FDA Data Integrity Enforcement Is Accelerating — Here's What the Warning Letters Actually Say

The Same Failure, Different Companies

I have read a lot of FDA warning letters. After a while, you stop being surprised — not because the violations are minor, but because they are so consistently the same.

Audit trails disabled. Shared login credentials. Raw data deleted and re-run until the result looked acceptable. Analysts retesting samples without documenting the original failure. These are not exotic compliance failures. They are basic. And FDA is running out of patience.

In 2025, data integrity citations appeared in over 60% of pharmaceutical manufacturing warning letters. That number has climbed every year since 2013, when FDA first issued its draft guidance on the topic. It is no longer a trend — it is the default enforcement story.

What the Warning Letters Actually Cite

Read through recent enforcement actions — Sun Pharmaceutical, Ipca Laboratories, Hetero Drugs — and a pattern emerges. FDA is not just citing falsified data. They are citing the systems that allowed falsification to happen unchallenged for years.

The most common 21 CFR Part 211 citations in recent data integrity warning letters:

• §211.68(b) — Computer systems not validated to prevent unauthorized access or manipulation
• §211.180(a) — Records not kept complete and accurate
• §211.192 — Laboratory investigations not thorough, not extended to other batches
• §211.194(a) — Laboratory records not complete, original observations not captured

What connects all of these? They are systemic. One analyst deleting a chromatography file is a person problem. An LIMS that allows deletion without audit trail capture, a QA function that never reviewed the anomaly rate, a management culture that pressured retesting — that is a system problem. FDA cites the system.

The Alcala Investigation Pattern

One of the clearest illustrations is what FDA describes as the "Alcala pattern" — named after findings at a contract manufacturer where analysts retested out-of-specification samples without initiating formal OOS investigations, then reported only the passing result.

The company had a procedure for OOS investigations. It was not being followed. The audit trail showed dozens of invalidated tests over 18 months. QA had signed off on batch records throughout.

FDA's conclusion was not that the procedure was inadequate. It was that the quality system had failed to detect ongoing data manipulation for a year and a half. That is a different — and much more serious — finding.

What Separates Companies That Get Warning Letters From Those That Don't

I have worked on quality systems at sites that have been through FDA inspections without data integrity findings. The common thread is not more people or bigger budgets. It is that data integrity was treated as an operational reality, not a compliance checkbox.

Practically, that means:

Audit trail review is a scheduled activity, not something that happens when an investigator shows up. Monthly trending of audit trail anomalies — logins outside business hours, record deletions, backdated entries — catches problems before they compound.

The OOS rate is monitored as a leading indicator. A site with a 0.2% OOS rate across all testing is either doing excellent science or gaming the system. Quality leadership should know which one it is.

Analysts are not the last line of defense — systems are. Validated LIMS with role-based access, electronic lab notebooks with locked entries, chromatography software configured to require supervisor approval for any raw data modification. These are the infrastructure that makes data integrity auditable.

Culture is upstream of everything. If an analyst believes their job is at risk when a test fails, they will find a way to make it pass. That is not a quality failure — it is a management failure that shows up as a quality failure.

What FDA Wants to See in a CAPA

When a site receives a data integrity warning letter and submits a CAPA, FDA has become increasingly specific about what it considers adequate. A procedure revision and retraining is not enough. FDA wants:

• A retrospective review of data generated during the period of concern — often two to three years
• Third-party audit of the quality system
• Validated technical controls that physically prevent the observed manipulation
• Evidence that root cause extends beyond the individuals cited to the systems that enabled them

This is not punitive. It is FDA saying: show us you understand what actually happened, not just what you can document happened.

The Bottom Line

Data integrity enforcement is not going to slow down. FDA's use of remote record review and its growing collaboration with international regulators — EMA, MHRA, WHO — means the inspection footprint is expanding even as physical inspections remain constrained.

The sites that will continue to have problems are the ones treating data integrity as a documentation exercise. The sites that will not are the ones that have made the system itself the safeguard — where manipulation is hard, anomalies are visible, and the culture does not punish honest failure.

That gap is exactly what separates a robust quality system from one that looks robust on paper.