated due to automation or computerization must be reported in writing with enough validation data.

Data Storage

CFR, 212.110(b) specifies record availability, quality, and retention procedures. To meet record availability requirements, records need to be maintained at the PET drug production facility or a secure location readily accessible to officials of the production facility and FDA inspectors. All documents, including those not kept at the inspected business, must be legible, properly preserved to avoid deterioration or loss, and easily accessible to FDA workers for examination and copying. From the date of finalization, you shall keep all documents and documentation for at least one year.

Laboratory Standards for Documentation 

Procedures for laboratory process control and manufacturing must be developed to ensure drug product quality, purity, strength, and identification.

Standard written processes should be used, and any changes should be drafted, authorized, and evaluated by quality control and organizational units. Further, to meet data compliance, these procedures must be followed during the execution of the process control and production process and documented during activity. In addition, any deviation in execution from written procedures will be justified and recorded. Specifications of drug containers, closures, packing, processing, and holding of drugs, sampling plans, standards, test procedures, and “scientifically sound” laboratory control mechanisms along with changes are some of the elements that need recording for compliance as per § 211.160. Instruments, gauges, apparatus, and recording devices must all be calibrated according to a written program that includes precise instructions, accuracy and precision limits, timetables, and provisions for corrective action if the accuracy and precision limitations are not fulfilled.

Standards for Original Documentation

According to § 211.180, any production, control, or distribution record, and any drug product container, closure, and labeling record that must be maintained for compliance, shall be retained for at least 1 year after the expiration date of the batch. Records of drugs lacking an expiration date need to be stored for three years after distribution. Companies have to make sure that all records and backup copies are readily accessible for authorized inspection during the retention period at the establishment where the activities described in such records occurred.

Records must be stored either as original records or as true copies in microfilm, photocopies, microfiche, or other accurate replications of the original records. Copies that can be immediately retrieved from another location by computer or other electronic means are acceptable.

Testing:  Data Recording & Standards

Pharmaceutical companies must keep batch production and control records for each batch of drug product produced, and they must include all relevant information about the batch’s production and control.

Data in laboratory reports that must be complete:

  • Data obtained in all tests, including details of samples received for testing, the method used, and instruments used.
  • Results of tests and how they compare with established acceptance criteria, and the initials or signature of the person who performs and reviews each test.
  • Each laboratory must design and implement protocols to ensure that equipment is calibrated, examined, checked, and maintained on a routine basis and that these activities are documented.

Equipment Oversight

FDA requires pharma companies to keep records of supervisors checking the laboratory equipment performance with log entries in the automated checking equipment. Equipment cleaning, maintenance, and use is a part of batch records for manufacturers to keep track of their products’ safety and ensure that they are in compliance with the regulations. 

The people who clean and/or double-check the cleaning and maintenance must sign or initial the record and date it. The log entries must be in chronological sequence. Regulators demand a review document with the initials or signature of a second person attesting to the original records’ accuracy, completeness, and conformance.

Important Terms: cGMP Standards & Record Keeping

Data Integrity

Data integrity is defined as the consistency, completeness, and accuracy of data. Data that is traceable, readable, recorded in real-time, original, or a true copy should be attributable, consistent, and accurate. Data integrity also refers to the security and regulatory compliance of data, such as GDPR compliance.

Data integrity is an important concept when it comes to data storage. Without data integrity, data can become erroneous or lost, leading to legal and financial implications for an organization. It is kept up to date by processes, rules, and standards established during the design phase. The information recorded will stay complete, accurate, and trustworthy no matter how long it is held or how often it is accessed if data integrity is maintained.

The following are the key data integrity criteria:

Accurate – no mistakes or edits without recorded changes.

Attributable – When was the data gathered, and who did the action?

Available – Record must be available for review, audits, and inspections throughout its lifetime. 

Complete – all data are present and easily accessible

Consistent – All aspects of the record, including the sequence of occurrences, are dated or time-stamped in the intended order.

Contemporaneous – documentation is done at the time of the activities.

Legible – data can be easily read.

Enduring – on proven storage media (electronic or paper)

Original / Reliable – a certified copy of a written output or observation

Trustworthy – There has been no tampering with the data or the record.

Importance of Data Integrity 

Data integrity is critical throughout the data life cycle—including in the creation, modification, processing, maintenance, archival, retrieval, transmission, and disposition of data after its retention period ends. System design and controls must enable easy detection of errors, omissions, and aberrant results throughout the data life cycle. Quantities that are recorded should be consistent with those determined by appropriate methods such as laboratory analysis or appropriate reference standards.

To avoid and identify data integrity concerns, cGMP laws and recommendations allow for flexible and risk-based measures.

In order to avoid and cure situations that might lead to data integrity issues, management must be involved in and have control over these tactics.

It is the responsibility of management with executive responsibility to foster a quality culture in which workers see data integrity as a key value of the business and are encouraged to discover and report data integrity concerns as soon as possible.

A breakdown of quality systems can lead to cGMP noncompliance if management does not promote a quality culture.


Metadata

Metadata is structured data that describes, explains, or helps to retrieve, use, and manage data. In other words, it is contextual information needed to understand data – “data about data.”

Metadata for a specific piece of data can include a date/time stamp documenting when the data was acquired, a user ID for the person who performed the test or analysis that generated the data, material status data, the instrument ID used to acquire the data, the material identification number, and audit trails.


Backup

Backup means a true copy of the original record — “consistent with the term archive.” These should be in their original format or a compatible format with the original format. Alongside data, the backup should contain metadata. To prevent losses and eliminate security risks such as destruction, backup copies are kept on site.

Audit Trail

Audit trails are used to determine the authenticity of data. The audit trail is a secure electronic record, usually time-stamped, that documents the steps taken leading up to the creation, modification, or deletion of a particular electronic record. If someone were to alter an electronic record, the audit trail would show who did it, when it was done and what changes were made.

To ensure the integrity of the data, an audit trail should be maintained for each data set. To implement a risk-based approach to audit trail reviews, companies need to have a quality control unit to assess the risk level of each system and track data life cycle processes. A cGMP compliant audit trail must include reviewing the following:

  • Name of analyst, with date and time when work was performed
  • Change in test parameters
  • Changes to data processing parameters
  • Changes to equipment parameters
  • Information on analytic methods used
  • Unauthorized data access
  • History of data modifications
  • Data deletion

An effective audit trail will help to deter fraud or prevent data from being lost/obscured and ensure that activities are documented accurately at the time of performance.
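
As an added illustration (not taken from the FDA guidance or from the original post), the Python example below shows one way an audit trail can be made tamper-evident and then screened during review: each entry stores a hash that covers the previous entry, and the review checks chain integrity, chronological order, attribution to an individual user, and lists modifications and deletions. The field names, the `SHARED_ACCOUNTS` set, the hash-chaining scheme, and the sample entries are assumptions constructed for this example.

```python
import hashlib
import json
from datetime import datetime

# Assumption: account names known to be shared by several people.
SHARED_ACCOUNTS = {"lab", "admin", "qc_shared"}
GENESIS = "0" * 64  # placeholder "previous hash" for the first entry


def entry_hash(entry: dict, prev_hash: str) -> str:
    """Hash the entry body together with the previous entry's hash."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(trail: list, user: str, ts: str, action: str, record: str, detail: str = "") -> None:
    """Append an entry that is chained to the one before it."""
    entry = {"user": user, "ts": ts, "action": action, "record": record, "detail": detail}
    prev = trail[-1]["hash"] if trail else GENESIS
    trail.append({**entry, "hash": entry_hash(entry, prev)})


def review(trail: list) -> list:
    """Return (index, finding) pairs that a reviewer should follow up on."""
    findings = []
    prev_hash, prev_ts = GENESIS, None
    for i, stored in enumerate(trail):
        entry = {k: v for k, v in stored.items() if k != "hash"}
        if entry_hash(entry, prev_hash) != stored["hash"]:
            findings.append((i, "hash chain broken: entry altered, removed or reordered"))
        ts = datetime.fromisoformat(entry["ts"])
        if prev_ts is not None and ts < prev_ts:
            findings.append((i, "timestamp earlier than previous entry"))
        if not entry["user"] or entry["user"].lower() in SHARED_ACCOUNTS:
            findings.append((i, "not attributable to an individual user"))
        if entry["action"] in ("modify", "delete"):
            findings.append((i, f"{entry['action']} of {entry['record']} by {entry['user']}"))
        prev_hash, prev_ts = stored["hash"], ts
    return findings


def build_sample_trail() -> list:
    """Constructed sample entries; not real laboratory data."""
    trail = []
    append(trail, "jdoe", "2021-12-01T09:00:00", "create", "HPLC-0042", "initial injection")
    append(trail, "jdoe", "2021-12-01T09:20:00", "modify", "HPLC-0042", "integration parameters changed")
    append(trail, "lab", "2021-12-01T09:40:00", "delete", "HPLC-0042", "result removed")
    append(trail, "asmith", "2021-12-01T09:30:00", "review", "HPLC-0042", "second-person review")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    for idx, finding in review(trail):
        print(idx, finding)
    trail[1]["detail"] = "no change"  # simulate an edit made outside the system
    print([f for f in review(trail) if f[1].startswith("hash chain")])
```

The review output is a worklist for the second-person reviewer, not a verdict: a flagged modification may be fully justified, but it needs a documented reason.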

Additional Data Compliance Considerations

Invalidating Test Results

There are many laboratory situations that may require the invalidation of test results. The following are some examples. However, they are not exhaustive:

  1. Incorrect or missing information on test records.
  2. Errors in test procedures, equipment, or personnel may have affected the results.
  3. Results for samples taken from nonconforming production lots.

The reason for invalidating data should be determined and documented with a scientifically sound justification according to CFR guidelines. You should not release any product from an invalidated batch or use any ingredients or packaging materials to make more product batches.

Validating cGMP Workflows

A cGMP workflow, such as the compilation of an electronic master production and control record (MPCR), is a computer system’s intended purpose that must be validated. Validation studies should be proportional to the risk that an automated system poses. When a single system is utilized to execute both cGMP and non-cGMP activities, the risk of non-cGMP functions interfering with cGMP operations should be considered and suitably addressed. 

Computer Systems Security and Oversight

Pharmaceutical firms must ensure that changes to computerized MPCRs or other cGMP records can be made only by authorized personnel. FDA advises restricting the ability to alter specifications, process parameters, data, or manufacturing or testing methods by technical means where possible.

Login Security

Systems that share logins among multiple users may not be able to identify a unique individual. So, these systems may not be able to document and track actions and decisions throughout the product life cycle. System controls are designed in accordance with cGMP requirements to assure product quality. Shared logins are not attributable and don’t comply with CFR 211 and 212 requirements. Therefore they cannot be involved in review or audit activities.

Form Maintenance and Security

Blank forms (e.g., electronic worksheets, lab notebooks, and MPCRs) should be controlled by the quality unit or another document control mechanism.

Incomplete or incorrect forms, as well as documented reasons for their replacement, should be preserved in the permanent record.

Audit Trail Review

As they analyze the rest of the record, personnel responsible for cGMP record review should check the audit trails that gather changes to data linked with the record. 

Furthermore, FDA guidelines state that if the data review frequency is not specified in cGMP regulations, you should determine the audit trail review frequency based on your processes and risk assessment tools.

Electronic Copies

Drug companies can use electronic copies of paper or electronic records as true copies if they maintain the original record’s content, meaning, and static/dynamic nature along with information to reconstruct cGMP.

Paper Records

Paper printouts are allowed for retaining static records when they are original copies conforming to cGMP requirements. 

Electronic Signatures

An electronic signature of an authorized user (e.g., a supervisor) assigned access to a system that meets other specific requirements for data integrity and authorization controls is to be used instead of a handwritten signature or initials in any cGMP-required record. It has to be a full handwritten signature with appropriate controls to securely link the signature with the associated record.

Companies using electronic signatures should ensure they are able to identify the specific person who signed the records with controls. 

Testing Into Compliance

Testing into compliance is an act of testing and sampling done to achieve the desired outcome and specific result and override unacceptable results. FDA prohibits it, and it is not consistent with cGMP.

Data Falsification

If there is a suspected alteration to records, it must be fully investigated under the cGMP quality system to inspect how it affected the product’s making, its consequences to patient health, and data reliability. Also, your drug company needs to investigate the root cause for taking corrective action. This should be done no matter who is suspected of the alteration and how information was altered or falsified. 

Data Integrity Training

Personnel training is critical for preventing and detecting data integrity issues as early as possible and effectively resolving the issues. According to FDA regulations, companies must ensure that data integrity personnel have the necessary education, training, and experience to complete the assigned tasks.

Ensuring Data Compliance and Integrity

Data integrity has become more difficult to preserve as a result of electronic data and computerized systems; as a result, the data governance system should be an intrinsic part of the pharmaceutical quality system, as mandated by regulatory bodies. Data governance effort and resources should be proportional to the risk to product quality and should be balanced with other quality assurance resource needs. As a result, manufacturers and analytical laboratories must develop and manage a system that offers an appropriate level of control based on data integrity risk and is correctly documented with reasoning.

When your pharmaceutical company is determining how to satisfy several of these regulatory criteria, it’s a good idea to consider the below questions:

  1. Are controls in place to review and verify that all recorded data is complete?
  2. Is documentation of actions done at the time of performance?
  3. Is it possible to attribute activity to a certain person?
  4. Are only authorized personnel allowed to make changes to records?
  5. Do records contain the history of data changes?
  6. Are records checked for correctness, completeness, and compliance with set quality guidelines?
  7. Is data kept safe from the time it is created until it is disposed of at the end of the retention period?

Data integrity is a key consideration for organizations in producing the safest and most efficacious products. And in a world of increased scrutiny from regulatory bodies as well as potential litigation and other business risks, having the proper data security and oversight has never been more important.
