ISPE GAMP RDI: A Practical Records & Data Integrity Programme You Can Defend

ALCOA+ is the spine of every modern data integrity citation. Attributable: every record ties to a uniquely identified person and a timestamp from a trusted clock. Legible: human and machine-readable for the full retention period, including the metadata that gives the record meaning. Contemporaneous: captured at the time of the activity, not reconstructed end-of-shift from notebooks or memory. Original: the first capture (or a true certified copy) is preserved, not the transcribed summary. Accurate: the record reflects what actually happened, with the calculations and rounding rules documented. Complete: all data including reprocessed, failed, and out-of-spec results are retained — the deleted-injection scandal lives here. Consistent: the sequence of events is recorded in true chronological order across all systems involved. Enduring: retained on durable media for the regulated retention period (typically batch life + 1 year, or the longer of contract/statutory). Available: retrievable on demand for review, audit and inspection within the inspection window. The GAMP RDI guide is structured around exactly these nine attributes, with worked examples for each.

GAMP RDI breaks the data lifecycle into six explicit phases: generation, processing, review, reporting, retention and disposal. Each phase has its own failure modes, and most data integrity citations occur at the transitions. Generation breaks when instruments are uncontrolled (shared logins, unlocked audit trails, manual overrides). Processing breaks when raw data is exported to Excel and the integrity controls are dropped at the export boundary. Review breaks when audit trail review is theoretical — signed off without being looked at. Reporting breaks when CoAs and batch records aggregate values without traceability back to source. Retention breaks when records are migrated, format-shifted or moved to lower-tier storage without an integrity check. Disposal breaks when records are destroyed before the retention period closes or after a hold notice has been raised. The GAMP RDI guide explicitly maps each phase to inspectable evidence: who, what, when, on what system, against what SOP, and where the audit trail review is recorded.

MHRA, FDA and PIC/S PI 041 all expect routine, risk-based audit trail review for GxP critical systems — and almost no inspector accepts 'we review trails when we investigate deviations' as evidence of routine review. The GAMP RDI guide is unambiguous: define what events warrant review (changes to critical parameters, overrides, deletions, OOS reprocessing, user privilege changes), define the cadence (per-batch for QC release-impacting systems, monthly or quarterly for lower-risk systems), define the reviewer (independent of the data generator), and capture the review itself as a controlled record. The pragmatic challenge is volume: a modern LIMS or MES produces thousands of audit trail events per shift, and human review of every event is neither feasible nor required. The guide endorses risk-based filtering and exception-based review — but the rules, thresholds, and the rationale for them must be documented and validated.

A hybrid record is one where part lives in an electronic system and part on paper (or in an uncontrolled spreadsheet) — and where neither part is the complete record on its own. Hybrid records dominate FDA 483s and EU GMP deficiencies because they are easy to create accidentally (instrument prints raw data to a chromatogram while the integration parameters live in a paper logbook) and almost impossible to defend without a written hybrid-record policy. The GAMP RDI guide requires: a documented inventory of hybrid records, an explicit definition of which medium is the original raw data, a cross-reference mechanism (electronic record references the paper logbook entry by ID and vice versa), and a retention policy that covers both media for the full period. The strategic answer is to eliminate hybrid records over time — but the tactical answer for the records you have today is rigorous policy plus an inspectable hybrid-record register.

Excel is the most commonly used GxP application that no one validates. The GAMP RDI guide treats spreadsheet-based calculations the same as any other computerised system: classify under GAMP 5 (typically Category 5 because of bespoke macros), validate the formulas and locked cells against intended use, control versions, restrict modification rights, and capture the audit trail of every change. Realistically, the right answer for high-volume or high-risk spreadsheet processes is to migrate them into validated systems (LIMS, eQMS, MES). For the spreadsheets that remain, the controls must include: a locked validated template, a controlled change process, periodic re-validation, and — critically — the discipline that the validated spreadsheet is the original record, not a transcription of a paper original.

GAMP RDI insists that data integrity is owned, not aspired to. The guide names four roles that must exist (regardless of titles): the Data Owner (accountable for a defined data domain — e.g. analytical QC data — and its lifecycle controls), the System Owner (accountable for the computerised system that holds the data), the Process Owner (accountable for the business process that generates and consumes the data), and the QA Data Integrity Lead (independent oversight, programme governance, periodic effectiveness review). Each role has explicit deliverables: the Data Owner approves retention rules and access policies, the System Owner approves the validation state and periodic review, the Process Owner signs off the SOP linking data capture to the process, and the QA Data Integrity Lead approves the RDI programme and reports to senior management on its effectiveness. Without named roles, data integrity becomes IT's problem — which is precisely the failure mode regulators have been calling out for a decade.

ALCOA+ Enduring and Available together require that records remain retrievable in their original meaning for the full retention period — which for batch records can be 30+ years. GAMP RDI separates two distinct activities that companies routinely conflate: backup (operational restore from recent storage, measured in days to weeks) and archive (long-term preservation, format migrations, integrity verification). Both must be validated. Both must be tested. Backup tests prove you can restore last week's data within the recovery time objective. Archive tests prove you can render and review a 10-year-old chromatogram including its raw data and metadata. The classic failure is the company that has perfect daily backups but cannot open a 2014 CDS file because the vendor dropped support — and the records are GxP-relevant for another decade.

For cloud-hosted GxP systems, GAMP RDI requires an explicit shared-responsibility matrix: who is accountable for which control (encryption at rest, key management, backup integrity, audit trail retention, data residency, security incident response, breach notification timelines). The matrix is not optional — both MHRA and FDA inspectors have begun asking for it by name. The vendor's SOC 2 attestation and ISO 27001 certificate are necessary but not sufficient: you still need the matrix that maps the controls to your regulated processes and your validation file. The same applies to supplier-managed multi-tenant audit trails: if the vendor manages the audit trail database, you must have contractual and technical assurance that you can retrieve your audit trail for any inspection, including during a contract dispute.

GAMP RDI does not replace GAMP 5, Annex 11 or 21 CFR Part 11 — it sits on top of them. GAMP 5 covers how you validate the system; Annex 11 and Part 11 cover what controls the system must implement for electronic records and signatures; RDI covers how you operate the system over its full lifecycle to keep the records defensible. An audit-ready RDI programme cross-references all three: the validation file (GAMP 5), the electronic-record controls register (Annex 11 / Part 11), and the RDI operational evidence (audit trail review, hybrid-record register, periodic data-integrity effectiveness review). When an inspector pulls a thread on one record, the three documents should converge on the same answer.

Days 1 to 10: appoint the QA Data Integrity Lead and document the four governance roles; complete a hybrid-record inventory and a GxP spreadsheet inventory. Days 11 to 25: rank systems by data-integrity risk (criticality of data, volume, complexity, regulatory exposure); for the top tier, define audit trail review filters, cadence, and reviewers, and capture the rationale. Days 26 to 40: validate the audit trail review against three weeks of real data to confirm the filters surface what they should; close the gaps in the validation file (Annex 11 controls register, retention rules per record class). Days 41 to 55: run a mock inspection on one tier-one system — pull a record, walk the inspector through GAMP 5 validation, Annex 11 / Part 11 controls, and RDI operational evidence; capture the gaps and close them. Days 56 to 60: present the RDI programme effectiveness metrics to senior management and book the next quarterly review. Most companies see citations drop and inspection prep time collapse from weeks to days by month four.