Analytical Quality Control Group

Data Integrity & IT Compliance Group

GMP, GCP and GDP

Data Governance and
Data Integrity

A guidance document by the ECA Foundation

Version 3.0; December 2022
Developed by and
GMP, GCP and GDP Data Governance and Data Integrity

Table of Contents

1 Objectives and Scope of this Guidance ................................................................................ 7

1.1 Objectives ...................................................................................................................................... 7
1.2 Scope of this Guidance .................................................................................................................... 7
1.2.1 A Data Integrity Model................................................................................................................ 8
1.2.2 Foundation: Right Corporate Culture and Ethics ........................................................................... 10
1.2.3 Level 1: Right Equipment / Instrument and System for the Job ..................................................... 10
1.2.4 Level 2: Right Manufacturing Process, Data Collection and Aggregation and Analytical Procedure for
the Job ..................................................................................................................................... 11
1.2.5 Level 3: Right Production for Right Batch - Right Analysis for Right Reportable Result - Right setup for
the Right Data. ......................................................................................................................... 12
1.2.6 Role of the Quality .................................................................................................................... 12
1.2.7 The Big Manufacturing Picture .................................................................................................... 12
1.2.8 The Big Analytical Picture ........................................................................................................... 13
1.2.9 The Big Clinical Development Picture ..........................................................................................14
2 Background......................................................................................................................... 15
2.1 Brief history of data governance & integrity issues ............................................................................ 15
2.2 The Cost of Non-Compliance ........................................................................................................... 16
2.3 A Comprehensive Remediation Plan ................................................................................................. 18
2.4 Summary of Data integrity issues arising from Regulatory experience ................................................. 18
2.5 Poor Practices versus Falsification ................................................................................................... 19
2.5.1 Data Falsification .......................................................................................................................19
2.5.2 Poor Data Management Practices................................................................................................20
2.5.3 Manufacturing Records .............................................................................................................. 21
2.5.4 Laboratory Records ................................................................................................................... 22
2.5.5 Clinical Trial Records ................................................................................................................. 23
3 Regulatory References, Guidance and Requirements ........................................................ 25
3.1 MHRA (UK) GMP Data Integrity Initiatives ........................................................................................ 25
3.2 WHO Guidance on Good Data and Records Management Practices ..................................................... 26
3.3 FDA Guidance on Data Integrity and Compliance with CGMP ............................................................. 26
3.4 PIC/S PI-041 Data Integrity Guidance .............................................................................................. 30
3.5 OECD 22 Advisory Document of the Working Party on Good Laboratory Practice on GLP Data Integrity . 34
3.6 EMA Notice to sponsors on validation and qualification of computerised systems used in clinical trials ... 35
3.7 EMA Draft Guideline on computerised systems and electronic data in clinical trials ............................... 35
3.8 ISPE Records and Data Integrity Guides...........................................................................................35
4 Data Governance ................................................................................................................ 36

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 2 of 96
GMP, GCP and GDP Data Governance and Data Integrity

4.1 Corporate Management Leadership for Data Governance and Data Integrity ....................................... 36
4.2 Technical Procedures ..................................................................................................................... 36
4.3 Expected Culture and Behaviours .................................................................................................... 38
4.4 Maturity Level of the Organization ................................................................................................... 38
4.5 Quality Management System ...........................................................................................................39
4.6 Risk Management .......................................................................................................................... 39
4.7 Training ........................................................................................................................................ 40
4.8 Roles and Responsibilities ............................................................................................................... 40
4.8.1 Senior Management................................................................................................................... 40
4.8.2 Data Owner .............................................................................................................................. 41
4.8.3 Data Steward – Power User – Department Administrator .............................................................. 41
4.8.4 Second Person Reviewer ............................................................................................................ 42
4.9 Identifying and Empowering Data Owners and Data Stewards ........................................................... 43
4.9.1 Identifying the Data Owner of a System or Process ...................................................................... 43
4.9.2 The Business is Responsible for the Data .....................................................................................43
4.10 CMOs, CROs and Contract Laboratories............................................................................................43
5 Policies, Procedures & Processes ....................................................................................... 44
5.1 Corporate Data Integrity and Ethics Policy........................................................................................44
5.2 Good Documentation Practices ........................................................................................................ 44
5.3 Understanding Complete Data, Raw Data and Clean Data.................................................................. 44
5.3.1 Traceability of Actions................................................................................................................44
5.3.2 Understanding Complete Data .................................................................................................... 45
5.3.3 Understanding Raw Data and Equating it to Complete Data .......................................................... 45
5.4 Chromatographic Integration .......................................................................................................... 46
5.5 Source Data in Clinical Trials ........................................................................................................... 46
5.6 “Clean” Data in Clinical Trials .......................................................................................................... 46
6 Criteria for Data Integrity and Security of Records based on ALCOA+ Principles ............. 48
6.1 Definition of ALCOA+ ..................................................................................................................... 48
6.2 Access / Security/ Segregation of Duties .......................................................................................... 49
6.3 Validation ...................................................................................................................................... 50
6.4 Audit Trail Review .......................................................................................................................... 50
7 Auditing for Data Integrity and Security of Records .......................................................... 52
7.1 Audit Focus ................................................................................................................................... 52
7.2 Tools for Auditing Data Integrity ..................................................................................................... 53
7.3 Quality Oversight ........................................................................................................................... 54
8 Illustrative Appendices....................................................................................................... 55

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 3 of 96
GMP, GCP and GDP Data Governance and Data Integrity

8.1 System Assessment........................................................................................................................ 55

8.2 Strategic Assessment of all GMP/GDP/GCP Systems .......................................................................... 55
8.2.1 Prioritization Approach & DI Risk Assessment ..............................................................................55
8.2.2 Detailed Examination Strategy .................................................................................................... 57
8.3 Process Management and Pharmaceutical Manufacturing ..................................................................57
8.3.1 Data Integrity in the Manufacturing Areas ...................................................................................57
8.3.2 Types of manufacturing ............................................................................................................. 58
8.3.3 The ISA 95 Levels and related systems & equipment .................................................................... 58
8.3.4 Programmable Logical Controllers (PLC) ......................................................................................59
8.3.5 SCADA (DCS) System ................................................................................................................ 59
8.3.6 Visualization Level ..................................................................................................................... 59
8.3.7 MES Level ................................................................................................................................. 60
8.3.8 ERP Level ................................................................................................................................. 60
8.3.9 Types of data and their relevance for data integrity...................................................................... 60
8.3.10 Data Categories ........................................................................................................................ 60
8.3.11 Criticality of the data ................................................................................................................. 61
8.3.12 Breakdown of the complex automation infrastructure ................................................................... 61
8.3.13 Leveraging grouping strategies ................................................................................................... 62
8.3.14 Data Lifecycle Elements ............................................................................................................. 62
8.3.15 Audit Trail Review in the context of the ISA95 framework ............................................................. 64
8.3.16 Risk analysis and mitigation measures.........................................................................................64
8.3.17 Data integrity risk mitigation measures........................................................................................64
8.3.18 Events & Alarms ........................................................................................................................65
8.3.19 Process Documentation impacted by Data Integrity ......................................................................65
8.3.20 Supporting documents and forms ...............................................................................................65
8.4 The Laboratory .............................................................................................................................. 65
8.4.1 Recording records by observation ............................................................................................... 65
8.4.2 Recording Results from an Analytical Balance ..............................................................................66
8.4.3 Colour and Odour Determination ................................................................................................66
8.4.4 Observing Results from Simple Instruments .................................................................................66
8.4.5 Recording Sample Preparation Observations ................................................................................66
8.5 The Clinical Trial ............................................................................................................................ 67
8.5.1 Process overview and Data Life Cycle ..........................................................................................67
8.5.2 Critical Records / Data ............................................................................................................... 67
8.6 Blank Forms .................................................................................................................................. 67
8.6.1 Quo Vadis Blank Forms? ............................................................................................................ 67

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 4 of 96
GMP, GCP and GDP Data Governance and Data Integrity

8.6.2 Control of the Master Template .................................................................................................. 68

8.6.3 Use of the Blank Template ......................................................................................................... 69
8.6.4 Are Paper Records the Best Way Forward? .................................................................................. 71
8.6.5 Summary.................................................................................................................................. 72
8.7 Hybrid Systems..............................................................................................................................72
8.7.1 Record Types in Hybrid Systems ................................................................................................. 72
8.7.2 Electronic Source Data in Clinical Trials ....................................................................................... 72
8.7.3 Audit Trail................................................................................................................................. 73
8.7.4 Risk-Based Process Review ........................................................................................................ 73
8.7.5 Retention of Records ................................................................................................................. 73
8.7.6 Media Change ........................................................................................................................... 75
8.8 Spreadsheets................................................................................................................................. 75
8.8.1 Data integrity model for spreadsheet templates ........................................................................... 76
8.8.2 Development and validation of spreadsheet templates .................................................................. 77
8.8.3 Distribution and control of spreadsheet templates ........................................................................ 79
8.8.4 Control of completed spreadsheet templates as e-records ............................................................. 80
8.9 Chromatographic Integration .......................................................................................................... 80
8.9.1 Rules of Integration ...................................................................................................................80
8.9.2 How Can Manual Integration Result in Falsification? ..................................................................... 81
8.9.3 What is Manual Integration?.......................................................................................................82
8.9.4 Scope of a Chromatographic Integration SOP .............................................................................. 83
8.9.5 Manual Intervention versus Manual Integration ............................................................................84
8.9.6 Chromatographic Integration in Practice ......................................................................................84
8.9.7 Do Not Use Hybrid Systems........................................................................................................85
8.9.8 Understand the Predicate Rule ................................................................................................... 85
8.9.9 Ensure the Software Application Can Work Electronically .............................................................. 85
8.9.10 Simplify the Business Process ..................................................................................................... 86
8.10 GDP – Good Distribution Practices ................................................................................................. 86
9 Technical Glossary .............................................................................................................. 90
10 References .......................................................................................................................... 93

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 5 of 96
GMP, GCP and GDP Data Governance and Data Integrity

GMP, GCP and GDP Data Governance and Data Integrity

Authors – Analytical Quality Control Group & Data Integrity and IT Compliance
Group:
Dr C Burgess
Dr M Dathe
Mr S Canas
Mr F Henrichmann
Mr S Huq
Dr M Mangold
Dr R D McDowall
Ms M Sabater
Mr Y Samson
Mr St Schoettle
Dr W Schumacher

Version
Version 1.0 – 04 October 2016
Version 2.0 – 30 January 2018 (Expansion of the document to include manufacturing)
Version 3.0 – 01 December 2022 (Expansion to GCP and GDP, general update)

Technical Review:
Dr A Mangel

Legal Representative:
ECA Foundation
c/o VHP Auditing Firm and Legal Trustee
Attn Mr J. Ruland
Hebelstr. 7
68161 Mannheim
Germany

If you have any comments regarding ECA or this Guide please contact us by E-Mail at
info@gmp-compliance.org.

All references to “he”, “him” or ”his“ should be read as ”she“/ ”her“ respectively “they” / “them” or “their” where appropriate.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 6 of 96
GMP, GCP and GDP Data Governance and Data Integrity

1 Objectives and Scope of this Guidance

In this introduction to the ECA Data Governance and Data Integrity Guidance we present the team’s
objectives and detailed scope statement.

This Guidance primary scope is GMP, GDP and GCP but the principles outlined here apply to most of the Good
Practice Regulations.

1.1 Objectives

There are five objectives of this ECA guidance document:

To define data governance in the GMP, GDP and GCP areas as a set of policies and procedures within a
Pharmaceutical Quality Management System which leads to ensuring data integrity and data security within
an ethical corporate culture
To provide a single source of clear and concise harmonised high-level guidance document covering data
governance and data integrity within the framework of a Pharmaceutical Quality Management System
covering corporate, laboratory, production and IT activities
To review and evaluate regulatory requirements and guidelines to work towards global harmonisation and
compliance
To provide a model framework to achieve objectives 1 - 3
To provide more detailed appendices for specific data integrity topics

When all objectives are explained, it will provide a data governance framework as shown in Figure 1.

Figure 1: Overview of the Components of Data Governance mapped to ICH Q10 Quality Management System
Model

1.2 Scope of this Guidance

It is important to understand that this guideline is concerned with more than just the generation and security
of correct numbers. It is concerned with the totality of arrangements under a Quality Management System
(QMS) or as it is also called a Pharmaceutical Quality System (PQS), to ensure that data, irrespective of the
format in which they are generated, are recorded, processed, retained and used to ensure complete,

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 7 of 96
GMP, GCP and GDP Data Governance and Data Integrity

consistent and accurate records throughout the data lifecycle, and product lifecycle. Data governance is the
term used for the overall control strategy to ensure data integrity in the GMP, GDP and GCP areas.

1.2.1 A Data Integrity Model

Data governance and integrity is to be applied throughout product lifecycle (Figure 2). It begins in Research
and continues with GCP and DI requirements through the early and late stages of development. The full GMP
and DI requirements are to be applied with product launch and commercialization. Data governance for data
integrity needs to be consistently applied throughout the lifecycle stages and according to the extent of GMPs
and GDPs required. A comprehensive model is to be defined and systematically applied for DI following the
Pharmaceutical Quality System (PQS) covering the requirements on risk-based approach according to the
stage of product lifecycle. In particular, Research does have different and less stringent requirements to data
integrity than clinical, development and commercialized products/processes. In Research, DI applies to the
experiment and its results. Good Scientific Practice is intended to describe an experiment in such a way that it
can be independently repeated and its results can be reproduced.

By this, in GMP DI begins with the first raw data point, in Research DI applies to the experiment. The overall
model of DI needs to make sure that the relevant data is available from all phases of R&D (including Drug
Safety) and commercial lifecycle until the discontinuation of the product allows disposal of the data.

Figure 2: Product Lifecycle and generation of GCP, GMP and GDP data

Throughout product lifecycle the knowledge about product and process properties grows constantly and DI
needs to be systematically applied. The extent of Data Integrity applied should be commensurate with the
stage of Development.

To help understand the overall scope of this guidance, a data integrity model is presented to visualise the
topic and is shown in Figure 3. To achieve compliance all work must be carried out within the Data
Governance framework of a pharmaceutical quality system (PQS). It is important to realise that there are
other functional aspects within the laboratory, production, the quality function and within overall organisation

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 8 of 96
GMP, GCP and GDP Data Governance and Data Integrity

that must be under control otherwise data integrity will be compromised, in spite of the best efforts of all
staff.

Principles are intended to GMP, but the outlined principles can also be applied to patentable data and GLP
implementations but not explicitly covered here.

Figure 3: A Data Integrity Model [1]

For GCP the levels indicated above are

 Level 3: Right Data Aggregation, Decision Making during the process, Final Analysis for the Right
Result, Data Acquired and Transformed that are Complete, Consistent and Accurate
 Level 2: Right Data Collection and Aggregation Procedure for the Right Job, Validated / Verified Under
Actual Conditions of Use
 Level 1: Right Data Collection Systems for the Right Job, Qualification and / or Validation for Intended
Purpose

Although there are several regulatory guidance documents on the subject of data integrity, discussed in
Section 4 of this guidance, they lack a rigorous holistic structure for a regulated organisation to fully
understand and implement; furthermore, they lack hands-on tools and guidance in implementing solutions
and fixing non-compliant systems. Typically, these guidance documents list regulatory requirements and
philosophies regarding what must be achieved but not how to achieve them.

It is important to understand that data integrity must be comprehended in the context of analysis of
representative samples taken from a validated manufacturing operation within a verified and validated
analytical process that is operating under the auspices of a pharmaceutical quality system [Refs 8, 9]. Data
integrity does not exist in a vacuum. A holistic approach to data integrity within an organisation is based
upon a common foundation and three other layers with overall quality oversight as described in the next
sections.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 9 of 96
GMP, GCP and GDP Data Governance and Data Integrity

1.2.2 Foundation: Right Corporate Culture and Ethics

The foundation of this Data Integrity Model is the engagement and involvement of executive and senior
management throughout any organisation. This is to ensure that data integrity / data governance is set firmly
in place within the context of a pharmaceutical quality system. Therefore, there must be management
leadership, corporate data integrity policies that cascade down to laboratory, clinical, production and
distribution data integrity procedures, staff who have initial and on-going data integrity training.

Engagement of executive and senior management in ensuring that data integrity is in place is essential. FDA
in the DI guidance, PIC/S PI041 and EU GMP Chapter 1 [2-4] make it crystal clear that executive
management are responsible for quality within an organisation and that includes data integrity.

1.2.3 Level 1: Right Equipment / Instrument and System for the Job

There is little point in carrying out any analysis or data collection if the analytical instrumentation or systems
used is not adequately qualified or the software that controls it or processes the data is not validated.
Interconnections to processes and systems need to be taken into account (as illustrated in Figure 4 for a
laboratory system). Similar comments can be made about production equipment and the controlling software
systems. Therefore, at Level 1, the analytical instruments, production equipment and computerized systems
used in pharmaceutical manufacturing, clinical development, quality control and distribution must be qualified
for the specified operating ranges and confirmed as being ‘fit for their intended purpose’ respectively.

Figure 4: The laboratory system and data flow overview

Organisations may need to conduct computerised system validation in their own individualised way. Typically,
it is usual practice to conduct the project top down looking at the process, improving it and then configuring
the software application to that process as shown in Figure 5. However, this approach has the flaw in that the
records acquired and processed by the software may not be adequately protected especially if the records are
held in directories in a local operating system environment [3]. Additionally, the continuing trend of
outsourcing services in manufacturing, clinical development and laboratory analysis may lead to unprotected
data flows across several organizations that may have different approaches to computerised system
validation. We must learn to identify the gaps between the systems (end to end validation), and we need to
change the way that we conduct our computerised system validation as discussed in Section 7.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 10 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Figure 5: Validation Model

Top – Down Validation:

Process and Application Focus

Business Defining Raw

Activity 1 Activity 2 Activity 3 Activity 4 Activity 5
Process Data as Paper

Configuration
Application Software Application & Configuration not
Documented

E‐Records
Data, Metadata Vulnerable –
Records
& Information Deletion, Clock,
etc

Bottom – Up Validation
Record and Data Integrity Focus

Failure to ensure that an analytical instrument or data collection system, clinical development system or
production equipment is adequately qualified or computerised system adequately validated means that all
work in the two levels of the Data Integrity Model above is wasted.

IT Architecture should be qualified as a pre-requisite because if the architecture is not well configured,
qualified, documented and secured, all the upper layers are located over moving sand.

1.2.4 Level 2: Right Manufacturing Process, Data Collection and Aggregation and Analytical
Procedure for the Job

Following completing qualification of analytical instruments and validating software, the analytical procedure
is developed and validated. There are several published references for this from ICH Q2(R1) [6] , and
respective chapters in the European Pharmacopoeia (EP) and United States Pharmacopoeia (USP) . However,
the focus of these publications is on validation of an analytical procedure already developed. Method
development, which is far more important as it determines the overall robustness or ruggedness of the
procedure, receives scant attention in these publications. However, this analytical world is changing, USP
General Chapter <1220> on analytical procedure lifecycle [7] and the in-process revision of ICH Q2(R2) [8]
and introduction of ICH Q14 [9] on this topic. This means that “good” scientifically sound method
development that results in having defined the procedure’s design space now becomes important, as changes
to a validated method within the design space would be deemed to be validated per se [7].

Similarly, there needs to be a validated manufacturing process which has been the subject of major
regulatory change in recent years both in the USA [10] ] and the EU [11] GMP regulations.

For Clinical Development revised guidelines and regulations (ICH E6 (R2) and EU No 536/2014) focus on data
integrity and validation principles applied by risk-based methods which has become mandatory in the last
years [12].

For Level 2 and Level 3 functions to be effective, the lower layers of the Data Integrity Model must be in
place and demonstrably functioning for this layer to work correctly.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 11 of 96
GMP, GCP and GDP Data Governance and Data Integrity

1.2.5 Level 3: Right Production for Right Batch - Right Analysis for Right Reportable Result -
Right setup for the Right Data.

Finally, at Level 3 of the Data Integrity Model, actual pharmaceutical work will be performed: making and
distributing a batch, executing a clinical trial or analysing a sample. The analysis of a sample or the collection
of data must be undertaken using the right method and right data system, generated by staff working in an
environment that enables data to be generated, interpreted and the reportable result to be calculated in a
secure, accurate, legible, contemporaneous, original and attributable manner. Staff should be encouraged to
admit any mistakes and there must be a no-blame culture in place (from the Foundation). It is also important
not to forget the importance of the overall quality management system.

1.2.6 Role of the Quality

A quality function for oversight of compliance of all the operations performed at the three levels is essential.
The tasks here include;

 Quality oversight of regulatory requirements

 Quality oversight of policies and procedures
 Compliance checks of records of tasks performed
 Data integrity audits including relevant aspects of data governance
 Data integrity investigations

1.2.7 The Big Manufacturing Picture

Figure 6 shows an example for a system landscape which is used in most pharmaceutical companies acting
globally. The detailed manufacturing landscape usually on the basis of the ISA 95 approach is outlined in
section 9.

Figure 6: Example for a typical System Landscape

Beside the specific manufacturing systems, the QC and QA applications there are two other very complex
applications strongly supporting Data Integrity: the ERP (e.g. SAP) system and the Master Data Management
System (MDMS). Most critical data in the ERP system is usually the release status of each product batch. The
major advantage of the MDMS is to provide one global database for all Master Data: all specifications and
limits are residing in one location with interfaces to a large number of applications. This is facilitating the
cumbersome change control during the product lifecycle.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 12 of 96
GMP, GCP and GDP Data Governance and Data Integrity

1.2.8 The Big Analytical Picture

Figure 7 shows the four layers of the Data Integrity Model in a column down the left-hand side against the
various tasks in an analytical process.

 The foundation shows an outline of what is required at the corporate layer with management
leadership, culture, ethics and data integrity policies, procedures and training. Above the Foundation
is an analytical process with the various requirements at the three Levels of the Data Integrity Model.
 Level 1 shows qualification of an analytical balance as well as analytical instrument such as a
spectrometer coupled with the validation of computerised system that controls it. In addition, we
have the regulatory requirements for calibration, maintenance and use logs.
 Level 2 is represented by the preparation of reference standard solutions, sample preparations, and
the development and validation of the analytical procedure.
 Level 3 is expanded and shows the application of a validated analytical procedure from sampling,
transporting the sample to the laboratory, sample management, analysis, calculation of the reportable
result as well as out of specification investigation etc.

This diagram shows far better how the layers of the laboratory Data Integrity Model interact. Without the
Foundation, how can the three other levels hope to succeed? Without qualified analytical instruments and
validated software how can you be assured of the quality and integrity of the data used to calculate the
reportable result?

It is less important where an individual activity is placed in the various levels. The primary aim
of this Model is to visualise for analytical scientists how data integrity is achieved in practice.

Figure 7: The Analytical Process and the Data Integrity Model

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 13 of 96
GMP, GCP and GDP Data Governance and Data Integrity

1.2.9 The Big Clinical Development Picture

Figure 8 outlines a Clinical Trial system landscape at a very high level.

The most challenges aspects for data integrity are:

 Project-character of Clinical trials that vary in terms of:

o Investigational Product / Indication
o Phase, size and geographic spread
o Systems / system configurations / interfaces required
 High number of involved organizations including
o Sponsor of the Trial (often a Pharmaceutical Company)
o Contract Research organizations (CROs)
o Multiple Clinical Sites
o Specialized Technology provider

Figure 8: High level Clinical Trial landscape

Data integrity needs to be safeguarded within each trial across multiple organizations and computerized
systems that are often provided by several specialized technology providers and configured and/or interfaced
to meet to trial-specific needs.

This requires a cross-organizational quality and data integrity approach that should be included in contractual
agreements in the appropriate detail. But it is essential to supplement these agreements with robust,
continuous communication and data governance over the trial. This must be maintained through trial start-up,
site and patient inclusion, treatment and data collection, statistical analysis and reporting.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 14 of 96
GMP, GCP and GDP Data Governance and Data Integrity

2 Background

2.1 Brief history of data governance & integrity issues

Data integrity in GMP and GCP regulated laboratories is the current hot topic with regulatory agencies either
due to falsification of data or poor data management practices. Data integrity is not just confined to a single
country or continent but is a global issue, as many data integrity problems are based on poor and/or outdated
working practices rather than a minority of cases involving data falsification.

Data integrity in the GMP laboratory can be traced to Barr Laboratories in the early 1990s [13]. Here an issue
in production was tracked to the Quality Control laboratory where it was found that the laboratory was
retesting and resampling until the batch passed. Following the resulting court case the judge ruled that
outliers could not be rejected unless allowed by the United States Pharmacopoeia (USP) . The FDA also
responded by issuing a guide on Inspection of Pharmaceutical Quality Control Laboratories in 1993 [14].
This guidance still is relevant as many processes in regulated laboratories are still paper based or use hybrid
systems and the latter half of this document should be read as it provides valuable insights into how
regulators will conduct an inspection of a Quality Control laboratory.

