Red and white capsules in pharmaceutical production line. 3D rendered illustration.

Pharmaceutical GMPs, Quality Control, and Data: A Deeper Look at FDA’s FY 2020 FDA Observations

By Amy Scanlin

Good Manufacturing Practices—those minimum requirements for methods, facilities, and controls used in manufacturing, processing, and packing of drug products.[i] Though clearly articulated by FDA, a review of FY 2020 pharmaceutical inspection observational findings shows their execution is frequently lacking.

Though 2020 posed many challenges for the pharmaceutical industry, supply chain and product shortages,[ii] to name two, FDA’s focus on GMPs remained central to the agency’s regulatory enforcement and compliance strategy for protecting the American consumer.[iii] The COVID-19 pandemic created difficulties in materials sourcing and shuttered many on-site contract manufacturing, testing audits, and qualification activities, resulting in increased testing costs and a myriad of staffing challenges. Quality systems and oversight had to be adjusted on the fly to meet the evolving paradigm of transitioning from wholly on-site work models to hybrid virtual working team environments. From the executive level to the manufacturing floor, procedures for assuring a continuum of quality had to be flexible while remaining robust. Even those companies well equipped with GMP systems and solid experience found their routine operations strained by the ever-changing impact of the aforementioned factors.

Given that FDA is once again actively returning to the field to conduct prioritized inspections and follow-up on previous non-compliance issues, an increased focus on GMPs at the site level is urged. Drug firms must assure that their quality operations and control systems are delivering as they should, taking into account the potential for new risks that have emerged as a result of the pandemic world in which we now live.

A key issue for manufacturers this year: Supplier disruptions. Many had to ask the difficult question of whether to seek new, yet unqualified, supplier alternatives in order to fill gaps and maintain production schedules. Vetting and qualifying a new supplier is a time-consuming and costly venture. It is a relationship built on trust and defined in documentation. Quality agreements must spell out expectations for audits, assessments, specification testing, and materials/product performance evaluations, all of which must meet FDA and manufacturer expectations. Additionally, requirements for supplier testing must include parameters for documentation for data audits, facility audits, and appropriate confirmation testing.

How many tests are appropriate? The number of tests is set by product specification and/or product submission dossiers (NDA/ANDA/IND), so there is no universal FDA reference or required number of tests. Many in the industry recommend testing a minimum of three unique material lots so that a supplier’s compliance to a specification and the reliability of the vendor-provided Certificate of Analysis (COA) can be assessed independently. Whether vetting a new material or material supplier or requalifying an existing supplier or material, the key issue remains the sponsor’s ability to demonstrate the reliability and integrity of the materials and substantiation of data to meet the GMP requirements.

In the agency’s 2018 Guidance for Industry Q&A[iv] related to data integrity and GMP compliance, FDA noted that pharmaceutical facility inspection findings showed increased challenges with meeting data integrity requirements. As it turns out, not much has changed between 2018 and now. In FY 2020, FDA found documentation and verification of quality control as required under 21 C.F.R. Part 211 is a key issue. From input/output verification (21 C.F.R. 211.68(b)), component identify verification to include reliability of the Certificate of Analysis (21 C.F.R. 211.84(d)(1)), and verification of component additions (21 C.F.R. 211.101(d)) to computer control over master of records (21 C.F.R. 211.68(b)), a significant number of observations encompass the ability to verify quality through integrity of data.

Data integrity plays a key role in all areas of GMP compliance. FDA expects data to be meaningful and reliable, taking into consideration the design, operation, and monitoring of systems and controls based on a risk to patient, process, and product. It should be able to provide valid demonstrations of integrity and verification for an ingredient and/or a final product’s safety, identity, strength, quality, purity, reproducibility, and so on.[v]

All data generated becomes part of the GMP record and must be recorded and saved at the time of performance to be compliant with FDA requirements. This includes specific conformance requirements per 21 C.F.R. Part 11 for electronic records and signatures, of which validation of the electronic system itself is one component.[vi] FDA says each GMP workflow, “such as creation of an electronic master production and control record (MPCR), is an intended use of a computer system to be checked through validation.” The concern is when using the same system to perform both GMP and non-GMP functions, workflows must be checked to ensure they run appropriately. GMPs and integrity of the data support in them are a lifeline of a drug company. Any lack of compliance in any GMP area will have direct consequences on a firm’s ability to bring products to and stay on the market.

