The basics of Data Integrity in GMP

Updated: Apr 22, 2021

From research and development, all throughout manufacturing, and into the supply chain, you are expected to vouch for the integrity of the data you gather on your product in our highly regulated life science industry. Easy task? Definitely not. After all, it usually involves international networks of suppliers, manufacturers, labs and everything that follows in the supply chain. Following all of the required regulations at the different phases can be daunting, but making sure your data is compliant ultimately results in higher-quality products on the market, and the public should be able to trust this.

So, what are all the different vital elements you should be aware of to be sure you are meeting all requirements for data integrity compliance?




Important Authorities

FDA 21 CFR Part 11: Electronic Records and Signatures

The FDA’s regulations on electronic records and electronic signatures (ERES). Usually known as Part 11, it defines the criteria under which electronic records and electronic signatures are considered trustworthy and reliable, and can be used to replace paper records in your process.

According to the regulations, data records need to be reliable and accurate over their entire lifecycle. And to this purpose the FDA actually refers to the well-known ALCOA principle/acronym.

FDA: Data Integrity and Compliance with cGMP

Besides the regulations in Part 11, the FDA also provides a guidance document which helps to clarify the impact of data integrity in a cGMP environment. Although it is not legally binding, it contains a great Q&A that answers many practical questions regarding data integrity. If you are checking your own systems and/or processes for data integrity, it is a great document to start with.

GAMP Record & Data Integrity

Although GAMP is very well-known, it is not legislation, but it does present helpful guidelines. For those involved in the implementation of automated production systems, it describes principles and procedures that facilitate the production of high-quality products. It focuses on the complete manufacturing process by stipulating that ‘quality cannot be tested into a batch of product but must be built into each stage of the manufacturing process’. That being said, these are helpful guidelines for development of systems for raw materials receipt up to the training and hygiene of staff.

EU-GMP Annex 11

In the European Union, Annex 11 is the part of the GMP Guidelines that defines the terms of reference for computerized systems, but unlike the FDA’s 21 CFR Part 11, it is not a regulation. These guidelines are quite similar to their US counterpart and define criteria under which electronic records and electronic signatures should be managed.


Different organizations have each drafted guidelines of their own, all designed to facilitate compliance in their own way, whilst clarifying their own position on this subject and what they expect from manufacturers. Some of the others that are definitely important (but outside the scope of this blog) are:

MHRA - Guidance on GxP data integrity

PIC/S - Good practices for data management and integrity in regulated GMP/GDP environments

WHO - Guidance on good data and record management practices

EMA – Data Integrity

The ALCOA principle and the Data Lifecycle

If you google data integrity, there is no getting around ALCOA. Even the FDA refers to it, and this acronym has proven to be a valuable tool to provide proof of compliance and operational integrity for your data.

Attributable: Who acquired the data or performed an action?

Legible: Is it possible for a regular person to read the data?

Contemporaneous: Was the data documented at the time of the activity?

Original: Written printout or observation or a certified copy thereof

Accurate: Have there been no errors or editing without documented amendments?

Besides these principles, data records are also expected to be complete, consistent, enduring (not on a napkin) and always available for review or inspection.

These principles apply all throughout the lifecycle of a data record for which the EMA gives a succinct overview:

  1. Generation and recording of data

  2. Processing into usable information

  3. Checking the completeness and accuracy of reported data and processed information

  4. Data (or results) are used to make a decision

  5. Retaining and retrieval of data which protects it from loss or unauthorised amendment

  6. Retiring or disposal of data in a controlled manner at the end of its life

Elements of Data Integrity Compliance

The different authorities may have slightly different views on some aspects of being compliant, but the following elements should be on your checklist if you’re aiming to set up a data integrity compliant system.

1. Audit Trail

The secure, computer-generated, time-stamped electronic record that allows you (or an inspector) to reconstruct events that relate to the creation, modification, or deletion of an electronic record. Basically, it comes down to the chronological order of who, what, when and perhaps why something happened to a record. Actions that such an audit trail also needs to capture are overwriting or deleting, aborting runs, backdating, or simply altering data. When you think about it, these are all necessary data to be able to trust that records are correct (and have not been tampered with). It’s also recommended (FDA) to schedule routine audit trail review based on the complexity of a system and its intended use.
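A minimal sketch of such a tamper-evident, time-stamped audit trail, as an added example that is not from the original post or the cited guidance: entries are chained with HMAC-SHA256 so that altering or removing one is detectable on review. All function names, field names and the sample record ID are assumptions, and timestamps are passed in for reproducibility where a real system would take them from a trusted clock.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # assumed marker for "no previous entry"

def _mac(key: bytes, body: dict) -> str:
    # Canonical JSON so the same entry always serialises to the same bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def append(trail: list, key: bytes, ts: float, user: str, action: str,
           record_id: str, reason: str = "") -> dict:
    """Append a who/what/when/why entry chained to the previous one."""
    body = {"seq": len(trail), "ts": ts, "user": user, "action": action,
            "record_id": record_id, "reason": reason,
            "prev": trail[-1]["mac"] if trail else GENESIS}
    entry = dict(body, mac=_mac(key, body))
    trail.append(entry)
    return entry

def review(trail: list, key: bytes) -> list:
    """Return findings as (position, problem) tuples; empty means intact."""
    findings, prev_mac, prev_ts = [], GENESIS, float("-inf")
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if not hmac.compare_digest(_mac(key, body), entry["mac"]):
            findings.append((i, "entry altered"))
        if entry["prev"] != prev_mac:
            findings.append((i, "chain broken: entry removed or reordered"))
        if entry["ts"] < prev_ts:
            findings.append((i, "timestamp earlier than previous entry"))
        if entry["action"] in ("modify", "delete") and not entry["reason"]:
            findings.append((i, "change without documented reason"))
        prev_mac, prev_ts = entry["mac"], entry["ts"]
    return findings

def sample_trail(key: bytes) -> list:
    # Constructed sample: a lab result is created, corrected, then reviewed.
    trail = []
    append(trail, key, 1000.0, "analyst1", "create", "HPLC-0042")
    append(trail, key, 1060.0, "analyst1", "modify", "HPLC-0042",
           "transcription error")
    append(trail, key, 1120.0, "qa_lead", "review", "HPLC-0042")
    return trail
```

Removing entries from the end of the trail is only detectable if the latest MAC is also stored outside the system. The key has to be held by someone who does not record data, otherwise the chain can simply be recomputed.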

2. Metadata

Metadata is the contextual information that is necessary to understand data, because values like numbers, for instance, would be useless without additional information describing what they ‘mean’ (think in terms of mg, s, and m but also the time and place of electronic stamps). Besides this, metadata also facilitates the retrieval, use, or management of data. Just like the actual record, the metadata should be saved throughout the record’s legal lifetime to be able to reconstruct any cGMP activity in an audit trail, for instance.

3. Identification Control ID & Password

Just like the records themselves, the users of systems that generate electronically or digitally signed records are subject to identification rules. This might seem like stating the obvious, but experience teaches us that there are often issues with passwords and ID codes (unique usernames), missing periodic password changes to ensure compliance, and a lack of role definition and access status such as operator and administrator. For obvious reasons, this could lead to data tampering in the worst cases.

4. Difference between Static and Dynamic Records

The FDA guidance document specifically states that you should keep in mind the difference between the use of “static” and “dynamic” in relation to record format:

  • Static: fixed data document such as a paper record or an electronic image

  • Dynamic: record format allows interaction between the user and the record content such as a chromatogram where the integration parameters can be modified

5. Backup Data

The backup of your data should be exactly like your original records. It is defined by the FDA as a ‘true copy of the original data that is maintained securely throughout the record retention period and that should include the metadata’.

So, keep in mind that your backup data must be exact, complete, and secure, and must not have been altered in any way. Simply creating temporary backup copies would be deemed insufficient by the authorities.

6. System Validation

The definition of a system in this case is quite broad and includes not only hardware and software but also peripheral devices, networks, and anything you might have cloud-based (upcoming topic). Besides these technical aspects, the system operators and the user manuals/SOPs are also included.

Within this system you should make sure to:

  • validate every workflow in the system

  • install controls to assure authorized access only

  • assign the administrator role to someone independent from recording content

  • maintain a list of authorized individuals and their access privileges

7. Training

Company culture and employees can greatly affect data integrity. So, be sure to periodically train personnel in detecting data integrity issues as part of their training manual, and also keep records of it.

Although staff at all levels should have an understanding of data integrity and their responsibilities in the process (according to their roles), process, system, and data owners should receive additional training on the consequences of integrity breaches to assure a proper mindset regarding this subject.

Data Integrity Issues

1. Criticality

Sooner or later you will come across a data integrity issue and you’ll have to decide upon its criticality. The two important questions, ‘Which decision does the data influence?’ and ‘What is the impact of the data on product quality or safety?’, should be your main focus in determining how critical the situation you are in actually is.

Does it have to do with:

  • Alteration, deletion, loss or re-creation, falsification

  • Disaster recovery

  • Inconsistent processes, open-ended

  • Methods of generating and processing data

  • Manual interfaces with IT

  • Or the general belief that there is “no risk” of DI failure

2. Finding weaknesses

The PIC/S guidelines actually present a very helpful checklist of areas to start with if you want to prevent, detect and correct DI weaknesses in your pharmaceutical Quality Management System:

  • Quality Risk Management

  • Investigation programs

  • Data review practices

  • Computer system validation

  • IT security

  • Vendor/contractor management

  • Training programs

  • Storage and retrieval of completed records, including out-sourced data storage activities

  • Oversight of purchase of GxP critical equipment that incorporate requirements designed to meet data integrity expectations, e.g. URS

  • Self-inspection program to include data quality and integrity

  • Performance indicators (quality metrics) and reporting to senior management

3. Dealing with DI issues

In case you have found a data integrity issue that you need to deal with, the agreed approach doesn’t differ from that for any other deviation you come across:

  1. Determine extent

  2. Root cause analysis

  3. Take Corrective and Preventive Actions (CAPA) including the ALCOA principle

  4. Based on sound scientific evidence

Besides these standard actions, consider open and transparent communication of these issues and DI expectations, additional evaluation of the vulnerability of computerized systems, and implementation of specific DI policies.

Blog by: Nick Veringmeier - Business Director NL