Guest Column | June 12, 2019

An Analysis Of 2018 FDA Warning Letters Citing Data Integrity Failures

By Barbara Unger, Unger Consulting Inc.

This article represents the fourth year I have published an evaluation of FDA warning letters associated with data governance and data integrity deficiencies. (Here are links to the 2015, 2016, and 2017 installments.) The agency’s enforcement for failures in data integrity and data governance began almost 20 years ago. This year, however, we may have turned the corner, which I will address below. Although the FDA is not the only health authority that identifies these issues in inspections and enforcement actions, their transparency ensures the data is readily available.

 In this summary, this article will identify:

  • Warning letters from the 2018 calendar year (CY2018) that cite data integrity deficiencies
  • The number of warning letters citing this topic in the past 11 years and the countries where the impacted sites are located
  • The regulations identified most frequently in CY2018 drug GMP warning letters citing data integrity failures.

As in past years, all data integrity deficiencies identified in Form 483s and warning letters are failures to follow cGMPs as specified in the predicate rules. The FDA has not implemented novel interpretations or requirements applicable to data governance. The use of computer systems and other electronic systems requires different approaches to ensure compliant practices, but these are all based on the existing regulations in 21 CFR 211.

Data Integrity GMP Warning Letters And Trends From The Past 11 Years

Table 1 identifies the FDA warning letters issued to drug manufacturers in CY2018 that include data integrity deficiencies. The table includes the date of issuance and the country where the cited facility is located. The FDA issued 85 drug GMP warning letters in CY2018, excluding those issued to compounding pharmacies and outsourcing facilities. Forty-two of the 85 included a data integrity component, for a total of 49 percent of the warning letters. No warning letters were posted in December due to the partial government shutdown.

Table 1: CY2018 Drug Warning Letters With Data Integrity Deficiencies






Yicheng Chemical Corp.



Hunan Norchem Pharmaceutical Co. Ltd.



Daito Kasei Kogyo Co., Ltd.


South Korea

Cosmecca Korea Co., Ltd.



Shanghai Weierya Daily Chemicals Factory



Alchymars ICM SM Private Limited




Zhejiang Ludao Technology Co., Ltd.



Hong Kong China

Nan San (HK) Pharmaceutical Factory Limited


Dominican Republic

Labocont Industrial SRL



Keshava Organics Pvt. Ltd.



South Korea

Hanbul Co., Ltd. dba Hanbul Cosmetics Co Ltd.




Degasa S.A. De C.V.




Lijiang Yinghua Biochemical and Pharmaceutical Co. Ltd.




Reine Lifescience



Cerno Pharmaceutical



Nox Bellcow Cosmetics Lo. Ltd.



Jilin Shulan Synthetic Pharmaceutical Co. Ltd.


South Korea

Kolmar Korea Co Ltd.



ITD Australia Ltd.



Taiwan Biotech Company Ltd.



Henan Lihua Pharmaceutical Co. Ltd.



Sichuan Friendly Pharmaceutical Co., Ltd



Foshan Jinxiong Technology Co. Ltd.



Zhuhai United Laboratories Co. Ltd.



Baxter (Claris Injectables Ltd.)



Milbar Laboratories Inc.



Yuki Gosei Kogyo Co., Ltd.



Les Produits Chimiques B.G.R., Inc.



Yicheng Goto Pharmaceuticals Co., Ltd.



JT Cosmetics & Chemicals Pvt Ltd.



Signature Formulations, LLC



Apotex Research Private Limited



Kyowa Hakko Bio Co., Ltd.



Longood Medicine (Beijing) Co. Ltd.



Pharmaceutical Laboratories and Consultants



Fagron BV


South Korea

Hanlim Pharm Co., Ltd



I Shay Cosmetics



Product Packaging West, Inc.



Surmasis Pharmaceutical



Hangzhou Zhongbo Industrial Co., Ltd.



Genetech Inc


Table 2 and Figure 2 present the number of data integrity-associated warning letters by country over the last 11 years, CY2008 through CY2018, along with a cumulative total. The number of warning letters referencing this topic ranged from four to six from 2008 through 2013 and doubled in CY2014 to 10. The number of warning letters increased from 15 in 2015 to 41 in 2016, and then to 56 in 2017. In 2018, the number actually decreased 25 percent, to 42.

The number of countries associated with these warning letters continues to increase. In 2018, the sites that were the subject of warning letters were in 11 different countries. Figure 2 also shows that nearly 80 percent of data integrity-related warning letters  issued since 2008 occurred in the past four calendar years. The number peaked in CY2017, and it will be interesting to see if the number decreases again in CY2019, as it did in CY2018.

Figure 3 shows the data integrity-associated warning letters by country from CY2015 through CY2018. South Korea is new to this group in the past two years. Canada and Mexico have been members since 2010 and 2012 respectively. Singapore joined in 2017, and Australia, Taiwan, and the Dominican Republic were new to the group in 2018.

Table 2: Number of Data Integrity Associated Warning Letters by Country, CY2008–CY2018

Figure 1

Figure 2

Table 3 compares the number and percentage of warning letters citing data governance and data integrity in the past 11 years compared to the most recent four years. China tops the list in both the last four years and the last 11 years. In the past four years, China significantly outperforms India in this area, and the U.S. comes in third. Europe remains constant at approximately 8 percent of the total for both periods, and the rest of the world (ROW) is constant at approximately 16 percent of the totals.