The purpose of all this data, of course, is to support informed quality decisions as to the acceptability of materials and finished goods. Much of the data will be generated through laboratory testing in support of validation of analytical methods and processes. Sections 211.160 and 211.165 stipulate that components, containers and closures, in-process materials, and finished products must conform to specifications, including stability. The 1993 “Barr Decision” handed down in the civil case United States vs. Barr Laboratories, Inc. solidified federal expectations for appropriate GMPs with regards to U.S. Pharmacopeia’s (USP) established standards. A firm cannot retest an Out of Specification result into specification (i.e., testing into compliance). In addition, per the 2006 Guidance for Industry on Investigating Out-of-Specification (OOS) Test Results for Pharmaceutical Production,[vii] a decision to invalidate a test result to exclude it from quality unit decisions about conformance to a specification requires a valid, documented, scientifically sound justification; and in those cases where a scientifically sound investigation justifies the legitimacy for invalidation, a full GMP batch record must be kept, including the original (invalidated) data, along with the investigation report that justifies invalidating the result.[viii]

Data storage is another area critical to successful demonstration of sound GMPs and data integrity. Not surprisingly, numerous violations were seen in 2020 observations, with examples including 21 C.F.R. Section 211.68(b) where backup data was not assured as exact or complete and back up files were not maintained. Per 21 C.F.R. Sections 211.68 and 212.110(b), not only should exact, unaltered, and complete copies of back up data be kept, but any risk of inadvertent deletion (including by an individual), loss, or deterioration of data (i.e., computer hard drive or server crash) must be evaluated, assessed, and subject to a risk mitigation plan.

While on the surface it may seem confusing, FDA’s intentional decision to not prescribe specifics to its GMP requirements enables each firm to develop protocols suitable to their specific operations. This allows flexibility as new systems, equipment, and products are brought on-line. However, it also means that GMPs must be updated and reviewed accordingly, including change control, SOPs, validations, specifications, and more. Third-party reviewers, such as consultants, can bring fresh eyes to standard development and GMP reviews for accuracy and completeness.

Quality control coupled with data integrity can make or break a company’s GMPs and increase the risk of FDA regulatory action. It is important to ensure controls are in place to capture a complete data picture, including when and by whom activities were performed. Data must be reviewed for accuracy, completeness, and compliance with appropriate standards, and it must be securely maintained and retained until such time that disposition is appropriate.

Don’t close the books, paper or electronic, on your company’s compliance. FDA is watching.


[i] Current Good Manufacturing Practice Regulations, U.S. Food & Drug Admin. (Sept. 21, 2020),

[ii] FDA Insight: Drug Shortages and COVID-19, U.S. Food & Drug Admin. (Aug. 25, 2020),

[iii] Coronavirus (COVID-19) Update: FDA Focuses on Safety of Regulated Products While Scaling Back Domestic Inspections, U.S. Food & Drug Admin. (March 18, 2020),

[iv] Data Integrity and Compliance With Drug CGMP: Questions and Answers—Guidance for Industry, U.S. Food & Drug Admin. (Dec. 2018),

[v] Data Integrity and Compliance With CGMP: Guidance for Industry—Draft Guidance, U.S. Food & Drug Admin. (Apr. 2016),

[vi] Electronic Records; Electronic Signatures, 21 C.F.R. § 11 (1997),

[vii] Guidance for Industry, Investigating Out-of-Specification (OOS) Test Results for Pharmaceutical Production, U.S. Food & Drug Admin. (Oct. 2006),

[viii] Id.