Data Integrity: The Whole Story

Barbara Unger has shared about the new regulatory expectations regarding GMP Regulatory Intelligence.  Indeed, we have heard that FDA inspectors have started asking people about what processes they have in place to monitor new regulations, guidelines, and developments.  In part, this is why we offer the GMP Regulatory Intelligence newsletter.

Now, we go deep into a serious issue that has received a lot of attention and press – data integrity. I’d venture to guess that billions of market capital has been lost because of this one issue.  The crazy part is this – it’s not even close to being a new issue.  As you’ll see, the data integrity story began at least 15 years ago. Here’s Barbara:

This article uses the example of data integrity enforcement actions over the past ten-plus years and identifies the missed opportunities where firms failed to learn from publicly available information. Many have suffered expensive consequences, both financial, and in reputation within the industry. Table 1 provides a selected list of enforcement actions based on shortcomings in the broad category of data integrity.

As early as 2000, a warning letter issued to Schein Pharmaceuticals cited lack of control over computerized laboratory systems[1] including lack of password control and broad ranging staff authority to change data. Another event was a 15-page form FDA-483 issued to Able Laboratories in New Jersey in 2005. Warning letters citing deficiencies in the broad area of data integrity were issued to Actavis Totowa LLC and Sandoz sites, both in the US followed in 2007 and 2008 respectively. Three warning letters were issued to two Ranbaxy sites in 2006 and 2008. The Ranbaxy inspections and warning letters were eventually followed by import alerts, a consent decree agreement, fines and loss of generic product exclusivity. In addition, Wockhardt Ltd. and Changzhou SPL Company received warning letters in 2006 and 2008 respectively, citing concerns about the authenticity and integrity of data. Even discounting the warning letter to Schein Pharmaceuticals in 2000, these early signals, from 2005-2009, were publicly available from regulators as well as being covered in the popular press and trade publications. Firms missed multiple opportunities to learn from the mistakes of others, immediately evaluate, and initiate remediation if necessary. Table 1 shows that enforcement actions based on data integrity have continued into 2015 with similar inspection observations and warning letter deficiencies.

Finally, FDASIA became law in July 2012 and introduced a revised definition of adulteration to include products manufactured by any firm that “…delays, denies, or limits an inspection…” FDA used this justification several times in issuance of warning letters, the first two of which are identified in Table 1. If firms tracked new legislation, particularly in the draft versions, they would have been informed about the expanded definition of “adulteration”. Publication of a draft and then final guidance clarified and expanded on the revised definition of adulteration.

Table 1. Selected Enforcement Actions for Data Integrity Problems

FY Company Additional Enforcement Actions or Comment
2000 Schein Pharmaceuticals Warning letter to Schein Pharmaceuticals cites inadequate control over laboratory computer systems including password control and authority to change data.
2005 Able Laboratories, Cranbury NJ The 15 page form 483 was among the early forms 483 addressing the broad category of data integrity.   Resulted in withdrawal of ~ 50 ANDAs and the firm is no longer in business.
2007 Actavis Totowa LLC, NJ Electronic data files not checked for accuracy; data discrepancies between electronic data and data documented in laboratory notebooks.
2008 Sandoz, site in NC Analysts may modify, overwrite or delete data; no audit trails or history of revisions in analytical data
2006 Ranbaxy, Paonta Sahib Import alerts were issued for four Ranbaxy sites, two dated 9/10/2009 and two dated 9/13/2009.  Ranbaxy entered into a consent decree agreement with the courts in January 2012. Ranbaxy agreed to pay a $500,000 fine in May 2013. Additional Ranbaxy site at Toansa, India was added to the consent decree agreement in January 2014See the FDA timetable of enforcement actions and associated documentation including some forms 483.
2008 Ranbaxy, Paonta Sahib
2008 Ranbaxy, Dewas
2009 Ranbaxy Ohm Laboratories in Gloversville NY
2008 Changzhou SPL Company Import alert dated September 10, 2009
2011 Cetero Research(untitled letter) This firm, located in the US conducted BA/BE studies in support of NDAs and ANDAs. It is no longer in business. Forms 483 here. FDA sent a letter to the firms that contracted with Cetero Research for BA/BE studies requesting specific information to establish validity of the BA/BE information in the drug applications.
2006 Wockhardt Ltd Another warning letter form 2006 that mentions issues in the data integrity area. The 2013 warning letter was the second warning letter that cited the new FDASIA power to determine products adulterated if they are manufactured at a site that “delays, denies or limits” an inspection. The FY 2014 letter addresses two sites owned by the company. Import alerts issued for two sites in India on May 22, 2013 and November 26, 2013. The 6-page form 483 to Morton Grove Pharmaceuticals identifies similar practices to those found to be objectionable at the sites in India
2013 Wockhardt Limited
2014 Wockhardt Limited
2014 Morton Grove Pharmaceuticals (US site owned by Wockhardt)
2012 Fercy Personal Care Products Ltd Import alert issued May 10, 2012
2013 Fresenius Kabi Oncology Ltd This represents the first warning letter to cite the FDASIA definition of adulteration to include products made in a facility that “delays, denies or limits” an inspection.
2014 Apotex Pharmachem India Pvt Ltd. Import alerts issued April 1, 2014 and April 22, 2014
2015 Apotex Research Private Ltd.
2014 Tripfarma S.p.A This site in Italy has data integrity type of issues identified in this recent warning letter.

