2024 Top Data Integrity Audit Issues

Picture of Dr Eva Kelly

 

In the fast-evolving world of life sciences, ensuring the integrity of GMP records has never been more critical. Regulatory bodies like the FDA and EMA continue to emphasize data integrity as a cornerstone of GxP compliance, with ALCOA+ or ALCOA++ principles serving as a guiding framework.

Whether you’re transitioning to manufacturing operations, implementing serialization systems, or embracing risk-based approaches, understanding and mitigating uncovered data integrity issues is essential to patient safety and product quality.

Here, we’ll delve into the most common noncompliance citations informed by 2024 inspection observation data sets from the FDA with an added focus placed in this article on data integrity issues and perennial challenges. Based on our experience supporting life sciences and medical device organizations we then offer some basic insights on how to strengthen your data integrity compliance strategies for 2025.

2024 Was Characterized By Familiar Issues

Some data integrity challenges persist in organizations. Inadequate or missing procedural controls and incomplete and/or missing records are perennial problems. The following points elaborate on these and other key data integrity challenges.

1. Governance and SOP weaknesses

Even where procedures exist, they are often insufficiently detailed to guide GMP data and record activities and are difficult to follow or repeat in a consistent manner. Based on FDA 2024 fiscal year data and including the product areas veterinary, drugs, biologics, and medical devices, over 50% of all citations related to inadequate procedures with some specific citations observed in 2022, 2023, and 2024 relating to:

  • 21 CFR 820.100(a) “Procedures for corrective and preventive action have not been [adequately] established.”
  • 21 CFR 820.198(a) “Procedures for receiving, reviewing, and evaluating complaints by a formally designated unit have not been [adequately] established.”
  • 21 CFR 211.22(d) “The responsibilities and procedures applicable to the quality control unit are not [in writing] [fully followed].”
  • 21 CFR 211.100(a) “Your firm failed to establish [adequate] written procedures for production and process controls designed to assure that the drug products have the identity, strength, purity, and quality that they are purported or represented to possess.”

Applying an additional data integrity lens and looking specifically at warning letters for the same period, certain problems continue to crop up again and again, including procedural controls, with regulators continually emphasizing: “Data integrity is critical throughout the cGMP data life cycle, including in the creation, modification, processing, maintenance, archival, retrieval, transmission, and disposition of data after the record’s retention period ends.”

In one specific example, FDA investigators found insufficient high-level audit trail review instructions only, leading to inconsistencies across reviewers.

Indoco Remedies was found to lack appropriate procedural controls, including: “The procedures governing chromatography analyses do not require the review of all audit trail data. Your personnel were unaware of the requirement to review the Empower Message Center data in Plant (redacted) analyses during the inspection.” 

Many companies also showed insufficiencies around data security with common citations including:

  • uncertainty on how to confirm access for the right role at the right time, including user role changes
  • uncertainty on how to confirm vendor activities when they may have elevated roles in the system

Unexo Lifesciences was found lacking in key system access controls. “QC analyst had the ability to manipulate results, dates, and images of in-house and vendor stamp approvals on component certificate of analyses (COAs) from third-party contract laboratories, including the means to duplicate the stamp approval across multiple COAs for components.”

  • inadequate procedures for end-to-end backup and restore processes

Applied Therapeutics struggled to apply appropriate controls to their data or adequately maintain data backups. Part of the remediation activities will include Applied Therapeutics creating “a data process map that clearly shows the flow and storage of collected data, to ensure that source data is maintained at both the site and at the sponsor” and “Electronic data (even if held on third-party systems) will be backed up appropriately and held at the sponsor.”

2. Validation deficiencies

Insufficient validation of software, including network or cloud solutions, was again an issue in 2024 with the lens possibly shifting to appropriate use of AI and required validation for 2025.

Some key 2024 callouts:

  • 21 CFR 820.70(i) “Software used as part of [production] [the quality system] has not been [adequately] validated for its intended use according to an established protocol.”

 Rolence had not validated the software application for X-ray quality control used to perform the final tests of portable X-ray systems.

  • 21 CFR 211.68(b) “Input to and output from [the computer] [related systems of formulas] [records or data] are not checked for accuracy”

Citations associated with 211.68(b) comprise approximately 7% of all FDA citations year on year, so companies either lack proper procedures to manage computerized systems and protect their data, or the procedures they have just aren't cutting it.