In 2005, the Able Laboratories fraud case was a major issue where manipulation or falsification of data to
pass was found [15]. What was a major concern for the Food and Drug Administration (FDA) was that the
issue was not found by their inspectors but from a company whistle-blower. Unfortunately for the FDA, Able
Laboratories had seven successful pre-approval inspections (PAI). As a direct result, the FDA completely
rewrote the Compliance Program Guide (CPG) 7346.832 [16] for Pre Approval Inspections in order to be able
to detect similar issues during PAI. The updated CPG became effective in May 2012. The CPG has been
updated twice since in 2019 [17] and 2022 [18] and the new version of the CPG now has four objectives:

1. Readiness for Commercial Manufacturing

2. Conformance to the Application
3. Data Integrity Audit
4. Commitment to Quality in Pharmaceutical Development

At first glance, the focus for data integrity is objective 3. However close reading of the CPG [18], one realises
that laboratory and production data integrity permeates all three objectives and to focus only on objective 3 is
not sufficient..

Objective 3 lists some advice for the inspectors undertaking a PAI:

 Compare raw data, hardcopy or electronic, such as chromatograms, spectrograms, laboratory analyst
notebooks, and additional information from the laboratory with summary data filed in the CMC
section.
 Raw data files should support a conclusion that the data/information in the application is complete
[…].
 Lack of contextual integrity include the failure by the applicant to scientifically justify non-submission
of relevant data, such as aberrant test results or absences in a submitted chromatographic sequence
[18].
Objective 4 is more wide-ranging than just the dossier under review.
 This will be assessed when first conducting a PAI and at intervals thereafter based on risk of the
organisation.
 Assess the pharmaceutical development programme by evaluating the extent to which it is supported,
defined, managed and continually assessed for its effectiveness as well as its use in supporting
continual improvement of the PQS [18].

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 15 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Reiterating, the advice above, this document should be read in conjunction with the 1993 guidance on
Inspection of QC Laboratories [14] to gain an overall perspective of a regulatory inspection for any regulated
laboratory working to a GMP discipline.

Looking wider than the FDA, PIC/S have an aide memoire for inspectors on the Inspection of Quality Control
Laboratories [19] as well as their guidance on Computerised Systems in GxP environments [20]. The former
publication has a section on documentation where there are small sub-sections on data traceability and
computerised systems which can be used understanding data integrity [19]. The latter has sections 23 and
24 covering inspections of computerised systems; section 23 is a general approach to inspections and section
24 has six checklists for computerised systems. However, there is not a specific focus on data integrity which
reflects the age of the document as it is based on the 1992 version of Annex 11 and GAMP 4 principles [21].

However, together these four regulatory guidance documents give a more comprehensive approach to
auditing both computerised systems and paper records for data integrity issues. In addition, there is level 2
guidance on the FDA’s web site for some aspects of data integrity such as: shared user log-ins, why paper
cannot be raw data from a computerized system, and using samples as SST injections.

Questions and Answers on Current Good Manufacturing Practices, Good Guidance Practices, Level 2 Guidance
- Records and Reports [22].

3. How do the Part 11 regulations and predicate rule requirements (in 21 CFR Part 211) apply to the
electronic records created by computerized laboratory systems and the associated printed
chromatograms that are used in drug manufacturing and testing? (posted in 2010)

FDA 2018 Data Integrity and Compliance with CGMP Guidance for Industry Guidance [2]

Question 5. Why is FDA concerned with the use of shared login accounts for computer systems?

Question 13. Why has the FDA cited use of actual samples during “system suitability” or test, prep, or
equilibration runs in warning letters?

Data Integrity in the GCP area come into public consideration in when hundreds of drugs tested in India were
banned from sale in the European Union after French inspectors found flaws in clinical trials conducted by
GVK Biosciences, a company based in Hyderabad. GVK Biosciences is a "contract research organization" -
essentially a subcontractor hired to conduct research for the medical industry. In May 2014, the French
investigators examined nine bioequivalence trials (which are used to compare generics with brand name
drugs) conducted by GVK Biosciences and discovered that some employees had regularly swapped
electrocardiogram (ECG) results of patients and healthy individuals. In January 2015 the EMA recommended
that the authorization of many generic drugs tested by GVK Biosciences be suspended. Out of 1,000 drugs
that the EMA examined, some 300 were found to have other supporting data but 700 were listed for removal.

2.2 The Cost of Non-Compliance

Risk management is one of the requirements for the pharmaceutical industry following the publication of the
FDA’s GMPs for the 21st Century [23, 24] and ICH Q9 on Quality Risk Management [25] which is currently
under revision by ICH at step 2 [26]. How much work is required in a regulated laboratory is dependent on a
justified and documented risk assessment that must also be scientifically sound. This discussion can be
summarised as the balance between non-compliance versus the cost of compliance. Each organisation makes
the decision along a spectrum from doing nothing to doing everything that is possible and this determines
how much regulatory and business risk a company wishes to mitigate or carry as well as how much money
the company wishes to spend.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 16 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Figure 9: Understanding the Balance between the Costs of Compliance and Non-Compliance [27]

Cost of Non-
Compliance

Cost of
Compliance

0% % Compliance 100%

Interpretation
Over Time

The left-hand vertical axis of Figure 9 is the cost of non-compliance and the right-hand axis the cost of
compliance. The cost of non-compliance axis is much bigger than the cost of compliance axis. One viewpoint
is that one axis is logarithmic and the other linear, guess which one is linear? This is one of the balances to
consider, the right-hand side shows the cost of doing it right first time and the left-hand side is the cost of
getting caught. Fixing a regulatory problem that has been identified in a warning letter is always more
expensive than doing the right job first time or finding a problem and fixing it yourself. If any reader is in
doubt about the cost of non-compliance for data integrity violations, I suggest that you read a consent decree
such as that for Ranbaxy. Here, the cost of non-compliance can be quantified as hundreds of millions of
dollars.

In Figure 9 the horizontal axis is the percentage of compliance from 0 to 100%. The only fixed points are at
the ends of the scale where 0% is where no control of the process or system and 100% where anything that
can be compliant is compliant. In between is a relative scale of compliance. The major point to note is that
this scale is not fixed but moves as indicated by the arrow at the bottom of the figure. But the direction of
movement is only one way and that is to the right! To understand this point, consider the situation with data
integrity.

When a company receives an FDA warning letter there are several consequences, many of which will result in
additional costs that we have not covered yet.

 Reactive Compliance Approach: Laboratories and other operations that have a reactive
compliance approach, summarised as wait until a non-compliance is found and then fix it, will find
that the exponential cost of remediation action now makes this approach extremely expensive,
dangerous and foolish as seen in Figure 9. A proactive compliance approach of do it right first time is
the only way to work now.
 Regulatory Credibility: A company’s regulatory credibility is lost, not just with the FDA, but with
global regulators as inspection information is shared under mutual recognition agreements. For
example, when FDA places a foreign company on import alert Health Canada frequently follows suit
even if they have not been involved with the inspection. The result will be increased scrutiny during
subsequent inspections from all authorities and slow down the NDA review significantly, extending

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 17 of 96
GMP, GCP and GDP Data Governance and Data Integrity

the time to market by months to years. This means ensuring that the organisation is in a state of
constant inspection readiness. For serial offenders, there is an option of a consent decree of
permanent injunction that binds the company to be compliant with the regulations in perpetuity and
that also may be associated with large fines [28].
 Informing Your Sponsors: Even worse is the situation with a Contract Organisation (CRO or
CMO). Here one lucky individual draws the short straw to phone all sponsors to inform them of their
regulatory failings. A task guaranteed to raise any individual’s blood pressure and a consequence of a
poor inspection report may lead to a loss of business with existing and potential sponsors.

2.3 A Comprehensive Remediation Plan

Most warning letters require comprehensive CAPA plans with very similar wording, e.g.:

A comprehensive, independent assessment and corrective action and preventive action (CAPA) plan
for computer system security and integrity. Include a report that identifies vulnerabilities in the design
and controls. Also include appropriate remediations for each of your laboratory computer systems.
This should include but not be limited to……

Let us analyse this single paragraph in some detail:

 Comprehensive: An extremely detailed and extensive report is required. Some of the words and
phrases used to describe the remedial action required include describe in detail, strict on-going
control, enhanced, comprehensive review, etc. This plan is not going to be written on the back of an
envelope. Neither will it be cheap.
 Independent assessment: The work must be led and conducted by an external consulting
company with the extensive knowledge of data integrity, regulations and computerised systems. It
will also require much input from laboratory staff which will slow down analytical work whilst trying to
assess and remediate processes, systems and documentation. A consulting opportunity.
 Computer security and integrity: Each computerised system in the laboratory needs to be
assessed from the perspectives of unique user identities, password use, user roles with associated
access privileges that avoid conflicts of interest and application configuration to ensure protection of
electronic records.
 Vulnerabilities in design and controls: Data process mapping needs to be conducted on all
systems. For each workflow in a system the records generated need to be identified, the controls in
place (assuming that there are some) and the data vulnerabilities noted. Data process mapping is an
iterative process involving a facilitator and subject matter experts from the laboratory and where
appropriate IT in the first instance. It does not state how many instruments or computerised systems
are in either laboratory but for a medium sized laboratory there might be 10 – 25 instruments.

Share Price Impact: Information about a warning letter or even a possibility of one can result may result
in a fall in the company share price. For example, on 15th February 2019 the shares of Dr Reddy’s
Laboratories nosedived nearly 29% in a morning on the Bombay Stock Exchange before ending the day over
4% lower than its previous close. This was due to the fear of a further FDA warning letter for the company.
Here management need to think about their share options and if they are worth anything.

2.4 Summary of Data integrity issues arising from Regulatory experience

Currently data integrity is a major concern within all regulatory agencies in all GxP disciplines. Although
falsification and fraud make the headlines it is in a minority of cases. The main data integrity issues are due
to poor management leadership, poor contractual agreements and poor data management practices such as
reliance on paper as raw data where this is not sufficient, poor training (specifically for data integrity), failure

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 18 of 96
GMP, GCP and GDP Data Governance and Data Integrity

to configure systems correctly to protect records, failure to validate the system for intended use, failure to
back up records, and ineffective internal audits.

A summary of FDA warning letter citations pertaining to data integrity can be seen in Figure 10, the majority
of the citations can be classified into three areas:

 Equipment: 21 CFR 211.68(b)

 Laboratory Controls: 21 CFR 211.160 – 165
 Laboratory Records: 21 CFR 211.194 (a) – (e)

Figure 10: A Summary of FDA Warning Letter Citations for Lack of Laboratory Data Integrity [29]

Quality  Senior & line management responsible

Management  QMS not robust
System  Internal audit failure
Citations  All lab data questioned

Automatic &
Laboratory Laboratory
Electronic
Controls Records
Equipment
Citations Citations
Citations
§211.160 – 165 §211.194 a – e
§211.68(b)

 Shared user identities:  Unofficial testing  Audit trail turned off

for both CDS & Windows  Work not  Audit trail not reviewed
 No lock out of the OS contemporaneously  Trial / test injections to
 Inappropriate user documented determine if batch passed
access privileges  Overwriting of data  Complete data not
 No separation of system  Removal of available
administrator functions instruments / CDS  Reintegration to pass
 No backup procedure during inspection  No saving of the
 Data deleted  Requires computer life processing method
 Data lost cycle SOP  Deletion of data
 Data not consistently  Falsification of sample
archived to network weights
server  No standard / solution
 No SOP for management preparation details
of raw data files  Lack of batch information
 No CDS software to  Signature of tester omitted
rerun data  Signature of reviewer
 Impact of numerous omitted
power outages not
investigated

However, the regulatory focus has widened over time and now includes CROs. The Texas CRO Cetero went
bankrupt after the FDA discovered in 2010 that 1,900 instances over a 5-year period in which lab workers
reported results that didn't exist [30-32]. Issues like this one have supported the strengthening of data
integrity aspects in the regulations including ICH E6 R2 for Good Clinical Practices [12]..

2.5 Poor Practices versus Falsification

Although data falsification, which has mainly focused in laboratory analysis and clinical trials, is a major issue
with data integrity it constitutes only about 5% of the regulatory citations. The remainder of data integrity
problems are caused by companies having poor data management practices. We consider both of these
areas in this section.

2.5.1 Data Falsification

Data falsification and fraud in the laboratory is essentially testing into compliance and is a practice that is
intended to deceive: batches or material are passed as within specification with a combination of the
following activities:

 Recording a result on paper without any corroborating documented evidence

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 19 of 96
GMP, GCP and GDP Data Governance and Data Integrity

 Continuing testing until an acceptable result is obtained that passes. This may be accompanied by
deletion of earlier failed test results or the use of samples as system suitability test injections to see
what the result is before committing the run for analysis
 Copying a passing result file from one batch into a new batch without doing the actual analysis
 Doing an analysis and then calculating what the weight of sample should be to pass and then
fabricating the balance data
 Performing “chromatographic analysis” without any physical chromatographs, merely reintegrating
and printing the same sets of data using a chromatography data system
 Manually integrating chromatograms into compliance by skimming or enhancing peaks of standard
chromatograms but not the sample ones or vice versa

Data falsification and fraud in clinical trials is often conducted for financial benefits by participating
investigators or to cover-up deficiencies in the data collection or processing.

 Inclusion of incorrect or non-existing patients

 Invention of data that were not measured / recorded
 Sharing of user credentials for systems for activities (e.g. signatures) that should only be performed
by a qualified/responsible user.

2.5.2 Poor Data Management Practices

The remaining 95% of data integrity citations are due to poor data management practices. For example,
these can include:

Attributable  Failure to sign the results as a tester

 Failure to review and sign the results documentation package as a reviewer
 Saving money on user licences and sharing accounts so that an individual
performing work cannot be identified
 Generic shared user accounts
Legible  Using standalone workstations that are not connected to a network
 Failing to back up electronic records
Contemporaneous  Pre-dating/back-dating records
Original  Using an analytical balance without an attached printer and just recording
measurements by observation
 Defining raw data as paper when using a computerised system either in a
hybrid or electronic mode
 Deleting electronic records
Accurate  Lack of complete data
 Using an analytical balance without an attached printer and just recording
measurements by observation
 Defining raw data as paper when using a computerised system either in a
hybrid or electronic mode
Complete  Not to include incomplete records
Consistent  Referencing missing attachments
Enduring  Using thermal paper without attached true copy
Available  Records are archived in a way that it takes more than 24 hours to retrieve
them

Further information on regulatory citations can be seen on the FDA’s web site. All form 483 observations
from all of the FDA inspections are collated and published each fiscal year by the Office of Regulatory Affairs.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 20 of 96
GMP, GCP and GDP Data Governance and Data Integrity

An FDA web page of Inspections, Compliance, Enforcement, and Criminal Investigations [33] provides a
spreadsheet of all citations made using an FDA software application and made available in an annual
spreadsheet for each FDA fiscal year starting from 2006. However, be prepared:

 Each spreadsheet needs to be carefully reviewed to highlight the area you are interested in as they
contain citations for all areas that the FDA regulates but within each spreadsheet there is a tab for
medical devices, pharmaceutical etc. This way you avoid having to wade through citations dealing
with food, although the Capitol Cake Company warning letter from August 2008 can be a diverting
and surprising source of entertainment.
 When you open the tab dealing with pharmaceutical companies, the citations need to be sorted to
find the area of the CFR you are interested in.
 These spreadsheets are not a comprehensive listing of all inspectional observations as only 483s
prepared using Turbo EIR are included in the listings, therefore data is not comprehensive but give a
representative “snapshot” of compliance or rather non-compliance in the pharmaceutical industry.

Owing to COVID-19 induced measures and fiscal year, structure of the data the following numbers for the
483’s for the year 2020 are influenced by travel restrictions. In particular, the lower numbers are probably not
so much a result of improved situation but due to decreased number of inspections performed.

2.5.3 Manufacturing Records

The area of the CFR that of interest is the section covering batch production and control records or §211.188.
§211.192 covers production record review [34]. §211.188 is divided into two clauses covering the following
topics:

 (a) Accurate reproduction

 (b) Documentation

The phrases “complete information” applies to §211.188 (and so to §211.192) and “complete records” is a
consistent requirement for the §211.188. In addition, EU GMP Part I Chapter 4 and 4.20 [35], Part II chapter
6 and 6.5 [36], and Annex 11 have similar requirements [37].

Table 1: Number of All FDA 483 Citations for §211.188 and §211.192 Non-Compliances 2006 – 2016

CFR Section Topic

2006

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

2017

2018

2019

2020

Total (%)

§211.188+ All Batch 204 181 147 154 170 152 137 114 74 112 102 117 93 123 54 1934
§211.188(a)+ production (100%)
§211.188(b) and control
records
§211.188 Batch 60 47 42 66 61 61 56 56 43 56 31 51 26 46 16 718 (37%)
production
and control
records
§211.188(a) Accurate 12 15 4 4 8 4 4 2 0 4 9 13 7 8 3 97 (5%)
reproduction

§211.188(b) Documentati 132 119 101 84 101 87 77 56 31 52 62 53 60 69 35 1119 (58%)

on

§211.192 Production 231 207 181 235 252 299 233 239 209 250 227 193 201 264 128 3349
record review (100%)

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 21 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Note to the table: Percentage figures are rounded to the nearest whole number which accounts for 66 and
being equivalent to 4% of the citations

Table 1 presents eleven FDA fiscal years of 483 observations from the downloaded spreadsheets 2006 - 2016
for the number of citations against the clauses in §211.188 and §211.192.

 There was a total of 1934 citations against any clause of §211.188 over the eleven years, with the
number of citations for non-compliances in any one year ranging from 54 to 204.
 There was a total of 3349 citations against any clause of §211.192 over the eleven years, with the
number of citations for non-compliances in any one year ranging from 128 to 299.
 However, the distribution of the non-compliances per clause was more interesting. The clear area
where there were the most problems was §211.188(b) documentation which constitutes 58% of the
non-compliances.
 Also, the review of the records exhibits 1/3 more observations for the review than for the records
themselves. There is no obvious connection between the observations per year, min/max does not
seem to be connected.
 There is no obvious trend or standardization to be seen. However, there is also no indication that it is
going to be better or worse.
 When interpreting the data in the table one needs to consider that the mix of citations does probably
not fully reflect the market composition of small and big companies.

A further analysis of the data within the data shows that three of the major causes of regulatory citations in
this area are:

 Failure to identify the test method used adequately

 Failure to record sample weights taken during the analysis
 Failure to have the initials of signature of the reviewer

In essence, these citations are a fundamental failure of either the tester or the reviewer to do their respective
jobs correctly and contrast with the FDA focus on “data integrity” as documented in the scope of the
laboratory audit (objective 3) of the Compliance Policy Guide 7346.832 on pre-approval inspections [18].

2.5.4 Laboratory Records

The area of the CFR that of interest is the section covering laboratory records or §211.194 [34]. §211.194 is
divided into five clauses covering the following topics:

 (a) Testing Records

 (b) Test Method Modification Records
 (c) Reagents & Standards Testing Records
 (d) Laboratory Equipment Calibration Records
 (e) Stability Testing Records

The phrases “complete data” applies to §211.194(a) and “complete records” is a consistent requirement for
the remaining clauses of §211.194 from sub sections (b) to (e) inclusive. In addition, EU GMP Chapter 6,
6.16 and 6.17 [38], and Annex 11 [37] have similar requirements.

Complete data and raw data are essentially the same terms and for computerised systems includes review of
audit trail entries regardless if the system is used as a hybrid or electronic application. The focus of an audit
trail review for second person review should be a review by exception, if the application supports this
approach [3]. Review by exception, a risk-based approach to data integrity, is to only review applicable audit
trail entries of there are GMP-relevant modifications or deletions that are notified by the system to the

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 22 of 96
GMP, GCP and GDP Data Governance and Data Integrity

reviewer. The way this function works can be colour coding data, check boxes or annotations, etc.
Regardless of the approach taken by a supplier, to be able to use a review by exception approach a company
must:

 Specify the function in a user requirements specification

 Document any application configuration
 Verify that the function works correctly in the user acceptance testing (Performance Qualification)
phase
 Ensure that the configuration settings are unaltered though routine data integrity audits and / or
periodic reviews

Table 2: Number of All FDA 483 Citations for §211.194 Non-Compliances 2006 – 2020

Table 2 presents fifteen FDA fiscal years of 483 observations from the downloaded spreadsheets 2006 - 2020
for the number of citations against the clauses in §211.194.

 There was a total of 1647 citations against any clause of §211.194 over the eleven years, with the
number of citations for non-compliances in any one year ranging from 54 to 145.
 However, the distribution of the non-compliances per clause was more interesting. The clear area
where there were the most problems was §211.194(a) testing records which constitutes 80% of the
non-compliances.
 When interpreting the data in the table one needs to consider that the mix of citations probably does
not fully reflect the market composition of small and big companies.

A further analysis of the data within the various sub-clauses of §211.194(a) shows that three of the major
causes of regulatory citations in this area are:

 Failure to identify the test method used adequately

 Failure to record sample weights taken during the analysis
 Failure to have the initials of signature of the reviewer

In essence, these citations are a fundamental failure of either the tester or the reviewer to do their respective
jobs correctly and contrast with the FDA focus on “data integrity” as documented in the scope of the data
integrity audit (objective 3) of the Compliance Policy Guide 7346.832 on pre-approval inspections [18].

2.5.5 Clinical Trial Records

In general, all processes and systems associated to the conduct of clinical trials must aim at the protection of
the Subjects health and well-being and data integrity. After all, the data collected during clinical trials form

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 23 of 96
GMP, GCP and GDP Data Governance and Data Integrity

the basis for a subsequent market authorization by the regulatory authorities. It should be understood that all
manufacturing activities for medicinal products used in clinical trials have to comply with GMP regulatory
expectations, like on-going stability assessment of IMPs.

In GCP the Term “Source data” is used instead of “Raw Data”. Source data in the GCP environment is “All
information in original records and certified copies of original records of clinical findings, observations, or
other activities in a clinical trial necessary for the reconstruction and evaluation of the trial [12].”

The investigator is responsible for the completeness and accuracy of the source data, however, Sponsors and
CROs are checking the data integrity of the source data and the data recorded in the relevant system on an
ongoing basis during the clinical trial. This includes Source Data Verification by monitors as well as continuous
remote monitoring and review for patterns that might indicate a data integrity problem.

FDA Warning letters are not as frequent as for Manufacturing operations, but 11 Warning Letters to sponsors
were published on the FDA webpage during the years 2010-2019. Warning letters to investigators are more
frequent, 61 have been issued in the same timeframe.

Almost all warning letters have a relationship to Data Integrity as findings include for example:

 Failure to ensure proper monitoring of the clinical investigations

 Failure to secure investigator compliance with the investigational plan and applicable FDA regulations
(21 CFR 312.50; 312.56(a))
 Failure to maintain adequate records showing the receipt, shipment or other disposition of an
investigational drug (21 CFR 312.57(a))
 Failure to maintain adequate records of the disposition of the drug, including dates, quantity, and use
by subjects (21 CFR 312.62(a))
 Failure to maintain adequate and accurate case histories that record all observations and other data
pertinent to the investigation on each individual administered the investigational drug or employed as
a control in the investigation (21 CFR 312.62(b))
 Failure to retain records required to be maintained under 21 CFR Part 312 (21 CFR 312.62(c))
 Failure to ensure proper monitoring of the clinical investigations (21 CFR 312.50; 312.56(a))
 Failure to review and evaluate the evidence relating to the safety and effectiveness of the drug as it is
obtained from the investigator (21 CFR 312.56(c))
 Failure to maintain adequate and accurate case histories that record all observations and other data
pertinent to the investigation on each individual administered the investigational drug or employed as
a control in the investigation (21 CFR 312.62(b))
 Repeated or deliberate submission to FDA or to the sponsor false information in any required report
(21 CFR 312.70(a)) [39].

While no direct finding has been issued for the validation of the computerized systems that support almost all
clinical processes nowadays, it is quite clear that the adequate validation as well as process adherence by all
parties involved is critical to the success and the trustworthiness of any clinical trial.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 24 of 96
GMP, GCP and GDP Data Governance and Data Integrity

3 Regulatory References, Guidance and Requirements

An overview of regulatory guidance that is available for GMP environments is shown in Figure 11.

Figure 11: Overview of Data Integrity Guidance from Regulatory Authorities

Data Integrity
Guidance

Food and Drug Industry

European World Health
Administration PIC/S Guidance
Regulators Organisation
Documents

Good Practices
CPG 7346.832 Guidance on PDA TR80 ECA APIC
Inspection of MHRA EMA for Data GAMP
Pre‐Approval Good Data and Lab DI DI & DG v2 Practical Risk
Pharmaceutical GMP DI Q&A: Management and Records &
Inspections Record Management 2018 Based Guide
QC Laboratories Guidances GMP D I Integrity Data Integrity
2012, 2019 & Management System (V3 in for DI
1993 2015 2016 Draft 2: 2016 2017
2022 Practices 2016 2018 preparation) 2019
Draft 3: 2018

MHRA EMA GCP Guideline on

Data Integrity Good Practices GAMP GPG
Level 2 Guidance GXP DI Computer Data Integrity Not shown are DI guidance documents issued by:
and cGMP for Data 1. DI Key
on the FDA Web Guidance systems & 2021 Russia 2018,
Compliance Management and Concepts
Site 2010 Rev 1 e‐data draft (Poor but China 2020,
2018 Integrity 2. Manufacturing
2018 2021 replaces 2016 OECD GLP Number 22 2021 (MHRA for GLP!)
Final 2021 3. DI by Design
version)

3.1 MHRA (UK) GMP Data Integrity Initiatives

The MHRA (Medicines and Healthcare products Regulatory Agency) has been involved with data integrity
since December 2013 when they announced on their web site [40] that stating from January 2014:

The MHRA is setting an expectation that pharmaceutical manufacturers, importers and contract
laboratories, as part of their self-inspection programme must review the effectiveness of their
governance systems to ensure data integrity and traceability.

