Data Integrity in Pharmaceutical Industry
Understanding complex regulations and designing an effective implementation strategy within a short time (Part 1)
13 February, 2020 by
Data Integrity in Pharmaceutical Industry
Ympronta srl, Info Ympronta
| No comments yet


Pharmaceutical enterprises, whether small or big, which have already achieved a good level of Data Integrity coverage or which have undertaken a well-defined path, have one thing in common. It is not a feature imposed by the FDA, nor by GMP regulations. To develop it, a few simple conditions must be met. What are these conditions and how is it possible to design and execute a successful Data Integrity Strategy thanks to them? We will discuss them extensively in this article.

Soluzione IoT per Data Integrity in laboratorio di analisi
IIn this first part we will discover why Data Integrity has become a hot topic in recent years in the pharmaceutical industry. We will set up an indispensable knowledge base to work on this topic: we will examine the definitions of all terms and concepts and give an overview of the main regulations currently existing, trying to understand how they can be translated into practice. We will address the main approaches to Data Integrity (on paper, electronic or hybrid) and their areas of applicability.

In the  second part

we will analyze the spectrum of possible data sources and how they impact strategic decisions on their integrity. We will then try to summarize what we have learned to define the principles on which to base the design of a good strategy for achieving Data Integrity in a pharmaceutical enterprise.



    First and foremost, we must say that this is a global problem and pharmaceutical companies all over the world are dealing with it in their own way. Cases of non-compliance (only those registered by inspections of course) have been found in the USA, Canada, UK, India, China, etc.  

    The integrity of data generated by regulated pharmaceutical companies, both in production and in laboratories, is increasingly important because these are the basis on which manufacturers guarantee the identity, purity, safety of the product, record and justify any non-compliance.  

    The efficiency of the operations carried out and their traceability depend on the integrity of the data. It is easy to imagine that the production and the laboratory are the main source of the information needed to judge the quality of the product. This is why the authorities concentrate their controls in these areas.

    FDA Warning Letters relative a Data Integrity

    FDA Warning Letters relative to Data Integrity

    Why now?

    Data Integrity principles have always been reported in GxP. Documentation is an essential component of quality and, consequently, is one of the strategic elements of the company's business. Precision, contemporaneity, truthfulness and attributability of data have always been requirements of all regulations and guidelines. However, Data Integrity is a very topical issue at the moment.

    Inspection results have exposed the weaknesses common to many companies in data management. This, as we will see later, has triggered a strong feedback from regulators, who have acted on two fronts. On the one hand, they have made enormous efforts to define clear and comprehensive regulations and, on the other hand, they have increasingly focused on the tangible evidence of processes, the traces left by processes already carried out, and not only on the SOPs that define the processes that will (or should) be carried out. In other words, they want to move from promises to proof of facts. 

    In contrast to what one might think, only a fraction of FDA notifications of Data Integrity are attributable to counterfeiting and fraud. Most, 95 percent, are reports of mismanagement of data in general. This is also due to the fact that regulatory agencies expect pharmaceutical companies to track their processes in increasing detail, execute and maintain complete and accurate records, including all raw data that generated them. That is, it is not possible to falsify data that does not exist. The very fact that the company does not have the data documenting critical processes is the cause of non-compliance.


    The agencies are always up-to-date with technological progress and understand the opportunities they offer. It is no surprise that in recent years there has been a strong development of information systems, tools and production and laboratory operations in this direction.

    As regulators continue to refine their approaches to inspection, it is critical for managers and staff working in GxP regulated manufacturing departments and laboratories to understand key data integrity issues and be able to prove regulatory compliance.


    Pharmaceutical companies are among the most technologically conservative. This is due to fact that the life cycle of IT systems is much longer and more expensive than other manufacturing sectors, which is precisely the reason why they have to comply with GmP regulations. However, it is not just a matter of time and cost. Over the years it has been understood that meeting the classic GxP requirements can ensure compliance but may not be sufficient for the complete tracking of production processes and quality control, and especially for the security of the data they have generated. 

    Storia di Data Integrity, Data Integrity History

    We have reached a broader concept than simply using a validated system. Thus the issue of data integrity was born with a clear message to define a plan for the management of priority data and risks. Important concepts of equivalence, integrity, security and availability throughout the data lifecycle are defined and introduced for both paper and electronic data.

