TL;DR
- Data integrity has topped FDA's CGMP citation list for over a decade. An FDLI enforcement-trends analysis puts it at 60-80% of foreign and domestic drug warning letters across multiple three-year windows, not a one-time spike (FDLI, FDA Data Integrity Enforcement Trends and Practical Mitigation Measures).
- FDA's own guidance spells out what a compliant data lifecycle requires: controlled blank forms, restricted computer access, audit trail review at the same frequency as the underlying record, and a documented, scientifically sound investigation before any result is invalidated (FDA, Data Integrity and Compliance With Drug CGMP: Questions and Answers, December 2018).
- The June 2026 warning letter to Huons Co., Ltd. shows the cost of skipping those basics: a discarded failing bioburden result, manipulated camera timestamps, and logbook pages physically cut out with a knife, all packed under one 21 CFR 211.194(a) citation (FDA Warning Letter 320-26-95, June 15, 2026).
- FDA didn't reject Huons' response for lacking activity. It rejected the response after Huons reclassified its own third-party data-integrity audit as an "internal audit" and withheld the report. One of the seven build steps below exists specifically to keep a firm out of that trap.
- Below: a 7-step build order for a data integrity program, written for teams that want one in place before an inspector asks for it, not after.
How do you build a CGMP data integrity remediation plan FDA will actually accept?
FDA has been citing the same handful of data integrity failures since a warning letter to Schein Pharmaceuticals in 2000 flagged uncontrolled computer access at a drug manufacturing site. Twenty-six years later, the agency's list of what it expects has barely moved. What changed is the volume of firms getting caught not meeting it.
That's the uncomfortable part for any quality team building a remediation plan today: the target hasn't shifted enough to justify treating a 2026 citation as a new problem with a new solution. FDA published its core expectations in a 2018 guidance document that is, as of mid-2026, still the operative standard cited in warning letters. A plan built to satisfy that document, read carefully, would have satisfied most of the citations issued in the two decades before it existed. Few firms build one before the citation lands. This is a build order for the ones that want to.
A pattern that keeps repeating
Data integrity enforcement doesn't move in a straight line. It moves in waves, and each wave looks a lot like the one before it.
| Year | What happened |
|---|---|
| 2000 | FDA warning letter to Schein Pharmaceuticals cites lack of control over computerized laboratory systems, including password gaps and broad staff authority to alter data (FDLI) |
| 2005 | Form FDA 483 to Able Laboratories cites submission of false data to FDA and failure to review audit trails (FDLI) |
| 2006-2008 | Three warning letters to two Ranbaxy sites (320-06-03, 320-08-02, 320-08-03) cite data integrity deficiencies (FDLI) |
| 2010 | FDA launches a pilot program to evaluate data integrity as part of routine CGMP inspections (FDLI) |
| 2015-2017 | Data integrity citations rise sharply. China, India, and the United States account for roughly 80% of the warning letters in this category across the three-year window (FDLI) |
| 2018 | FDA finalizes Data Integrity and Compliance With Drug CGMP: Questions and Answers, the guidance still cited in 2026 letters (FDA, December 2018) |
| 2026 | FDA cites Huons Co., Ltd. under 21 CFR 211.194(a) for falsified microbiology records; the agency's own December 2018 guidance is cited directly in the letter as the standard the firm failed to meet (FDA Warning Letter 320-26-95) |
Notice what doesn't appear anywhere in that table: a new regulation. Every entry maps back to language written for §§ 211.68, 211.100, 211.180, 211.188, and 211.194 — sections that predate every letter above. What's cited as a new "wave" is really the same six or seven failure modes, in a different facility, on a different continent, every few years.
The 7-step build order
FDA's guidance doesn't read like a checklist, but it functions like one once you pull the requirements out of the prose. Here's the order that matches how an inspector actually works through a facility, from data creation to CAPA.
-
Map the full CGMP data lifecycle before mapping any fixes. FDA's guidance defines data integrity as spanning "creation, modification, processing, maintenance, archival, retrieval, transmission, and disposition" (FDA Q&A, Section 1a). A remediation plan that starts at "how do we stop falsification" without first documenting where every dataset is created, touched, and stored is building a fix for a problem it hasn't fully located yet.
-
Put every blank form under document control, no exceptions. FDA's guidance is specific: numbered sets of blank forms should be issued and reconciled, and incomplete forms kept as part of the permanent record with written justification for replacement (FDA Q&A, Question 6). This is the least glamorous item on the list and the one firms skip most. FDA's investigators found 1,897 blank, uncontrolled CGMP forms during a single walkthrough of Huons' microbiology labs — a number that, by itself, told the agency the document-control system had no floor under it at all (FDA Warning Letter 320-26-95).
-
Restrict computer system access to named, accountable individuals. Shared login credentials are a specific, named concern: without a unique login, no action can be attributed to a specific person, which FDA says fails the requirements in parts 211 and 212 outright (FDA Q&A, Question 5). The system administrator role — the person who can alter files and settings — should sit with someone independent of whoever owns the record content (FDA Q&A, Question 4).
-
Review audit trails on the same schedule as the record they support. Not quarterly. Not "when there's time." If the underlying data requires review before batch release, the audit trail tied to that data gets reviewed on the same timeline, every time (FDA Q&A, Question 8). Audit trail review that runs on a separate, slower cadence than record review is a gap FDA has learned to look for specifically.
