Data integrity
Data integrity is the end-to-end assurance that GxP records are attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, and available, so regulators can trust that what your records say is what actually happened.
How does Data integrity apply to your shop floor?
Pick your industry and scale — Ask V5 rewrites the definition in your context, gives a worked example, and shows what V5 does on day one.
01What is data integrity?
Data integrity is the degree to which data and records can be relied on to represent what actually occurred. In regulated manufacturing, it is the difference between a record that can support a batch release decision and one that requires quarantine, investigation, or rejection. It applies equally to paper and electronic records, to metadata and raw data, and to the people and processes that create, transform, review, archive, and retrieve information.
ALCOA plus articulates what trustworthy records look like: attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, and available. These are not optional ideals. They are testable characteristics inspectors use to evaluate whether your documentation and computerized systems produce reliable evidence of compliance and product quality.
Regulators frame data integrity as a lifecycle obligation. Controls must be designed before data is generated, operate while data is in use, and persist through retention and retrieval. This view spans procedures, training, access control, audit trails, change control, backups, and governance. Failures anywhere in this lifecycle can undermine the reliability of decisions made using the data.
Global authorities have converged on a harmonized stance. WHO expectations reflected in technical reports, and PIC/S inspectorate practices, reinforce that data integrity is embedded within GMP principles rather than treated as a stand-alone program. See the WHO compilation in WHO TRS 1044 and alignment efforts captured in PIC/S Annex 1 alignment.
02Regulatory basis and standards
In the United States, 21 CFR Parts 210 and 211 establish cGMP requirements for drugs, and 21 CFR Part 11 sets criteria for using electronic records and signatures in lieu of paper and handwritten signatures. FDA’s Data Integrity and Compliance with cGMP guidance clarifies expectations for contemporaneous recording, secure audit trails, restricted access, and documented review. For medical devices, FDA’s Quality System Regulation and the Quality Management System Regulation transition further emphasize documentation controls and record retention.
In the European Union, EudraLex Volume 4, Annex 11 (Computerised Systems) and Annex 1 (Sterile Medicinal Products) embed data integrity across the pharmaceutical quality system. The EMA has reinforced risk-based approaches and the need for senior management oversight. The MHRA’s GxP Data Integrity Definitions and Guidance for Industry provides authoritative definitions and pragmatic compliance expectations that many inspectorates now reference.
ICH Quality Guidelines make the link explicit. ICH Q7 (APIs), Q9(R1) (Quality Risk Management), and Q10 (Pharmaceutical Quality System) require risk-based controls that enable reliable records, with data integrity treated as an inherent quality attribute. ISO 13485 for medical devices and ISO 9001 for quality management systems expect controlled records, validated software where appropriate, and retained evidence suitable for audits and inspections. USP general chapters and compendial procedures similarly presume trustworthy raw data and metadata.
Across these documents, the common thread is lifecycle control of data and metadata, with expectations tailored to the technology in use. Static and dynamic electronic records, for example, may require different methods of review and preservation. Understanding the distinction helps right-size controls without over- or under-engineering systems, as discussed in dynamic vs static records.
03Scope and applicability across GxP records
Data integrity covers every GxP record that informs product quality or patient safety. That includes master batch records and executed batch documentation, analytical raw data and calculations, equipment logs, environmental monitoring, cleaning and calibration evidence, supplier qualification files, training records, complaints, deviations, CAPAs, and release decisions. Distribution and pharmacovigilance records fall within scope when they influence quality risk or regulatory submissions.
It applies to paper and hybrid processes as much as to fully electronic systems. A bound, pre-numbered logbook with controlled entries is as much a data integrity control as a validated LIMS with secure audit trails. The choice of medium changes the technical controls required, not the obligation to maintain trustworthy records.
Timing is critical. Records that are created at the time work is performed are inherently more reliable and less error-prone than those reconstructed hours later. Regulators expect the discipline of contemporaneous recording to be normal practice, not a stretch goal, and to be backed by procedures and oversight.