The collection of enforcement actions in Table 1 and agency documents span more than ten years and covers both GMP and GCP. Firms located in the US, EU, India and China have been cited for data integrity problems. If firms read and internalized the actions at Schein Pharmaceuticals, Able Laboratories in Cranbury NJ, Actavis Totowa LLC in NJ and Sandoz in NC, followed the Ranbaxy series of actions, there is no reason to claim surprise in this enforcement area in 2016. Note that the earliest publicly available signals of the problem occurred during inspections of sites in the US. Enforcement for lack of data integrity is not limited to actions taken by FDA. The public section of the Eudra GMDP database was expanded in 2014 to include reports of non-compliance, many of which address the area of data integrity identified during inspections conducted by the European authorities. Also, MHRA first published a series of Q&A on this topic in January 2015 that was revised in March 2015. Anyone interested in data integrity should read, and re-read this.

It does not take a complicated financial formula to see that there are financial consequences for these compliance actions. For example, Able Laboratories ceased doing business, Cetero Research is no longer a business entity, Ranbaxy is in the process of being acquired by another pharmaceutical company in India, and Wockhardt Ltd’s sales are severely diminished in the US[2].


Data are publicly available to inform companies about changes in GMP laws, regulations, guidance, and inspection focus and enforcement trends. The example of data integrity is not meant to be the only topic for which this is true, but it is one where firms have suffered financial consequences resulting from enforcement actions. A GMP Regulatory Intelligence program should provide analysis and connect the dots among different types of information and multiple enforcement actions over time. New and important boilerplate language in a warning letter should be identified and communicated. Warning letters that identify new types of deficiencies, for example the absence of audit trails, are important to evaluate. Likewise, warning letters that identify seemingly stringent requirements that can be linked to similar requirements in consent decree agreements should be highlighted. An effective comprehensive GMP Regulatory Intelligence program meets the requirements in ICHQ10 and serves as a component of a corporate knowledge management system. Finally, the financial return is substantial if the program provides actionable knowledge to prevent a warning letter, import alert, seizure or the more serious consent decree agreement. Companies should consider that this applies across the GXP continuum, and is not limited to GMP activities alone.

When the FDA inspector asks you what your SOP is to stay on top of regulations and guidance, what is your answer? Let Barbara cover this function for you by reading the weekly GMP Regulatory Intelligence.

More about Barbara Unger>>

Learn more about how FDAzilla can help you achieve your quality and inspection preparation goals: get 483sInspector ProfilesEnforcement Analytics, and GMP Regulatory Intelligence. Contact me if you ever have questions at

Other FDA Inspection resources:


      1. [1] The warning letter is not available on the current FDA web site and must be requested under FOI. Following is the specific deficiency.
      2. Failure to maintain the integrity and adequacy of the laboratory’s computer systems used by the Quality Control Unit in the analysis and processing of test data. For example:

a) There was a lack of a secure system to prevent unauthorized entry in restricted data systems. Data edit authorization rights were available to all unauthorized users, not only the system administrator.

b) The microbiology departments original reports on sterility test failures of Penicillin G Potassium for injection, lots 9804024 and 9811016 due to environmental mold, which were sent via electronic mail to the Quality Assurance Management, differed significantly from the versions included in the Quality Assurance Management’s official reports.

c) The network (b) (4) module design limitations, which can only support up to four chromatographic data acquisition systems, had up to five chromatographic systems connected. There was no validation showing this configuration to be acceptable.

d) System testing was not conducted to insure that each system as configured could handle high sampling rates. Validation of the systems did not include critical system tests such as volume, stress, performance, boundary and compatibility.[2] See article in FiercePharma from 11/3/2014

Leave a Reply

Your email address will not be published. Required fields are marked *