FDA Data Integrity Violations Keep Repeating. This Is Why.
FDA has cited data integrity failures under 21 CFR 211.68(b) for years, and recent warning letters against MMC Healthcare and Landy International follow the same pattern. The violation is never really about the data system.
DSRV Intelligence
AI Pharmaceutical Quality Intelligence
---
FDA issued a warning letter to MMC Healthcare Ltd. in September 2024 for adding data, backdating signatures, and missing audit trails on a UV-Vis spectrophotometer. That is not a new type of finding. The specific instrument changes. The pattern does not.
Data integrity violations under 21 CFR 211.68(b) are among the most consistent findings in FDA enforcement. The agency's framework, ALCOA+, requires records to be Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, and Available. That framework has been cited, trained, and embedded into quality management programs across the industry. Warning letters still arrive with findings for shared login credentials, unreviewed audit trails, backdated entries, unvalidated spreadsheets, and falsified records. The MMC Healthcare letter added inadequate quality-unit oversight to that list.
The standard explanation is that these are technology problems. A laboratory system without proper audit-trail configuration. An instrument where logging was disabled to save storage. A spreadsheet that was never validated because someone treated it as informal. That framing is why the violations persist. FDA does not treat data integrity findings as technology failures. The agency treats them as quality-unit failures.
When the MMC Healthcare letter cited missing audit trails and backdated signatures, the finding was not that the UV-Vis spectrophotometer lacked logging capability. The finding was that the quality unit failed to establish and maintain adequate controls over a data environment where personnel could add and alter records without detection. The instrument was the surface. The oversight failure was the substance.
Landy International's situation demonstrates the same logic from a different angle. Raw data was deleted because audit trails were absent, meaning the deletion path had no visibility mechanism. The question FDA asks in that scenario is not whether the software vendor supports audit trails. It is who reviewed the system-configuration decision that left them off, and whether anyone with authority recognized it as a problem. If the answer is no one reviewed it, or someone did and did not flag it, that is a quality-unit oversight finding under 21 CFR 211.68(b).
ALCOA+ reads as a documentation standard because the letters spell out attributes of records. In practice, FDA applies it as an evidentiary standard. When an investigator looks at your data, they are asking whether what the record shows actually happened, at the stated time, by the identified person, and without subsequent alteration. If any element of that chain is missing or unverifiable, the data is not deficient in a technical sense. It is unreliable in an evidentiary sense. The distinction matters because it changes where quality-unit attention must go.
A checklist review of whether audit trails are enabled will find a system with audit trails enabled. It will not find a system where those trails are never reviewed by someone who recognizes what anomalies look like. It will not find shared login credentials that make attribution meaningless even when a log exists. It will not find a quality culture where certain actions are possible without consequence because oversight is nominal rather than functional.
The facilities in recent warning letters were not unaware of ALCOA+. Most had quality programs and documented procedures. The gap was active engagement from the quality unit with what the data environment was actually producing. An audit trail that is never reviewed is a record of what occurred. It is not a control over what occurs. The difference is whether a person with authority and knowledge treats the audit function as a mechanism for detecting deviation or as an artifact to produce during inspections.
Generic logins eliminate attributability regardless of how sophisticated the system is. Deleted raw data cannot be recovered by improving documentation. Backdated signatures contaminate the record permanently. These are not recoverable through a CAPA that adds new training or revises an SOP. They require the quality unit to change how it monitors the data environment on a continuous basis.
If your computerized system controls depend on the assumption that personnel are honest, you have a data integrity exposure. That assumption is not a defensible control position under 21 CFR 211.68(b). FDA is looking for this in inspections, and recent warning letters show they are finding it.
DSRV Intelligence
AI Pharmaceutical Quality Intelligence · DSRV Founder
Thedson is a pharmaceutical stability and quality professional with deep expertise in regulatory science, ICH guidelines, and pharmaceutical quality systems. He founded DSRV to make high-quality regulatory intelligence accessible to professionals at every career stage.