    Since 1983, which is considered the founding year of Computerized Systems Validation, we have witnessed a significant evolution, driven by technological progress and increasingly high quality standards, and regulated today by regulatory pillars and guidelines such as: US FDA 21 CFR Part 11, PIC/S PI 011, EU GMP Annex 11 and GAMP Guide.

    In July 2014, the U.S. Food and Drug Administration (FDA) issued a strict warning about the importance of Data Integrity in its ongoing efforts to enforce regulations. In January 2015 the UK Medicines and Healthcare products Regulatory Agency (MHRA) published the GMP Data Integrity Definition and Guidance for Industry on Data Integrity Guidelines.



    Below is a list of the regulations issued by the main regulatory authorities on the subject of Data Integrity. Following the link you can browse all the sources and, after days or weeks of in-depth study, find all the answers on what the agencies expect.

    We have already gone down this road and the main difficulty we have encountered is that these documents, with all their definitions, sections and recommendations are presented in the form of a "shopping list" with many points written in scientific language and often without a real link between them.

    We will then present a summary of the key concepts and specify the correlations between them.


    In 2019, 65% of FDA warning letters were due to Data Integrity issues. 

    The graph in the picture shows an increase in the years of "Notifications 483" related to Data Integrity in laboratory and production environments (source).  The inspections show that many pharmaceutical companies have not yet adopted adequate quality systems and processes.

    The main reason is the incompleteness of data, an avoidable problem but at what price? Realizing that obtaining the completeness of data when the support is paper requires a huge cost of human resources, pharmaceutical companies are increasingly turning to their suppliers of electronic instruments asking for certification for Data Integrity. We will see later on how suppliers meet the request. 
    Notifiche 483 su Data Integrity, data integrity 483 observations



    Although regulations do not explicitly require data management to be electronic and define principles of integrity for both types of data, both digital and physical systems, inspectors consider paper as a less secure way to manage data. The main reason for this is that paper processes are not tracked and documented automatically and simultaneously, and where there is manual data entry the risks (of error, loss of data or simply forgery) are much greater.

    Tipologie di Notifiche 483 su Data Integrity, data integrity 483 observations types


    As mentioned above, the missing data cannot be inspected by nature and the warning letter is guaranteed. 
    The "paper" data is weak and its inspection is not effective, the letter can be (still) avoided because, in this case, the inspectors pay more attention rather than to the data, to the method by which they are managed. In other words, they try to test companies by asking difficult questions and trying to understand whether those responsible have a good grasp of the lifecycle of their data.
     As far as electronic data is concerned, in addition, of course, to its simple availability, it is easier to check whether it is managed according to the established criteria. The inspection, in fact, turns into a check-list, and once at the bottom of this the result of the inspection can be easily predicted. In this perspective the audit trail is a "litmus test" of the level of maturity achieved by the company in terms of Data Integrity, since sometimes it might be enough to check the availability (and quality) of audit trails for the various digital systems to decide whether it is necessary to further deepen the inspection.  
    Finally, the capability of demonstrating and understanding the effectiveness of the ERES (Electronic Record and Electronic Signature) configurations of your digital systems is a clear and immediate indicator for inspectors of the degree of Data Integrity coverage in the company.


    Below you will find the original excerpts of the most common observations of the last 2 years regarding violations of cGMP rules in the area of Data Integrity.


    “Your firm failed to maintain complete information relating to the production and control of each batch.” (21 CFR 211.188); 


    "Failure to document manufacturing operations at the time they are performed. During the inspection, our investigator reviewed 20 executed batch manufacturing records and found that most of them contained similar or identical entries that could not be adequately explained.” (21 CFR 211.100 (b));


    “Your firm failed to exercise appropriate controls over computer or related systems to assure that only authorized personnel institute changes in master production and control records, or other records” (21 CFR 211.68 (b)).


    "The inspection revealed your firm’s use of scratch paper containing critical manufacturing data. The data on these scratch paper records did not always match the data on the corresponding official batch records..."


    Non-context registration to the activity: not registering at the time the activity was performed. For instance, records signed by a person when they were actually unavailable on that day.

    Retesting samples for better results: Multiple tests made with the same sample without proper justification, and in some cases samples tested unofficially or by trial analysis until the desired results are achieved.

    Off-spec data ignored and/or "correct"/manipulated

    Test sample sizes not respected or "adjusted".

    Inconsistent test report or protocol numbering.

