Lab Manager | Run Your Lab Like a Business

Data Integrity and Compliance

New cybersecurity and quality control solutions log adverse events and anticipate future events.

by Margaret Blackburn
Register for free to listen to this article
Listen with Speechify

When it comes to manufacturing products that can affect public health, scientists need to prove the integrity of their data or risk having their laboratories cited—or even shut down. However, regulatory guidelines put forth by the U.S. Food and Drug Administration (FDA), the UK’s Medicines and Healthcare Products Regulatory Agency, and the European Medicines Agency are constantly evolving and oftentimes unclear. In addition, analytical laboratories are encountering a whole new regulatory mindset during the audit process.

As such, the development of data and its life cycle are increasingly important indicators to regulators for potential fraud or insufficient system management practices. But in an industry fraught with enormous and complex IT systems, it can be challenging to understand data compliance needs—let alone manage and implement them across global organizations. While it may be appropriate and necessary, remediation from such an event is likely to be costly, time-consuming, and could have a significant impact on productivity and morale.

Data integrity is at the heart of laboratory compliance

Data integrity violations can occur for several reasons, such as the use of a generic user account, not properly safeguarding usernames and passwords, lack of administrative procedural control, or a lack of secured and specified group privileges—basically any reason that gives proximal cause to view the data environment as uncontrolled.

But data integrity does not stop there. There has been a big push by the FDA to ensure that data—whether raw or edited—has an audit trail, which includes information about who added or edited the data, which instrument or medical device it came from, and time stamps that point to when and where the data was accessed. That means companies must ensure that their software and instruments establish and maintain adequate procedures for data collection and reporting through computerized system validation.

For companies looking to digitize old paper records, challenges can also occur when manually inputting data into the system if the data does not correlate with the paper records, regardless of any human error or miscalculation.

In recent years, the FDA has reviewed thousands of analytical reports, conducted hundreds of on-site inspections, and acted against more than 200 out-of-compliance companies for violations to the current good manufacturing practices (cGMP), including data integrity.1 These cGMP violations have led to numerous regulatory actions, including 483s, warning letters, import alerts, and consent decrees.

For example, in January of this year, the FDA issued a warning letter to a manufacturing facility in Teramo, Italy, for discrepancies in data, stating that the lab’s quality system did not adequately ensure the accuracy and integrity of data to support the safety, effectiveness, and quality of the drugs manufactured.2 The facility was cited for storing original data in an “unofficial” and uncontrolled electronic spreadsheet on a shared computer network drive—meaning that the data could potentially be altered. The agency also took issue with the facility’s quality control unit after observing copies of uncontrolled and partially completed cGMP forms without any accountability or oversight, and the use of paper shredders to destroy critical lab and production records without the appropriate controls or procedures.

As a result, the FDA recommended that the laboratory evaluate training and quality control procedures to ensure that qualified and experienced personnel would review and document critical test results moving forward. Additionally, in order to protect the data and research that was already done, the lab was required to review all the uncontrolled spreadsheets from January to September 2014, and indicate when and where additional steps were taken to confirm the validity of the results.

In such circumstances, the FDA might also recommend the lab retain a qualified consultant to assist in remediation, including the following activities:

  • Conduct a comprehensive investigation into the extent of the inaccuracies in data records and reporting.
  • Perform a current risk assessment of the potential effects and risks to patients posed by ongoing operations.
  • Establish a management strategy for the firm that includes the details of a global corrective and preventive action plan, including:
    • A detailed corrective action plan that describes how the company intends to ensure the reliability and completeness of all the data generated, including analytical data, manufacturing records, and all data submitted to the FDA.
    • A comprehensive description of the root causes of data integrity lapses, including evidence that the scope and depth of the current action plan is commensurate with the findings of the investigation and risk assessment. Additionally, the company must indicate whether individuals responsible for data integrity lapses remain able to influence cGMP- related or drug application data at the firm.
    • Interim measures describing the actions the company has taken or will take to protect patients and to ensure the quality of drugs, such as notifying customers, recalling product, conducting additional testing, adding stability programs, drug application actions, and enhanced compliance monitoring.
    • Long-term measures describing any remediation efforts and enhancements to procedures, processes, methods, controls, systems, management oversight, and human resources such as training or staffing improvements designed to ensure the integrity of the company’s data.

The good news is that new cybersecurity and quality control solutions are entering the market to help address these needs on a proactive basis, helping log adverse events and anticipate future events. The problem for most companies is that they do not have the time or resources to move quickly enough to keep pace with changing regulations. Moreover, the specific needs of each lab are unique, and the enormity and complexity of IT systems can make it hard to arrive at the right solution, leaving many to adopt a waitand- see approach. This wait-and-see approach to regulatory audits can result in inefficiencies and temporary fixes.

With more time and resources being drained by emergency or high-priority situations, the reactive approach creates an inability to develop a plan to address the laboratory environment holistically.

Industry leaders are no longer leaving compliance to chance

In today’s landscape, it pays to be proactive. Doing so can improve compliance, stabilize costs, and give labs more control over time and resources.

In the lab, it might be as simple as introducing electronic recordkeeping, automatically affixing data time stamps, or validating an instrument’s computer systems, including both hardware and software. On the enterprise level, it could also lead the way to a more productive and profitable approach to doing business. This requires the adoption of a global, comprehensive, risk-based approach to compliance that builds quality into procedures and products rather than introducing robust compliance initiatives post-inspection.

Managed services companies that offer remediation support have experienced staff and proven methodologies that can help labs take a proactive approach to quality assurance, and can relieve the burden caused by remediation, which can help avoid the wasted time and effort caused by trial-and-error scenarios. Additionally, managed services companies can also provide a number of other services, including:

  • In-lab, proactive, health-based programs to ensure system uptime
  • Instrument repair services
  • Maintenance services that improve the efficiency and effectiveness of lab applications
  • Development of automated and traditional protocols
  • Validation support and qualification of methods and platforms
  • Relocation of partial or entire laboratories
  • Harmonization of documentation
  • Expert training
  • Turnkey services that enhance scientific workflows while implementing high-quality compliance practices and processes

As the world of drug development and manufacturing becomes more complex, it raises new challenges in the oversight process involving variables such as personnel, practices, treatments, and geographic dispersion. Advances in technology are helping companies deploy proven solutions to mitigate and prevent risk as they streamline their compliance strategies and approaches to be in line with global guidance.

Staff scientists no longer need to tinker with hardware, software, or validation procedures in the hope of remaining compliant. New data management methodologies are based on centralized monitoring activities and continual improvement processes that allow scientists to do what they do best—pursue science with integrity.


1. U.S. Department of Health and Human Services, Food & Drug Administration. (2017). Warning Letters and Notice of Violation Letters to Pharmaceutical Companies [Data file]. Retrieved from:  

2. Cosgrove, T.J. (1/1/3/17). FACTA Farmaceutici S.p.A. 1/13/17. In Inspections, Compliance, Enforcement, and Criminal Investigations, Compliance Actions and Activities, Warning Letters, 2017. Retrieved from: