Data Integrity & Electronic Record Compliance Frameworks: FDA 21 CFR Part 11 and Global Regulatory Alignment 2026

Published on 03/12/2025

FDA 21 CFR Part 11 and Data Integrity Compliance Frameworks for Pharmaceutical Manufacturers

1. Introduction – The Pillar of Trust in Digital Records

Data integrity forms the foundation of every FDA-regulated activity. Whether a batch record, chromatogram, or calibration certificate, every data point must be accurate, attributable, and unaltered. In a digital era dominated by automation, cloud storage, and AI-based analytics, 21 CFR Part 11 compliance ensures that electronic records and signatures carry the same trustworthiness as handwritten ones.

Failures in data integrity remain one of the top causes of FDA Warning Letters, import alerts, and compliance actions. Between 2018 and 2026, over 60% of 483 citations related to incomplete audit trails, backdated entries, or unvalidated systems. This underscores why every pharmaceutical and biotech firm must operate within a formal Data Integrity Compliance Framework integrating technology, governance, and human accountability.

2. Regulatory Landscape

  • 21 CFR Part 11: Governs use of electronic records and signatures; defines validation, audit trails, and access control expectations.
  • FDA Data Integrity Guidance (2018): Clarifies agency expectations for ALCOA+ principles and hybrid record systems.
  • EU Annex 11: Defines requirements for computerized systems, periodic review, and supplier validation.
  • MHRA GXP Data Integrity Guidance: Focuses on governance, human factors, and risk categorization of data systems.
  • WHO TRS 1019 Annex 9: Offers global principles for GXP data lifecycle management.
  • PIC/S PI 041: Explains good practices for data governance and inspection approaches.

3. ALCOA+ Principles

    The core principle of data integrity revolves around ALCOA+, representing the attributes of trustworthy data:

    • Attributable – Who performed the action and when.
    • Legible – Data must be readable and permanent.
    • Contemporaneous – Recorded at the time of activity.
    • Original – First capture or verified true copy.
    • Accurate – Error-free, verified, and traceable.
    • + (Complete, Consistent, Enduring, Available) – Extending the principle to lifecycle integrity.

    FDA expects every GXP process — from sampling to reporting — to demonstrate compliance with ALCOA+. Training, procedural control, and technical safeguards are all essential.

    4. Data Lifecycle and Governance

    Data integrity extends across the entire data lifecycle — creation, processing, review, reporting, archiving, and retrieval. Governance structures must assign roles for system ownership, record review, and security management. FDA and EMA both require written Data Governance Policies defining responsibilities for IT, QA, and end users.

    5. 21 CFR Part 11 – Core Requirements

    Part 11 establishes criteria under which electronic records and signatures are considered reliable and equivalent to paper. Its core elements include:

    • System validation to ensure accuracy, reliability, and performance.
    • Secure audit trails capturing date, time, and operator ID of all changes.
    • Electronic signature controls (unique ID, password, certificate).
    • Access authorization and privilege restrictions.
    • Archival and retention ensuring record retrievability throughout lifecycle.

    Each requirement must be met through validated procedures and documented verification. Systems not meeting full Part 11 criteria must be justified and supplemented by hybrid paper records until compliant.

    6. Computer System Validation (CSV) and Part 11

    FDA mandates validation of computerized systems per 21 CFR 211.68 and Part 11. CSV follows a lifecycle approach:

    1. User Requirements Specification (URS) → Functional Specification (FS)
    2. Risk Assessment (per GAMP 5)
    3. Installation Qualification (IQ)
    4. Operational Qualification (OQ)
    5. Performance Qualification (PQ)

    Validation evidence must prove that software performs consistently within defined limits. FDA’s “least burdensome” approach encourages risk-based CSV focusing on critical records and signature functions.

    7. Audit Trail Review

    Audit trails are non-negotiable for regulatory compliance. They must capture creation, modification, deletion, and printing of critical data. Periodic review ensures that data is accurate and unaltered. The FDA expects QA reviewers to routinely evaluate audit trails before batch release, as defined in the firm’s SOP. Failing to review audit trails during record approval has repeatedly appeared in 483s and Warning Letters.

    8. Access Control and Security

    Access management ensures that only authorized individuals perform critical tasks. FDA expects unique user IDs, password expiry policies, two-factor authentication where feasible, and strict prohibition of shared credentials.

    Role-based permissions prevent conflicts of interest — analysts cannot both generate and approve their data. All access changes must be traceable through change control.
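
The review points from sections 7 and 8, sketched as an added example (not code from the original article or from any vendor system): a check over an exported audit trail that flags unattributed entries, gaps in the system-assigned sequence, timestamps that run backwards, and approvals by the same operator who generated the data. The field names (`seq`, `ts`, `operator`, `action`, `record`) and the sample entries are constructed assumptions.

```python
from datetime import datetime

# Constructed sample export; field names are assumptions, not a real system's schema.
AUDIT_TRAIL = [
    {"seq": 1, "ts": "2026-01-10T09:00:00", "operator": "analyst_a", "action": "create",  "record": "HPLC-001"},
    {"seq": 2, "ts": "2026-01-10T09:30:00", "operator": "analyst_a", "action": "modify",  "record": "HPLC-001"},
    {"seq": 3, "ts": "2026-01-10T10:00:00", "operator": "analyst_a", "action": "approve", "record": "HPLC-001"},
    {"seq": 4, "ts": "2026-01-09T16:00:00", "operator": "analyst_b", "action": "create",  "record": "HPLC-002"},
    {"seq": 6, "ts": "2026-01-10T11:00:00", "operator": "",          "action": "delete",  "record": "HPLC-002"},
    {"seq": 7, "ts": "2026-01-10T12:00:00", "operator": "qa_c",      "action": "approve", "record": "HPLC-002"},
]

def review_audit_trail(entries):
    """Return (seq, finding) tuples for a QA reviewer to investigate."""
    findings = []
    authors = {}                 # record id -> operators who created or modified it
    prev_seq, latest_ts = None, None
    for e in sorted(entries, key=lambda x: x["seq"]):
        ts = datetime.fromisoformat(e["ts"])
        # Attributable: every change must carry an operator ID.
        if not e["operator"]:
            findings.append((e["seq"], "missing operator ID"))
        # Complete: a gap in system-assigned sequence numbers means entries are missing.
        if prev_seq is not None and e["seq"] != prev_seq + 1:
            findings.append((e["seq"], "sequence gap"))
        # Contemporaneous: a timestamp older than an earlier entry suggests backdating
        # or a changed system clock.
        if latest_ts is not None and ts < latest_ts:
            findings.append((e["seq"], "timestamp earlier than previous entry"))
        # Segregation of duties: the approver must not be the data's author.
        if e["action"] in ("create", "modify"):
            authors.setdefault(e["record"], set()).add(e["operator"])
        elif e["action"] == "approve" and e["operator"] in authors.get(e["record"], set()):
            findings.append((e["seq"], "approved by operator who generated the data"))
        prev_seq = e["seq"]
        latest_ts = ts if latest_ts is None else max(latest_ts, ts)
    return findings

if __name__ == "__main__":
    for seq, finding in review_audit_trail(AUDIT_TRAIL):
        print(f"entry {seq}: {finding}")
```

Each finding is a prompt for documented investigation, not proof of falsification; a clock correction or a failed export can produce the same pattern.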

    9. Data Review and Approval Workflows

    Part 11-compliant systems must incorporate structured workflows for data review and approval. Electronic signature application must include the printed name, date, and meaning (e.g., “Approved,” “Reviewed”). QA reviews ensure that data interpretation aligns with raw results. Any discrepancy triggers documented investigation.

    10. Hybrid Systems and Paper-Electronic Interfaces

    Many facilities still operate hybrid systems combining paper logbooks and digital records. FDA allows this temporarily, provided the interface is controlled. For instance, manually entered test results must be verified against instrument printouts. Hybrid transitions must have migration plans and system validation documentation to prevent data loss.

    11. Data Integrity Risk Assessment

    Risk assessments identify potential vulnerabilities in computerized systems. Common risk factors include open networks, lack of backup validation, or manual data transcription. The risk matrix assigns severity, occurrence, and detectability scores, guiding mitigation like enhanced audit trails or encryption.

    The MHRA and WHO emphasize risk-based prioritization for inspection focus — high-risk systems (QC LIMS, batch records) require deeper oversight.

    12. Electronic Signatures and Authentication

    Electronic signatures under Part 11 must be legally binding and uniquely linked to the individual signer. Firms must submit a Part 11 certification letter to the FDA confirming signature accountability. Authentication methods include passwords, biometrics, and digital certificates.

    Periodic testing of login controls ensures continued security and compliance with cybersecurity best practices (NIST SP 800-63).

    13. Backup, Archival, and Disaster Recovery

    Data retention and retrievability are crucial during regulatory audits. FDA expects validated backup processes, offsite redundancy, and periodic recovery testing. Archival systems must preserve metadata and audit trails. 21 CFR 211.180 requires that records be “readily available for review throughout retention period.” Use of encrypted cloud storage is acceptable if vendor qualifications and data transfer validation are in place.

    14. Vendor and SaaS Qualification

    Cloud-hosted and third-party systems introduce shared responsibility models. Vendors must be qualified through supplier audits, service-level agreements, and review of validation documentation. FDA recommends periodic reassessment of SaaS providers, focusing on data segregation, uptime reliability, and security certifications (ISO 27001, SOC 2 Type II).

    15. Data Integrity Audits and Inspections

    During inspection, FDA investigators may request live demonstration of audit trail functionality, review of system validation documentation, and evidence of data review. Typical 483 findings include disabled audit trails, backdated results, and incomplete access logs.

    Firms should conduct internal data integrity audits annually, using risk-based sampling and traceability verification. Audit reports must be reviewed by senior QA and closed through CAPA.

    16. Common FDA 483 Observations Related to Data Integrity

    • Audit trails not enabled for critical systems (HPLC, GC, LIMS).
    • Analysts sharing login credentials.
    • Backdating of analytical results or batch records.
    • Unvalidated spreadsheet calculations.
    • Incomplete backup verification.

    These findings often lead to regulatory warning letters and import alerts. Firms can prevent them through proactive internal audits, regular training, and strict system validation oversight.

    17. Training and Cultural Elements

    Technology alone cannot ensure data integrity. A quality-driven culture is the most powerful defense. Training programs must emphasize ethical behavior, consequences of falsification, and the value of transparency.

    Periodic requalification and real-time supervision of analysts during testing reinforce accountability. Management must model integrity — tone from the top defines the culture below.

    18. Integration with Pharmaceutical Quality System (PQS)

    Data integrity must be embedded within the PQS framework. Cross-functional linkage between validation, change control, CAPA, and management review ensures continuous monitoring. Trending of audit trail findings and electronic record deviations forms part of Annual Product Review (APR) submissions. This integrated approach proves ongoing control during inspections.

    19. Future Trends – From Compliance to Data Maturity

    Regulators are shifting focus from basic Part 11 compliance to Data Maturity — an organization’s ability to ensure data reliability across systems and geographies. Maturity levels evolve from “reactive” (manual controls) to “predictive” (automated risk detection).

    AI-powered anomaly detection, blockchain-based audit trails, and continuous monitoring platforms are transforming the compliance landscape. The FDA’s Data Modernization Action Plan (DMAP) encourages such innovation to enhance oversight while maintaining integrity.

    20. Final Thoughts

    Data integrity is not an IT project — it’s a fundamental element of GMP compliance and patient safety. A well-structured framework covering policy, people, and technology ensures full alignment with FDA 21 CFR Part 11 and international standards.

    In 2026 and beyond, inspection-ready organizations will demonstrate not only validated systems but also ethical governance and digital transparency — the true hallmarks of integrity in pharmaceutical manufacturing.