Attribution is equally foundational. Every action must be traceable to a uniquely identified individual or system, together with the date, time, and context. This is the essence of attributable recording, and it extends to review and approval signatures. Where procedural steps are complex, well-designed electronic work instructions help standardize execution and reduce opportunities for ambiguous or incomplete entries.
04How data integrity works in practice
Start with governance. Senior management must set expectations, resource the controls, and monitor performance. Procedures should translate ALCOA plus into concrete behaviors for authors, reviewers, and approvers. Training must be role-specific and reinforced through routine oversight, including management walkthroughs and quality metrics that track timely, error-free documentation.
On the shop floor and in the lab, systems should make the right action the easy action. Role-based access, unique credentials, and time-synchronized systems support attribution and contemporaneity. Secure, computer-generated audit trails capture who did what, when, and why. Reviewers examine not only reported results but also metadata and audit trails commensurate with risk.
Document control keeps templates current and prevents uncontrolled copies. Change control ensures changes to methods, software, or equipment do not silently erode data reliability. Backup and archival plans protect records against loss or corruption for the full retention period. Periodic review verifies that controls remain effective as processes and technologies evolve.
The digital backbone matters. An EBMR/eDHR platform can enforce step sequencing, prevent skipped fields, and prompt contemporaneous entries. Strong authentication, such as password plus token, helps deter shared logins and repudiation risk. Together with risk-based validation, these elements demonstrate that your electronic records are both technically and procedurally trustworthy.
05ALCOA plus principles in depth
ALCOA plus provides a concise, testable vocabulary for what trustworthy records look like. The first five elements—attributable, legible, contemporaneous, original, accurate—describe the essential nature of a single record. The four “plus” elements—complete, consistent, enduring, available—extend that lens across record sets and over time.
These principles are technology-agnostic. Whether an operator signs a paper batch record with indelible ink or authenticates an electronic entry with a compliant e-signature, the expectation is the same: the record can withstand scrutiny and support the decision it informs. Controls should be proportionate to process risk, yet rigorous enough to deter and detect error or malfeasance.
Well-implemented ALCOA plus also improves efficiency. Clear attribution reduces rework. Legibility and consistent structure accelerate review. Enduring, available records reduce cycle time for audits and recalls. A robust traceability data model helps express these qualities across materials, equipment, people, and process steps.
| Principle | What it means | Illustrative control |
|---|---|---|
| Attributable | Who performed an action or created a record is uniquely identifiable, with date and time. | Unique user IDs, role-based access, e-signatures tied to individuals. |
| Legible | Records are readable and permanent for the entire retention period. | Indelible ink on controlled forms, validated viewers for electronic formats. |
| Contemporaneous | Data is recorded at the time the work is performed. | Time-stamped entries at point of work, enforced step sequencing. |
| Original | The first capture or a certified true copy is preserved with metadata. | Direct machine data capture, certified scans with verification. |
| Accurate | Entries reflect reality without error or unjustified manipulation. | Calibrated instruments, double-checks, automated calculations with verification. |
| Complete | All data, including out-of-spec and repeat runs, is retained. | Retention of all audit trail events, no deletion or selective exclusion. |
| Consistent | Chronology and data sets align across systems and versions. | Synchronized clocks, version control, controlled templates. |
| Enduring | Records persist in tamper-evident form for the retention period. | Validated backups, write-once media or controls that ensure integrity. |
| Available | Records can be retrieved promptly for review or audit. | Indexed archives, tested retrieval procedures, disaster recovery drills. |
06Common pitfalls and misinterpretations
Most data integrity citations do not involve sophisticated hacking or exotic system failures. They come from everyday practices that slowly degrade trust: reconstructing entries after the fact, signing for someone else, discarding trial runs that did not work, keeping unofficial spreadsheets, or allowing uncontrolled copies to circulate. These behaviors create both objective gaps in the record and subjective doubt in reviewers’ minds.