This was an extension of self-inspections (internal audits) that needs to be carried out under Chapter 9 of EU
GMP [5]. However, in addition to the pharmaceutical company itself it was also an expectation that the data
integrity of a company’s suppliers (e.g. API suppliers, contract manufacturing and contract laboratories, etc.)
were included in these assessments as well.

In March 2014, the MHRA wrote to suppliers of chromatography data systems to request a copy of their
software and documentation to understand how each system worked. The indirect message was to
understand how data can be falsified using a specific CDS application. The next month, MHRA and other
European inspectors received training in data integrity from one of the trainers to the FDA on the subject. In
January 2015, MHRA released a GMP guidance for industry on data integrity [41], after industry feedback
MHRA issued a revised version in 2015 [42], a draft GXP guidance was issued for comment in 2016 and
finalised in 2018 [43].

The GXP guidance document consists of three pages of discussion about various data integrity topics followed
by 13 pages of definitions with meaning and regulatory expectations [43].

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 25 of 96
GMP, GCP and GDP Data Governance and Data Integrity

The main concepts introduced in this guidance are:

 Data governance
 Data lifecycle
 Design of systems
 Definitions and regulatory expectations

In presenting the definitions, there is no logic of the order and the raw data definition is wrong as it only
refers to original observations rather than original observations and activities necessary to reconstruct the
report of the regulated activity [43]. This incorrect definition is repeated in the PIC/S PI-041 guidance as well
[3]. The reason is that raw data is a GLP term and encapsulates all data generated throughout a study [44,
45]

In addition MHRA and FDA have published in June 2020 a joint paper on ‘Data integrity in global clinical
trials’] [46].

3.2 WHO Guidance on Good Data and Records Management Practices

In 2016 the WHO issued a guidance document on Good Data and Records Management Practices [47] was
published and replaced by awful “Guideline on Data Integrity” issued on April 2021 (Annex 4 of WHO TRS
1033) [48].

The main sections of the 2016 WHO guidance [47] are:

 Introduction and Background
 Data Governance
 Quality Risk Management
 Management Review
 Outsourcing
 Training
 Data, Data Transfer and Data Processing
 Good Documentation Practices
 Computerized Systems
 Data Review and Approval
 Corrective and Preventive Actions

Holistically, the 2016 guidance has a greater scope that is covered in more depth than any other regulatory
guidance on data integrity especially for definition of the ALCOA criteria [47]. There is much good advice that
can be used within the regulated laboratory regardless if GMP, GDP, GCP or GLP is applicable. Other chapters
in this guide cover data governance, data integrity audits and issues of poor data management practice or
falsification.

A Data Integrity Risk Management is highly recommended with an holistic approach to identify and control
data integrity issues. This should take into account the different factors from the infrastructure, the
technology of the system, the interconnection / interface, the users to the top management role for data
integrity culture.

3.3 FDA Guidance on Data Integrity and Compliance with CGMP

In 2018 the FDA released a Guidance [2] document emphasizing on flexible and risk-based strategies to
prevent and detect data integrity issues. As usual with FDA guidance documents it describes the Agency’s
current thinking on the DI topic.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 26 of 96
GMP, GCP and GDP Data Governance and Data Integrity

The FDA guidance is unlike those from the WHO and MHRA guidance documents [47] [43] in that it is
presented in the format of 18 questions and answers. The FDA document does not have the more
encompassing scope of the MHRA and WHO guidance documents that consider topics such as data
governance, the role of management and the extension of data integrity to an organisation’s suppliers.
Instead, the FDA guidance is complimentary and is entirely focussed on interpretation of the 21 CFR 211
regulations for current Good Manufacturing Practice for specifically to ensure the integrity of data generated
in pharmaceutical manufacturing [34]. The problem with US regulations, unlike those in the European Union,
is that (with one exception) they have not been updated since 1978. As such there is no explicit reference
that is specific for ensuring the integrity of data – it is the interpretation of the regulations that is the key. As
a result, there are multiple references to the different sections of 21 CFR 211 to support the 18 questions.

Of particular interest is question 1e which illustrates the “current” in cGMP [49]. Backup is now interpreted
by the FDA as long-term archive for records retention rather than simply creating a copy of records on tape or
disk for disaster recovery purposes.

 Static versus Dynamic Data: Question 1d talks about static and dynamic data which are perhaps
not the best of terms to use. Static data is typically discrete values such as temperature and pH that
cannot be interpreted or as the guidance mentions a paper printout or image. In contrast, dynamic
data requires human interpretation or processing such as chromatography or spectroscopic data files
and this type of data is of major concern to the FDA and other regulators for manipulating data and
testing to pass.

 Q4 and Q5: Access to Computerised Systems: In short, there must not be any generic or
shared log-on accounts for access to a computerised system as each person must be uniquely
identified and their actions within a system tracked and audit trailed. User types need to be
established that separate administrator privileges from those involved with generating, processing
and reviewing data. Ideally an independent function, typically the IT department need to control the
administration rather than the laboratory. However, with standalone systems this may be impossible
to achieve and therefore as noted in the MHRA GMP and OECD GLP data integrity guidances [43,
50]an alternative option may be for a laboratory user to have two user types. The first would be as
an administrator with no user access rights and the second as a user with no administrator privileges
to avoid conflict of interest.

In the laboratory it is possible to convert static data such as a sample weight into dynamic data by
manually entering it into a computerised system such as a CDS or LIMS. If an error was made in the
entry the error must be corrected: static data are now dynamic [51]

The FDA guidance and EU GMP Annex 11 §12.3 also recommends maintaining a list of authorised
individuals with their access privileges [2, 37]. This should cover both current and historical users of
a system. In case you think this is an FDA rabbit out of the hat, this has been the stated Agency
position since 2007. It is contained in the guidance for industry on Computerised Systems Used in
Clinical Investigations [52] under Recommendations, Section E on External security safeguards:

You should maintain a cumulative record that indicates, for any point in time, the names of
authorized personnel, their titles, and a description of their access privileges.

This is good advice as it allows quality assurance, auditors or inspectors to see at any point in time
the access privileges that any individual has had for a system e.g. trainee, analyst or supervisor.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 27 of 96
GMP, GCP and GDP Data Governance and Data Integrity

 Q12 & Q2: When Do Data Become a GMP Record and Can I Exclude GMP Data? Now we
come to probably the most contentious part of the FDA Guidance: Question 12. At the beginning of
Q12 is a simple statement of fact:

When generated to satisfy a GMP requirement, all data become a GMP record.

This is simply a confirmation and restatement of the GMP requirement in 21 CFR 211.194(a) for
complete data secured in the course of testing [34] and complete information for production records
in 21 CFR 211.188. The guidance then continues:

You must document at the time, or save, the data at the time of performance to create a record in
compliance with GMP requirements ….. FDA expects processes to be designed so that quality data
required to be created and maintained cannot be modified.

For example, chromatograms should be sent to long-term storage (archiving or permanent record)
upon run completion instead of at the end of a day’s runs.

There is a problem here, if a spectroscopy or chromatography file cannot be modified how can we
interpret it? Perhaps what is meant is that the data or the computer file created cannot be changed
but the data contained within it can be interpreted? The requirement about removing
chromatograms immediately to long term storage is not practicable. I appreciate what the Agency is
trying to achieve – to ensure that electronic records generated by data systems of all types are
protected especially for standalone systems that do not have databases. This actually reflects on how
instrument suppliers design and laboratories select data systems that are sub-standard for regulated
laboratories. To put this into perspective, virtually all software currently in use in laboratories was
designed before the current focus on data integrity.

For too long laboratories have accepted spectroscopic applications running on standalone
workstations that generate data files that are stored in directories in the operating system. Quite
simply, these systems are not fit for use in a regulated environment. To illustrate this point,
McDowall and Burgess recently wrote a series of four papers describing the ideal chromatography
data system (CDS) for regulated GxP laboratories in LC-GC North America [53-56]. Although
focussed on CDS, most of the principles and recommendations outlined in these papers are also
applicable to spectroscopic data systems. In the part on system architecture [54] the point was made
that standalone workstations and using directories in the operating system for file storage were not fit
for purpose. Instead data must be acquired directly to network storage and that all data systems
must use a database. In these ways the intent of the FDA’s requirement would be met but in a more
practical way. Correctly designed data systems are the main way laboratories will comply with the
protection of records other than implementing a scientific data management system (SDMS). Not
using a database means to mimic the functionality procedurally with much more effort and risk.

Question 12 progresses through the next statement in the document for paper records, which must
have been copied verbatim from a GxP documentation class 101. However as judging from the
citations in many warning letters there appear to be usage of temporary scraps of paper in regulated
laboratories that necessitated the statement;

It is not acceptable to record data on pieces of paper that will be discarded after transcription into a
permanent laboratory notebook

There then follows the electronic equivalent which is more contentious:

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 28 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Similarly, it is not acceptable to store data electronically in temporary storage, in a manner that allows
for manipulation, before creating a permanent record. Electronic data that are automatically saved
into temporary memory do not meet cGMP documentation or retention requirements

This section has probably caused more discussion than any other in the whole data integrity
guidance. Obviously, the Agency does not want people taking a file then interpreting it multiple times
without saving it as this is testing or rather over-interpreting into compliance. It is unlikely that the
Agency intended or wanted keystroke loggers on all systems used for regulated analysis. The process
in all data systems should be to automatically save the data first and monitor the interpretation.
However, this is where science and compliance meet, often in a head on collision. The controls
required, especially technical ones rather than procedures need to be designed and implemented. In
some systems, especially those close to research end of the R&D, may be designed with minimal
regulatory compliance controls. There needs to be a fundamental rethink by software suppliers how
their software is designed and operated in compliance with the applicable regulations.

There is a clash between the FDA requirement in Question 12 to keep all electronic records and the
advice offered in Appendix S3 in GAMP 5 second edition [57] which recommends that for simple
calculations all that is needed is the paper printout of a mean and standard deviation. Select your
option carefully here.

Question 2 discusses if GMP data can be excluded from decision making? It notes that:
Any data created as part of a GMP record must be evaluated by the quality unit as part of release
criteria and maintained for GMP purposes. Electronic data generated to fulfil GMP requirements
should include relevant metadata.

The answer is that data (paper, hybrid or electronic) can only be excluded if there is a justified and
documented scientific rationale e.g. out of specification result following a laboratory investigation.

The corollary is that data should not be deleted, even if it is excluded, as this is part of complete data
collected in the course of testing under 21 CFR 211.194(a) [34]. .

 Q3: Does Each Workflow on a Computer System Need Validating?: Yes, is the answer in the
FDA guidance [49]. If a workflow is configured or customised then it needs to be specified, built or
configured in the software and then tested for intended use. So far, so good and the ECA IT Working
Group has no problem with this approach. However, what if you have standard workflows in a
system that you don’t use and can’t turn them off? As the question is written and answered, the data
integrity guidance implies that they all need to be validated which is a compliance overhead and not
in the spirit of a risk-based approach. There is also a clash of FDA guidance documents. There is the
small matter of the 2002 General Principles of Software Validation which states in section 6.1 [58]:

For example, a manufacturer who chooses not to use all the vendor-supplied capabilities of the
software only needs to validate those functions that will be used and for which the manufacturer is
dependent upon the software results as part of production or the quality system.

Or put simply, only validate those software functions you use. However, if you only validate
functions that you use you either have to train users to avoid using non-validated functions or restrict
access using technical controls.

 Q6 Control of Blank Forms: At the back of many procedures in regulated laboratories are blank
forms designed to ensure compliance with the work contained in the SOP and to collect the required
data. Question 6 of the FDA guidance raises the question of how these blank forms should be
controlled [49]. The FDA wants each copy of such form to be uniquely numbered and accounted for.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 29 of 96
GMP, GCP and GDP Data Governance and Data Integrity

This is simply a restatement of their position from the 1993 guidance on Inspection of Pharmaceutical
QC Laboratories [14] as noted in Section 13 on documentation that:

We expect raw laboratory data to be maintained in bound, (not loose or scrap sheets of paper),
books or on analytical sheets for which there is accountability, such as prenumbered sheets.

The requirement for control of blank forms has also been presented in the MHRA, WHO and PIC/S
guidance documents [3, 43, 47]. The rationale for this approach is that uncontrolled blank forms
present an opportunity for data falsification or testing into compliance. An approach to the control of
blank forms is presented in Section 9 in this guidance.

 Importance of the Second Person Review: A problem with the FDA data integrity guidance is
that there is only a focus on audit trail review with Questions 7 and 8 and with Question 16 on the
need for personnel to be trained to detect data integrity issues [49]. As such, the guidance misses
the point and an opportunity. If we are serious about data integrity and compliance with the
regulations, surely the focus both here and in our laboratories should be on a series of questions
covering the second person review of analytical data. As currently written, we are scratching the
surface with simply a focus on a computerised system audit trail (if used) and that people should be
trained to detect poor data management practices

3.4 PIC/S PI-041 Data Integrity Guidance

In July 2021 the PIC/S Working Group on Data Integrity has published a guidance document on Good
Practices for Data Management and Integrity in Regulated GMP/GDP Environments [3]. It sets out basic
expectations for good data governance and refers to the influence of organisational behaviour and global
supply chain challenges. The aim of this document is to develop a guidance for Health Authority Inspectors.
The PIC/S guidance details the various deficiencies linked to data integrity failures that may impact product
quality with risk to patient health. The rationale for another regulatory guidance document on data integrity is
the continued focus of health authorities with numerous issues of data falsification, poor data management
practices and the basic inability of companies globally to comply with GMP regulations.

The final version of PI-041 guidance document is now 63 pages compared with 53 of the 2018 draft. It is
easily the longest regulatory data integrity guidance.

Data Integrity Considerations for Paper Records

Covering approximately 13 pages of the guidance, there is an in-depth treatise of data integrity
considerations for paper records that need for follow GDocP and meet the ALCOA+ criteria. First up, the old
chestnut of control of master templates and blank forms for which there is accountability coupled with a
discussion on the importance of controlling records. Control of blank forms is a basic GMP requirement that is
usually ignored by many laboratories. Control of blank forms is not new and has been required by the FDA
since 1993 and reiterated in the data integrity guidance documents from WHO, MHRA, FDA and now PIC/S
PI-041.

In section 8.4 brings the first of many tables on specific subjects, in this case Expectations for the generation,
distribution and control of record. The table presents:

 Expectation: e.g., all documents should have a unique identifier and uncontrolled documents should
be prohibited
 Potential risk of not meeting expectation: e.g., it is easier to falsify uncontrolled documents
and increases the potential for loss of official records by discarding or destruction.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 30 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Sections 8.5 to 8.7 are tables of basic Good Documentation Practices requirements for paper records
from control of records at point of use, how to complete a record to how to make corrections. These
sections, whilst are basic GMP requirements, the content is the basis for a good training course in
GDocP, all it needs to complete the course are pictures of right and wrong examples. Similarly, second
person review of paper records is covered in Section 8.8; another good source of training material.

The last topic in Section 8.9 reviewed here is direct print-outs from electronic systems such as standalone
analytical balances and pH meters that have printouts of the measurements performed by an analyst. PI-041
notes that the original record should be signed and dated by the person generating the record and
information to ensure traceability (attribution perhaps?). These original records should be attached to batch
processing or testing records [3]. There are a few points that need commenting:

 Older analytical balances and similar instruments may not have the function to have user accounts
and so the analyst must (note, not should) sign or initial and date the printout.
 Newer balances have time and date stamps as well as individual user accounts and passwords; each
printout from the instrument will have the name of the analyst as well as the date and time on it.
 What is surprising is that there is no mention of an instrument log that should be completed in
parallel with the analysis being performed. Logs provide critical correlation of work performed and
are essential for ensuring data integrity [59].

Role of Risk Management

Risk management and its role in data integrity and data governance is covered in Sections 5.3 to 5.5
inclusive. It is the role of risk management to identify systems and processes that create and manage data
that are more critical so that they can be assessed first to identify data vulnerabilities and mitigate them.

Candidates at the front of the queue are processes that are complex, inconsistent or open ended that
generate data are used in product submissions or batch release. Also, manual, paper-based processes can be
problematical as we shall see later. Ideally, short-term remediation (mainly procedural with some simple
technical fixes) should be applied for quick fixes with longer term solutions implemented (automation with
technical controls) to have a process or system to ensure data integrity.

Organisational Influences on Data Integrity

The scope of Section 6 covers some critical areas for data integrity:

 Setting expectations for staff ethics and behaviour with respect to recording, interpreting, calculating
and reporting data that are clearly communicated to all
 Management need to ensure that staff are aware of the
 Unacceptable behaviours must be identified, documented in policies and communicated clearly to
staff along with the range of company actions if they commit unacceptable behaviour
 Quality culture is the responsibility of management to establish and foster. In my view this is the
most difficult part of any data integrity programme and requires management to lead by example

Section 6.4 deals with modernizing the PQS so that it is able to detect and correct weaknesses that could lead
to data integrity lapses. Particular areas for a laboratory are second person review, quality oversight and the
purchase of instrumentation and systems to ensure data integrity [3].

Role of the PQS in Controlling Computerised Systems

To ensure overarching control of computerised systems and the processes automated by them, the
Pharmaceutical Quality System (PQS) needs to ensure the following:

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 31 of 96
GMP, GCP and GDP Data Governance and Data Integrity

 Evaluate and control computerised systems to meet GMP regulations (essentially Chapter 4 and
Annex 11)
 Ensure that a system meets it’s intended purpose
 Know the data integrity risks and vulnerabilities of each system and manage them.
 Know the impact each system has on product quality and the criticality of the system
 Ensure that data generated by a system is protected from accidental and deliberate manipulation
 Assess that suppliers of computerised systems have an adequate understanding of applicable
regulations and this is reflected in the applications that they market
 Assessment of the criticality and risks to the data and metadata generated by each system. Data
process mapping is one way to understand how the system operates, the metadata used to acquire
and manipulate data, how the data are stored and the access allowed to each user role.

System Security and Access Control

Section 9.5 covers 5 pages setting the expectations for system security, appropriate access to user functions,
configuration to ensure data integrity, network protection and restrictions on use of USB devices [3].

Strict segregation of duties is essential so that administrators are independent of laboratory users, which is
reflected in several other regulatory guidances. However, one of the common questions that arises during
training is if a laboratory has a standalone system with only a few users, how should this be achieved. The
PIC/S guidance recognizes that this is a potential problem for smaller organisations and suggests that a user
can have either two user identities or roles:

 An administrator with no user functions

 A user with no administrator functions.

There are many security expectations that read as a list of system requirements that most users won’t have
read or even bother with during selection of an instrument and its data system. For example, can a system
generate a list of users with user identification and their role? Most networked systems can generate a
similar list but not many standalone systems can as this does not feature on the horizon of supplier
requirements. There is a specific section on the control of USB devices either as sticks or thumb drives but
also cameras, smartphones, etc. This is to ensure that malware is not introduced into an organisation and
devices are not used to copy and manipulate data.

Audit Trails Are Critical for Data Integrity

In contrast with the security section, the one for audit trails is shorter which is surprising given how critical an
audit trail is for ensuring traceability of actions and data integrity. The first expectation is that a laboratory
purchases a system with an audit trail. However, there is an alternative option available in EU GMP Annex 11
clause 12.4 that Management systems for data and for documents should be designed to record the identity
of operators entering, changing, confirming or deleting data including date and time [37]. Therefore, if an
application can meet 12.4 requirements, then an audit trail is not required.

The guidance reiterates that proper system selection should ensure that software should have an adequate
audit trail that users must verify the functionality during the validation. Some applications may have more
than one audit trail and it is important to know which ones are important for monitoring changes to data. A
good point is that the guidance suggests looking at entries for changes to data with a focus on anomalous or
unauthorized activities to allow review by exception. Software having more than one audit trail, the review of
any non-critical audit trails can be performed in periodic reviews at longer time intervals.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 32 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Validation of Systems

The traditional approach to validation of a computerised system in a regulated laboratory is once validated no
changes are made. In contrast, in the security section the PIC/S guidance takes a more pragmatic approach
on page 37 and suggests that computerised systems should be updated in a timely manner including security
patches and new application versions. This is good in principle but there needs to be a different mindset
within industry to commit and follow this in practice. For example, it is easier to update an application
incrementally with minor revalidation rather than wait until the application goes out of support and panic as a
full validation and possible data migration project may be required. However, the detail provided here
appears to be more of an inspector’s checklist with little flexibility.

Outsourced Activities

When GMP work is outsourced e.g. API production, contract manufacture or contract analysis the same
principles of data integrity are expected. After an adequate assessment of the facility, technical ability and
approaches to data integrity, requirements for DI and escalation of data integrity issues to contract giver
need to be included in agreements between the two parties as required by Chapter 7 [60].

Regulatory Actions for DI Findings

Section 11 has a section where the various PIC/S regulations and guidance documents are mapped to the
ALCOA+ criteria. Of most use is a classification of data integrity deficiencies in four categories [3].

 Critical: Impact to product with actual or potential risk to patient health

 Major: Impact to product with no risk to patient health
 Major: No impact to product, evidence of moderate failure
 Other: No impact to product, limited evidence of failure

Examples given for each of the above deficiency categories are given to help during inspections. IT may be
prudent to adopt the same approach for classifying DI findings in internal audits or supplier assessments.

Remediation of DI Failures

The last section is guidance of how an organisation should investigate data integrity failures [3]. What the
guidance does not state that a data integrity investigation is a very detailed process and time-consuming
process [1]. It is unlikely that any root cause will be determined at stage of the investigation (interviewing
employees), you need to investigate. Root cause determination comes later when the investigation team has
a complete picture of the extent and depth of the data integrity problems.

In addition to identification of data integrity problems, a data integrity investigation will also identify poor data
management practices. They need to be identified, classified and remediated in parallel as they could be the
source of the next data integrity investigation. These will also be included in the data investigation report.

Some of the outcomes of an investigation could be:

 Data in a product license submission are falsified

 Data manipulation resulting in a risk to patient health necessitating a batch recall

Section 12 ends with a discussion on the indicators of improvement following an on-site inspection to verify
that the CAPA actions have been effective. Indicators of improvement are listed as:

 A thorough and open investigation of the issue and implementing effective CAPA actions
 Open communications with clients and other regulators

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 33 of 96
GMP, GCP and GDP Data Governance and Data Integrity

 Evidence of open communication of the DI expectations and processes for open reporting of issues
and opportunities for improvement across the organisation
 Resolution of the DI violations and remediation of computerised system vulnerabilities
 Implementation of data integrity policies with effective training
 Implementation of routine data verification practices

Ensure that DI principles are infused throughout the organisation, the PQS, computerised systems and staff
are trained in the DI policies. The effort and cost along with loss of reputation with regulatory authorities is
not worth any efforts to save money. The cost of non-compliance is always much more expensive than the
cost of compliance.

3.5 OECD 22 Advisory Document of the Working Party on Good Laboratory Practice
on GLP Data Integrity

In summer 2021, the series of available Data Integrity Guidelines has grown with OECD Document No. 22
[50] in the GLP sector. Its draft was still heavily based on the MHRA Guideline (2018), the final version hardly
so. OECD 22 (net 20 pages) can be seen as a clarification of OECD 17 on computerised systems published in
2016 [61]. Compared to the final PIC/S 041 Guideline (63 pages), which is the guideline for the GMDP sector,
the scope and level of detail of OECD 22 is significantly lower.

The Guideline is logically organized, with guidance on all the important elements of data integrity to be
followed in a test facility. Chapter 3 discusses in detail the various definitions commonly used in the field of
data integrity (including raw data) and the data formats "static" and "dynamic", respectively, analogous to
FDA and WHO guidelines. The document specifically and extensively (chapters 4 and 5) addresses the various
roles important for GLP testing and their responsibilities for data integrity; however, there is only a very short
section on data governance. Only a regular review of the data governance activities is required, without
further details. In 3.6, manual data entry into an electronic system is given as a practical example of a hybrid
system.

On the subject of "electronic signature" (Chapter 3.3), OECD 22 refers to the national regulations that apply
to electronic signatures; unfortunately, depending on the country, this could lead to considerable additional
work (compared with the GMP requirements for electronic signatures). It is clarified that electronically signed
documents are to be considered as dynamic data/records [50].

The topic of "risk management" is given a lot of space in the document; in numerous sections, especially in
chapter 5, the expectations for the various risk assessments, the composition of the teams as well as
corrective measures and necessary communication are discussed.

Controlled blank forms (pre-numbered sheets), which are to be output and reviewed by QA in a controlled
manner, are required here - just as they are now required by all other Data Integrity Guidelines.

