Cleaning Validation Data Integrity: The Silent GMP Risk Driving More FDA Warning Letters

FDA issued more than 70 warning letters to pharmaceutical manufacturers in fiscal year 2024. A striking pattern runs through them: the cited failures aren’t about equipment that wasn’t cleaned. They’re about data that couldn’t prove the cleaning worked.

The dirty secret of cleaning validation isn’t dirty equipment. It’s dirty data.

Cleaning validation has been a cGMP requirement under 21 CFR 211.67 since the original drug GMP regulations took effect more than 60 years ago. And yet, data integrity deficiencies tied to cleaning programs remain among the most consistently cited findings in pharmaceutical manufacturing inspections. The regulation hasn’t changed much. FDA’s expectation of evidence absolutely has.

What FDA Inspectors Are Actually Looking For Under 21 CFR 211.67 and 211.68

The core requirement of 21 CFR 211.67 is deceptively simple: equipment must be “cleaned, maintained, and, as appropriate for the nature of the drug, sanitized and/or sterilized at appropriate intervals to prevent malfunctions or contamination.” One sentence. Enormous audit surface area.

What’s shifted in recent inspection cycles is the depth of scrutiny applied to the data behind the cleaning. Under FDA’s 2018 guidance, Data Integrity and Compliance with Drug CGMP, inspectors now routinely dig into:

• Audit trails on CIP (clean-in-place) systems, autoclaves, and automated cleaning equipment
• Raw analytical data from TOC analyzers and conductivity meters used to verify rinse quality
• Chromatographic data — particularly HPLC integration parameters — used to quantify residual API or cleaning agent
• Electronic batch records for individual cleaning validation runs, including metadata timestamps

21 CFR 211.68 adds another dimension: computerized systems used in GMP applications must have verified input/output accuracy, and changes to system functions must be recorded and justified. This isn’t an IT compliance checkbox. It’s a manufacturing data integrity requirement with direct audit consequences.

In one 2023 warning letter to a bulk API manufacturer, FDA cited the firm for retrospective, undocumented changes to chromatographic integration parameters in cleaning validation analytical data. The equipment almost certainly was clean. The chromatographic record couldn’t prove it to FDA’s standard.

That’s the trap. You can have a validated cleaning process, compliant procedures, trained operators, and passing analytical results — and still receive a data integrity observation if the trail from raw data to final report has uncontrolled gaps.

Where Cleaning Validation Data Integrity Actually Breaks Down

Walk through how most pharmaceutical manufacturers generate their cleaning validation data and the vulnerability points become obvious.

A CIP system runs a validated cleaning cycle. It generates an automated printout or electronic log. A chemist collects a rinse water or swab sample from designated locations. The sample is analyzed by HPLC or TOC analyzer. Results are transcribed — frequently by hand — into a validation report or spreadsheet. The report gets reviewed and filed.

Every step in that chain is a potential data integrity failure point.

The CIP system’s electronic records may not have audit trail review built into the quality system. The analytical instrument may generate raw chromatographic data that is never formally compared against the reported results. The transcription step introduces manual error risk. And if results land in a spreadsheet with no version control, no access restrictions, and no formula protection, you’ve built a GMP data integrity gap that FDA’s Investigations Operations Manual now specifically instructs investigators to look for.

A 2022 industry survey referenced by ISPE found that 41% of participating pharmaceutical firms still used unprotected Excel workbooks in at least one GMP-critical data management application. That number is striking not because Excel is inherently disqualified from GMP use — FDA’s guidance acknowledges spreadsheet use is acceptable with appropriate controls — but because unprotected, unvalidated, version-uncontrolled spreadsheets are exactly what FDA’s current inspection approach flags.

Mid-size manufacturers are disproportionately affected. Large firms invested in LIMS and laboratory automation after the wave of consent decrees in the 2010s. Smaller sites with tighter budgets and longer upgrade cycles are operating with data management infrastructure that hasn’t kept pace with FDA’s expectations.

The 10 PPM Acceptance Criteria Problem Nobody Wants to Talk About

There’s a compounding technical problem beneath many cleaning validation data integrity failures: acceptance criteria that weren’t science-based to begin with.

The “10 ppm” carryover limit — restricting residual API in a subsequent batch to no more than 10 parts per million — became an informal pharmaceutical industry standard in the early 1990s. Fourman and Mullen proposed it in a 1993 Pharmaceutical Technology article. FDA never formally adopted it as a regulatory threshold. It isn’t in any CFR section. But it appears in thousands of cleaning validation protocols across the industry as the primary acceptance criterion.