3. System inventory gaps

Frequently-cited system inventory gaps include:

  • outdated or incomplete inventory lists, leading to uncontrolled data and records
  • retired systems not appropriately tracked but still containing GxP-relevant data

While searching through warning letters and 483s, it is not always immediately obvious that a deficiency associated with computerized system inventory management is such a big issue that could lead to data integrity gaps, but when the investigator letter cites: “A comprehensive investigation into the extent of the inaccuracies in data records and reporting,” your investigation should include a detailed investigation, protocol, and methodology and a summary of all laboratories, manufacturing operations, and systems to be covered by the assessment.

For Viatris there can be no doubt, if you don’t know where the data is or whether it is reliable, then how on earth can you be applying appropriate controls

4. Missing records or data and records missing key ALCOA++ attributes

Missing records continue to be an issue, with failure to maintain original records still an area of great concern for many companies, including just a selection here: Viatris, Micro Orgo Chem, and Becton, Dickinson, and Company.

The bad news is that insufficient data attributes to provide data integrity assurance are also still an issue.

Perennial ALCOA++ offenders include:

  • Poor or no attribution of activities: There is a lack of segregated roles, and use of generic accounts leads to confusion of who had actually completed GMP activities
  • Poor or no legibility: There are overwritten or altered records and no justifications recorded for changes made or audit trails are disabled with no explainable reason
  • Questionable accuracy: Uncontrolled data transformations and manual calculations are performed without independent oversight
  • Data transformation errors: Unverified transformations compromised accuracy. Transformation tools are used with no version or coding controls

5. Physical and logical security issues

Governance and controls associated with physical records continue to be an issue.

Jiangsu-hengrui-pharmaceuticals had numerous cited issues during their inspection, including:

“serious quality assurance (QA) deficiencies, such as discarded original cGMP records found stacked in a bag underneath a vehicle and in a nearby trash can, as well as your production manager’s unrestricted access to blank production batch records and other cGMP documents without QA issuance.”

Another issue associated with logical controls is the misuse of generic accounts. Often these generic accounts are used by vendors but the correct use would be by the service or application itself and limited to very specific activities. Generic accounts are not typically associated with a specific named user, are typically not mail-enabled, and users should not be permitted to use them as temporary accounts.

Mitigating Data Integrity Risks

To better address these challenges before they become citation-causing issues, site leadership teams, IT, quality directors, and all data stakeholders must adopt proactive measures:

  • Enhance training: Ensure that all staff understand the importance of ALCOA++ principles and their practical application
  • Regularly revise SOPs: Regularly review and update procedures to include detailed instructions for audit trails, backup and restore, and system and data life cycle management
  • Conduct regular audits and assessments: Perform internal data integrity audits and GEMBA walks to identify and address gaps
  • Leverage technology: Implement GxP-compliant systems that streamline audit trail reviews, data security exception reporting, and life cycle management
  • Maintain a centralized inventory: Use validated tools to manage system inventories and ensure retired systems are monitored appropriately

Conclusion

Data integrity remains a top priority for life sciences organizations navigating complex regulatory landscapes. By addressing governance weaknesses, enhancing SOPs, and leveraging robust systems, it is possible to ensure GxP compliance and audit readiness.

How can we help you?

Are you ready to strengthen your data integrity practices? Sign up for one of ERA Sciences’ comprehensive data integrity courses and equip your team with the knowledge and tools to safeguard patient safety and regulatory compliance. Or simply reach out to one of our data integrity experts and start the success conversation today.

Contact us at info@erasciences.com

 
, , , , , ,
Dr Eva Kelly

Dr Eva Kelly

Eva holds a degree in Analytical Science and a PhD in Chemistry from Dublin City University, bringing over 25 years of experience in site solutions and learning management across various sectors, including pharmaceuticals, medical devices, and FMCG. She has specialized as a Data Integrity SME, with expertise in 21 CFR Part 11 and Annex 11 compliance, and has led Data Integrity and QA IT roles within pharma and biotech companies, focusing on GxP SAAS, hosted, and on-premise solutions. Eva is passionate about fostering a culture of Data Integrity (DI) excellence, working directly with clients to implement DI governance strategies that prioritize people, processes, and technology. Over the past decade, she has honed her skills in stakeholder presentations, quality risk management, and the implementation of systems such as SABA Cloud, EtQ Reliance, VEEVA Vault, and Axway Track and Trace, among others. With a deep understanding of DI's evolving role, Eva is dedicated to helping clients achieve thorough GxP record compliance and successful DI initiatives.

Follow me on LinkedIn

Comments

Related posts