Homepage / Scientific Articles / Data integrity – is there something more that needs to be done?

Data integrity – is there something more that needs to be done?

Regulatory authorities are focusing on data integrity.
Regulatory authorities are focusing on data integrity.

Since the most recent publication of several warning letters (1) regarding the issue of data integrity, the FDA is once again focusing on this topic in particular during inspections. This article presents background information and practical experience with this issue.


The initial situation
Data integrity is not a new regulatory requirement. In 21 CFR Part 11, published back in 1997, calls for companies “…to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine”.(2) The guidance document entitled “Scope and Applications” specifies these criteria in more detail.(3)

Chapter 4 of the EU GMP requires data integrity with regard to documentation.(4)

Together with patient safety and product quality, data integrity is the primary objective for the risk-based validation approach described in EU GMP Annex 11 (5) and GAMP 5®.(6)

In the period between January 2014 and January 2016 alone, the FDA issued 71 warning letters with findings on data integrity issues.(7) Some of these were glaring omissions, but there were also intentional manipulations.

The top findings included, for instance, undocumented deviations, backdating of documents, no timely records, “testing into compliance”, and the destruction of original data.


Practical procedures
The data integrity requirement is not limited to electronic data. Data integrity can be put at risk wherever (GxP)-relevant data are generated, stored, electronically or manually transferred and analyzed.

The principles for ensuring data integrity were summarized in the incisive acronyms ALCOA and ALCOA+ (see table).(8) This is merely a starting point for practical implementation. Only the precise, process-oriented review of the actual work method facilitates the detection of specific risks to data integrity.



The following details are important:

  • How reliable are manual recordings and transmissions?
  • Could data be changed or deleted without detection?
  • Is the permissions concept for the computerized systems still up-to-date and secure, and is it appropriate for the organization.
  • Is there an audit trail for functionality in operation?

In particular, the management of raw data in the laboratory, in production and in other areas often necessitates redesigning the storage concept. Occasionally there are structures that have developed over time and eventually manifest potentially risky weaknesses with regard to data integrity (e.g. unsecured interim storage of raw data).

  • Could paper-based records and documents be replaced without detection?
  • Could the data recording be incomplete?

The possibility of deliberate manipulation should also be included in the review:

  • Could OOS results simply be eliminated, i.e. without being investigated?
  • Could measurements simply be repeated?
  • If so, would it at least be detectable in the audit trail?


An audit trail is generally viewed as an important means of detecting any unauthorized actions and irregularities in a computerized system.

The specific requirements for audit trails are defined in 21 CFR Part 11. With the help of an audit trail review as stipulated in EU GMP Annex 11, proof of authenticity, for example as a complement to batch testing, can be provided.

In principle, the review takes a risk-based approach to focusing on GxP-critical data objects in the audit trail records. In practical implementation, challenges often appear when the joint analysis of various audit trail records becomes more difficult due to different data structures and proprietary file formats.

In addition to these purely technical considerations and resources, a key factor in the success of the endeavor is the attitude of the people themselves. In-depth studies (9) showed that neglectfulness and errors can creep in due to factors such as corporate culture, time pressure and performance pressure, which then adversely affect the data integrity. It is crucial to anchor an awareness of ethical behavior, the maintenance of quality and the possible risks posed thereto throughout the company.

It is useful to scrutinize one’s own approach to work from the standpoint of data integrity, whether to optimize one’s own process reliability or simply to be prepared for the next inspection. Avoid falling into traps and benefit from the experience and expertise of the Business Designers.



(1) Examples were retrieved from





(2) 21 CFR Part 11, Section 11.10

Retrieved from https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=11

(3) Retrieved from


(4) Retrieved from http://ec.europa.eu/health/files/eudralex/vol-4/chapter4_01-2011_en.pdf

(5) Retrieved fromhttp://ec.europa.eu/health/files/eudralex/vol-4/annex11_01-2011_en.pdf

(6) GAMP 5: A Risk-Based Approach to Compliant GxP Computerized Systems, (ISPE Publications, Florida, USA, January 2008).

(7) Analysis from FDA’s Electronic Reading Room

(8) Woollen, S. W. (2010, Summer) Data Quality and the Origin of ALCOA, Newsletter of the Southern Regional Chapter Society of Quality Assurance. Retrieved from http://www.southernsqa.org/newsletters/Summer10.DataQuality.pdf

(9) “Analyzing the state of Data Integrity Compliance in the Indian pharmaceutical Industry”, Ernst & Young LLP, 2015

Retrieved from http://www.ey.com/Publication/vwLUAssets/ey-data-integrity-compliance-in-the-pharma-industry/$FILE/ey-data-integrity-compliance-in-the-pharma-industry.pdf



Dr. Peter Schober|Senior Consultant Efficient IT|The Business Designers


No comments found.

Chemgineering Business Design AG | Binningerstrasse 2 | 4142 Münchenstein | T +41 61 467 89 00 | F +41 61 467 89 01 | www.chemgineering.com | info@chemgineering.com