Since the EMA’s 2014 guidance on health-based exposure limits, and the subsequent ICH Q3C alignment, the scientific standard has shifted to Health-Based Exposure Limits (HBELs) — specifically, product-specific Permitted Daily Exposures (PDEs) derived from pharmacological and toxicological data. FDA has aligned with this approach in its own communications.

Sites still using blanket 10 ppm limits without HBEL derivation are operating with criteria that FDA now views as potentially inadequate — particularly for potent compounds, oncology products, or APIs with known sensitizing or reproductive toxicity profiles. The acceptance criterion might pass a superficial inspection; it won’t hold up to scientific challenge in an FDA 483 response.

When the underlying acceptance criteria are scientifically questionable and the data supporting them has integrity gaps, you have a compounding audit risk that’s considerably harder to remediate than either problem alone.

How AI-Augmented GMP Audits Are Changing This Risk Profile

Traditional regulatory compliance consulting addresses cleaning validation by reviewing documentation: protocols, validation reports, analytical results, deviation logs, and change control history. A skilled consultant surfaces the obvious gaps. But the data volume generated by active manufacturing sites — particularly multi-product facilities running continuous manufacturing or large API campaigns — makes truly comprehensive data integrity assessment impossible to do manually.

AI-augmented audit tools change this equation in specific, practical ways.

Pattern recognition across large chromatographic datasets can identify integration anomalies — adjustments to peak thresholds, retention time windows, or baseline parameters — that deviate from statistically normal behavior without individually triggering an exception flag. Manual review, working through individual batch records, would never catch systematic drift across hundreds of injections.

Timing analysis across electronic records can surface inconsistencies between CIP system logs, analyst login/logout times, and analytical sample result timestamps. When a sample is logged as received 40 minutes before the CIP cycle completion record shows the rinse was collected, that’s a metadata inconsistency that points to a documentation integrity problem.

At Aurora TIC, we’ve applied this approach in cleaning validation data integrity assessments for pharmaceutical manufacturers facing pre-approval inspections and routine GMP audits. In one recent engagement, AI-assisted analysis across 18 months of TOC cleaning validation data identified a recurring measurement drift pattern on one instrument that had been classified as passing in all batch-record reviews. The drift correlated with a specific operator shift — a behavioral pattern that traditional sampling-based audit review would almost certainly have missed entirely.

This is what decision-grade AI for GxP actually means in practice. Not replacing expert judgment. Giving expert judgment the data coverage it needs to make defensible decisions.

What to Do Before FDA Shows Up

If your cleaning validation program hasn’t been reviewed against FDA’s current data integrity expectations, the gap is probably larger than your internal audits suggest. Here’s where to start.

Enable and review audit trails on every analytical instrument used in cleaning validation. HPLC systems, TOC analyzers, conductivity meters — if they’re generating GMP data, their audit trails need to be active, accessible, and periodically reviewed. This is a 21 CFR Part 11 requirement, and FDA investigators check it early in manufacturing inspections.

Map every manual data transfer. Identify every point where cleaning validation data moves between systems without automated verification — instrument to LIMS, LIMS to spreadsheet, spreadsheet to validation report. Eliminate manual transcription steps where possible. Where you can’t eliminate them, implement verified duplicate checks with documented second-person review.

Revisit your acceptance criteria against current science. If 10 ppm is your primary cleaning limit without a product-specific HBEL and PDE derivation, update it — especially for any compound with a defined pharmacological activity or reproductive toxicity concern. This isn’t just about passing the inspection. It’s about having science behind your product quality decisions.

Conduct a data integrity gap assessment specifically focused on cleaning validation. Not a paper review of your data integrity SOP. An actual technical assessment that pulls raw instrument data, exports audit trail logs, and compares them against reported results. Do this annually at minimum; quarterly if you’re approaching a pre-approval inspection.

The cost of expert regulatory compliance consulting for a cleaning validation data integrity assessment is measured in days of preparation. A warning letter — with the remediation timeline, potential consent decree exposure, and supply disruption — is measured in years and millions of dollars.

FDA’s expectations on this topic have been clear since 2016. Sites that haven’t aligned their cleaning programs with those expectations are running a visible, documented risk. The question is whether you find the gaps or FDA does.

Written by Sam Sammane, Founder & CEO, Aurora TIC | Founder, Qalitex Group. Learn more about our team

Reserve early access to our AI audit tools — including AI-powered cleaning validation data integrity assessments. Contact us

Related from our network

• Pharmaceutical Raw Material Testing and Supplier COA Verification — Independent contract lab analysis for API and excipient supply chain qualification, including method verification against USP and Ph.Eur. monographs.
• ISO 17025 Accredited Supplement and Product Testing — Qalitex Laboratories provides GMP-aligned analytical testing for finished products and raw materials, with full data traceability from sample receipt to final report.