    Test report inconsistent or conflicting with raw data generated by the process and/or "correction" / manipulation of results.

    Insertion in different batch records of the same information.

    Lack of access control to computerized and related systems used in production batch management; not only authorized personnel can access and modify production masters and batch records.

    Document backdating: stability test results backdated to meet required commitments.

    Copy of existing data passed off as new information: Results from previous batches used to replace tests from another batch or acceptable test results were created without testing.

    Test duration "shortened" arbitrarily, without following SOPs.

    Records not concurrent with the activity: the documentation required to close the production batch is not compiled at the same time or immediately after completion of the activities, but afterwards. 

    Backdating of production lot documents.

    Use of unofficial sheets to note critical production data, inconsistencies between official batch records and these annotations.

    Mismatch between, for example, data reported on a batch record and data recorded by the system and/or equipment.


    • In-depth investigation

    • Risk analysis regarding the consequences

    • Comprehensive CAPA plan that tackles the root of the problems

    FDA, understanding the effort required for a pharmaceutical company to achieve Data Integrity compliance, advises companies to seek assistance from qualified and experienced consultants. The need for external support is still noticeable considering the fact that agencies are pushing companies to "build" a system of data governance, a set of different initiatives and targeted procedures to ensure data integrity. The system will have to be sized according to the level of risk of each individual data and process both of the company itself and of the partners involved, and will have to be applied to both paper and electronic documents. This is a new challenge for pharmaceutical companies whose core business was the manufacture of medicines, while it is now expanding to the advanced management of related documents and records. And since all data will sooner or later become digital, the FDA is pushing companies to become Digital Companies as soon as possible.

    10 Comandamenti su Data Integrity,  raccomandazioni


    Of course, the FDA, and all the other agencies, demand proof that the data generated is under control, during the entire life cycle of the data, i.e. from the process that generates it, to dynamic management (real-time acquisition and processing), up to the final stages of the life cycle, such as archiving and reporting. In addition, it is required to demonstrate the correct management of business processes, specifying that they are owned (and mastered) by users, rather than by technical experts (IT or Engineering) and that not only the primary data but all corrections are brought to the attention of those who review them, because in the pharmaceutical industry a data has no value if it has not been approved. And this review must also be documented.  

    In other words, a solid and at the same time flexible control of production and laboratory processes is the key to applying the concepts of Data Integrity to the latter.  


    Data Integrity is absolutely transversal. The entities show at least 3 specific contexts: Production, Laboratory, R&D. This only because they are the main areas that address GxP impact data. However, of course, if some warehouse processes have been considered critical, also the related data must be treated as Data Ingegrity.

    PREREQUISITI tecnici per il Data Integrity

    To streamline the approach, FDA has defined the ALCOA principles. The "CCEA" requirements, also called ALCOA+, have been added to this list. We will discuss them in detail in the next chapter but here is a brief overview of the fundamental technical requirements for Data Integrity in Life Science:  

    • Having access to the system (or server) clock to track the event with the correct time.

    • Have access to batch records in the same places where the activities take place, so that it is not necessary to transcribe the data on official documents at a later date.  

    • Implement, where feasible, automatic and contextual checks at the time of manual data entry.

    • Automatically perform user access rights checks to prevent unauthorized changes to the data.

    • Where possible, automatically acquire data or set up printers directly connected to the physical source of the data (e.g. scales) to avoid transcription errors or inaccuracies.

    • Equipping sampling points (e.g. for water systems) with electronic detection sensors.  

    • Provide access to raw data for staff performing data verification activities.


    Why data integrity is important?
    We understand what the regulators are requesting. Let us also try to understand why and what the agencies are asking pharmaceutical companies to do. There are several reasons, but there is one in particular, and to understand it, we must first try to think more closely about the mission of these agencies.

    The Food and Drug Administration is responsible for protecting the public health by ensuring the safety, efficacy, and security of human and veterinary drugs, biological products, and medical devices; and by ensuring the safety of our nation's food supply, cosmetics, and products that emit radiation.

    FDA is responsible for advancing the public health by helping to speed innovations that make medical products more effective, safer, and more affordable and by helping the public get the accurate, science-based information they need to use medical products and foods to maintain and improve their health. 

    In simple terms, the FDA's goal is the availability of quality medicines to the population. With this in mind, we try to analyze the following report on stock shortages, or simply their depletion, resulting in the unavailability of medicines on the market.