Section 6.12 deals with the sequential input of data before it is stored and recommends an automatic
mechanism to ensure data integrity. Sections 6.13 and 7.2 are devoted to the audit trail and its review: as in
other guidelines, the audit trail must not be able to be switched off, or it must be possible to determine that it
has been switched off in the audit trail itself. For the review, sufficient expertise and access to the system are
required; a "review by exception" is permitted [50].

It should not go unmentioned that the use of e-mail systems (for example for the verification of GLP
activities) is surprisingly also considered (chapter 6.14). However, the lack of possibility to validate such
systems or alternatives to email are not addressed.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 34 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Summary: OECD 22 is a comprehensive, well-written, fluently readable guide to data integrity in the GLP
field.

3.6 EMA Notice to sponsors on validation and qualification of computerised systems

used in clinical trials

In April 2020 the EMA published this notice that was triggered by recent inspection findings, to clarify the
regulatory expectations for the validation of outsourced GCP systems [62]. It again made it clear that “the
ultimate responsibility with regards to the clinical trial conduct — in particular related to the safety of subjects
and the integrity, reliability and robustness of the data generated in the clinical trial — remains with the
sponsor” and that “Data integrity, reliability and robustness will depend on the design and the validation
status of the computerised systems used”. As a consequence, it is stated that “the sponsor is ultimately
responsible for the validation of the computerised system and for providing adequate documented evidence
on the validation process”.

In practical terms this means that Sponsors cannot outsource the validation of regulated systems including
SaaS and cloud-based systems. Outsourcing the system and relaying on more or less frequent audits by the
sponsor is not acceptable to the regulators and they will not accept being send to a technology provider for
the review of the validation documentation. “Sponsors shall be able to provide the GCP inspectors of the
EU/EEA authorities with access to the requested documentation regarding the qualification and validation of
computerised systems irrespective of who performed these activities [62].”

3.7 EMA Draft Guideline on computerised systems and electronic data in clinical trials

The GCP Inspectors Working Group of the EMA published in June 2021 the draft "Guideline on computerised
systems and electronic data in clinical trials" [63]. The 47-page document describes, among other things, the
requirements for data integrity, computer validation and audit trails, including audit trail review.

In addition, the draft document includes five appendices with detailed information on:

 Contracts,
 Computer Validation, and Change Control,
 User Management,
 Security,
 Requirements for specific systems, processes and data, such as Interactive Response Technology
(IRT), Electronic Informed Consent and traceability of all study data.

3.8 ISPE Records and Data Integrity Guides

The International Society of Pharmaceutical Engineering (ISPE) has published a Guide and three Good
Practice Guides (GPG) on the Data Integrity :

ISPE GAMP® Guide: Records and Data Integrity, 2017 [64]

ISPE GAMP® RDI Good Practice Guide: Data Integrity – Key Concepts, 2018 [65]

ISPE GAMP® Data Integrity for Manufacturing Records, 2019 [66]

ISPE GAMP® RDI Good Practice Guide: Data Integrity by Design, 2020 [67]

ISPE GAMP® Good Practice Guide: Validation and Compliance of Computerized GCP Systems and Data (Good
eClinical Practice), 2017 [68]

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 35 of 96
GMP, GCP and GDP Data Governance and Data Integrity

4 Data Governance

4.1 Corporate Management Leadership for Data Governance and Data Integrity

The principles of data integrity are not limited to compliance with regulatory requirements but extend to the
general state of awareness mind set and culture of all staff regarding data integrity and prevention of issues.

The pictorial overview is shown in Figure 1: Overview of the Components of Data Governance mapped to ICH
Q10 Quality Management System Model [69].

This can be achieved by establishing a data governance program within the overall pharmaceutical quality
system focusing on

I. Management Leadership
II. Procedural (Policies): Establishing the general polices and procedural practice for data handling
III. Behavioural (Culture): Introducing/teaching/practicing appropriate organisational behaviour when
handling data
IV. Technical (Process): Having appropriate processes for handling, recording, processing, archiving and
decommissioning of data
V. Assessment and remediation of existing processes and systems for generating, interpreting, reporting
and storing data

It is essential that senior management is engaged in establishing the foundation for data governance by
assuring that policies, training and technical systems are in place. Further, senior manager under the EU GMP
Chapter 1 is responsible for the overall quality system and that includes data integrity.

4.2 Technical Procedures

Figure 12: Data Governance Model; Technical and Procedural Controls for Data Integrity Section

To ensure that general handling of data is aligned with data integrity principles, procedures should be
established and maintained using a Quality Risk Management (QRM) approach.
Recommended policies to be implemented at a corporate level are

1. Data Integrity Policy/Manual

The Data Integrity Quality Policy should state the Company’s Corporate Quality requirements for the custody
and control of company data and information. It is based on industry best practices to meet regulatory
requirements and guidelines. The major reasons for establishing a single quality policy for data integrity are:

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 36 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Ethics Provide rules of conduct to assure data integrity.

Control Provide a standardized framework for management and control of data.
Law Establish accountability, inspection readiness, and compliance with regulatory
authorities.
This policy also:
 Provides to company’s personnel a high level clear and consistent guidance to ensure data integrity
and minimize exposure to risks in a regulated environment.
 Stresses the high degree of importance to data integrity by management.
 Emphasizes management’s involvement in following up on observations and concerns of data integrity
breaches and issues.

2. Ethics Policy
The Ethics Policy should ensure that all employee, conduct themselves ethically at all times and follow
Company’s code of conduct.

This policy defines the company’s requirements for its employee to consistently meet the specific ethical
requirements. The purpose of this policy includes the following:

a. to emphasize the paramount importance of ethics in the performance of all work

b. to obtain every employee’s commitment to the principle that all work shall be performed in a
controlled and documented manner
c. to ensure that every employee consistently meets the specific ethical requirements defined herein

3. Data Integrity Assurance plan/program

This Plan presents the company’s vision and approach for ensuring Data Integrity in computerized systems.
It lists components that require employee participation to ensure high levels of data integrity. Its purpose is
to assist in improving awareness and capability around the issue of data integrity by identifying and
remediating all applicable areas that require data integrity improvements by taking into account the data
criticality (what is the data used for?) and the inherent risk of the data (how complex is the process by which
the data is generated?).

The criticality of data is determined by what the data is used for – examples of highly critical data is critical
process control data, long-term stability data, data to determine batch release decisions and data on clinical
endpoints. Data categorisation practices can be a valuable tool in securing handling of data based on
criticality and in securing resources are spent where they are of most use.

Recommended procedures to be implemented at a corporate level are

1. Good Documentation Practices

2. Quality Management Review (include KPIs for DI)
3. Validation of Computerized Systems
4. System Access (physical and logical)
5. Audit Trail and Review
6. Data Backup and Disaster Recovery
7. DI internal audit

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 37 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Technical policies and procedures should be applicable for

 Both paper and electronic data. The general Good Documentation Practices (GDocP) principles that
apply for paper records should also be established for electronic records (see also 21 CFR Part 11).
 To contract givers (our company) and contract acceptors (CMOs, Contract Laboratories, CROs and
other Service Providers). Contract givers are responsible for the decision making based on data
provided by contract acceptors, while contract acceptors are responsible for establishing data
governance programs to assure reliability of provided data.

4.3 Expected Culture and Behaviours

Figure 13: Data Governance Model; Ethical Culture & Corporate management Practices Section

Quality Culture – Senior management is responsible for providing the environment to establish, maintain and
continually improve the quality culture, providing for the transparent and open reporting of deviations, errors
or omissions at all levels of the organization.

Code of Conduct – Senior management is committed to educating and ensuring adherence to the Code of
Conduct, including honesty and full disclosure in all aspects of data reporting, and disclosure and escalation
when these practices are found not to meet company standards, policies or procedures.

4.4 Maturity Level of the Organization

The data integrity Maturity Level may be used to quantify the degree of intrinsic data integrity and data
governance development of an organisation. It is consisting of an initial assessment, the definition of
improvement measures and periodic re-assessments to monitor the development degree of the organisation
over time.

For any assessment of Data Integrity maturity level, the scope (e.g., site or specific group/function), must be
well defined to avoid confusion and inconsistent results. The data integrity maturity model (refer to e.g. GAMP
DI Guide 2017 [64]) must be used to assess the current state of maturity, and to understand actions for
improvement required to reach the next maturity level. The frequency of the data integrity maturity
assessment is annual unless performance in all maturity areas are level four. In this case, a
site/function/contracted organization may change to assess at a frequency of every two years.
Representatives (Data integrity SMEs) collectively score the performance according to the maturity areas
defined in the Data Integrity Maturity Assessment by assessing the maturity factors within each maturity area
in scope, providing evaluation of:

 Culture
 Governance & Organization
 Strategic planning & Data Integrity program

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 38 of 96
GMP, GCP and GDP Data Governance and Data Integrity

 Regulatory
 Data life cycle and
 Data life cycle supporting processes

The Data Integrity Maturity Assessment provides assessment of maturity factors scoring on a scale from level
1 (undefined, uncontrolled, not monitored or no evidence of) to level 5 (defined policy and established
processes, proactive and continuous improvement).

In the assessment sheet, there are two different scoring types:

1. General score - achieved by the end of the assessment. This is the general level for the
site/function/contracted organization.
2. Maturity area individual score – score given for each maturity area item. This score should be used
to guide which areas or items need improvements and prioritization.

The scoring of each maturity area will depend on meeting all the criteria defined by the level. The general
score is the average of all values given for each maturity area item, rounding up or down

Detailed documented evidence to indicate the reason for the maturity level that is selected is not required.
However, a short comment of justification to support the process of defining improvement actions is
mandatory.

The document should be approved by senior management (e.g. Site Head and Site Quality Head).

4.5 Quality Management System

Figure 14: Data Governance Model; Quality Management System Section

Senior Management is responsible for establishing an effective quality management system with appropriate
use of the Pharmaceutical Quality System (ICH Q10) elements and enablers, including quality risk
management. It should include appropriate organizational structure with adequate segregation of duties,
written policies and procedures (e.g., good documentation practices), key performance indicators (KPI) and
processes to monitor the timely and accurate entry of data (e.g., self-inspection, management reviews), and
systems to enable informed decisions to prevent and detect situations that may impact data integrity.

4.6 Risk Management

Risk management should be applied throughout the lifecycle of the data collection/generation, processing,
analysis, review and reporting, retention and retrieval and destruction taking into account data integrity,
product quality and patient safety; the assessment of risks should include both manual and electronic data
operations. As part of a risk management system, decisions on the extent of validation and data integrity
controls should be based on a justified and documented risk assessment of the computerized system. In
clinical trials an overall process-based risk assessment is mandatory, data integrity and system risks could be

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 39 of 96
GMP, GCP and GDP Data Governance and Data Integrity

identified as part of this risk analysis and followed-up as part of the whole risk management process for the
study.

The inherent risk of data is determined by how the data is generated and recorded. The inherent risk is
depending upon the degree to which data generated by the specific process can be configured and therefore
also potentially manipulated. Simple systems such as pH-meters and balances have a lower inherent risk than
more complex analytical systems such as High Performance Liquid Chromatography (HPLC) systems and Gas
Chromatography (GC) systems. Procedures regarding data handling should take into account both the
criticality and the inherent risk of data generated from the specific system in its specific setting.

The degree of effort and resource applied to the organizational and technical control of data lifecycle
elements should be commensurate with its criticality in terms of impact to product quality attributes as well as
quality (e.g. product release) and GxP decisions. The inherent risks to data integrity may differ depending
upon the degree to which data (or the system generating or using the data) can be configured, and therefore
potentially manipulated.

4.7 Training

Senior Management is committed to ensure training of its personnel in data integrity policies and procedures,
including measures to prevent and detect data integrity issues across the data lifecycle.

Personnel should be trained in data integrity policies and procedures, and agree to abide by them.

Management should ensure personnel (from IT staff to end-users and management) are trained to
understand and distinguish between proper and improper conduct, including deliberate falsification, and
potential consequences. In addition, key personnel, IT staff, including managers, supervisors and quality unit
personnel, must be trained in measures to prevent and detect data integrity issues.

4.8 Roles and Responsibilities

4.8.1 Senior Management

Senior Management should take responsibility for ensuring appropriate data governance program is in place
[2-4, 43, 69]. Elements of management governance should include

 allocating the necessary human and technical resources to ensure and enhance infrastructure for
performing QRM, training, implementation of systems and procedures, internal audits and quality
metrics. Active engagement of management in this manner remediates and reduces pressures and
possible sources of error that may increase data integrity risks
 establishing a quality culture within the company that encourages personnel to be transparent about
failures so that management has an accurate understanding of risks and can then provide the
necessary resources to meet data quality standards
 ensuring that all site personnel are kept up to date about the GMP, GDP and GCP principles of ALCOA
and that they are understood and applied
 applying modern QRM and sound scientific principles throughout the data lifecycle
 setting expectations according to the true capabilities of a process, a method, an environment,
personnel, or technologies
 establishing procedures for mapping and monitoring of data processes
 implementing and validating computerized systems and the necessary controls so that the probability
of occurrence of errors in the data is minimized

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 40 of 96
GMP, GCP and GDP Data Governance and Data Integrity

 training of personnel who install / configure / use computerized systems and review electronic data in
basic understanding of how computerized systems work and how to efficiently review the electronic
data, which includes metadata, audit trails, data transfer / interface and backup.
 defining and managing of appropriate roles and responsibilities for quality agreements and contracts,
regarding data governance by the contract acceptor on behalf of the contract giver;
 modernizing quality assurance inspection techniques and gathering of quality metrics to efficiently
and effectively identify risks and opportunities to improve data processes;
 Ensuring that data integrity expectations are included in contractual agreements with 3rd parties and
the adherence is verified.
 Generation of metrics for data integrity and PQS;
 Regular review of PQS and data integrity programme;
 Gemba walks - management in order to find out what's going on first hand and to promote the DI
approach.

4.8.2 Data Owner

It is important to realise that data integrity (can you trust the numbers?) and data quality (can you use the
numbers?) begin at the point of data acquisition by the system and not in the data centre. Therefore, the
data owner’s responsibilities for a regulated computerised system from the business side include:

 Definition of what is required of system in terms of data quality, data integrity and data security. This
will result either in inputs to the configuration specification for the setting of application policies,
writing of SOPs for using the system or the agreement with IT to support the system (e.g. backup,
account management, etc.)
 Assessment of the system to determine if there are vulnerabilities of the records contained therein.
Although a system may be validated, record vulnerabilities may exist which have to be managed, for
more detail see the discussion in Section 9.1 which will probably be executed by a technical team
consisting of IT and data stewards
 Development of a remediation plan with the data stewards and IT for any remediation to secure the
records and reduce or eliminate data vulnerabilities following the assessment
 Approve access to the system for new users and changes in access privileges for existing ones for IT
administrators to implement
 Approval or rejection of change control requests
 Approval for archiving data and removing them from the system

Receive feedback from the data stewards of the system of issues involving quality, integrity and security of
the CDS data and implement any modifications of procedures, etc. for the data stewards to implement.

It should be noted that Data ownership may be passed on when data are copied or handed over one
organization/department/process to another. E.g. the investigator owns the data generated at site, however
the copies of such data that are passed on to the Sponsor or CRO require a data owner within these
organizations.

4.8.3 Data Steward – Power User – Department Administrator

We mentioned above that integrity and quality of data starts in e.g. the laboratory and the data owner of a
networked system is typically the head of a department such as a laboratory and is similar for manufacturing
systems. This individual will probably will not have the time or the training to implement the requirements for
data integrity and quality that they have mandated. This is where power users or department administrators
of the networked system come in and be involved as data stewards for the system.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 41 of 96
GMP, GCP and GDP Data Governance and Data Integrity

The power users are the first point of contact for user questions for help with the system. They will be
instrumental in ensuring the smooth running of the system and maintaining state of CSV. Also, they are
further developing the system by e.g. custom reports or custom calculations. Of course, they have to be
controlled e.g. specified and validated for correct function.

As data stewards, expert users of the system, they will be responsible for ensuring that the requirements for
data integrity and data quality set by the data owner have been implemented and are working.

They are also responsible for data queries and monitoring data integrity from a system perspective e.g.
regular review of system level audit trails for system related issues rather than data integrity problems. For
the more mundane work they would also be responsible for rebooting the laboratory data servers when
needed. In monitoring the system from the business perspective, they can raise issues for discussion with
the data owner to resolve as noted earlier.

4.8.4 Second Person Reviewer

Second person review normally begins from taking the samples from the storage areas, through sample
preparation, instrument set-up, chromatographic analysis, integration, calculation of individual values and
reporting the work.

In clinical trials these reviews are performed by Clinical Monitors that visit the site and verify the data
collected against the source data at the site.

Reviewers need to be trained to detect falsification and therefore processes and transfers need to be as
transparent and automated as possible. The scope of the second person review should cover the whole
analytical process from sample storage to reportable result and must not be confined to the boundaries of a
specific system. Scope of the review:

 Original records (or true copies) are to be reviewed

 Records can be paper, electronic or hybrid.
 In case of hybrid and “mixed“ records (e.g. electronic records with signatures on the associated paper
printouts) is has to be ensured that the paper record is linked to the ER (example see 8.8
Spreadsheets). For media change see 8.7.6 Media Change.
 This mixture of record formats will be typical for many laboratories when reviewing CDS data, even if
the system is configured for electronic working.
 Records must be accurate or where data have been changed it meets GMP, GDP and GCP
requirements
 Records must be complete
 Instrument and column log books must match data within the system and other records outside of it
 Audit trail events must be reviewed as part of the second person review and include items such as
change history of finished product test results, changes to sample run sequences, changes to sample
identification.
 Records generated must comply with the applicable procedures for the CDS and laboratory activities

Note, if the second person review is focused on a specific system then data integrity issues can fall between
the cracks between the applications and not be detected e.g. data transfer between applications.
There must obviously be a procedure and training for staff who will be conducting the second person review.

In clinical trials a detailed data review plan should describe the steps to review data (Source Data Verification,
Remote Monitoring/Data Review, Safety Data Review, Reconciliations between Data bases/sources, Medical
Data Review) as a bottom-up approach from the detailed record review level for a single record to the “in
context”-review from a process-oriented person (medical).

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 42 of 96
GMP, GCP and GDP Data Governance and Data Integrity

4.9 Identifying and Empowering Data Owners and Data Stewards

4.9.1 Identifying the Data Owner of a System or Process

Both MHRA and WHO data integrity guidance documents [43, 47] require that data owners are appointed for
processes and systems. The question is who should be a data owner of a computerised system or process?
The answer lies in EU GMP Annex 11 that defines a process owner as a person in the business who is
responsible for the overall system [37]. For a networked system, the process owner would usually be the
head of the department or the head of the functional unit if served across multiple departments.

Therefore, it would make logical sense if the process owner was also the data owner – being a single point of
responsibility for the system.

One potential area of confusion concerns the name “data owner”, which implies that an individual rather than
the organisation that owns the system and the data generated by it. This is not so, the organisation owns
the data, the data owner is merely the custodian of the data in the system who acts on behalf of the
organisation.

Data are the main product in clinical trials and these data are nowadays collected in concerting, but single
system, it is a challenge to define the one responsible person for all data. Sponsors should reach real data
governance by applicable oversight procedures.

4.9.2 The Business is Responsible for the Data

Data quality and data integrity are often thought of as an IT issue, this is wrong as these areas are the
responsibility of the business as they generate the data. IT merely manage and backup the data and
information contained in a system according to the agreement they have with the business [37].

4.10 CMOs, CROs and Contract Laboratories

The principles of this guideline apply to contract manufacturers, contract research organisations, contract
laboratories and service providers. Every company is ultimately responsible for the accuracy of all decisions
made based on GMP/GDP/GCP data, including those that are made based on data provided to them by
contractors. A pharmaceutical company therefore should perform periodic scheduled audits to verify data
integrity controls as described in quality agreements to assure that contractors have in place appropriate
programs to ensure the veracity, completeness and reliability of provided data [3, 47].

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 43 of 96
GMP, GCP and GDP Data Governance and Data Integrity

5 Policies, Procedures & Processes

5.1 Corporate Data Integrity and Ethics Policy

Senior Management must assure appropriate data and record management controls across the entire data
lifecycle of company products to ensure data integrity and trustworthiness. This guidance describes the key
general principles regarding company’s good data management strategies for GMP/GDP/GCP records. More
specific guidance for the application of these principles are provided in detailed documents by the ECA (Data
Integrity Policy, Data Integrity Principles, and Audit Trail Review SOP).

Employees shall notify responsible management if they become aware of any potential issue that impacts
data integrity such as those attributable to errors, omissions, or wrongful acts regardless of the cause. For
example, employees shall immediately notify management if they become aware of or have reason to suspect
others have falsified data, made unauthorized changes, destroyed data or other conduct that calls into
question the integrity of data. The notification shall follow the general “speak-up” procedures established in
applicable policies, standards, procedures, or other documents.

5.2 Good Documentation Practices

Controls must be in place to ensure integrity of the records throughout their lifecycle for both paper and
electronic records. The controls should include the following:

 Secure controls for ensuring data reliability, authenticity, integrity and confidentiality
 A GMP/GDP/GCP record must have only one Official Record.
 GMP/GDP/GCP records must have a defined Record Owner (either function or person), type and
retention period.
 The record management inventory must list the Record Owners, retention period and record type.
This inventory must be approved by the corresponding Quality group and be stored in the eDMS
(Electronic Document Management System) / eCMS (Electronic Content Management System). It
compares to the CSV inventory.
 A local procedure for changes of the ownership, location, archival, or destruction of a GMP/GCP
record must be in place.
 A record retention schedule or specific retention rules must be identified for all GMP/GDP/GCP
records. GMP/GDP/GCP records must be maintained and be readily available throughout their
lifecycle.
 GMP/GDP/GCP records that are revised must have version control.
 For types of documentation see EU GMP chapter 4 (Instruction type and record/report type) [35]

5.3 Understanding Complete Data, Raw Data and Clean Data

5.3.1 Traceability of Actions

 Throughout the whole process of the creation of an analytical record or complete data for an
analytical procedure there must be explicit linkage to key metadata to support data integrity criteria
such as identification of:
 Individual analytical personnel are uniquely identified and their actions are accurately time and date
stamped
 Samples analysed are linked to the material batch numbers or a stability or study plan
 Instruments used to generate data are identified
 Name and version numbers of software used to acquire and process data and report results are
documented on the reports

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 44 of 96
GMP, GCP and GDP Data Governance and Data Integrity

 There is a link to the raw data and metadata from the analysis from which the reportable result has
been obtained
 The analytical procedure and version used to acquire data is documented
 Time and date stamps on all raw data files, processed data files and the contextual metadata must be
consistent and have a trustworthy storyline.

5.3.2 Understanding Complete Data

Let us take the chromatographic process using a CDS to explain the process of generating analytical data:
there are some common elements that need to be highlighted for a CDS:

 Complete data is not a single record but a collection of data, metadata, information and knowledge
that are acquired from the setting up of the chromatograph, the analytical run, integration and
interpretation of the run data, all data generated during the calculation of analytes in individual
aliquots and the reportable result.
 Audit trail entries are acquired throughout the initial data acquisition and the conversion of data to
information and then to knowledge

Figure 15: Complete Data / Raw Data or Primary Analytical Record for a Chromatography Data System [70]

Data Acquisition Integration, Calculation and

Phase Reporting Phase

Automatic Manual
Instrument Sequence Acquisition Post Run
Integration Reintegration
Control File File Method Calculations
Method Parameters

Analytical
Initial Processed
Run SSTs Individual Range Reportable
Chromatographic Data: Chromatographic Data: OK? OK?
Specific Results Result
Raw Data Files Baselines and Peak Areas
Metadata

Audit Trail Entries For Analytical Run Life Cycle

Data:
Raw Data, Metadata Information Knowledge
and Processed Data

Figure 15 illustrates the generation of raw data and the process of creating other records as data is processed
and converted to knowledge. This illustrates the principle of EU GMP Chapter 4 that Records include the raw
data which is used to generate other records [35].

 In addition, there will be other records associated with the analysis that may be recorded on paper
printouts (e.g. sample weights) or in laboratory notebooks or on controlled analytical worksheets for
which accountability are components of complete data.

5.3.3 Understanding Raw Data and Equating it to Complete Data

Raw data is mentioned in EU GMP Chapter 4 but there is no definition of the term in GMP which makes for
multiple interpretations. The problem is that raw data is a Good Laboratory Practice (GLP) term and is
defined in the US GLP regulations (21 CFR 58.3(k)) as:

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 45 of 96
GMP, GCP and GDP Data Governance and Data Integrity

 Raw data means any laboratory worksheets, records, memoranda, notes, or exact copies thereof,
that are the result of original observations and activities of a nonclinical laboratory study and are
necessary for the reconstruction and evaluation of the report of that study [44].

From this definition, raw data is not just the original observations alone. Once data have been acquired, raw
data also includes any transformation records, calculation of individual results and finally the reportable result
plus any applicable audit trail requirements. This is consistent with GLP definition that includes the journey
from original observations to the final report.

As raw data includes data acquisition, data transformation, audit trail entries, calculation of results and the
certificate of analysis this can now be equated to complete data.