Table 3: Geographic Totals and Percentage, 2015–2018 and 2008–2018

Table 4 shows the regulations most frequently cited in the warning letters in CY2018. Many of the deficiencies did not identify a regulation or were provided by the FDA as “conclusions” or “data integrity remediation” instructions to which the firms must respond. Warning letters issued to API manufacturers do not identify 21 CFR 211. The citation of regulations continues to follow the FDA’s stated goal of focusing on the evaluation of predicate rule requirements.

Table 4: Regulations Most Frequently Cited in CY2018 Data Integrity-Associated Drug Warning Letters

Actions Firms Can Take To Prevent, Identify, And Remediate Issues

The number of data integrity-associated warning letters decreased significantly between CY2017 and CY2018, though the percentage in 2018 remains slightly above that for CY2016. We will follow the trends for CY2019 to see if the number of data integrity-related warning letters continues to decrease.

So, how should firms prevent, detect, and remediate these problems before the FDA or other health authorities become involved? My advice remains virtually unchanged from last year. My recommendations are divided into those for executive management and those for functional areas. A focus on management of contract services is included among the actions for firms to consider. Additional detail on contract manufacture and data governance is provided in two previous articles published in 2017.

Executive Management Ownership

  • Executive management must develop and reinforce a culture of quality.
  • Executive management must establish and maintain a corporate culture of openness where employees may report problems and failures without fear of retribution. In fact, reporting of problems should be encouraged and rewarded.
  • Executive management must own the gap assessment process and remediation efforts. Remediation may be costly and time-consuming. Firms often uncover additional problems along the way. Don’t expect to complete remediation quickly; it’s often a multiyear process.

Technical Area Actions

  • Cross-functional teams should perform gap assessments for both paper and computer systems against predicate rule requirements and specific data governance/integrity guidance from health authorities. The team should identify corrective actions and a timeline for their implementation. Firms should implement interim corrective actions until they can put fully compliant solutions in place.
  • Firms should map data and process flows and identify and remediate areas of risk. Results from this exercise can contribute to the gap assessments described above.
  • Firms should validate systems for their intended purpose and ensure that adequate controls are in place to ensure that deleted or altered data can be detected. Purchasing software that the supplier claims is Part 11 compliant does not suffice.
  • Monitor enforcement actions including Form 483s, warning letters, import alerts, EU reports of GMP noncompliance, and World Health Organization (WHO) Notices of Concern. All of these, except for the Form 483s, are available without cost on the internet, and Form 483s are available from several commercial sources. A selected subset may be found on the FDA website.
  • Ensure that the data governance processes at suppliers and contract service providers are adequate to ensure that data is valid and trustworthy. This effort begins with rigorous due diligence evaluations, periodic on-site oversight, and appropriately detailed quality agreements. Contractors must have procedures and processes to ensure integrity of the data they produce.


Data integrity and data governance remain as enforcement initiatives of global health authorities. The U.K.’s Medicines and Healthcare Products Regulatory Agency (MHRA) was the earliest to enter the area with its 2015 guidance and 2018 published revision. The European Medicines Agency (EMA), WHO, Pharmaceutical Inspection Co-operation Scheme (PIC/S), Australia, Canada, and China followed in 2016. Further, enforcement is not limited to the GMP area but includes good clinical practice (GCP), with the most impactful cases at sites that perform bioavailability and bioequivalence studies. For these firms, the data for hundreds of products is impacted. Sponsors must frequently repeat the studies at different sites. Among the more significant failures in this area were identified at GVK and Semler Research. Consequences at Semler included a three-page Form 483, untitled letter, WHO notice of concern, and EMA recommendation of suspension.

GMP enforcement citing data governance and data integrity is still significant, expanding in its geographic distribution. Deficiencies in data governance and data integrity have remained markedly consistent over the 11 years addressed in this report, with a few new areas identified each year. Newer focus areas that appeared in 2017 continued in 2018 and include:

  • Firms that repackage APIs were transferring analytical results onto certificates of analysis on their own letterhead, making it appear that they generated the results. The practice obscures the supply chain from the company that purchases and uses the material in the manufacture of drug products.
  • Firms aborted an excessive number of analytical of runs.
  • Firms manipulated “integration suppression” parameters within chromatography data systems, intending to obscure or minimize impurity peaks.

I expect this type of problem to expand in scope to more OTC manufacturers because action in this area is a clear trend that began in 2017. I will also watch for this topic to be cited more frequently in enforcement actions taken against compounding pharmacies and outsourcing facilities. Previously, most of the problems in this area addressed failures in aseptic processing, including facilities and equipment issues. I look for data integrity to be cited more frequently in both Form 483s and warning letters issued to these firms.

Note: Readers who want the complete text of the warning letter deficiencies on this topic can find them on my website for 2015 (starting on page 4), 2016 (starting on page 5), 2017 (starting on page 8) and 2018 (starting on page 1).

About The Author:

Barbara Unger formed Unger Consulting, Inc. in December 2014 to provide GMP auditing and regulatory intelligence services to the pharmaceutical industry, including auditing and remediation in data management and data integrity. Her auditing experience includes leadership of the Amgen corporate GMP audit group for APIs and quality systems. She also developed, implemented, and maintained the GMP regulatory intelligence program for eight years at Amgen. This included surveillance, analysis, and communication of GMP-related legislation, regulations, guidance, and industry compliance enforcement trends. Unger was the first chairperson of the Rx-360 Monitoring and Reporting work group (2009 to 2014) that summarized and published relevant GMP and supply chain-related laws, regulations, and guidance. She also served as the chairperson of the Midwest Discussion Group GMP Intelligence sub-group from 2010 to 2014. She is currently the co-lead of the Rx-360 Data Integrity Working Group. You can contact her at