In recent years, global pharmaceutical organizations have adapted to new rules established by agencies such as the US Food and Drug Administration (FDA) and the European Medicines Agency (EMA). Some such regulations relate to data and focus on subjects such as computerized systems, electronic records and signatures, and attributable, legible, contemporary, original, and accurate (ALCOA+) standards. Data governance and data integrity are critical for compliance, requiring companies to maintain paper and electronic records.

Quality control (QC) laboratories generate many records that are fundamental to assuring the quality and safety of pharmaceutical products. A key challenge for the pharmaceutical industry is guaranteeing the integrity of records that are generated during production processes, both in electronic and paper format. The FDA is one of the primary regulatory bodies that has set a standard for data integrity in the pharmaceutical industry.

In 2013 and 2014, the agency made a significant number of noncompliance observations related to data integrity and governance. Those inspections laid groundwork for developing the FDA’s 2016 draft guidance on Data Integrity and Compliance with CGMP, which the World Health Organization (WHO) followed with Guidance on Good Data and Record Management Practices, and the United Kingdom’s Medicines and Healthcare products Regulatory Agency (MHRA) followed with MHRA GxP Data Integrity Definitions and Guidance for Industry (1–3).

The latter document proposes a revision of data integrity from a global perspective by including good practice standards for laboratory work, product distribution, clinical studies, and pharmacovigilance. Further publications include the International Society for Pharmaceutical Engineering’s (ISPE’s) 2017 good automated manufacturing practice (GAMP) guide on Records and Data Integrity and the FDA’s 2018 Data Integrity and Compliance With Drug CGMP: Questions and Answers (still valid as of January 2024) (4, 5).

The updated regulations and lack of global knowledge about data-integrity standards have created problems for many organizations and given rise to regulatory gaps. Companies continue to have issues with

• poor documentation practices

• inadequate maintenance

• inadequate availability of records throughout a data life cycle

• falsification of test data

• omission of out-of-specification data

• weak data security

• insufficient audit trails

• poor document back-up and archival.

Organizations often struggle to interpret and comply with data-integrity regulations. Guidelines and international publications related to data integrity and governance are designed to help companies achieve maximum compliance and ensure product quality, data integrity, and patient safety. But many countries have adopted changes gradually. To create document systems that comply with industry regulations, organizations need to understand data integrity fully. According to the FDA, data integrity is defined as the security of data — in paper or electronic form — from a regulatory and best-practices standpoint. You can help ensure data security by checking your organization’s compliance with each ALCOA+ attribute:

Attributable — Data are uniquely identifiable through the questions “Who? When? What? And why?”

Legible — Data are readable and traceable, and their permanence is ensured.

Contemporary — Data are recorded at the time of performance.

Original — Data are captured from the source and are maintained and secured.

Accurate — Data are correct, valid, truthful, and reliable.

The “+” in “ALCOA+” refers to additional principles. Data and metadata are complete and can be used to recreate any event. Data are consistent, meaning that they are generated in the same way every time. Data are durable and remain intact during an entire retention period. And data are accessible and made available for workers to reference.

Implementing data integrity is necessary within a quality system for an organization to achieve proper data governance. That enables companies to establish processes based on continuous monitoring, system validation, ALCOA+ metrics, data life cycles, and data-integrity fundamentals.

One area of special consideration is a company’s QC laboratory. It is where analytical and microbiological controls are performed on samples that are taken during a manufacturing process and when data inputs can influence a final product before its release. But what does data-integrity compliance look like in a laboratory? How do you identify whether a record is ALCOA+ compliant?

Ensuring ALCOA+ Compliance

Laboratory data are attributable when technicians write signatures, initials, and dates on records or when electronic equipment logs a user identification (ID) and password within its system records among the activities performed during a given operation. Tracing a user ID, date, and electronic signature to a generated record ensures data-integrity compliance.

In a paper format, data are legible when records are made based on good documentation practices, thus ensuring durability. For example, original data need to be visible even after corrections or cancellations, with associated signatures, new dates, and written justifications. And in electronic format, data should be available in a printable and readable format. Electronic data should be easy to access and interpret, with a complete audit history intact, even if the data themselves are deleted or modified.

Data are contemporaneous if they are recorded when they are generated. In electronic form, a computerized system should be able to store their history in real time.

Paper data are considered to be original when they are verified by a second person after being recorded manually or when corrections are made according to good documentation practices. In a computerized system, the originality of a record is confirmed when the versioning or audit trail is active or complete, and a backup copy is created and verified.

Finally, data are accurate when output records are printed or written and original documents that support gathered information are safeguarded.

Data are complete when companies can access all digital backups that are generated by a computerized system when that system is decommissioned. Data are consistent when they follow a logical sequence of operations; for example, drafting, reviewing, and then approval. Data are durable and accessible when, during the time of validation and archiving, they are easy to consult, and they comply with retention rules.

Whether records are in paper or electronic form, it is important that companies comply with ALCOA+ guidelines, thereby ensuring data governance and integrity as required by regulatory agencies. Complying with such requirements represents a great challenge for the pharmaceutical industry because often there is no clear approach to implementing a quality system for data governance. Maintaining data integrity is a continuous undertaking, but understanding and applying the associated guidelines will put companies that adopt them at the forefront of the industry.


1 Data Integrity and Compliance with CGMP: Guidance for Industry. US Food and Drug Administration: Rockville, MD, 2016;

2 Annex 5. Guidance on Good Data and Record Management Practices. World Health Organization: Geneva, Switzerland, 2016;

3 MHRA GxP Data Integrity Definitions and Guidance for Industry. Medicines and Healthcare products Regulatory Agency: London, 2018;

4 ISPE/GAMP. GAMP Records and Data Integrity Guide. International Society for Pharmaceutical Engineering, 2017;

5 Data Integrity Compliance with Drug CGMP: Questions and Answers. US Food and Drug Administration: Rockville, MD, 2018; 


Julio Merino is general manager of services for Mexico and senior associate partner, Daniela Reyes is project manager officer, and corresponding author Gaurav Walia is principal of computer systems validation, all at PQE Group, Località Prulli 103/c 50066 Reggello, Florence, Italy; [email protected].

You May Also Like