In the manufacturing areas raw data is generated on the instrumentation field level (ISA 95) or directly by
embedded systems, i.e., by complex machines. Such production equipment can be found widely in the
manufacturing and packaging processes of pharmaceutical dosage forms. Considering data integrity, the
operator of these machines has very limited or no influence at all on the raw data and may only change raw
data by modifications of the very narrow range of parameters which are accessible for her/him.

5.4 Chromatographic Integration

Control of chromatographic integration is a major regulatory topic but does not feature by name in any of the
regulatory guidance documents. The FDA guidance comes the closest to this in Question 12 – when does
electronic data become a cGMP record. The issue is when brought into memory how many times can a data
file be reintegrated without trace? This is a system design function that is outside of the scope of this
guidance.

However, chromatographic integration is a key regulatory issue and is discussed in Section 9.8.

5.5 Source Data in Clinical Trials

The equivalent to raw data in GMP are Source data in the GCP environment. Source data are defined as “all
information in original records and certified copies of original records of clinical findings, observations, or
other activities in a clinical study necessary for the reconstruction and evaluation of the trial” [12].

The investigator is responsible for the completeness and accuracy of the source data as well as for the data
entered into a GCP system. Typically, the investigator releases these data by signing the individual eCRFs
(electronic case report forms). Documents containing any source data are part of the documentation of the
trial and GDocP must be applied e.g. the documents must be filed and archived.

5.6 “Clean” Data in Clinical Trials

In clinical trials all data management activities are outlined in the associated data management plan, which
may include or reference a data verification plan. The data cleaning activity is integrated in the process to
lock the database. In clinical studies, data management processes constitute the foundation of study data
validation and integrity. The clinical data manager is involved in/responsible for eCRF development, database
and EDC set up, data cleaning (query process), and all activities to prepare for database closure.

Usually, the responsibility is separated into the technical and systems-related part (EDC set up and validation)
and the data reviewing part (definition of CRF, edit checks, and data review and cleaning including query
management).

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 46 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Data cleaning, the prerequisite for locking the database, comprises the check that:

 CRFs exist and have been signed off

 Queries of the responsible clinical monitor and the data manager have been resolved
 The coding process has been completed
 Reconciliation of SAEs is complete

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 47 of 96
GMP, GCP and GDP Data Governance and Data Integrity

6 Criteria for Data Integrity and Security of Records based on

ALCOA+ Principles

The critical issue is knowing the data and metadata that comprise complete data (or raw data or primary
analytical record or clinical source data) so that it can be subject to a data lifecycle. For example, Burgess
and McDowall [70] have defined complete data, primary analytical record or raw data for a QC laboratory
chromatography data system.

6.1 Definition of ALCOA+

Figure 16: The ALCOA+ elements

Contempor-
aneous
Legible
Original

Attributable
Data Accurate

Integrity
Complete Available

Consistent Enduring

Overlaying the data lifecycle and the complete data / primary analytical record should be the nine ALCOA+
data integrity elements applicable over the data lifecycle [71] are defined as:

 Attributable: Identification of the individual who performed an activity

 Legible: Can you read the electronic data together with any associated metadata or all written
entries on paper? Legible should also extend to any original data that has been changed or modified
by an authorised individual so that the original entry is not obscured.
 Contemporaneous: Documented (on paper or electronically) at the time of an activity
 Original: A written observation or printout or a certified copy thereof or an electronic record
including all metadata of an activity
 Accurate: No errors in the original observation(s) and no editing without documented amendments /
audit trail entries by authorised personnel. Accuracy is ensured and verified by documented review
including review of audit trails.
 Complete: All data from an analysis including any data generated including original data, data
before and after repeat testing, reanalysis, modification, re-calculation, re-integration and deletion.
For hybrid systems, the paper output must be linked to the underlying electronic records used to
produce it.
 Consistent: All elements of the primary analytical record such as the sequence of events are in
sequence and do not contradict each other (i.e. documented chronologically). Data files are date (all
processes) and time (when using paper, a hybrid or electronic systems) stamped in the expected
order.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 48 of 96
GMP, GCP and GDP Data Governance and Data Integrity

 Enduring: Recorded on authorised media e.g. laboratory notebooks, numbered worksheets for which
there is accountability or electronic media that can last throughout the record retention period
 Available: The complete collection of records can be accessed or retrieved for review and audit or
inspection over the lifetime of the record.

These first five criteria (ALCOA) were developed initially by Stan Wollen, an FDA inspector to described data
quality [72] and the additional four criteria by the European Medicines Agency when discussing integrity
criteria for electronic source data from clinical studies ALCOA+ [73]. In 2021, a draft EMA GCP paper added
a tenth criterion Traceability [74] to make ALCOA++. Although traceability is implied in several of the
ALCOA+ criteria (e.g. accurate using traceable reference material or calibrated equipment), it may be better
to have an explicit mention.

Recently, a comprehensive layout of the ALCOA+ criteria was published [75] and is shown in Figure 17.

Figure 17: The criteria that comprise ALCOA. ALCOA+ and ALCOA++

ALCOA+ &
ALCOA++ Criteria
ALCOA
Criteria
Who acquired data or performed an All data / metadata including any
action? repeat or reanalysis performed.
When was the activity performed? Attributable Complete Includes any excluded data and all
Identity of instrument and method. changes. No deletions or unofficial
Location may be required. tests. Second person review checks

Can you read and understand All records follow in the expected
written entry. Can a data file be sequence with supporting dates or
read and understood? (May require Legible Consistent time stamps
contextual metadata). Readable Enforcement by computer systems
after system upgrades or migrations with technical controls

Documented or recorded at the Record on official & durable media.

time of the activity. Real time data
ALCOA, Synchronise hybrid records.
Contem‐
capture and processing.
poraneous
ALCOA+ & Enduring No use of envelopes, cigarette
Time and date (time zone) recorded packets, sticky notes, lab coat
Use of scribes needs justification. ALCOA++ sleeve or body parts

First written observation, e‐record Accessible for review, audit or

or printout. No unathorised copies. inspection over the record lifetime.
True or verified copies are OK. Original Available Applied to any media used for GXP
Blank forms and master templates records. Dynamic data remains
controlled. dynamic. Migrated data readable.

No errors or editing without Data traceable throughout the

documented amendments. process and data life cycle including
Instruments calibrated/qualified. Accurate Traceable changes with no overwriting.
Software & methods validated Metrological, time and metadata
Calculations and rounding correct. traceability

©R D McDowall with input from Ulrich Köllisch and Chris Burgess

6.2 Access / Security/ Segregation of Duties

Physical and/or logical controls should be in place to restrict access to authorized persons for data managed
electronically and manually [3, 37, 43, 47].

Systems must be configured in a way that system operators who work with the system cannot change data or
system settings (e.g. inactivate audit trails, delete data, delete files, etc.). System Administrator rights
(permitting activities such as data deletion, database amendment or system configuration changes) should
not be assigned to individuals with a direct interest in the data (data generation, data processing, data review
or approval).

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 49 of 96
GMP, GCP and GDP Data Governance and Data Integrity

The role model should be designed as such that no user has all access rights, e.g. the administrators should
not be able to delete audit trails (but maybe archive them).

6.3 Validation

Validation must consider the intended use of the data throughout its lifecycle [3, 37]. The validation of a
computer system must address the implementation and maintenance of the controls to enable integrity,
including data entered manually or automatically acquired. If records are transferred to another format, the
qualification must include checks that the new format has not altered the value or meaning nor context
during the migration process [37].

Validation should address the necessary controls to ensure the integrity of data, including original electronic
data and any printouts or electronic reports from the system. In particular, the approach should ensure that
Good Documentation Practices will be implemented and that data integrity risks will be properly managed
throughout the data lifecycle.

For critical systems, there should be an up-to-date system description [37] detailing the physical and logical
arrangements, and interfaces with other systems or processes to identify data flows.

 Ensure relationships between data and metadata are maintained intact and traceable throughout data
lifecycle.
 SOPs and training; validation activities should ensure adequate training and procedures are developed
prior to release of the system for GMP use.
 Configuration and design controls; the validation activities should ensure configuration settings and
design controls for good documentation practices are enabled

In the GCP area validation emphasis should be put on the TMF (Trial Master File) [76]. Surprisingly Many
companies just rate the TMF system as not GCP relevant and therefore do not validate. Nevertheless, it is
complex system with various supporting functions for a clinical study containing more than one system part
which is definitely GCP relevant. Especially when a GCP inspector must be given an account and access to
the TMF to read the contents without interference by the sponsor [76].

6.4 Audit Trail Review

One of the most controversial issues of Data Integrity is the Audit Trail Review. 21 CFR Part 11 mentions the
audit trail together with the requirements to establish the function frequently, but without the need of its
review [77]. The 2011 version of the EU Annex 11 explicitly requires the review of audit trails, but without
providing any details [37]. European Health Authority Inspectors specify the Release of Batches by the QP as
the most critical function, limiting the audit trail review on the QC/QA part of the pharmaceutical value chain.
FDA state that if 21 CFR 211 states a review that will include the audit trail [2]. For laboratory data an audit
trail review is required for each batch before release under 21 CFR 211.194(a)(8) [78].

Recent Warning Letters by the US FDA mention the lack of audit trail review as one of the critical deficiencies
when inspecting QC labs.

Audit Trail Review (ATR) should be divided into 3 different processes:

 System ATR: review of system parameter, review of access rights / profiles

 Metadata ATR: review of metadata parameters, process parameters…
 Raw Data ATR: review of generated / handled raw data.

Frequency for these 3 different ATRs should be a risk-based approach according to system criticality, data
criticality.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 50 of 96
GMP, GCP and GDP Data Governance and Data Integrity

The comprehensive review of Audit Trails will require significant capacities in every company, if its scope (e.g.
to include critical data only) and extend are not carefully defined. Such assessment of the data in scope will
already mobilize a considerable workforce. The ECA has published a general Audit Trail Review SOP in order
to provide hands-on guidance to the industry.

For GCP systems it is important to provide the Audit trail data to all relevant users of the system for review,
e.g. in an EDC system to the Principal Investigator for review before signing the eCRF. The responsibility for
the review of the audit trail data needs to be detailed in agreements in detail e.g. as only the Principal
investigators are able to review the site - specific data while only the sponsor/CRO can review the audit trail
data for the data management activities in the EDC system.

At the same time, strategies for audit trail review should consider that clinical trial data are continuously
reviewed by various parties and people throughout the conduct of the trail. This can lead to a very targeted
audit trail review approach and reduce the overall burden. This approach and its justification need to be
documented.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 51 of 96
GMP, GCP and GDP Data Governance and Data Integrity

7 Auditing for Data Integrity and Security of Records

Senior management should support internal Quality Audits as part of a system designed to identify and inform
management of opportunities to improve foundational systems and processes that impact data reliability.
Audit reports are to be used only for internal purposes so the audits are as candid and meaningful as possible
in identifying deficiencies and opportunities for corrective actions. Internal auditing is a specific requirement
under EU GMP Chapter 9; Self Inspection [5].

Paragraph 9.2 states that;

‘Self-inspections should be conducted in an independent and detailed way by designated competent

person(s) from the company. Independent audits by external experts may also be useful [5]’

FDA have specific and detailed advice for their inspectors regarding data integrity auditing as part of a CPG on
Pre Approval Inspection (PAI) [18].

Inspectors are instructed to;

Audit the raw data, hardcopy or electronic, to authenticate the data submitted in the CMC
section of the application and to verify that all relevant data were submitted in the CMC section
such that CDER reviewers can rely on the submitted data as complete and accurate [18].

Furthermore;

1. During the inspection, compare raw data, hardcopy or electronic, such as chromatograms,
spectrograms, laboratory analyst notebooks, and additional information from the laboratory with
summary data filed in the CMC section.
2. Raw data files should support a conclusion that the data/information in the application is complete
and enables an objective analysis by reflecting the full range of data/information about the
component or finished product known to the establishment.
3. Examples of a lack of contextual integrity include the failure by the applicant to scientifically justify
non-submission of relevant data, such as aberrant test results or absences in a submitted
chromatographic sequence, suggesting that the application does not fully or accurately represent
the components, process, and finished product [18].

7.1 Audit Focus

Generally speaking, internal audits may be conveniently categorised into:

System Audits

 Audit is comprehensive, includes several processes, and critical control points

Compliance Audits

 Focus is on compliance to regulations or specific specifications/procedures

Functional or Process Audits

 Focus is on one or more individual processes or components of a system

 Audit verifies inputs and outputs - do they meet predetermined specifications?
 Is the function or process in demonstrable a state of control?

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 52 of 96
GMP, GCP and GDP Data Governance and Data Integrity

From a data integrity viewpoint, system audits could target the IT infrastructure and compliance audits would
cover all policies and procedures from an operation viewpoint. For example, it could include review of audit
trail settings, change controls, user account management, user access controls etc.

Process audits would look in detail at specific critical areas e.g. QC laboratory data, production master batch
records, distribution records etc. Such audits may be vertical i.e. an end to end single batch trace covering all
process steps or horizontal i.e. taking examples at random across batches. Critical areas that should be
covered in all types is second person review and roles, responsibilities and accountabilities.

7.2 Tools for Auditing Data Integrity

When performing Data Integrity audits, it is important to keep in mind a “no blame” culture. There are many
examples of “Forensic-based audit approaches” where words like “crime”, “crime scene”, “clues”, “motive”
and “perpetrators” are used. Although the fundamentals of the technique may be useful in identifying DI
issues, the terminology is not. It indicates a mistrust in the people and the organization. If a good Data
Integrity culture, proper policies and training and good technical solutions have been established as described
in chapter 5, there is no reason to expect a breach in Data Integrity. Thus, by taking out any possible
motivation and limiting the opportunity for performing manipulations, controlling and monitoring the process
via internal audits should be straight forward and focused on unintentional breaches in Data Integrity.
Identification of these Data Integrity issues are the key for improving the process (Figure 18).

Figure 18: Improvement process

Tools for identifying Data Integrity issues may look at:

 Missing or inconsistent data

 Excessive number of outliers (indicates inefficient process or handling of data)
 Unexpected low variability in test results
 Excessive number of deviations to protocols or in data collection and reporting
 Excessive number of aborted runs
 Testing sequence and timing: Are people producing test results “faster” than the test sequence allows
or not in the right order?
 Duplicate files with same creation date

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 53 of 96
GMP, GCP and GDP Data Governance and Data Integrity

 Analyst Performance: Is analyst performance too good to be true (time to execute the test/ number
of samples)?
 Data review: Is the review process being too short? (indicates shortcuts taken in data review)
 Last access to the system vs last reported test result (indicates that the user account either has been
hijacked or shared to another user)
 Excessive User Access and roles changes: Is the same User ID changing back and forward several
times? (indicates conflict of interest and possible manipulation of audit trail and files)
 In the case of a CDS, excessive number of
o manual integrations (integration until passing behaviour),
o re-processed or modified runs vs right first time (indicates inefficiency of the process or
samples requiring reprocessing due to errors)
o short-runs (can indicate the use of test-trails and testing into compliance)
o multiple files/runs with the same sample name/lot number (can indicate the use of test-trials
and testing into compliance)

Tools for auditing progress in DI may look at:

 Are the new software/equipment’s URS, IQ/OQ addressing ALCOA+?

 Are new processes mapped regarding data flows?
 Is new personal trained in DI policies and procedures?

Once a state of control has been established, the use of Quality metrics or Key Performance Indicators may
be useful in having a DI quality oversight.

7.3 Quality Oversight

Data governance and data integrity policies and procedures are an integral part of the Pharmaceutical Quality
System and as such are subject to Quality oversight. The overall data governance system is defined in the
PIC/S Guide PI 041 [3];

The data governance system should ensure controls over data lifecycle which are commensurate with the
principles of quality risk management. These controls maybe:

Organisational
 Procedures, e.g. instructions for completion of records and retention of completed paper records;
 Training of staff and documented authorisation for data generation and approval;
 Data governance system design, considering how data is generated recorded, processed retained and
used, and risks or vulnerabilities are controlled effectively;
 Routine data verification; Periodic surveillance, e.g. self-inspection processes seek to verify the
effectiveness of the data governance policy.

Technical
 computerised system control
 automation

The requirement for self-inspection is specifically noted under the organisational periodic surveillance in
addition to routine data verification.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 54 of 96
GMP, GCP and GDP Data Governance and Data Integrity

8 Illustrative Appendices

8.1 System Assessment

The data integrity assessment of the computerized systems implemented at the company should be done on
the basis of the system inventory which is required by all regulation, in particular the EU GMP Annex 11.
Depending of the scope of the risk assessment there are two options recommended which are outlined below
for the GMP area.

The results of the assessment should be used to prioritize detailed evaluations regarding availability and
appropriateness of data integrity controls, and any succeeding corrective and/or preventive actions, as
required.

8.2 Strategic Assessment of all GMP/GDP/GCP Systems

The assessment and prioritization should apply to any computerized system used in the GMP/GDP/GCP area
and listed in the Inventory of systems (including all interfaces described in related system descriptions), and
which maintain (directly or indirectly) data and/or records supporting GMP/GDP/GCP activities of the
company, regardless, if such data is generated or completed manually or electronically.

8.2.1 Prioritization Approach & DI Risk Assessment

Starting a comprehensive Data Integrity Program companies will very soon be aware that a prioritization
approach is needed in order to manage the risk. Therefore, the most critical systems in scope of such
strategy shall be examined in view of data integrity weaknesses and/or flaws at first. Later (e.g. in a Phase
II), all other operational computerized systems in scope shall be examined too. With regard to the risk-based
approach, the following prioritization criteria could be defined:

Table 3: Risk-based prioritization based on record criticality

Priority Criteria
1 QC systems that generate laboratory records that are subject to the following
predicate rules:
 21 CFR Part 211.160 -- - Laboratory Controls -- - General requirements
 21 CFR Part 211.165 -- - Testing and release for distribution
 21 CFR Part 211.166 -- - Stability testing
 21 CFR Part 211.167 -- - Special testing requirements
 21 CFR Part 211.194 -- - Laboratory records
2 Systems for which either all of the following answers are true:
 Are there instruments connected to the system?
 Is the system collecting raw data/source data?
 Is the system used to calculated dosing parameters or collecting data that are required
to calculate dosing parameters?
 Is data entered manually?
 Is the system directly or indirectly affecting patient therapy or therapy decision/Signal
detecting
OR
 If the system is used to generate a batch record.
3 Systems for which both of the following answers are true:
 Is the system used to generate data that is part of a batch record?
AND
 Does the system interface / load data to « Priority 1» systems?

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 55 of 96
GMP, GCP and GDP Data Governance and Data Integrity

A different approach for the Data Integrity Risk Assessment can be the following strategy taking into account
product, process and patient risk. In this context, all computerized systems must first be considered on the
basis of the system inventory and assessed according to a number of criteria - see table below.

 Static Data / Dynamic Data

 Impacting Quality (Release of batches)
 Management/Generation of Raw Data
 System used for validated/compendial methods (QC) or validated production processes
 Change of Parameters/limits described
 Is critical data from the system transcribed reading to paper records by individuals
 Number of interfaces with other systems
 Ratio department members / system users
 Complexity of the application
 Can data or metadata be changed / modified
 Can system malfunctions or bugs be discovered
 Can Parameters/limits/setpoints be changed or deleted by the operator
 Segregation of Duties
 User und Admin in one Person
 Number of Administrators
 Audit Trail compliant to regulations
 No. of malfunctions of application per year
 No. of malfunctions of sys. environment per year
 Annual Change history
 User Account Management

Assessment criteria (excerpt)

These criteria allow the overall risk to data integrity and the criticality of the audit trail to be determined in a
short period of time (a few minutes). It is imperative that the experts (Process Owner, System Owner, User)
perform this assessment as a team, as only these individuals can confidently answer the questions listed
above; if such system knowledge is not available, the assessment will not provide sound results. When
discussing the individual predefined questions, the participants can also define immediate measures for the
individual applications in order to promptly close any major compliance gaps that become apparent during the
discussion.

Example for a first Risk Assessment

With the result of this initial, very time-saving risk analysis, the priority and sequence of further measures can
be entered into a - depending on the risk - graduated schedule and the CAPAs can be defined accordingly.
The completion of the individual CAPAs can be defined on a risk basis over a period of approximately two
years. Tab. below shows examples of a corresponding risk analysis based on the criteria above.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 56 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Example for an implementation timeline

Alternatively, these measures could be part of the data governance/integrity plan for a system or group of
systems and tracking of the progress through KPIs.

The next step is a detailed analysis of each individual computerized system using a checklist. Such checklists
are all very similar in structure and consist of lot of detailed questions.

Immediate measures
If there is neither time nor capacity for a risk analysis, there are a number of immediate measures that can be
taken in preparation for an inspection. These are listed, for example, in the MHRA GXP Data Integrity
Guideline [43].

8.2.2 Detailed Examination Strategy

Each operational computerized system listed in the inventory should be thoroughly scrutinized for adequate
consideration of the Data Integrity Principles to expose any gaps, weaknesses and/or flaws related to:

 Data management procedures

 Risk management throughout data life-cycle
 Definitions of raw data, source data and critical data
 Controls for data access, security and segregation of duties
 Validation of the intended use of data throughout its life-cycle
 Investigation program for compromised data and/or records
 Training of data integrity policies and procedures
 Applicability to contract manufacturers, contract research organizations and laboratories service
providers
 Auditing of systems used for creating, collecting, maintaining, analysing, reporting and retaining
information and data
 Record management controls
 Established Company Code of Conduct related to data and record management.

Out of date and replaced in 2012 with second edition which is aligned with GAMP 5.

Detailed guidance on the potential risks and validation approaches for various clinical systems is provided in
the GAMP® Good Practice Guide “Validation and Compliance of Computerized GCP Systems and Data” [68].

8.3 Process Management and Pharmaceutical Manufacturing

8.3.1 Data Integrity in the Manufacturing Areas

The concern of the investigators for data integrity has been in the last years mainly in the QC/QA areas with
more than 70% of the inspectional observations. Less than 10% of the data integrity warning letters are
dealing with manufacturing problems. Nevertheless, an increasing interest in manufacturing by the health
regulatory bodies came up in 2016 and is expected to continue, particularly in the biotechnology industry.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 57 of 96
GMP, GCP and GDP Data Governance and Data Integrity

8.3.2 Types of manufacturing

In comparison to the laboratory environment, the manufacturing area is quite more complex. Not only filling
lines and the associated equipment is in scope, we have also different types of manufacturing to consider as
there is for example chemical production and biologic production, drug substance and drug product. Every
area of production types has their own requirements regarding equipment, data and processes.

Not to forget packaging, warehouse, and IPC with their own requirements on operation model, equipment
and connectivity to upper layer systems.

There is also a broad variety from standalone packaged units and embedded systems which data is linked by
a paper-based batch record, to fully integrated systems with no paper at all.

Typically, the complexity of systems increases with each layer bottom to top while the number of systems
increases in each layer from top to bottom (Figure 19).

Figure 19: Typical Manufacturing System Landscape

8.3.3 The ISA 95 Levels and related systems & equipment

ISA-95 is the international standard for the integration of enterprise and control systems [79]. For companies
that have several different types of manufacturing/automation facilities the ISA-95 standard offers a
framework for building a modular system architecture. It consists of a number of levels from field
instrumentation to the top-level ERP system (Figure 20). Each of these levels, which are sharing
manufacturing information, are impacting data integrity in a very different way, which will be outlined in the
following:

Field Instrumentation

Data sets on the machine/cell level are very often identical, in particular in Biotech. Operations: Same Data
and system patterns are applicable. There are no Data Lifecycle element requirements at this level.
Nevertheless, the routine qualification and maintenance are mandatory.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 58 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Figure 20: ISA 95 Framework

8.3.4 Programmable Logical Controllers (PLC)

Field instrumentation is interfacing usually with the PLC level to replace hard wired relays. PLCs are frequently
interfaced with each other and also to SCADA Systems, programming of PLCs is currently done using personal
computers with relatively sophisticated software. The basic function of PLCs is to receive inputs from field
level components like stencils or switches. Programming of the PLCs is usually performed by the engineering
department, the user has typically no direct interaction and influence on the data managed by the PLC. Their
qualification of the hardware and validation of the specific functions is integrated in the validation of the
manufacturing process.

The review of the PLC audit trails will add no value as there is no possibility for the user to manipulate data
transferred from the field instrumentation to the PLC. The Data Lifecycle elements at this level are typically
processing and transmitting, sometimes also intermediate saving of data. The PLC is from the data lifecycle
perspective responsible for the generation, transporting and processing of data.

8.3.5 SCADA (DCS) System

The SCADA technology (also called DCS Distributed Control System) is used to connect the PLCs with the MES
(manufacturing execution system). SCADA systems allow staff or supervisors to change the settings and to
monitor critical conditions like high temperature; lots of data is collected by them which can be monitored
using the HM interfaces (part of the machine that handles the human–machine interaction). The operator
interfaces enable monitoring and issuing of process commands, such as controller set point changes, are
handled through the SCADA supervisory computer system. It consists of membrane switches, keypads and
touchscreens. The SCADA also enables alarm conditions, such as loss of flow or high temperature, to be
displayed and recorded. SCADA systems are using combinations of radio and direct wired connections. The
remote management or monitoring function of a SCADA system is often referred to as telemetry.

