
Data Integrity in Regulatory Submissions: Best Practices for FDA Readiness

Learn best practices to ensure data integrity in FDA submissions via ESG and AS2, following ALCOA+ principles and avoiding regulatory pitfalls.

Adheeb Shafik


Published: 25 Aug 2025


Maintaining data integrity (the completeness, consistency, and accuracy of submission data) is critical for FDA review. FDA expects submission data to follow ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, Complete) so that every record and number can be traced and trusted. Ensuring that data are properly time-stamped, access-controlled, and locked after review helps meet these standards.

The FDA’s Electronic Submissions Gateway (ESG), established in 2006, is the mandatory portal for electronic drug, biologic, and device submissions. Companies typically use AS2 for high-volume transfers into the ESG. Because these transmissions carry critical regulatory data, they must adhere to data integrity controls at every step. In fact, FDA’s recent draft data-integrity guidance notes that “increasingly observed cGMP violations involving data integrity” have led to “numerous regulatory actions, including warning letters, import alerts, and consent decrees”. In short, any gap or weakness in your EDI/ESG process can attract scrutiny, so following robust best practices ensures your submissions are FDA-ready.

Best Practices for EDI/AS2 Communication

Validate and document your submission systems

Treat your EDI/AS2/ESG platform like any critical system. Each intended use or workflow (e.g. preparing and sending a submission packet) should be qualified through testing and validation. Maintain standard operating procedures (SOPs) covering system-use and change control, and restrict system administrator privileges to separate individuals (to prevent unauthorized changes to submission data).

Encrypt and confirm your data in transit

Use the FDA-recommended AS2 or ESG API for sending files, and always encrypt or sign submission packages using the FDA-provided certificates (AES-128 or higher is preferred). After sending, monitor the FDA acknowledgments: obtain MDNs (Message Disposition Notifications) and ACK2/ACK3 receipts to verify successful receipt. These digital signatures and receipts provide non-repudiation and show that no data was altered in transit.
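
An added example, not code from the original article or from any AS2 product: one way to check that a returned MDN actually confirms the file you sent. It assumes the MDN's own signature was already verified by your AS2 software and that `sent_content` is the exact byte sequence that software digested when sending; `check_mdn` and `sample_mdn` are hypothetical names and the sample MDN is constructed.

```python
import base64
import hashlib
from email import message_from_bytes

# MIC algorithm names as they may appear in an MDN, mapped to hashlib names.
_ALGS = {"sha1": "sha1", "sha-1": "sha1", "sha256": "sha256", "sha-256": "sha256",
         "sha384": "sha384", "sha-384": "sha384", "sha512": "sha512", "sha-512": "sha512"}

def check_mdn(mdn_fields: bytes, sent_content: bytes, sent_message_id: str) -> list:
    """Return a list of problems; an empty list means the MDN confirms the transfer."""
    fields = message_from_bytes(mdn_fields)
    problems = []
    if (fields.get("Original-Message-ID") or "").strip() != sent_message_id:
        problems.append("MDN refers to a different Message-ID")
    # Disposition is "<mode>; <type>[/<modifier>]"; only a bare "processed" is clean.
    disposition = (fields.get("Disposition") or "").strip()
    if disposition.partition(";")[2].strip().lower() != "processed":
        problems.append(f"disposition not 'processed': {disposition!r}")
    mic_field = fields.get("Received-Content-MIC") or ""
    mic_b64, _, alg = (p.strip() for p in mic_field.rpartition(","))
    name = _ALGS.get(alg.lower())
    if not mic_b64 or name is None:
        problems.append("missing or unsupported Received-Content-MIC")
        return problems
    # Recompute the digest locally and compare it with what the receiver reported.
    expected = base64.b64encode(hashlib.new(name, sent_content).digest()).decode()
    if expected != mic_b64:
        problems.append("MIC mismatch: receiver digested different bytes than were sent")
    return problems

def sample_mdn(content: bytes, message_id: str, disposition: str = "processed") -> bytes:
    """Constructed MDN report fields for the demo (not a captured FDA ESG response)."""
    mic = base64.b64encode(hashlib.sha256(content).digest()).decode()
    return (f"Original-Message-ID: {message_id}\r\n"
            f"Disposition: automatic-action/MDN-sent-automatically; {disposition}\r\n"
            f"Received-Content-MIC: {mic}, sha256\r\n\r\n").encode()

if __name__ == "__main__":
    payload = b"constructed submission package bytes"
    msg_id = "<constructed-0001@sender.example>"
    print(check_mdn(sample_mdn(payload, msg_id), payload, msg_id))         # clean receipt
    print(check_mdn(sample_mdn(payload, msg_id), payload + b"x", msg_id))  # altered bytes
```

An MDN that fails any of these checks belongs in the audit trail as a failed delivery, not as proof of receipt.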

Keep thorough audit trails and backups

Ensure that your AS2/EDI platform logs all submission activities (file sent, MDN received, user actions, etc.) with timestamps. FDA guidance emphasizes that electronic records (including submission data) should be backed up and retrievable for the required retention period. For example, keep duplicate copies of each submission package and its metadata in the original format, and follow the FDA’s recommendation to review audit logs regularly. A complete audit trail shows inspectors that you can reconstruct the submission history if needed.

Verify data accuracy and completeness

Prior to submission, run validation checks on the eCTD package or EDI messages (including file structure and checksums) to confirm nothing is corrupted or missing. Maintain version-controlled records of all submission files, cover letters, and correspondence. These practices ensure the data are accurate and complete (key ALCOA attributes) and help catch any inadvertent changes before FDA review.
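
An added example (not the author's or FDA's tooling) of the pre-submission checksum check, going slightly beyond the text by also flagging file references that point outside the package folder. It assumes the eCTD v3.2.2 backbone layout, where `index.xml` leaf elements carry `checksum`, `checksum-type` and `xlink:href` and `index-md5.txt` holds the MD5 of `index.xml`; the function names and the sample package are constructed.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

def _digest(path: Path, alg: str = "md5") -> str:
    return hashlib.new(alg, path.read_bytes()).hexdigest()

def verify_package(root: Path) -> list:
    """Return findings for one sequence folder; an empty list means consistent."""
    root, findings = root.resolve(), []
    index, md5_file = root / "index.xml", root / "index-md5.txt"
    recorded = md5_file.read_text().split() if md5_file.is_file() else []
    if not recorded or recorded[0].lower() != _digest(index):
        findings.append("index.xml does not match index-md5.txt")
    for el in ET.parse(index).iter():
        if el.tag.rsplit("}", 1)[-1] != "leaf":
            continue
        # Match href by local name so the xlink namespace URI does not matter.
        href = next((v for k, v in el.attrib.items() if k.rsplit("}", 1)[-1] == "href"), None)
        if not href:  # a leaf without a file reference has nothing to hash
            continue
        target = (root / href).resolve()
        if not target.is_relative_to(root):
            findings.append(f"{href}: reference escapes the package folder")
        elif not target.is_file():
            findings.append(f"{href}: listed in index.xml but missing on disk")
        elif _digest(target, el.get("checksum-type", "md5").lower()) != el.get("checksum", "").lower():
            findings.append(f"{href}: checksum mismatch")
    return findings

def build_sample(root: Path) -> None:
    """Write a constructed two-file package for the demo (not a real submission)."""
    (root / "m1").mkdir()
    leaves = ""
    for href, data in {"m1/cover.pdf": b"constructed cover", "m1/form.pdf": b"constructed form"}.items():
        (root / href).write_bytes(data)
        leaves += (f'<leaf operation="new" checksum-type="md5" '
                   f'checksum="{hashlib.md5(data).hexdigest()}" xlink:href="{href}"/>')
    (root / "index.xml").write_text(f'<ectd xmlns:xlink="http://www.w3.org/1999/xlink">{leaves}</ectd>')
    (root / "index-md5.txt").write_text(_digest(root / "index.xml"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        print(verify_package(Path(tmp)))                       # consistent package
        (Path(tmp) / "m1/form.pdf").write_bytes(b"edited after indexing")
        print(verify_package(Path(tmp)))                       # altered leaf reported
```

MD5 here only detects accidental corruption or drift between the index and the files; it is not a defence against deliberate tampering, which is what the signed transmission and audit trail are for.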

Test system configurations before go-live

Use the FDA ESG test gateway (routing ID ZZFDATST) to trial any changes to your AS2 setup. Confirm that transmissions, encryption settings, and acknowledgments are functioning correctly before moving to production. This proactive step helps avoid submission failures or silent data gaps.

Train staff and document procedures

Ensure everyone involved in submissions understands ALCOA+ principles and FDA regulations. Maintain SOPs for data handling, review, and electronic submission (including ESG/AS2 usage). Well-documented processes and training demonstrate compliance with electronic records/SIG (Standardized Information Gathering) requirements and cGMP computer controls.

Avoiding FDA 483 Observations

During an FDA inspection of your quality system, any lapses in data integrity controls can result in Form FDA 483 observations (and possibly warning letters). Common citations include unvalidated computer systems, lack of audit trails, or missing data. To minimize these risks:

Include EDI/AS2 systems in your quality system

Validate your submission software and processes so inspectors see documented evidence of their performance. Maintain formal SOPs and logs; inspectors often cite unvalidated systems or missing procedures in their 483s.

Keep complete, tamper-proof records

Ensure every submission has a backup copy and a timestamped audit log. Missing or incomplete records (e.g. no proof of file delivery or missing MDNs) are frequent 483 triggers. By keeping detailed logs and backups, you show FDA that you can reproduce any submission and verify its integrity.

Actively monitor and correct issues

Periodically review your EDI/ESG logs and perform internal audits. If you find discrepancies (e.g. transmission errors or unauthorized changes), document and fix them through your CAPA (Corrective Action and Preventive Action) process. FDA inspectors look for evidence of ongoing oversight; catching and correcting issues internally before an inspection reduces the chance of receiving a 483.
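
An added example, not taken from the original article or any AS2 product, of one way to make the timestamped audit trail described above tamper-evident so that a periodic review can detect altered or removed entries. It uses a SHA-256 hash chain, a technique chosen here for illustration; the event names, users and timestamps are constructed, and `append_event` and `first_bad_entry` are hypothetical names.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed "previous hash" for the first entry

def _entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append_event(log: list, ts: str, user: str, event: str, detail: str) -> str:
    """Append one audit record chained to the previous one; return the new head hash."""
    record = {"ts": ts, "user": user, "event": event, "detail": detail}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": _entry_hash(prev, record)})
    return log[-1]["hash"]

def first_bad_entry(log: list, trusted_head: str):
    """Return the index where the trail stops verifying, or None if it is intact.

    trusted_head is the last hash as recorded outside the logging system; without
    it, removing the newest entries would go unnoticed.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None if prev == trusted_head else len(log)

if __name__ == "__main__":
    trail = []  # constructed events, not real submission data
    append_event(trail, "2025-08-25T09:00:00Z", "jdoe", "FILE_SENT", "seq 0001")
    append_event(trail, "2025-08-25T09:00:07Z", "system", "MDN_RECEIVED", "processed")
    head = append_event(trail, "2025-08-25T09:20:00Z", "system", "ACK2_RECEIVED", "seq 0001")
    print(first_bad_entry(trail, head))        # None: trail intact
    trail[1]["record"]["detail"] = "edited"
    print(first_bad_entry(trail, head))        # 1: the altered entry
```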


By embedding these data integrity controls into your EDI/AS2 workflows, you build confidence in your submissions and significantly reduce regulatory risk. Audited, secure, and well-documented submissions not only minimize 483 observations, they also smooth the path to successful FDA review and approval.

Adheeb Shafik


Adheeb is a Senior Software Engineer at Aayu Technologies, with over a year of expertise in enterprise communication software and cloud technologies. Specializing in full stack development, he is passionate about every stage of the development lifecycle—from product design and architecture to implementation—and is always exploring the latest in tech. When he's not coding, you'll find him capturing moments through photography or tuning into intriguing podcasts.