Another frequent error is conflating software features with compliance. A system may have audit trails, permission models, and e-signatures, yet still fail if procedures allow backdating or if training normalizes the use of generic accounts. Conversely, organizations sometimes overcorrect by freezing improvements for fear of validation burden, which can leave high-risk manual workarounds in place longer than necessary.
Finally, teams can misread guidance and aim for perfection in low-risk contexts while missing high-impact weaknesses. A risk-based lens should prioritize controls where data informs product release, sterility assurance, or patient treatment decisions. This is where structured, guided shop-floor data collection and robust supervisory review make the biggest difference.
- Re-entering values later to “clean up” illegible or incomplete entries without preserving the original and justifying the change
- Using uncontrolled, locally saved spreadsheets for calculations that affect release decisions
- Copying prior batch entries into a current record without verification or attribution
- Deleting or failing to retain audit trail events viewed as “noise” or “non-critical”
- Relying on out-of-sync system clocks that distort the true chronology of events
- Treating hybrid systems as paper-only, skipping electronic review of metadata and audit trails
07Relationship to neighboring frameworks and controls
Data integrity is intertwined with, but distinct from, several other disciplines. Computer system validation demonstrates that software consistently performs as intended in its intended use. Information security protects confidentiality, integrity, and availability against unauthorized access or loss. Quality risk management ensures controls are proportionate to the potential impact on product quality and patient safety. A robust quality system connects all three in daily operations.
Regulatory programs rely on this interplay. Part 11 and Annex 11 expect validated systems and technical safeguards. GMP expects sound documentation practice and management oversight. ICH Q9(R1) expects that organizations apply risk thinking to review effort and control design, for example deciding when to examine audit trails in depth versus sampling, based on process criticality and system design.
Clinical and pharmacovigilance processes bring additional nuances. Electronic source data, case report forms, and safety databases have their own operational standards, yet the same ALCOA plus qualities apply. Effective electronic data capture and well-governed interfaces reduce manual transcription and support end-to-end traceability from manufacture to patient outcomes.
Supply chain and serialization layers also matter. When materials, components, and finished goods traverse multiple parties, the integrity of identity, status, and environmental data determines whether chain-of-custody and quality decisions are defensible. Harmonized master data, controlled handoffs, and well-defined responsibilities help preserve context over time.
08High-risk contexts: sterile manufacturing, labs, and distributed supply chains
Some environments amplify the consequences of data integrity weaknesses. In sterile manufacturing, the link between process parameters, environmental monitoring, and aseptic behavior is tight, and EU GMP Annex 1 raises expectations for contamination control strategy, trend analysis, and contemporaneous documentation. Records that are vague, incomplete, or delayed can undermine the sterility assurance case quickly.
In analytical laboratories, raw data is often dynamic and instrument-generated. Controls must ensure original data and metadata are protected from manipulation while remaining accessible for review and reprocessing when scientifically justified. Instrument qualification, method validation, audit trails covering acquisition and processing, and controlled reporting templates work together to maintain a clear chain from sample receipt to reported result.
Distributed supply chains create complexity in context preservation. Temperature, shock, and location data acquired during storage and transport inform product disposition decisions and sometimes shelf-life calculations. Data must be time-aligned, tamper-evident, and interpretable by quality personnel who did not generate it. Failure to maintain this context can lead to incorrect release or unnecessary wastage.
Where monitoring is essential, electronic evidence should be captured and safeguarded appropriately. Calibrated data loggers, validated gateways, and secure repositories reduce transcription, while procedures define when excursions trigger investigation. In weigh–dispense and other material-handling operations, enforced identification, reconciliation, and verification help bind actions to people, places, and equipment with minimal ambiguity.
09Implementing data integrity and how V5 supports it
Implementing strong data integrity begins with a formal risk assessment that inventories record types, systems, and processes, then ranks them by impact and vulnerability. From there, build a remediation plan that clarifies governance, updates procedures, defines roles and training, tightens access and attribution, and upgrades systems where control-by-procedure is insufficient. Validation and change control ensure that new and modified controls work as intended without introducing new risks.