The Data Lifecycle elements at this level are manual data capture, processing, transmission, saving and in
some cases evaluation of data, alarms and events.

8.3.6 Visualization Level

Integrated in the SCADA and HMI level there is a modern computerized device (screen) for the visualization
of complex tasks. Frequently the setup consists of a sensor, PLC and HMI. This significantly facilitates the
operation of equipment, example: SIMATIC HMI.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 59 of 96
GMP, GCP and GDP Data Governance and Data Integrity

8.3.7 MES Level

The Production MES controls and coordinates manufacturing elements, material, equipment, personnel,
specifications and procedures for areas and units within a facility, e.g.

 Production Order Management

 Materials Management
 Plant Performance Analysis – Data collection necessary for Key Performance Indicators (KPIs)
 Detailed Production Scheduling and Reporting
 Quality Data, interfaced with Laboratory Information Management (LIMS)

At the MES level vast quantities of data coming from the PLCs and SCADA/HMI systems are collected. The
manufacturing execution system is the key element for scheduling, process management, electronic batch
recording, material tracking and quality management (or interface to the LIMS). Data in the MES provide a
complete history of manufactured batches or the device history record/batch record; it also contains
electronic approvals and full traceability of the product to raw materials and manufacturing process
parameters at every stage of the manufacturing process. A more modern MES will also collect data on
exceptional situations and trends of the manufacturing process including their time stamp. Such data will be
subject to the audit trail review prior to release of a batch by production. The validation of the MES is a
crucial element of every pharmaceutical manufacturing activity because critical data is managed, like the
recipe control and the batch record. A manufacturing execution system (MES) can be configured to flag
numbers modified, or set-up parameters out of specification. From that it is very clear that critical data
managed by the MES is subject to intensive audits trail definitions and their review prior to release of the
manufacturing batch or medical device. More less the full set of Data Lifecycle elements are applied at this
level, except archiving and deletion of process data.

8.3.8 ERP Level

Information that the top-level system or ERP (Enterprise Resource Planning) has about upcoming production
requirements is needed on the plant floor. Likewise, some of the production details from the plant floor is
valuable at the ERP level. There are many suppliers of ERP systems, however, one company, SAP, has the
largest market share, specifically in the pharmaceutical industry where the clear majority of API and dosage
form manufacturers use the SAP ERP system. Other leading ERP suppliers are Oracle and Microsoft. The ERP
system receives data (e.g. from the MES) which will be used for the implementation of critical pharmaceutical
decisions like the change of the batch status. Data complexity at the ERP level is very high; nevertheless,
there is some impact on data integrity, in particular for the management of access to data.

8.3.9 Types of data and their relevance for data integrity

In order to be able to find the relevant data from the data integrity perspective we have to distinguish
between process and event data on the one hand and configuration and system data on the other hand.

Even if this data is cGMP relevant, data integrity should be focused on the process and event data.
Configuration and system data, like parameters, software, and system settings, are usually well under change
control and a lot of additional controls are implemented.

8.3.10 Data Categories

 Process, alarm and event data

 Configuration and system data

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 60 of 96
GMP, GCP and GDP Data Governance and Data Integrity

8.3.11 Criticality of the data

Focusing on the criticality of process and event data is also relevant because this enables us to prioritize data
integrity using relatively simple risk assessments and to define the mitigations and measures we have to
implement or areas to improve.

A risk-based approach should at first focus on well-known data integrity issues and consider all computer
systems in the manufacturing area. Important elements are e.g.

 static/dynamic data
 process/event data
 controlled management of raw data
 segregation of duties in place
 control of parameter changes
 compliance of the audit trail

The overall data integrity risk can only be under strict control, if we have a clear understanding of the overall
criticality of the data.

There are several ways to determine the criticality of process and event data. Proximity to product and
equipment used can be one way. Another way could be data generated by the systems that will directly enter
the batch record, or any combination of that.

The following data should be in focus:

 Batch record data

 critical process parameters
 critical quality attributes.
 Product quality impact information (deviations).

8.3.12 Breakdown of the complex automation infrastructure

Owing to the complexity of the manufacturing environment it is necessary to breakdown the system
landscape into manageable parts. This might be done by functional aspects or system boundaries.

For example: very often you find similar systems and components in production like sensors, PLC, DCS, HMI,
SCADA and MES.

Figure 21: Example for Sensor(s), PLC and HMI

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 61 of 96
GMP, GCP and GDP Data Governance and Data Integrity

From the data integrity point of view (see schematic example above) all the sensors could be treated the
same way, if they generate data automatically. This could lead to a more simplified schematic diagram
(Figure 22).

Figure 22: Simplified example for Sensor(s), PLC and HMI

8.3.13 Leveraging grouping strategies

The identification of similar functional systems, with same components, functionality, software release etc.
can dramatically reduce the amount of systems to be checked and reduce the work significantly.

For the defence of this strategy it is recommended to define the rationale for the grouping.

This approach will also support you to identify harmonization opportunities later on.

8.3.14 Data Lifecycle Elements

Data Lifecycle elements are one of the key elements to control data integrity in the manufacturing
environment. Data Integrity strategies and risk mitigation have to apply at all phases of the data lifecycle.
Sometimes not all parts of a data lifecycle elements are fitting to a particular component; therefore, adoption
might be necessary. From a data point of view, it is important to demonstrate that all lifecycle components
are covert [47].

1. Data generation and capture automatically or manually

The data lifecycle starts usually with generation and capturing of data no matter if this is automatically
or manually generated data (e.g. continuous data flow from a sensor, alarm event or operator input
during process). But the results regarding data integrity requirements a quite different.
Date generation and automatic capture means data is generated by a sensor (e.g. temperature,
humidity, pressure etc.) and captured in a computerized system. For this kind of generated data, no
data integrity requirements should be applied.
Data generation and manual capture means that data is observed by person(s) and entered in a
computerized system through a human-machine-interface device. This is very different from to above
mentioned way. To be able to enter data in a system, there must be, of course, a system available.
This will lead to data integrity requirements that are related to computerized systems instead of simple
sensors.

2. Data processing & transmission.

Processing means that data is transformed according given rules or control logic, for example from one

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 62 of 96
GMP, GCP and GDP Data Governance and Data Integrity

physical value to a meaningful information like temperature, humidity or pressure. Applying algorithms
to “process” data might also part of this data lifecycle element and can result in creation of additional
data (e.g., calculations, alarms, metadata etc.). Transmission to other systems in case components are
connected to each other.

3. Data save
Save is relevant if the data is stored permanently for the first time. In terms of data integrity backup
and restore are the important elements to consider.

4. Data review, evaluation and reporting during production process

Any decision made on reviewing, assessing or reporting data. This could be reviewing alarms by
operator or any quality decision during manufacturing. For the review of data directly after entering by
the operator the second person review by a peer is required for critical entries. Regardless of this first
check an audit trail review must be performed before the release of the batch for further processing or
quality control.

Data Review by Exception

The reviewing process of data after completion of the batch process is an extremely difficult task
because the amount of data is tremendous and is challenging to decide between normal process
ranges and deviations from the limits. In addition, “suspicious” data should drop an exception and may
identified and flagged by the system. The data review by exception is the best way to focus on data
that are critical and need to be verified, e.g. prior to the release of an API batch. Systems should be
configured in a way that enables the flagging of unusual conditions which needs to be reviewed.
Electronic records are always an advantage in the review process, because their data is easily
accessible.
Please keep in mind: Reviewing all data all the time is impossible.

5. Data archiving
Data has to be stored unchangeable after normal operational usage during retention period. It is not
relevant, if an archive system is used or data is permanently stored online. In both cases the process
must have been included in the qualification and validation tasks.

6. Data deletion
After the end of the retention period the deletion of data is the last step in the data lifecycle. This
process should also be well documented and follow Good Documentation Practice. The decision to
delete data is very cumbersome because most managers are reluctant to erase GxP data. The decision
for deletion must be taken by the data (process) owner and executed by the system owner.

Figure 23: Production Data Lifecycle

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 63 of 96
GMP, GCP and GDP Data Governance and Data Integrity

8.3.15 Audit Trail Review in the context of the ISA95 framework

The necessity for the review of audit trails in the manufacturing area must be based on a sound risk
assessment of the different levels/layers of the electronic systems: What layers are relevant for Data Integrity
considerations and the review of audit trails (which is very time consuming in a complex system landscape)?
The table below may be used as a guidance for the definition of the data criticality and audit trail review [80].

The most relevant layer for data integrity is the MES level where most of the critical data are processed.

8.3.16 Risk analysis and mitigation measures

A risk analysis of the data lifecycle elements will show the potential harms of the data.
For each potential harm mitigations should be defined. Depending on the maturity of the existing measures,
additional measures should be taken or existing measures should be adapted.

8.3.17 Data integrity risk mitigation measures

To summarize the large number of activities outlined above the following elements are crucial for data
integrity:

1. Backup & Restore

2. Archiving concept
3. Disaster Recovery
4. Segregation of Duties on operating system level
5. Segregation of Duties on application level
6. Data Audit Trail Review
7. System periodic Audit Trail Review
8. Electronic Record (ER)/ Electronic Signatures (ES)
9. Password policy
10. User Accounts
11. Access control (role-based profile/access rights).

Not all measures have to apply to each lifecycle elements.

It is always a good approach to identify the mitigation measures to the lifecycle elements. This enables you to
identify the necessary data integrity checks and mitigation measures you have to apply.

This should be done for each component of a particular system. To lower the efforts to execute these
assessments it is also best practice to group similar systems to form a “system family”.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 64 of 96
GMP, GCP and GDP Data Governance and Data Integrity

8.3.18 Events & Alarms

In the production process control center there are lots of alarms coming up during a working day. Each alarm
represents an indication for an “out of control” situation or a deviation from normal process parameters. Very
frequently it can be observed that operators are just acknowledging an alarm without taking further notice
because they are aware that such alarm is coming up very frequently and that there is no critical situation
occurring. The problem is that operators are getting too many alarms which is exceeding their capacity to
deal with them. Sometimes they are losing the ability to deal with the “real important alarms”. In these
cases, it may be advisable to recheck the alarm limits.

8.3.19 Process Documentation impacted by Data Integrity

8.3.19.1 The Recipe - Process Parameters

In a full integrated environment, the parameters are defined in the recipe. Therefore, the recipe is one of the
most important documents in manufacturing as all processes are based on the instructions defined in this
document. This document must be under very strict change control, with limited access only for authorized
people, e.g. the head of production.

The parameters in the manufacturing area are set on the basis of the definitions in the recipe; it needs to be
assured that the parameters are transferred to the machine settings by people with administrator access
rights. Setting of parameters is a typical action that needs to be controlled using the four-eye-principle, i.e.
the second person in the manufacturing area is checking the correct execution immediately after the action.

8.3.19.2 Batch Manufacturing Record (BMR)

The batch record is the most important document in the manufacturing process as it is tracing the complete
cycle of the lot. It is created for each intermediate in the API, filling and packaging processes. Before issuing
a BMR it has to be verified that the current version with the suitable batch size is edited by the authorized
person/department. In order to maintain the data integrity requirements, it is mandatory to include checks for
manual entries (e.g. for weights, raw material numbers) by a second individual, i.e. there must be space
available on paper (or entries possible in electronic systems) for the second person reviewer. Deviations
occurring during the manufacturing process should be recorded in the BMR, e.g. in the “Comments” field or -
in case of severe discrepancies - a reference to the deviation report number. After finishing the manufacturing
steps, prior to hand-over of the BMR to QA, the audit trail review (for electronic systems only) must be
performed by production. The result of the Audit Trail Review is documented using the appropriate checklist
for the specific process and handed over to QA who will - after completion of analytics - release the batch.

8.3.20 Supporting documents and forms

In case of using supporting controlled paper templates or forms in the manufacturing area please refer to
section 9.6. of this guideline.

The same requirements as in QC/QA (e.g. issuing and reconciliation) have to be applied to manufacturing
operations.

8.4 The Laboratory

8.4.1 Recording records by observation

Recording records by observation is common in pharmaceutical manufacturing and analysis, for example
recording the colour or odour of samples in analysis or dilutions during sample preparation. The problem from

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 65 of 96
GMP, GCP and GDP Data Governance and Data Integrity

a data integrity perspective is the lack of evidence available for a second person to review the activities
objectively to confirm that procedures were followed and that the recorded result is correct.

The MHRA GxP data integrity guidance [43] states:

Data may be generated by (i) manual means - a paper-based record of a manual observation, or (ii)
electronic means - ….

When manually recorded data requires stringent oversight, consideration should be given to risk-
reducing supervisory measures. Examples include contemporaneous second person verification of
data entry, or cross checks of related information sources (e.g. equipment log books).

With this in mind we can look and evaluate various manual observations and the risks that they pose.

8.4.2 Recording Results from an Analytical Balance

Given the critical nature of the analytical balance in quality control either in weighing samples, preparation of
analytical reference solutions, buffers and mobile phases it is not surprising that regulatory guidance is very
stringent:

Automated data capture or printers attached to equipment such as balances [42].

Put at its simplest, if you are making a weighing then recording the weight by observation is unacceptable
and evidence from an attached printer is essential documented evidence of the weights and the weighing
sequence. An alternative is direct data capture by a computerised system e.g. instrument data system, LIMS
or ELN, this approach is a better long-term objective as the process is automated and there is no transcription
checking to perform.

8.4.3 Colour and Odour Determination

Colour and the outdated odour determination are non-destructive tests and therefore the sample is still
available for the second person reviewer to examine and either check against a colour palette or smell to
verify the tester’s observations were correct. Therefore, these tests are relatively low risk and determination
by observation should continue to be used. Recording of the result could also be by direct entry into a
computerised system such as a LIMS or ELN to avoid transcribing the result after writing it down.

8.4.4 Observing Results from Simple Instruments

In cases such as pH meters, polarimeters and other simple instruments where there is no data system and
the only way of recording the result is by observation. Depending on the criticality of the measurement, then
their either needs to be a second person to verify the observation or that it is evaluated indirectly by use in an
analysis. As a minimum, the investment in a printer if the instrument is capable of being linked is worthwhile
and will save much effort; better still is the interfacing to an instrument data system or another informatics
application.

8.4.5 Recording Sample Preparation Observations

During the preparation of samples for analysis there may be times when a specific dilution from a range of
options needs to be recorded. This will be done directly into a laboratory notebook or a controlled blank form
for the specific analysis being undertaken. These records are difficult to verify directly by a reviewer and it is
usually the case that if the analysis is acceptable, then the dilution must be correct.

The emergence of QR coded volumetric glassware means that the process of recording which flask or pipette
can be automated by scanning the code into a computerised system. If the identity of each item of glassware

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 66 of 96
GMP, GCP and GDP Data Governance and Data Integrity

and its size were in the system, each time an electronic workflow was executed, not only is there a check that
the right size flask or pipette were used but the identity was automatically captured contemporaneously,
saving the laborious task of manually recording the glassware used.

8.5 The Clinical Trial

8.5.1 Process overview and Data Life Cycle

The following processes are relevant for Clinical Trials:

 Initiation and submission for approval

 Project Management
 (e)CRF
 (Site and Partner/Supplier) Qualification
 Investigational Product and its Supply Chain
 Subject Recruitment
 Data Entry and Review (including monitoring)
 Adverse Events-Reporting
 Mid Study Changes
 Statistics
 Closure & Submission
 Quality Assurance
 (Sample) Logistics
 Archiving

8.5.2 Critical Records / Data

Critical records / data in Clinical Trials include:

 Study Protocol
 Informed consent
 Site Qualification
 Inclusion Criteria for Patients
 Randomization / Blinding / Trial Supply
 Data Collection and Database Lock
 Sponsor/Investigator TMF
 Safety Reports
 Statistical Analysis Data
 Study Report

8.6 Blank Forms

8.6.1 Quo Vadis Blank Forms?

The control of Blank Forms is a topic which is coming up in many Health Regulatory Inspections. In general, it
is not a good idea to use Blank Forms: in case it cannot be avoided comprehensive controls must be in place.
Guidance documents from the FDA, MHRA and PIC/S outline what needs to be done to control blank forms
[2, 3, 43]. It is recommended to look at this in two phases [81]:

 Control of the master template through the phases of design, review, approval and secure storage
 Use of the pre-numbered form created from the master template in a laboratory to record regulated
work

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 67 of 96
GMP, GCP and GDP Data Governance and Data Integrity

8.6.2 Control of the Master Template

The controls required for blank templates in two phases first developing and controlling the master template
and second how it should be used are outlined below. The way this will be presented in the two figures that
follow is as cross functional process flow diagram. This has the following functions that need to interact in
order to control master templates for each blank form and use them in a compliant manner:

 Data governance
 Quality
 Generation
 Distribution
 Completion
 Review

Not all six functions are needed for either of the two phases of the work but all are required across the two
phases when looked at holistically. The overall process of controlling the master template is shown in Figure
24.

 Each blank form should have an owner allocated to it. This will typically be the subject matter expert
(SME) of the overarching standard operating procedure, analytical procedure or work instruction that
controls the use of the form. The form will be designed to accommodate the work and collect
records according to the applicable process.

 This form can be designed using a word processor or even a spreadsheet, however the template
must have the name and the version number of the form embedded into it as well as the procedure
number to which the form relates. One point that must be ensured is that there is sufficient space
for an analytical chemist to enter a value or result.

 When complete the form needs to be reviewed by a different person to ensure that the form is
correct and accurate and matches the requirements of the controlling procedure. If changes are
required, the form is returned to the author for update.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 68 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Figure 24: A Process for Controlling a Master Template for a Blank Form [81]
Generation

Owner creation Blank

Form
of document Document draft
Request
template
Distribution
Completion

Owner
Review

technical
review, sign off
& date stamped

Change & Version

Control
Blank
Quality

Quality review,
Version Document Document
sign off & date
control Version x use
stamped
Governance

Secure storage
Data

in protected IT
environment

 When technical reviews are complete, there needs to be a quality function review and approval and
when approved, the date of approval is added to the master form.
 The form should be signed either handwritten or by electronic signature
 Assuming that no changes are required, the template master now needs to be stored securely either
in an IT environment on the network or in an electronic document management system with
restricted access to it.

At the end of this first process we now have a blank template that is version controlled and under secure
storage.

To ensure that only the current version of the template is used there needs to be an effective process for the
withdrawal of the old template and replacement with new version. The Quality function needs to maintain a
track and trace system for the control of all the blank templates e.g. title, reference number including version
number, release date, applicable procedure and storage location.

8.6.3 Use of the Blank Template

Instead of printing or photocopying a blank form, a formal process for issuing a controlled and numbered
version of the document is required.

 The process starts with a request made to the person or group who manages the issue and
reconciliation of blank forms. This function will typically be outside of the laboratory, typically this
would be a Quality Assurance role to ensure independence of operation. An authorised analyst will

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 69 of 96
GMP, GCP and GDP Data Governance and Data Integrity

request a specific form from the document controller who will issue a uniquely numbered version of
the blank form created from the current version of the template.

 The unique number is entered into a track and trace system and the name of the requester is entered
along with the date / time of issue. This track and trace system in its simplest form is a bound
logbook with numbered pages with the entries handwritten by the document controller with
information such as date of issue, unique form number, person/ department to whom the form was
issued to.

 The distributed copies of these blank forms should be designed to avoid photocopying either by the
use of a secure stamp and ink colour, or by the use of coloured paper not available in the laboratory.
An electronic system that can issue forms with a unique number as well as copy number may be an
alternative but stringent validation needs to ensure that this process is secure and only one copy is
allowed to be printed. Otherwise a controlled copy will only be issued on paper as an electronic
version could be reprinted (the same as blank forms today).

You can see the compliance overhead just reading the text or look at Figure 25.

The forms will be used in a regulated laboratory and completion of them should follow good documentation
practices e.g. contemporaneous with the work being executed, completion with an indelible pen, entries that
need to be corrected must be done without obscuring the original entry then initialled and dated along with
the reason for change. Any blank areas not used need to be struck through initialled and dated. Users must
not use ditto marks. Don’t use a date stamp. Inspectors will now check to see that the person who filled out
the form was actually on site when the form was claimed to be completed if falsification is suspected.

 If there is a mistake and a new form is needed, then the form needs to be returned to the document
controller but before a new form is issued there need to be a documented rationale for why the form
needs to be replaced. The old form must be retained and a new form issued.

 At the completion of the work a reviewer needs to check that work completed correctly and if any
calculations are included on the form, they need to be verified as correct including rounding.

 The form along with other documented evidence is collated into the batch record and the form is
reconciled with the track and trace system.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 70 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Figure 25: Use of a Controlled Blank Template [81]

Generation
Distribution

Blank
Document Ver x
Blank Execution
Issued with
Document required of task
unique ID
Completion

Authorised Issued to Completed

User Authorised User Document Ver x
Request Time & Date of Issue Issued with
unique ID

Completed &
Review

Second person Reviewed

review, sign off Document Ver x
& date stamped with unique ID

Blank Unique ID
Quality

Document Document Document Quality Track & Collation into the

Version x Version x Use Trace System Batch record
Governance

Secure storage in
Secure Transfer
Data

protected IT
to Archive
environment

8.6.4 Are Paper Records the Best Way Forward?

See from the processes outlined in Figure 24 and Figure 25 are far more complex that just using a blank form
as we have done previously. However, the whole pharmaceutical industry is now picking up the bill for other
people’s laxity, mistakes and falsification. We now come to our earlier question – is paper the best way to
record GMP data? Looking above the answer is no.

BUT…..

The problem is that many of the software applications that are used in regulated laboratories today are ill-
equipped to take over many of the functions currently performed on paper today. This is due either to
inability to expand from their core functionality or poor compliance features such as records stored in
operating system files, inadequate audit trail functions including review and electronic signatures not on the

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 71 of 96
GMP, GCP and GDP Data Governance and Data Integrity

records that are signed. Suppliers and users need to work together to ensure adequate functionality and
compliance features and this will take time.

BUT…...

Even with the best software some activities laboratories may still need to be recorded on paper such as any
dilutions made during sample preparation. This work will need to be recorded on paper and manually entered
into an application such as a chromatography data system.

8.6.5 Summary

We have looked at an area of regulatory concern – control of blank forms. We have outlined one way to
achieve this in terms of processes but the mechanism (word processor file or an electronic document
management system) is left to the reader. The process is slow and cumbersome and is really a driver for
capturing as much data as possible electronically during an analysis to reduce the compliance overhead.

Please remember, just because you have always worked this way does not mean you can continue to work
this way.

8.7 Hybrid Systems

Hybrid systems where both paper and electronic records exist and are kept are much discouraged and
possess a threat to data integrity [3, 47, 82] . However, there are some systems, such as legacy systems
were this is unavoidable. In that case, mitigating controls should be in place.

8.7.1 Record Types in Hybrid Systems

There are several types of hybrid records:

 Records obtained from the processing of physical observations such as processing of SDS-PAGE and
other in-gel techniques
 Records obtained/originated directly from stand-alone computerized instruments such as
spectrophotometers and FT-IR.
 Records obtained from fully electronic computerized systems but firms have defined paper as raw
data. A corollary is where a laboratory used instruments that has the capability to capture and store
electronic data but paper was the only record was subject to an FDA warning letter [83]

The last type has no place in current GMP requirements.

The first two types of hybrid records are often created by legacy systems. This kind of analytical instruments
and systems often have generic logon, lack audit trails and features for electronic signatures.

One of the first problems with legacy system is that they usually have shared or generic logon credentials.
Thus, actions on electronic records cannot be attributable. A possible mitigation would be to establish
signatures on paper records or a logbook of actions and persons that accessed the system. This is not ideal
and such systems should be identified for replacement as soon as possible.

8.7.2 Electronic Source Data in Clinical Trials

In clinical studies, the investigator owns the source data, regardless of where the data is located. The data
may be under the control of the sponsor, a central clinical laboratory, an EDC provider, or a central image
reader, but the ownership is not transferred; the sponsor owns the data derived from the source data in a
data management process.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 72 of 96
GMP, GCP and GDP Data Governance and Data Integrity

According to the FDA Guidance for Industry: Electronic Source Data in Clinical Investigations [84] : “Capturing
source data electronically and transmitting it to the eCRF should:

 Eliminate unnecessary duplication of data

 Reduce the possibility for transcription errors
 Encourage entering source data during a subject’s visit, where appropriate
 Eliminate transcription of source data prior to entry into an eCRF
 Facilitate remote monitoring of data
 Promote real-time access for data review
 Facilitate the collection of accurate and complete data”

These benefits are only be achieved if the tools and the processes for data collection and capture are defined
and strictly controlled.

If data originates from a device/instrument and the device/instrument generates a raw data file, then that
raw data file including the associated metadata are considered the source data. Even if that device or
instrument is directly interfaced (and validated) with an eCRF, then the eCRF only contains a transcript of the
source data.

8.7.3 Audit Trail

The next problem is the non-existing audit trail. Again, no track of actions and who made them, when and
why is available. WHO (Appendix 1) recommends the following approach [47]:

" Where an existing computerized system lacks computer-generated audit trails, personnel may use
alternative means such as procedurally controlled use of logbooks, change control, record version control or
other combinations of paper and electronic records to meet GxP regulatory expectations for traceability to
document the what, who, when and why of an action. Procedural controls should include written procedures,
training programmes, review of records and audits and self-inspections of the governing process(es)".