    "Data integrity is a fundamental requirement for the regulated health sector, since decisions and assumptions about product quality and compliance with applicable regulatory requirements are made on the basis of data". 

    Institute of Validation Technology

    According to FDA, more than 60% of the cases of non-availability of the drug on the market (stock shortage), are caused by problems detected in production and non-conformity events in quality control processes. We can therefore say that the lack of data integrity or its total absence compromise the safety, effectiveness, quality and, of course, the availability of the drug.  

    Rottura di stock e Data Integrity, Drug Shortages

    However, in addition to endangering the end consumer, especially in cases of "necessary" drugs (such as vaccines or anaesthetics), data integrity issues have a direct impact on the company's business and are able to create an image damage, which inevitably causes economic damage.


    Let's begin to analyse the subject more closely and, before we immerse ourselves in the methods, approaches and strategies, we must necessarily give definitions to the concepts with which we are going to operate. 


    Cos'è Data integrity?

    What do we mean by raw data? The raw data is the first recording of a sensitive data, both paper and electronic.

    What are metadata? They are the contextual information required to understand the data. A value is in itself meaningless without further information. 

    Metadata is data that describes the attributes of other data by specifying their meaning and context. Typically, this data describes the structure, elements, relationships, or other characteristics of the data to which it refers. They also allow the attribution of a data to an individual. Also the Audit Trail and the possible Electronic Signature are metadata.  

    ... Data life cycle? What is it?


    Good Documentation Practice


    Le principali fasi del ciclo di vita dei dati:

    • generazione raw data

      • I raw data devono essere immediatamente e accuratamente registrati e devono rimanere integri per poter ricostruire le attività che hanno generato quei dati.

    • elaborazione/migrazione e/o registrazione

    • uso/review

    • conservazione

    • archiviazione/recupero

    Data Life Cycle

    Dati originali nella forma in cui sono stati generati (per esempio, osservazioni manuali scritte su carta o dati acquisiti automaticamente in formato elettronico da un sistema).

    Informazioni derivate o ottenute da Record Originali (per esempio dati o risultati di calcoli analitici su un report).

    • True copy: Copie esatte di un dato o record originale ➔ possono “sostituirlo”. Possono essere mantenute nello stesso formato o in un formato diverso da quello in cui era stato generato il dato originale.

      • una fotocopia di un record cartaceo

      • la scansione elettronica di un record cartaceo

      • la stampa di un dato generato elettronicamente. Le copie non devono comportare perdite di informazioni sia in termini di contenuti (es. perdita metadati) che in termini di accuratezza o «risoluzione» del dato.

    • Il raw data può essere buttato solo se viene prodotta una true copy (scansione, fotocopia..). Le copie devono preservare il contenuto e il significato dei dati originali, che include i metadati e la natura statica o dinamica del record originale.

    Le misure di sicurezza servono a proteggere i dati dall’alterazione principalmente tramite l’autenticazione al sistema operativo e delle password:

    • complessità delle password

    • blocco automatico delle sessioni utente dopo un periodo di inattività

    • obbligo di cambio password al primo accesso

    • scadenza delle password

    • tentativi massimi di accesso fallito

    • log degli accessi

    I requisiti richiesti da FDA e quelli espressi in EU GMP presentano alcune differenze:

    • La richiesta di FDA è che la review dell’audit trail contestuale sia eseguita sui campioni di ogni lotto dei semilavorati e dei prodotti finiti.

    • Gli audit trail sono metadati e sono considerati parte dei relativi record. Il personale responsabile della review dei record dovrebbe rivedere anche il relativo audit trail.

    Caratteristiche dell'audit trail

    • automatico

    • non disattivabile

    • non alterabile

    • necessario solo su dati/metadati critici modificabili dall’utente

    • esportabile e stampabile

    • completo delle informazioni richieste

    L’audit trail deve essere disponibile e convertibile in un formato intellegibile e deve essere periodicamente rivisto (Annex 11, punto 9). La revisione dell’audit trail è, dunque un requisito specifico dell’Annex 11 delle EU GMP ma al punto 9 non si specifica nè la frequenza esatta nè la modalità di esecuzione perché questi possono variare da sistema a sistema. FDA specifica meglio, richiedendo la review contestuale dell’audit trail prima dell’approvazione finale.