-
Never invalidate a result without a documented, scientifically sound investigation that addresses the original failure. This is where "testing into compliance" lives, and FDA calls it out by name as a violative practice (FDA Q&A, Question 13). Huons' letter shows exactly what this looks like in practice: a batch failed testing for unknown impurities, and the firm's own investigation consisted of preparing a second sample using glassware marked for disposal, then using that sample's passing result to invalidate the original failure — without ever explaining what caused it (FDA Warning Letter 320-26-95). An investigation that manufactures a passing comparison isn't an investigation. It's the failure mode the guidance was written to catch.
-
Decide in advance who counts as a "qualified third party," and what you will hand FDA when one is engaged. FDA's guidance recommends retaining a third-party auditor as part of an effective remediation strategy (FDA Q&A, Question 18). FDA's letters make the transparency expectation explicit, too — the Huons letter states the agency "expects full transparency throughout your remediation process" (FDA Warning Letter 320-26-95). Get the scope and reporting commitment in writing before the engagement starts, not after FDA has already been told what to expect. This step exists because of exactly where Huons' response failed: the firm initially committed to sharing its third-party assessment's interim and final reports, then reclassified the same assessment as an "internal audit" and withdrew the offer. FDA's response was direct — it disagreed with the reclassification and treated the reversal as evidence the firm was still managing disclosure rather than fixing the underlying problem (FDA Warning Letter 320-26-95).
-
Write the CAPA to cover the system, not the finding. FDA's recommended remediation path includes a root-cause investigation, a risk assessment of the effect on submitted data, a global corrective action plan, and — where warranted — removing individuals from any position where they can influence CGMP or application data (FDA Q&A, Question 18). Huons' own required response, laid out directly in its warning letter, illustrates the actual scope FDA wants: a three-year retrospective review of every invalidated OOS result, a third party physically present in the lab during sampling, and a named individual with explicit authority to receive anonymous data-integrity complaints. None of that is exotic. It's what "systemic" means when FDA writes it into a required-response list instead of leaving it as a suggestion.
What it looks like when a firm skips this order
Huons Co., Ltd. suspended production and committed to a voluntary recall of all U.S.-bound drug product from its Jecheon, South Korea facility after FDA's inspection surfaced the falsified logbook pages and discarded test results. FDA placed the firm's products on Import Alert 66-40 on April 3, 2026 (FDA Warning Letter 320-26-95). None of the seven steps above would have prevented the underlying misconduct on their own — a team leader who cuts pages out of a logbook with a knife is a personnel failure no document-control policy fully forecloses. What the build order does is remove the surrounding conditions that let a single bad actor operate for as long as this one apparently did: uncontrolled forms that made fabrication easy to hide, an OOS process that accepted a manufactured comparison sample as an investigation, and a corrective-action response that tried to narrow FDA's view of the problem instead of widening it. Read the full case study for the complete citation list, including the aseptic-processing and equipment-maintenance findings that FDA packed into the same letter.
FAQ
Is a data integrity remediation plan the same thing as a CAPA?
No. A CAPA is one component of a remediation plan. FDA's guidance describes remediation as investigation, risk assessment, and a management strategy that includes a global corrective action plan — the CAPA is the "what we're fixing" document; the remediation plan is the broader structure that proves the fix is complete and durable.
Does FDA require a third-party auditor for every data integrity citation?
Not by regulation, but FDA's guidance recommends retaining one as part of an effective remediation strategy, and the agency's own warning letters — including the one to Huons — routinely ask firms to commit to a qualified consultant conducting extensive annual audits for at least two years after remediation.
What's the difference between "testing into compliance" and a legitimate retest?
A legitimate retest follows a written procedure, uses a properly justified sample, and is documented regardless of outcome. Testing into compliance means testing repeatedly, without that documented justification, until a passing result appears — a practice FDA's guidance names directly as prohibited.
How far back should a data integrity investigation look?
FDA doesn't set one fixed lookback period in the general guidance, but its warning letters give a working benchmark: the Huons letter required a retrospective review of invalidated out-of-specification results going back three years from the initial inspection date.
Can a firm satisfy a data integrity citation with documentation alone, without a follow-up inspection?
Rarely. Verified, completed corrective action is what closes these citations, and FDA's standard method for verifying it is a follow-up inspection, not a written commitment on its own.
What CFR sections come up most often in data integrity citations?
21 CFR 211.68 (computer and related systems) and 21 CFR 211.194 (laboratory records) are the two FDA's own guidance names as most frequently at issue, though 211.100, 211.160, 211.180, 211.188, and 211.192 all carry data integrity-related requirements as well.
Sources: FDA, Data Integrity and Compliance With Drug CGMP: Questions and Answers, December 2018; FDA Warning Letter, Huons Co., Ltd., 320-26-95, MARCS-CMS 724650, June 15, 2026; FDLI, FDA Data Integrity Enforcement Trends and Practical Mitigation Measures, April 2018; FDA, Investigating Out-of-Specification (OOS) Test Results for Pharmaceutical Production. Related: Huons Co., Ltd. FDA Warning Letter 724650 case study, What actually makes an FDA warning letter response adequate, What is CGMP?, FDA OTC drug CGMP warning letter sweep, June 2026, FDA warning letter top citations, FY2025. Byline: The Argus Regulatory Analysis Team. Published 2026-07-15.