8.7.4 Risk-Based Process Review

It is thus acceptable to use alternative means like logbooks to record the actions and ensure traceability. But
it also says that these logbooks should be controlled and reviewed via established procedures and training.
This is an extra burden for the second person reviewer as he/she only reviews the subset of data provided as
a printout and must have access to the logbook to be able to review what is not on the paper.

A risk-based approach to the review process is recommended.

8.7.5 Retention of Records

The last problem is the retention and archiving of records. What are you going to keep: the paper, the
electronic record or both?

At the beginning of the Part 11 journey, most companies decided to keep print-outs and destroy (delete) the
electronic records. According to FDA, this is only acceptable if the paper printout is a complete copy of the
original record, i.e. only acceptable for static records. This approach is not acceptable for dynamic records as
the dynamic format, i.e. metadata is not preserved. As discussed on the FDA web site, printouts from a
computerised system are not true copies under 21 CFR 211.180(d) and are not exact and complete as
required by 21 CFR 211.68(b) [85]. This is also reiterated in the data integrity guidance in Question 10 [2].

To illustrate how to mitigate all these problems, an example for the handling of SDS-PAGE records is shown.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 73 of 96
GMP, GCP and GDP Data Governance and Data Integrity

In brief, SDS-PAGE is a gel technique where samples (proteins) are separated by size on a polyacrylamide gel
when an electric field is applied. The final result is visualized by staining the gel (like a photograph). This type
of technique is often used as an Identity test but also as a purity test. In that case, an image of the gel is
processed in order to determine purity of each band in relation to the sum of bands. Although the SDS-PAGE
gel is the primary observation/record, a scanned image (electronic record) is processed to the final reportable
result where GMP decisions are made. The whole process is illustrated in Figure 26.

Figure 26: The Data Lifecycle and record handling in an SDS gel technique for the separation of proteins

Let us assume that the SDS-PAGE processing software is installed on a stand-alone computer linked to a flat-
bed scanner. The software uses logon credentials and has user segregation. The scanner is managed within
the software. However, the user can choose different scanning parameters that will need to be fixed and
controlled via procedures in order to obtain reproducible scanned images between users.

The next step is to process the scanned image by assigning lanes and position of each protein band. When
this is done, the software will then calculate percentage of purity based on the raw absorbance of each band.
A report (pdf) can be made that can be printed for review and control against the original gel. The report can
also be stored in a database or transferred to Excel and manually transcribed to LIMS.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 74 of 96
GMP, GCP and GDP Data Governance and Data Integrity

For the printed report to be acceptable, it must be a complete copy of the original electronic record. This
means that all information necessary to obtain the final result must be on paper (e.g. link to the original SDS-
PAGE gel, lane and band definition, raw absorbance, band intensity, filter used, operator, etc..). Once it has
been verified by the reviewer that indeed it is an accurate copy, the record can be signed. Unfortunately, the
software does not have electronic signatures and the electronic record cannot be signed but can be kept
secured in the database for which backup procedures are in place. So, the question is, do we still need the
paper report or can it be discarded after review?

Another problem that should be mentioned here is that the gel is usually scanned in wet form before drying it
for preservation purpose. Thus, once the gel has been scanned, the image (observation) cannot be
reproduced but still reprocessed by the software to obtain new final result. Again, procedural controls and
training must be in place to assure that creation, modification and deletion of electronic records are
performed according to data integrity principles.

8.7.6 Media Change

Combining paper and electronic records in one system it might be useful to define a media change procedure
describing how to convert paper records to electronic records in a defined way assuring data integrity.

This may be a straight forward procedure or following a risk-based approach depending on the nature of the
records involved. Points to cover in the conversion and review procedure and by the records requirements are
set by ALCOA+ (6.1 Definition of ALCOA+).

The risk-based approach may cover the number and role of the reviewers (4.8 Roles and Responsibilities),
and if the paper record is going to be archived after conversion. Following the DI principles there must only
be one Original record at the time, the converted Paper record becomes a (true) copy after conversion, or the
Electronic Record is further used as a true copy. This must be defined and clearly documented on/with the
record.

8.8 Spreadsheets

The difficulties associated with spreadsheets in terms of data integrity and security represent one of the
greatest challenges in the regulated environment. In the control and completion of blank forms discussed, in
section 9.4, the basic requirements were outlined i.e.

 Development of a secure template

 Distribution of controlled copies
and
 Storage of the completed record within a QMS ‘track and trace’ system.

These are the same for a spreadsheet.

However, the problem with the spreadsheet is much more complex especially as the end product is hybrid
record i.e. the completed template must be stored electronically as the primary E-record and a system must
be in place to link any printouts with it. In addition, the development and validation process for the
spreadsheet template must be clearly defined and documented. The most commonly used spreadsheet is
Microsoft Excel™ and for the purposes of guideline it will be used to illustrate issues and problems faced
when operating within a regulated environment.

In order to use a spreadsheet in a regulated environment it is necessary to;

 Specify and develop the spreadsheet in a controlled manner

 Demonstrate validation for intended use

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 75 of 96
GMP, GCP and GDP Data Governance and Data Integrity

 Maximise protection of the secure master template

 Control the distribution and completion of each copy of the secure template
 Save the completed template as an e-record under a new file name to a network
 Link the primary e-record with the paper printout (record signature linking)

8.8.1 Data integrity model for spreadsheet templates

The data integrity model referred to earlier has specific elements for spreadsheets as illustrated in Figure 27.
These may be summarised as;

Foundation level:

 Training and culture for data integrity

 Procedure for good documentation practice

Level 1:

 Development and validation of the spreadsheet and release of the validated master template

Level 3:

 Operational use of the validated spreadsheet template

 Second person reviewer training

Figure 27: Overview of the data integrity model for spreadsheet templates

PHARMACEUTICAL QUALITY SYSTEM

Quality Ass’nce Production Quality Control

LEVEL 3: LEVEL 3:
Batch Manufacture for the Right Product Right Analysis for the Right Reportable Result
Data Supporting Right Quality of a Product Data Acquired and Transformed that are Complete,
Batch Record meets Marketing Authorisation Consistent and Accurate
Quality Oversight

Compliance checks
of work
LEVEL 2: LEVEL 2:
Data integrity Right Manufacturing Process for the Right Job Right Analytical Procedure for the Right Job
audits Process Validation and On‐going Control Validated / Verified Under Actual Conditions of Use

Data integrity
investigations
LEVEL 1: LEVEL 1:
Right Equipment & Systems for the Right Job Right Instrument & Systems for the Right Job
Qualification and / or Validation for Intended Qualification and / or Validation for Intended
Purpose Purpose

FOUNDATION:
Right Culture and Ethos for Data Integrity (DI)
Management Leadership, DI Policies and Procedures, Staff DI Training

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 76 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Explicit regulatory guidance regarding data integrity for spreadsheets is currently limited to that of the MHRA,
in the draft GXP guidance issued in July 2016 [86] that specifies that

Spreadsheet printouts not representative of original data and therefore the e-record must be saved and

 Where relevant audit trail functionality does not exist (e.g. within legacy systems and spreadsheets)
an equivalent level of control may be achieved for example by the use of log books, protecting each
version and change control

In addition, the FDA data integrity guidance, question 12 [2], regarding when does electronic data become a
cGMP record states that “When generated to satisfy a cGMP requirement, all data become a cGMP record”.
Printing to PDF is not acceptable as the completed spreadsheet electronic file is part of complete data (as
required by 21 CFR 211.194(a) [34]).

8.8.2 Development and validation of spreadsheet templates

It is not within the scope of this guideline to discuss this topic in detail. However, it is both necessary and
sufficient to describe the main activities and associated processes. Little regulatory guidance or expectations
on the development and validation of Excel spreadsheets has been published. GAMP 5 Second Edition has a
section on control of spreadsheets in Appendix S3 on End User Applications including Spreadsheets [57]. As
mentioned earlier, there is a conflict in that just a paper printout is suggested if simple calculations are
performed. Don’t try this at home.

Figure 28: Associated processes for the development and validation of spreadsheet templates

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 77 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Figure 29: Overview of main activities for the development and validation of spreadsheet templates

USER
REQUIREMENTS
SPECTIFICATION

Technical Controls:
Procedural Controls: Access control
Data governance policy Data integrity input control
SOP for Excel spreadsheet development Development Calculation verification
Data Integrity
SOP for Excel spreadsheet validation and Decision integrity
Definition of inputs formulae and outputs Controls Protection: cell, sheet, workbook
Validation
Test plan and test cases & template
Validation Summary Report File naming convention
IT infrastructure controls

Signed off &

Secure
Excel Template

The main features of the necessary parts of the process are shown in the Figure 28 & Figure 29.

The technical controls in Excel have improved over the years and for versions 2013 and 2016 include the
ability to add password protect or encryption at the File, Workbook, and Worksheet levels in addition to the
technical controls within a worksheet. At the file level, it does have an option for digital signatures.
Unfortunately, they are not secure as they may be removed easily.

Regarding an audit trail, Excel does have a rudimentary one called Track Changes but only for shared
workbooks and it does not track all changes, for example format changes, although it does have a change
history sheet. That said it is not satisfactory for use in a compliant environment because it is only kept for a
specified interval and periodically deleted. It deletes any part of the change history that is older than the
number of days that were specified the last time the workbook was saved. The track changes feature was
not designed to meet either Part 11 or Annex 11 requirements.

For record signature linking it is important to populate the fields in the spreadsheet margin with appropriate
information such as file name, create date/time and print date/time to ensure the linkage between electronic
record and paper printout.

For these reasons it cannot be relied upon so a secure template is the only feasible option.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 78 of 96
GMP, GCP and GDP Data Governance and Data Integrity

8.8.3 Distribution and control of spreadsheet templates

Figure 30: Process for Distribution and control of spreadsheet templates

The distribution and control of spreadsheet templates is similar in nature to that of document templates as
shown in Figure 30 with the main difference being the necessity of saving a secure e-record.

The user:

 accesses a copy of the secured spreadsheet template under the Quality ‘Track and Trace’ system
within the QMS
 enters personal identification data
 enters data under SOP control
 ensures that the second person review process is actioned

The second person reviewer:

 enters personal identification data

 carries out any data transcription checks
 commits the completed file to be saved to a secure location with new name in accordance with the
file naming convention SOP. There should be technical and/or procedural controls in place to prevent
overwriting of saved file
 In the event of reviewer find a data transcription error, they should;
 Correct the error
 Raise a deviation
 Resave the file with a new but related filename in the secure location. Hence the file naming
convention needs include option for multiple versions of a saved file.

Note that date and time stamps are provided by the Network for each operation.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 79 of 96
GMP, GCP and GDP Data Governance and Data Integrity

8.8.4 Control of completed spreadsheet templates as e-records

Once the completed template has been saved it is the primary record. If a printout is required, then there
must be a secure method of record and signature linking and traceability to the e-record. Figure 31 illustrates
an overview of a typical process. This process is usually carried out in accordance with an SOP and confirmed
by audit. See Section 8.0 for more details.

Figure 31: Process for control of completed spreadsheet templates as e-records

8.9 Chromatographic Integration

One of the major sources of data falsification and poor data management practices is the ability of analytical
scientists to manipulate chromatography data by changing the various integration parameters. As a result,
there is increased regulatory scrutiny of this subject. This needs to be countered by a procedure for
chromatographic integration coupled with effective staff training and, where available, technical controls
implemented in the chromatography data system to limit manual integration.

This section is written on the basis of small molecule chemistry. For analysis involving biologicals,
macromolecules and biotechnology then there needs to be a risk-based approach to justify the overall
approach to integration. However, it is likely that there will be a greater proportion of manually integrated
chromatograms in these types of analyses.

8.9.1 Rules of Integration

There are three basic rules of chromatographic integration:

 Rule 1: Do NOT use default integration parameters. Ensure that each set of integration parameters is
tailored to an individual analytical procedure and do not use a one size fits all approach. For Beer-
Lambert’s law to hold the samples and standards must be consistently integrated, otherwise the
fundamental comparison of absorbance versus concentration cannot be performed.
 Rule 2: The function of a CDS is not to compensate for your poor method development or separation.
There is a belief in many laboratories that a CDS can be used to salvage an analytical run but this is
not the case. Robust and validated methods should reduce or eliminate this issue.
 Rule 3: Understand what is happening in the CDS.
Just because you get a number from a CDS you don’t always have to believe the result. Use your
eyes to look and your brain to think. For example, look at the integration codes (e.g. BB or BV) are

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 80 of 96
GMP, GCP and GDP Data Governance and Data Integrity

these the ones expected? Are baselines positioned where they should be and are they as expected?
Are retention times and peak shapes consistent throughout the run?

In his book on chromatography integration methods, Dyson notes that improving the chromatography must
always take precedence over setting up the CDS [87]:

If a chromatographer finds it necessary to tweak the parameters continuously in order to achieve

consistent measurement of standard samples, it is a clear indication that more work is needed to
bring the instrument and analysis under control.

This is because excessive use of manual integration to compensate for poor method development or
chromatographic separation increases the risk to data integrity (accuracy), and increases time to generate,
review and release results.

8.9.2 How Can Manual Integration Result in Falsification?

Using manual integration to falsify chromatographic data can arise in a number of ways, but the two main
ways are [88]:

 Peak Shaving – placing the baselines to reduce the peak area on integration to enhance the analyte
amount in a sample (only the standards are shaved) or reduce the amount of analyte reported (by
shaving the sample and not the standards). In Figure 32 the first eluting peak line 1 shows the
automatically integrated peak baselines peak shaving shown with line 2.

 Peak Enhancing – adjusting the baselines for integration to increase the area of a peak. Again, the
enhancement of sample areas over the standards can increase the calculated amount in the sample
or if reduction is required, the enhancement of the standards only is performed. Figure 32 line 3
shows how the minor or second eluting peak in the chromatogram can be enhanced.

Figure 32 shows the exaggerated enhancement and shaving of peaks but sometimes all that is required are
small changes to bring a non-conforming batch into compliance with a specification. This is where reviewers
need to be aware of what changes can be made and be vigilant to prevent this from occurring. There is also
the need to trend analytical results as required under EU GMP Chapter 6 on Quality Control to highlight out of
expectation (OOE) and out of trend (OOT) results as well as those that are out of specification (OOS). As
results out of trend or expectation may identify the actions of an individual analyst which may warrant closer
inspection.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 81 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Figure 32: Examples of Chromatography Peak Shaving (2) and Peak Enhancing (3)

In addition, inspectors and auditors will look for a number of factors to determine if there is unauthorised
manual manipulation of a peak:

 Discovery of manual integration that is not traceable or retrievable. A chromatographer should be

able to demonstrate that same results can be obtained if data files from a run are reprocessed – a
red flag is raised if this cannot be done quickly and while an inspector is looking at the task. This
could also be accompanied by an inspector looking to see if the CDS audit trail has been turned off
temporarily to conduct falsification.
 Electronic data is not available. A focus on paper as the raw data coupled with electronic records that
have been deleted or not saved means that data cannot be reprocessed and the result confirmed.
The question of falsification is raised and the laboratory is on the slippery slope to compliance hell.
 Integration parameters are different for standards and the unknown samples of the same run or
between replicate injections of the same unknown sample in an analytical batch.
 Evidence that the audit trail in the system has been turned off and then on again a few minutes later:
what changes have been performed that are not recorded?

8.9.3 What is Manual Integration?

Although regulatory authorities require control of manual integration there was no definition of what this
constitutes. However, in 2015 there was not a definition available for manual integration in the scientific
literature.

Which raises an important question: if we can’t define manual integration – how can we write an SOP on the
integration as a whole?

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 82 of 96
GMP, GCP and GDP Data Governance and Data Integrity

8.9.4 Scope of a Chromatographic Integration SOP

We have to balance sound science with regulatory compliance in the integration procedure. There has to be
a definition of when manual reintegration is scientifically sound and is defendable – provided that it is covered
in the integration SOP.

A suggested flowchart for consideration of integration is shown in Figure 33 [88]. It begins with the
completion of the chromatographic run and the automatic integration of peaks by the original processing
method. The resulting chromatograms are reviewed by the chromatographer to see if retention times and
peak shapes are as expected, the peak(s) have been correctly identified, baseline placement is as required by
the analytical procedure, and the sample is integrated consistently with the standard. There may be other
criteria that an individual laboratory wishes to apply. We now come to a decision point: is the run
acceptable? If yes, the individual results and the reportable value are calculated and all is well. All data at
this point have been calculated automatically by the CDS, the chromatographer is merely confirming what the
software has done conforms to pre-defined expectations.

However, if the integration is not acceptable we move to a second decision point. This asks if manual
integration (whatever that term may cover) is permitted for this analytical procedure. If not the next stage is
a laboratory investigation. What methods could we consider for inclusion for no manual integration? Perhaps
measurement of active pharmaceutical ingredients (APIs) or registered methods for finished product for the
active ingredient.

Figure 33: A Suggested Flow Chart for Manual Intervention and Manual Integration

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 83 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Manual integration should be specifically prohibited in the following circumstances:

 Symmetrical peaks that have acceptable baseline to baseline fitting following automatic integration.
 Enhancing or shaving peak areas to meet SST acceptance criteria or allowing a run to meet the test
specification

Now we come to what constitutes “manual integration” and Figure 33 presents three options. The outcome
required is consistent and appropriate manual integration that is scientifically defensible and we will present
this in the next section.

8.9.5 Manual Intervention versus Manual Integration

In Figure 33 options 1 and 2 are shown as manual intervention and option 3 as manual integration [88]. Let
us discuss the reasoning:

 Option 1: Peaks have slipped out of a window and they are not correctly identified. The automatic
integration is acceptable and all that is required is to change the peak windows in the integration
method and reprocess. Baseline placement is automatic.
Peak areas are not changed by this approach.
 Option 2: Parameters in the integration or processing method need to be adjusted and then applied
to all injections in the run. An example could be change of the peak threshold or minimum area to
reduce the impact of baseline noise. Baseline placement is automatic.
Peak areas may or may not be changed under his option but there is no manual placement of the
baselines by an analyst.
 Option 3: Manual placement of baselines by the chromatographer is required due to say a late
running peak or noise if undertaking an impurity analysis.
Baseline placement is manual.
Peaks areas will be changed by the reintegration.

Options 1 and 2 are manual intervention but the baseline placement is performed by the CDS and is not
altered by a chromatographer. These are the preferred options and easier to justify scientifically. Option 3 is
where everything else fails and a chromatographer goes through individual chromatograms and repositions
the baselines where appropriate. This latter point is important, it is an exercise of scientific judgement that
needs to be backed up by the procedures within the integration SOP.

8.9.6 Chromatographic Integration in Practice

Returning to the scenario discussed earlier when at the top of the flowchart in Figure 33. If the automatic
integration has failed because the peaks have slipped out of the retention windows (Option 1 in the manual
intervention section) should a laboratory investigation be started? Especially if the peak windows are
readjusted and after reintegration the run passes as peaks are now correctly labelled but there is no change
as the peak areas are unchanged. Although this situation is classified under “manual integration” by
regulatory authorities, there is no change to the actual measurement of the peaks of interest.

Should this situation be classified as manual integration? No – this is a manual intervention but not
reintegration. This is not intended to be word play but a means of trying to define exactly what the
regulators want in light of zero guidance and multiple citations on the subject. In addition, with modern CDS
there will be an audit trail of changes made.

Regardless of the content of the final SOP, chromatographers must be trained to perform manual integration
using a scientifically sound, justifiable and transparent process. We are looking at consistency of integration
technique among all chromatographers to ensure consistency of approach which can be provided via a CDS

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 84 of 96
GMP, GCP and GDP Data Governance and Data Integrity

by copying methods and chromatograms to a training project / directory and allowing chromatographers to
integrate the same files. One outcome of the training is that trained chromatographers think about where
they place a baseline when manually integrating a peak so that it is scientifically justified and complies with
the laboratory procedure.

Another outcome of the training is that all must understand that unauthorised manual integration outside of
the scope of the SOP is considered as data falsification. The more times that a run is reprocessed either via
manual intervention or manual integration the more quality assurance and regulatory scrutiny it will attract.

As a final comment, chromatographic integration should be included in the data integrity self-inspections to
ensure that the training and procedure are being complied with in operational use. Further information on
peak integration is found in a 2019 article [89].

8.9.7 Do Not Use Hybrid Systems

The 2016 WHO guidance [47] as well as the PIC/S guidance [3] make it very clear that hybrid systems are
not recommended for use in a regulated environment. WHO [47] in the section on Special risk management
considerations for controls to ensure that actions and records are attributed to a unique individual it states:

The use of hybrid systems is discouraged, …. (Page 29).

The hybrid approach is likely to be more burdensome than a fully-electronic approach (Page 30)

Replacement of hybrid systems should be a priority (Page 30).

In the same context PI-041, section 9.10, states [3]:

Hybrid systems require specific and additional controls in reflection of their complexity and potential
increased vulnerability to manipulation of data. For this reason, the use of hybrid systems is
discouraged and such systems should be replaced whenever possible.

However, it is not just the regulatory rationale that should be considered for replacement of hybrid systems,
the business driver for faster and more compliant working is a major factor. Here electronic working coupled
with the rationale use of electronic signatures will enable faster release of finished products onto the market.

8.9.8 Understand the Predicate Rule

Although the 21 CFR 11 regulation is 25 years old, it is important to understand the underlying GMP predicate
rule (21 CFR 211). There are two explicit requirements in the laboratory for signature: §211.194(a)(7) for the
tester performing the analysis and §211.194(a)(8) for the signature of the reviewer [34]. Although there are
other implicit requirements for signature e.g. reviewed, approved, verified, typically only two signatures are
required for each test carried out. The remainder of the activities in an electronic system involves attributing
actions to a specific individual authorised to do the work via a unique user identity that must not be shared
with other users. Unfortunately, many suppliers still are failing to get audit trails right.

8.9.9 Ensure the Software Application Can Work Electronically

In PI-041, section 9.1.4., there is an interesting quote about the design of GxP software [3]:

The processes for the design, evaluation, and selection of computerised systems should include
appropriate consideration of the data management and integrity aspects of the system. Regulated
users should ensure that vendors of systems have an adequate understanding of GMP/GDP and data
integrity requirements, and that new systems include appropriate controls to ensure effective data
management.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 85 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Prior to starting a project for electronic working, it is important that the software application is:

 Compliant with the technical requirements for both electronic records and electronic signatures for 21
CFR 11, EU GMP Annex 11 and Chapter 4 [35, 37, 77]
 Electronic signatures can be applied where the predicate rules state and on other records mandated
by the business and quality
 The system can be interfaced to other applications to ensure that there is no manual data
transcription and transcription checks
 The software can incorporate any required calculations currently performed by spreadsheets
 The application can support a documented second person review including audit trail entries

In summary please make sure that purchase of any computerised system for a regulated environment has
two critical components:

1. A supplier who understands data integrity and GXP regulatory requirements

2. A software that is containing technical controls to ensure both data integrity and GXP compliance

8.9.10 Simplify the Business Process

When implementing an electronic system, the current business process is mapped and the bottlenecks
identified. Where there are existing computerised systems, including spreadsheets, they should be mapped
onto the process. Then the existing process should be challenged to streamline and simplify the process and
eliminate as much paper as possible. Where possible the new system or new software version should be
configured as little as possible and custom coding should be avoided unless there is a specific business
requirement for this.

When implementing an electronic system there are three essential design requirements:

 Data capture at the source: acquire as much data electronically at the source of generation.
 Eliminate transcription error checking: Never print or re-enter data manually into a system, always
transfer the data electronically. This also includes elimination of printing and use of spreadsheet files.
This also applies to interfacing between applications: validate once and use many the interface times.
 Know where the data is stored: File naming conventions may be essential if the data systems do not
provide this automatically. Knowing where the data is stored enables efficient retrieval

Although many tasks in a process can be automated, often there may be tasks that cannot be automated as
the software application does not have the functionality to perform the work. In which case, there may still
be manually entered data e.g. dilutions made during sample preparation.

8.10 GDP – Good Distribution Practices

Data is defined to be critical when it is used to support critical GxP decisions where creation, modification or
deletion would have a high consequence to patient safety and/or product quality. The data is typically
captured in the form of electronic and/or paper records, for example raw data, recipes, methods, metadata.

GDP: Voice of the Regulators

In a 2018 blog an MHRA inspector gave some GDP Data Integrity examples are given from GDP inspections
[90].

When reviewing data, Terry Madigan, who has been GDP Inspector since 2009, asks himself ''does this data
matter (i.e. is it critical) and if so, can I trust what I see?''

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 86 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Sometimes data integrity problems are easy to spot, for example when a thermometer has not been
calibrated and staff does not know how to use it. So sometimes, the lack of quality of data might be due
to poor training or to the use of poor equipment. More difficult are cases of intended falsification of data.
This is often supported by non-robust or poorly defined processes. Better written procedures, recording and
record review could already help.