    • Audit trails need to be regurlarly reviewed

    Vanno rivisti i risultati dei test per i prodotti finiti, le sequenze delle analisi, l’identificazione dei campioni e i parametri critici di processo.

    Naturalmente la funzionalità dell’audit trail deve essere verificata in convalida iniziale.

    Chi deve fare la review dell’audit trail?

    • La review contestuale va fatta da un pari

    • La review periodica compete al QA

    • Chi rivede i record dovrebbe rivedere anche gli audit trail relativi

    Come documentare la review?

    • checklist da compilare ad ogni review

    • flag in fondo al report

    • nota sul logbook

    • firma di revisione di un record che attesta l’esecuzione

    Deve esserci una copia di backup del software, dei dati (con frequenza da decisa dal azienda in base alla criticità del dato). Dal punto di vista del data integrity, supporto e modalità non sono rilevanti purchè il backup rispetti i requisiti normativi applicabili:

    L’unico requisito per i backup è che ci sia un backup:

    • regolare e con esito verificato

    • convalidato

    • monitorato

    • regolamentato da SOP

    Il back up può essere: automatico, manuale o ibrido. Nelle ultime due opzioni possono sorgere problemi di data integrity, come la cancellazione di file o dimenticanze.

    Naturalmente anche le copie di backup devono essere protette da opportune misure logiche e fisiche per prevenire la cancellazione/alterazione dei file.


    It can be said that the ALCOA principles enclose the essence of all Data Integrity legislation. In fact, these criteria have been defined by the GLP (Good Laboratory Practice) inspectors of the FDA in such a way as to provide simple and immediate evidence of the characteristics that the data must possess. Although a creation of FDA and initially defined in the laboratory of analysis, the ALCOA criteria are a summary of all international guidelines, such as ICH and EU GMP, and should be applied to all critical GxP data.

    Over time, and more precisely in 2012, the European Medicine Agency (EMA) also added the following "CCEA" requirements (also called ALCOA+).

    Attribuibile: along with signature, abbreviation, date, time (abbreviation and date for repetitive and routine actions). Records indicate by whom and when an action was performed

    LegibleThe data must be readable throughout the entire life cycle of the records.

    Contemporaneous: Recorded at the time of the event itself or as soon as possible. 

    Original: Original records or certified copies.

    AccurateError-free or with documented changes. 
    Complete: All data collected on the same sample, lot (or other critical record), including tests, rework, analysis performed, etc.
    Complete: all data collected for sample, batch or other critical record, included test, analysis, reworks, etc.

    Consistent: Consistency in data collection, as stated in the time stamp, in order to reconstruct the entire life of the record.

    Enduring: the consistency is checked and saved on a secure (durable) medium.

    Disponibile (Available): accessibile per la consultazione durante tutto il ciclo di vita del dato.


    We can conclude the first part here by summarizing what we have learned about the current context of Data Integrity and the historical period it is going through, having deepened the main definitions and trying to understand the reasons behind this fascinating field of the pharmaceutical industry.

    Data = raw data + metadata.

    Complete data and raw data are the same thing? Actually yes, assuming they include metadata.

    The documents, records, data must be stored (and the storage tool must be validated) to ensure their integrity. According to the Consumer Protection Act it is compulsory to keep the documents for at least 10 years, even if GMP requires less (1, 3, or 5 years, depending on the type of product and criticality of the data).

    FDA, in addition to compliance, is very conscious of the awareness of companies, management and personnel. For this reason, it demands that the responsibility for Data Integrity is attributed to management and that this guarantees adequate training for personnel, effective authentication methods, and the culture of data management in general.

    In the  second part of the article we will try to define the criteria of a solid Data Integrity strategy and the main steps for its definition, always keeping in mind our goal, which is to achieve in a short time a good awareness and autonomy on this complex and extremely important topic.


    Join Us

    Be the first notified about our events, news, and publication of high-quality content.

    Odoo • Un'immagine con didascalia
    Production and Laboratory Data Integrity Digital Solution
    Odoo • Un'immagine con didascalia
    Smart Serialization and Track&Trace solution

    Smart MES Solution for Life Sciences Industry.
    Data Integrity 
    Questions and Answers
    Your Dynamic Snippet will be displayed here... This message is displayed because you did not provided both a filter and a template to use.
    Data Integrity in Pharmaceutical Industry
    Ympronta srl, Info Ympronta 13 February, 2020
    Share this post
    Sign in to leave a comment