Operationalize the plan by designing records that capture necessary context the first time, where work happens. Enforce contemporaneous entries, standardize units and terminology, and embed checks that catch omissions or inconsistencies at entry. Strengthen supervisory review to include audit trails and metadata proportional to risk, and close the loop with metrics that track timeliness, error rates, and recurring failure modes.
Sustain performance with management review, internal audits, and ongoing learning. Periodically challenge assumptions by sampling records from high-risk areas and by stress-testing recovery and retrieval. As processes digitize and regulations evolve, revisit the risk assessment and adjust controls to keep the balance between efficiency and assurance.
Frequently asked questions
Q.What does ALCOA plus stand for and why does it matter?+
It stands for attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, and available. These qualities make records reliable enough to support GMP decisions, inspections, and product release without reconstruction.
Q.Is 21 CFR Part 11 the same as data integrity?+
No. Part 11 defines how electronic records and signatures can be trustworthy and equivalent to paper. Data integrity is broader, covering people, processes, and records across the entire GxP lifecycle, whether paper, hybrid, or digital.
Q.Are audit trails always required for electronic systems?+
For GxP-significant data, regulators expect secure, computer-generated audit trails that record creation, modification, and deletion of data and metadata. Review should be risk-based and commensurate with the system’s impact on product quality.
Q.How long must we retain GxP records?+
Retention periods are set by specific regulations and marketing authorizations. As a rule, retain records at least through the product’s shelf life plus one year, or as otherwise required by regional legislation and license conditions.
Q.Can shared logins ever be compliant?+
Shared logins undermine attribution and are routinely cited as data integrity violations. Each user should have unique credentials and defined privileges, with authentication and training that deter password sharing and enable accountability.
Q.How do inspectors evaluate data integrity during audits?+
Inspectors sample records for ALCOA plus qualities, examine audit trails and metadata, and test whether procedures and system controls operate in practice. They focus on high-risk processes and trace critical decisions back to raw data.
Q.What is the best first step if we find a data integrity gap?+
Stop the problematic practice, assess potential impact on product quality and released lots, and open a deviation. Then define corrective and preventive actions, strengthen oversight, and report to management for transparent governance.
Primary sources
- U.S. FDA — Data integrity and cGMP expectations
- Electronic Code of Federal Regulations (21 CFR Parts 11, 210, 211)
- EudraLex Volume 4 — EU GMP (Annex 11, Annex 1)
- EMA Human Regulatory — Quality and GMP Framework
- MHRA — GxP Data Integrity Guidance
- PIC/S — Inspectorate guidance and GMP resources
- WHO — GMP and Quality Assurance resources
- ICH Quality Guidelines (Q7, Q9, Q10)
- ISO 13485 — Medical Devices Quality Management
- USP — Standards and compendial quality expectations
- NIST — Digital identity and cybersecurity references
Further reading
- ALCOA plusA concise breakdown of the nine attributes regulators expect to see in every GxP record.
- Data integrity by designPractical ways to embed ALCOA plus into systems and procedures before data is generated.
- MHRA data integrity guidanceKey definitions and inspection expectations from the UK authority widely referenced by regulators.
- WHO GMP TRS 1044 (2022)WHO’s consolidated GMP positions, including data and record management expectations.
- Dynamic vs static recordsUnderstanding how record type drives review, preservation, and validation strategy.
- Contemporaneous recordingWhy timing matters and how to make real-time entries routine in operations.
- Attributable recordingControls that tie every GxP action to a unique individual with context.
- Electronic work instructionDigitized SOP guidance that reduces ambiguity and enforces complete entries.
- Traceability data modelStructuring data so materials, equipment, and people stay linked across the process.
- Data loggerHow electronic devices capture and protect environmental data for quality decisions.
Explore this topic
Data integrity sits inside this topic cluster in our glossary. Every neighbour is one click away.
Electronic records, signatures, audit trail and ALCOA+ data-integrity principles.
V5 Ultimate ships with the Data integrity controls already wired in — audit trail, e-signatures, validation evidence. Free trial, no credit card, onboard in days, not months.