MHRA encourages stakeholders to use computerised systems providing they are "appropriately qualified and
controlled". Non-trackable software (like WhatsApp) for quality-critical event reporting is not an option (this
has been proposed by some wholesalers). Also, "the use of robots and electronic audit trails can lead to a false
sense of security in relation to data integrity", especially when "work-arounds are created".

GDP Critical Data

Within the GDP environment, there are several critical data involved such as temperature and distribution
records which are necessary for product market release and to ensure data has not been falsified. GDP
related data is also required for product traceability to ensure products have been sold and distributed to
authorized customers and exist within legitimate supply chain. This reduces the risk of falsification and
counterfeit drugs in the market. GDP information is also very important to support critical decisions during
product recall.

GDP for Medical products and auxiliaries used in Clinical Trials faces additional challenges as the
(re-) packaging and the blinding of the treatment is critical to the success of the trails in additions to the
product quality aspects listed above. Often these processes are supported by Interactive Response System
(IRT).

Critical Process Parameters and Critical Alarms (such as Temperature Data) need to be defined with required
actions within the GDP environment. These actions will also need to be recorded so that the alarm and event
logs can be reviewed, where appropriate, to support critical decisions.

The ALCOA + principles are applicable for GDP related data as stated earlier in section 7 of this document:

There are two types of GDP Data Type: Static and Dynamic

 Static: Data which is set-up initially and updated on a need basis. This is generally process
specification or parameters.
 Dynamic: Data which is completed on routine basis during operations.

Data criticality is determined by SQUIPP impact (i.e. Safety, Quality, Identity, Potency, or Purity) on the
product. Although, some GDP related data is important to ensure distribution is under control, it is not
necessarily classified as critical.

The following table provides an overview of the responsibility and checks for the different data types in the
GDP area.

Name of Data Criti Process Step Description and Purpose Type of Respon‐ Verification
Data Type ‐cal Record sibility
Customer Static No Customer Creation Approval of Customer to Paper Quality Single Check
License and Approval receive and distribute and Periodic
products. Licence provided Check
by Health Authority
Quality Static No LSP / Customer Agreements/Contracts with Paper Quality Single Check
Agreement Agreements Service Provider to define and Periodic
Quality requirements Check

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 87 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Name of Data Criti Process Step Description and Purpose Type of Respon‐ Verification
Data Type ‐cal Record sibility
Distribution Static No Route and Shipping Data from LSP and Paper / Logistics Single Check
Risk Lane Assessment Customer to build DRA to Electronic and Periodic
Assessment for Distribution assess risk and provide Check
mitigations
Temp. Static Yes Product Stability Stability limits (Temp/Time) Paper / QC / Quality Double Check
Excursion limits outside of for Distribution derived Electronic and Periodic
Allowance label claim during from QC thermo‐stability Check
Distribution data

Temp. Dyna Yes Product Stability Cumulated time out of Paper / Warehouse/ Double Check
Excursion mic limits outside of refrigeration during Electronic Logistics /
Allowance label claim during distribution and storage Quality
Distribution activities recorded during
routine activities
Temp. Static Yes Product Temp set‐ Product temp limits (e.g. Paper / QC / Quality Double Check
Conditions up (Label Claim) 2°C to 8°C) within Electronic and Periodic
for Product from stability data acceptable temperature Check
range based on product
shelf‐life data
Transfer Dyna Yes Product transfer Time between transfer to Paper Warehouse/ Double Check
Time mic between minimize product exposure Logistics /
loading/unloading to non‐controlled Quality
or within buildings temperature/humidity
conditions based on SOP
Storage Static No Storage Storage area indicator Electronic Warehouse Double Check
Section linked to Warehouse and
Indicator inventory management
Receipt Dyna No Receipt Process and Check done by Warehouse Paper/ Warehouse Double Check
checks of mic acceptance and recorded for incoming Electronic / Quality
shipment delivery for non‐
conformance (e.g. Product,
Quantity, Damage, Expiry,
Temperature)
Temp data Dyna Yes Distribution To record temperature Paper/ Warehouse/ Double Check
from Data mic Temperature during distribution Electronic Logistics /
Logger / compliance activities – To verify if Quality
Indicator / product temperature is
Truck Print‐ within acceptable
out temperature range
Temp and Dyna Yes Storage compliance To record temperature and Paper/ Warehouse/ Double Check
Humidity mic humidity during storage Electronic Quality
data from activities – To verify if
Data Logger product temperature is
/ Temp within acceptable
Probe temperature range
(System)
Shipping Static No System used to Master Data set‐up with Paper/ Warehouse/ Double Check
and distribute products the shipping and Electronic Quality
Monitoring monitoring solution for
Systems distribution
Delivery Dyna No Distribution process Recorded for outbound Paper Logistics Single Check
Record mic delivery including
documents such as Packing
list, Invoice, Airway bill,
CMR, Bill of Lading,
Customs Clearance
document, Proof of
Delivery (POD)

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 88 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Name of Data Criti Process Step Description and Purpose Type of Respon‐ Verification
Data Type ‐cal Record sibility
Expiry Static No Inventory To manage inventory pro‐ Paper/ Warehouse Single Check
Information Management actively to reduce product Electronic
waste. FEFO (First Expiry
First Out) principles should
be used.
Proof of Dyna No Delivery Proof Document which provides Paper/ Logistics Single Check
Delivery mic evidence that delivery has Electronic
(POD) been received by
consignee.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 89 of 96
GMP, GCP and GDP Data Governance and Data Integrity

9 Technical Glossary

Accurate Data must be accurate without errors and data edits must be documented and
traceable.

ALCOA A commonly used acronym for “attributable, legible, contemporaneous, original and
accurate”.

ALCOA+ A commonly used acronym for “attributable, legible, contemporaneous, original and
accurate”, which puts additional emphasis on the attributes of being complete,
consistent, enduring and available – implicit basic ALCOA principles.

Attributable It must be recorded who acquired the data or performed an action and when the data
was acquired or an action was performed.

Audit trail Audit trails are complete sets of metadata that contains information associated with
actions and are records of GMP critical information. E.g. creation, modification or
deletion of records, as well as information associated to the actions which enable the
reconstruction of a full set of data to the final reportable result.

Available Over the lifetime of a data set it must be available for review, audits and inspections.

Complete All data must at all times be present and available, including any repeated sampling or
re-analysis performed on the sample.

Consistent All separable parts of a data set, such as the sequence of events, must be dated and/or
time-stamped in expected sequence.

Contemporaneous The acquiring of data or performance of action must be documented at the time of the
activity.

Controlled factor A factor which state of control is constant and unchanged throughout the course of the
data generating process.

Data Data means all original records and true copies of original records, including source data
and metadata, information associated to the generation of data and all subsequent
transformations and reports of these data (derived data), which are generated or
recorded at the time of the GxP activity and allow full and complete reconstruction and
evaluation of the GxP activity.

Data governance The totality of arrangements to ensure that data, irrespective of the format in which
they are generated, are recorded, processed, retained and used to ensure a complete,
consistent and accurate record throughout the data lifecycle

Data lifecycle All phases in the life of data from initial generation and recording through processing
(including transformation or migration), use, data review and retention,
archiving/retrieval and decommissioning.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 90 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Derived data Derived data is data that has been processed by a computerized system or by manual
handling (e.g. calculations). In situations where the derived data cannot be re-
generated and they are used in GMP decisions the derived data becomes raw data.

Direct Data Direct data is data collected from an original source.

Dynamic record Records in dynamic format, such as electronic records, that allow for an interactive
relationship between the user and the record content.

GDP Formerly “Good Documentation Practice”. The acronym now is commonly used for
“Good Distribution Practice”.

GMP Data Data acquired or collected as part of commercial production, production to clinical
studies or development activities including supporting activities such as qualification of
equipment and validation of processes and analytical methods (including raw data,
derived data, metadata and information associated to the generation of data). Equally
applicable to non-electronic data (e.g. paper) and data of electronic origin.

Electronic Data Electronic data means any combination of text, graphics, data, audio, pictorial or other
representation in digital form that is created, modified, maintained, archived, retrieved,
or distributed by a computer system.

Enduring All data must be stored on proven storage media regardless of whether it is
documented on paper or stored electronically.

Hybrid record This refers to the use of a computerized system in which there is a combination of
original electronic records and paper records that comprise the total record set that
should be reviewed and retained.

Indirect Data Data that has been used for a purpose different to that for which it was originally
collected.

Legible All parts of the data set must be readable.

Management E.g. vice president, senior director, director, department leader, manager or team
leader.

Metadata Metadata are attributes of data. The metadata describe data and provide context and
meaning. E.g. when was the data recorded, which sample was used, who recorded the
data, has the data been changed since recording and if so which changes have been
made.

Original Data should be documented as the original documentation e.g. original electronic file,
original printouts (e.g. from weight), observation or be a true copy thereof.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 91 of 96
GMP, GCP and GDP Data Governance and Data Integrity

Process In this context, process is defined as all processes impacting GMP data. E.g. LIMS
system, equipment software, validated processes and validated methods. In this context
process is not limited to processing of data by computerised systems.

Process handling This could be e.g. quality assurance (QA), IT-personnel, system owners, process owners
personnel or project teams.

QRM Quality Risk Management

Raw Data Raw data is any original record that is the result of original observations and activities
taking place as part of commercial production, production to clinical studies or
development activities.

Static record A static record format, such as a paper or pdf record, is one that is fixed and allows
little or no interaction between the user and the record content.

True copy An exact verified copy of an original record. The copy is accurate and complete and
preserves content and meaning (i.e. all data, metadata and functionality) and it is
clearly documented when and by whom verification has been performed.

Uncontrolled factor A factor which state of control potentially can change through the course of the data
generating process.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 92 of 96
GMP, GCP and GDP Data Governance and Data Integrity

10 References

1. R.D.McDowall, Data Integrity and Data Governance: Practical Implementation in Regulated

Laboratories. 2019, Cambridge: Royal Society of Chemistry.
2. FDA Guidance for Industry Data Integrity and Compliance With Drug CGMP Questions and Answers
2018, Food and Drug Administration: Silver Spring, MD.
3. PIC/S PI-041 Good Practices for Data Management and Integrity in Regulated GMP / GDP
Environments Draft. 2021, Pharmaceutical Inspection Convention / Pharmaceutical Inspection
Cooperation Scheme: Geneva.
4. EudraLex - Volume 4 Good Manufacturing Practice (GMP) Guidelines, Chapter 1 Pharmaceutical
Quality System. 2013, European Commission: Brussels.
5. EudraLex - Volume 4 Good Manufacturing Practice (GMP) Guidelines, Chapter 9 Self Inspection. 2001,
European Commission: Brussels.
6. ICH Q2(R1) Validation of Analytical Procedures: Text and Methodology. 2005, International
Conference on Harmonisation: Geneva.
7. USP General Chapter <1220> Analytical Procedure Lifecycle. 2022, United States Pharmacopoeia
Convention Inc: Rockville.
8. ICH Q2(R2) Validation of Analytical Procedures, Step 2 Draft. 2022, International Council on
Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use (ICH):
Geneva.
9. ICH Q14 Analytical Procedure Development. Step 2 draft. 2022, International Council on
Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use (ICH):
Geneva.
10. FDA Guidance for Industry Process Validation: General Principles and Practices. 2011, Food and Drug
Administration: Silver Spring, MD.
11. EudraLex - Volume 4 Good Manufacturing Practice (GMP) Guidelines, Annex 15 Qualification and
Validation. 2015, European Commission: Brussels.
12. ICH E6 (R2) Guideline for Good Clinical Practice 2018, International Conference on Harmonisation:
Geneva.
13. R.J.Davis, Judge Wolin's interpretation of curent Good Manufacting Practice Issues contined in the
Court's riuling United States versus Barr Laboratories, in Development and Validation of Analytical
Methods, C.L.R.a. T.W.Rosanske, Editor. 1996, Pergammon Press: Oxford. p. 252.
14. Administration, F.a.D., Inspection of Pharmaceutical Qualiy Control Laboratories. 1993, Rockville, MD:
Food and Drug Administration.
15. Administration, F.a.D. Able Laboratories Form 483 Observations. 2005 1 Jan 2016]; Available from:
http://www.fda.gov/downloads/aboutfda/centersoffices/officeofglobalregulatoryoperationsandpolicy/o
ra/oraelectronicreadingroom/ucm061818.pdf.
16. Administration, F.a.D., Compliance Program Guide 7346.832 Pre-Approval Inspections, in Chapter 46
New Drug Evaluation. 2010, Food and Drug Adminsitration: Silver Springs MD.
17. FDA Compliance Program Guide CPG 7346.832 Pre-Approval Inspections. 2019, Food and Drug
Administration: Sliver Spring, MD.
18. FDA Compliance Program Guide CPG 7346.832 Pre-Approval Inspections. 2022, Food and Drug
Administration: Silver Spring. MD.
19. Scheme, P.I.C.P.I.C., Aide-Memoire Inspection of Pharmaceutical Quality Control Laboratories (PI-
023-2). 2007, Geneva: Pharmaceutical Inspection Convention / Pharmaceutical Inspection
Cooperation Scheme.
20. PIC/S Computerised Systems in GXP Environments (PI-011-3). 2007, Pharmaceutical Inspection
Convention / Pharmaceutical Inspection Co-operation Scheme (PIC/S): Geneva.
21. (PIC/S), P.I.C.S., Computerised Systems in GXP Environments (PI-011-3), P.I.C.S. (PIC/S), Editor.
2007, Pharmaceutical Inspection Convention / Scheme (PIC/S): Geneva.
22. Administration, F.a.D. Questions and Answers on Current Good Manufacturing Practices, Good
Guidance Practices, Level 2 Guidance - Records and Reports. 2014 [cited 2015 29 October];
Available from:
http://www.fda.gov/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/ucm124787.htm.
23. FDA Pharmaceutical cGMPs for the 21st Century: A Risk-Based Approach. 2002, Food and Drug
Administration: Rockville, MD.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 93 of 96
GMP, GCP and GDP Data Governance and Data Integrity

24. FDA Final Report Pharmaceutical GMPs for the 21st Century - A Risk-Based Approach. 2004, Food and
Drug Administration: Rockville, MD.
25. ICH Q9 Quality Risk Management. 2005, International Conference on Harmonisation: Geneva.
26. ICH Q9 (R1) Quality Risk Management. 2021, International Council for Harmonisation: Geneva.
27. R.D.McDowall, Do You Really Understand the Cost of Noncompliance? Spectroscopy, 2020. 35(11): p.
13-22.
28. Ranbaxy Laboratories Ltd & Ranbaxy Inc: Consent Decree of Permanent Injunction. 2012.
29. R.D.McDowall, The Role of Chromatography Data Systems in Fraud and Falsification. LCGC Europe,
2014. 27(9): p. 486-492.
30. Cetero Research Untitled Letter (11-HFD-45-07-02). 2011, Food and Drig Administration: Silver
Spring, MD.
31. FDA Letter to ANDA Sponsors Conducting Bioequivalence Studies at Cetero Research. 2011; Available
from: http://www.fda.gov/downloads/drugs/drugsafety/ucm267907.pdf.
32. D.Garde. Former Cetero shutters its operations, leaving sponsors and patients locked out. 2013;
Available from: Former Cetero shutters its operations, leaving sponsors and patients locked out.
33. Inspection Observations. 2020; Available from: https://www.fda.gov/inspections-compliance-
enforcement-and-criminal-investigations/inspection-references/inspection-observations.
34. 21 CFR 211 Current Good Manufacturing Practice for Finished Pharmaceutical Products, F.a.D.
Administration, Editor. 2008: Sliver Spring, MD.
35. EudraLex - Volume 4 Good Manufacturing Practice (GMP) Guidelines, Chapter 4 Documentation, E.
Commission, Editor. 2011: Brussels.
36. EudraLex - Volume 4 Good Manufacturing Practice (GMP) guidelines, Part 2 - Basic Requirements for
Active Substances used as Starting Materials. 2014, European Commission: Brussels.
37. EudraLex - Volume 4 Good Manufacturing Practice (GMP) Guidelines, Annex 11 Computerised
Systems. 2011, European Commission: Brussels.
38. EudraLex - Volume 4 Good Manufacturing Practice (GMP) Guidelines, Chapter 6 Quality Control. 2014,
European Commission: Brussels.
39. 21 CFR 312 Inventigational New Drug Application. 1987, Food and Drug Administration: Rockville,
MD.
40. Agency, M.a.H.p.R. MHRA expectation regarding self inspection and data integrity 2013 [cited 2013
01 Jan 2016]; Available from:
http://webarchive.nationalarchives.gov.uk/20141205150130/http://www.mhra.gov.uk/Howweregulat
e/Medicines/Inspectionandstandards/GoodManufacturingPractice/News/CON355490.
41. Agency, M.a.H.p.R., MHRA GMP Data Integrity Definitions and Guidance for Industry 1st Edition.
2015, Medicines and Healthcare products Regulatory Agency, London.

42. Agency, M.a.H.p.R., MHRA GMP Data Integrity Definitions and Guidance for Industry 2nd Edition.
2015, Medicines and Healthcare products Regulatory Agency: London.
43. MHRA GXP Data Integrity Guidance and Definitions. 2018, Medicines and Healthcare products
Regulatory Agency: London.
44. 21 CFR 58 Good Laboratory Practice for Non-Clinical Laboratory Studies. 1978, Food and Drug
Administration: Washington, DC.
45. OECD Series on Principles of Good Laboratory Practice and Compliance Monitoring Number 1, OECD
Principles on Good Laboratory Practice. 1998, Organsation for Economic Co-operation and
Development: Paris.
46. al, N.A.K.e. Data Integrity in Global Clinical Trials: Discussions From Joint US Food and Drug
Administration and UK Medicines and Healthcare Products Regulatory Agency Good Clinical Practice
Workshop. Clinical Pharmacology and Therapeutics 2020 18 November 2022]; Available from:
https://ascpt.onlinelibrary.wiley.com/doi/10.1002/cpt.1794.
47. WHO Technical Report Series No.996 Annex 5 Guidance on Good Data and Records Management
Practices. 2016, World Health Organisation: Geneva.
48. Draft Good Data and Records Management Practices 2015, World Healh Organisation: Geneva.
49. FDA Draft Gudance for Industry Data Integrity and Compliance with cGMP. 2016: Silver Spring, MD,
USA.
50. OECD Series on Principles of Good Laboratory Practice (GLP) and Compliance Monitoring, Number 22,
Advisory Document of the Working Party on Good Laboratory Practice on GLP Data Integrity 2021,
Organisation of Economic Cooperation and Development Paris.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 94 of 96
GMP, GCP and GDP Data Governance and Data Integrity

51. R.D.McDowall, How Static Are Static Data? LCGC Europe, 2022. 35(2): p. 66-71.
52. FDA Guidance for Industry: Computerised Systems Used in Clinical Investigations. 2007, Food and
Drug Administration Rockville, MD.
53. Burgess, R.D.M.a.C., The Ideal Chromatography Data System for a Regulated Laboratory, Part 1: The
Compliant Analytical Process. LC-GC North America 2015. 33(8): p. 554 - 557.
54. Burgess, R.D.M.a.C., The Ideal Chromatography Data System for a Regulated Laboratory, Part 2:
System Architecture Requirements. LC-GC North America, 2015. 33(10): p. 782-785.
55. Burgess, R.D.M.a.C., The Ideal Chromatography Data System for a Regulated Laboratory, Part 3:
Essential Chromatographic Functions for Electronic Ways of Working. LC-GC North America, 2015.
33(12): p. AAA - BBB.
56. Burgess, R.D.M.a.C., The Ideal Chromatography Data System for a Regulated Laboratory, Part 4:
Assuring Regulatory Compliance LC GC North America, 2016. 34(2): p. 144 - 149.
57. Good Automated Manufacturing Practice (GAMP) Guide 5, Second Edition. 2022, Tampa, FL:
International Society of Pharmaceutical Engineering.
58. FDA Guidance for Industry General Principles of Software Validation. 2002, Rockville, MD: Food and
Drug Admnstration.
59. R.D.McDowall, The Humble Instrument Log Book. Spectroscopy, 2017. 32(12): p. 8-12.
60. EudraLex - Volume 4 Good Manufacturing Practice (GMP) Guidelines, Chapter 7 Outsourced Activities.
2013, European Commission: Brussels.
61. OECD Series on Principles of Good Laboratory Practice and Compliance Monitoring Number 17 on
Good Laboratory Practice Application of GLP Principles to Computerised Systems. 2016, Organisation
for Economics Co-Operation and Development: Paris.
62. Notice to sponsors on validation and qualification of computerised systems used in clinical trials.
2020, European Medicines Agency: Amsterdam.
63. EMA Draft Guideline on Computerised Systems and Electronic Data in Clinical Trials. 2021, European
Medicines Agency: Amsterdam.
64. GAMP Guide Records and Data integrity. 2017, Tampa, FL: International Society for Pharmaceutical
Engineering.
65. GAMP Good Practice Guide: Data Integrity - Key Concepts. 2018, International Society for
Pharmaceutical Engineering: Tampa, FL.
66. GAMP Good Practice Guide Data Integrity for Manufacturing Records. 2019, Tampa, FL: International
Society for Pharmaceutical Engineers.
67. GAMP Good Practice Guide: Data Integrity by Design. 2020, Tampa, FL: International Society for
Pharmaceutical Engineering.
68. GAMP Good Practice Guide: Validation and Compliance of Computerized GCP Systems and Data (Good
eClinical Practice). 2017, Tampa, FL: International Society of Pharmaceutical Engineers.
69. ICH Q10 Pharmaceutical Quality Systems. 2008, International Conference on Harmonisation: Geneva.
70. McDowall, C.B.a.R.D., What's in a Name? LC-GC Europe, 2016. 28(11): p. 621 - 626.
71. Agency, E.M., Procedure for Conducting GCP Inspections Requested by the EMEA: Annex III
Computer Systems, E.M. Agency, Editor. 2007, European Medicines Agency: London.
72. S.W.Wollen. Data Quality and the Origin of ALCOA in The Compass Summer 2010, Newsletter of the
Southern Regional Chapter, Society of Quality Assurance. 2010; Available from:
http://www.southernsqa.org/newsletters/Summer10.DataQuality.pdf
73. Reflection paper on expectations for electronic source data and data transcribed to electronic data
collection tools in clinical trials. 2010, European Medicines Agency: London.
74. Draft Guideline on Computerised Systems and Electronic Data in Clinical Trials. 2021, European
Medicines Agency: Amsterdam.
75. R.D.McDowall, Is Traceability the Glue for ALCOA, ALCOA+ or ALCOA++? Spectroscopy, 2022. 37(4):
p. 13 - 19.
76. EMA Guideline on the content, management and archiving of the clinical trial master file (paper
and/or electronic). 2018, European Medicines Agency: London.
77. 21 CFR Part 11; Electronic Records; Electronic Signatures Final Rule. Federal Register, 1997. 62(54):
p. 13430 - 13466.
78. 21 CFR 211 Current Good Manufacturing Practice for Finished Pharmaceutical Products. 2008, Food
and Drug Administration: Sliver Spring, MD.
79. ISA-95 Enterprise-Control System Integration Part 1. 2010, International Society for Automation:
Research Triangle Part, NC.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 95 of 96
GMP, GCP and GDP Data Governance and Data Integrity

80. W.Schumacher and S.Schoettle. Data Integrity in the Production Area. in 6th Global Quality Assurance
Conference. 2020. Sendai, Japan.
81. C Burgess and R.D. McDowall, Paper, Paper Everywhere but None of it Controlled. LCGC Europe,
2016. 29(9): p. 498 - 504.
82. WHO Technical Report Series 1033, Annex 4 Guideline on Data integrity. 2021, World Health
Organisation: Geneva.
83. FDA Warning Letter BBC Group Limited. 2021; Available from: https://www.fda.gov/inspections-
compliance-enforcement-and-criminal-investigations/warning-letters/bbc-group-limited-614659-
08042021.
84. FDA Guidance for Industry: Electronic Source Data in Clinical Investigations. 2013, Food and Drug
Administration: Rockville, MD.
85. FDA Questions and Answers on Current Good Manufacturing Practices, Good Guidance Practices,
Level 2 Guidance - Records and Reports. 2010 22 Dec 2019 ]; Available from:
https://www.fda.gov/drugs/guidances-drugs/questions-and-answers-current-good-manufacturing-
practices-records-and-reports.
86. MHRA GXP Data Integrity Definitions and Guidance for Industry, Draft version for consultation July
2016. 2016, Medicines and Healthcare products and Regulatory Agency: London.
87. N.Dyson, Chromatographic Integration Methods. 2nd Edition ed. 1998, Cambridge: Royal Society of
Chemistry.
88. R.D.McDowall, Where Can I Draw The Line? LCGC Europe, 2015. 28(6): p. 336-342.
89. H.Longden and R.D.McDowall, Can We Continue to Draw the Line? LCGC Europe, 2019. 21(12): p.
641–651.
90. T.Madigan. I Don't Believe It! 2018 19th November 2022]; Available from:
https://mhrainspectorate.blog.gov.uk/2018/05/25/i-dont-believe-it/.

© Copyright: ECA Foundation, Germany – Copying, editing and distributing require the written agreement of the ECA Foundation Page 96 of 96