Guest Column | December 20, 2021

The Data Integrity Body of Knowledge Expands with New & Pending Guidances

By Kip Wolf, X-Vax Technology, @KipWolf


Expectations for data integrity in life sciences are defined both explicitly and implicitly by regulations and guidance. The understanding of existing and emerging risks to data integrity is constantly evolving as technology evolves and is reflected as accurately and contemporaneously as possible through regular release of additional guidance. Some of the contemporary guidance documents, both released and draft, are explained here to better understand their scope and relationship to one another and to provide an example of the ever-changing landscape of data integrity challenges and potential solutions.   

U.S. Regulations And Guidance

While some readers may be familiarizing themselves with the topic of data integrity for the first time, the concepts are not new. The predicate rules defined in the United States under Title 21 of the Code of Federal Regulations (21 CFR) describe requirements for data integrity. These requirements may not explicitly state data “integrity” but do imply such. The Data Integrity and Compliance With Drug CGMP Questions and Answers Guidance for Industry published by FDA in 2018 summarizes well the relationship of predicate rules to data integrity. Some examples include:

  • §§ 211.100 and 211.160 (requiring that certain activities be “documented at the time of performance” and that laboratory controls be “scientifically sound”).
  • § 212.110(b) (requiring that data be “stored to prevent deterioration or loss”).

There are also requirements for data integrity defined explicitly in 21 CFR Part 11, the Electronic Records; Electronic Signatures rule published in 1997. Both the preamble to 21 CFR Part 11 and the regulation itself include explicit reference to data “integrity,” with the preamble providing great context from the conversations of interpretation that led to the final rule. One example of this is:

  • § 11.10 – Controls shall be employed to “ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records.”.

In addition to the final rule and preamble for 21 CFR Part 11, the Guidance for Industry Part 11, Electronic Records; Electronic Signatures — Scope and Application may provide some context for data integrity requirements and potential solutions by referring to a risk-based approach. In the guidance, the FDA indicated that enforcement action might not be taken as long as (among other things) there is an “acceptable level of record security and integrity,” assuming that the acceptable level is supported by documented evidence that is the result of sufficient risk assessment. 

European Guidelines

The European Medicines Agency (EMA), as a decentralized agency of the European Union (EU), is responsible for the scientific evaluation, supervision, and safety monitoring of medicines in the EU.

The EU rules, regulations, and guidelines that govern medicinal products are published in the EudraLex, which consists of many volumes and annexes. Included in these documents are Annex 11, the guidance for the use of computerized systems within GMP-related activities, which is the counterpart of U.S. 21 CFR Part 11. Annex 11 was originally published as a GMP-related guideline and in 1992, it also became part of the GLP and GCP requirements in Europe. Annex 11 was further revised and modernized in 2011. Explicit guidance on data integrity came from the EMA in the form of Q&A published online in August of 2016.

United Kingdom Guidance

The Medicines & Healthcare products Regulatory Agency (MHRA) further defined the risk-based approach to data integrity management with its ‘GXP’ Data Integrity Guidance and Definitions published in March 2018. This guidance provides detailed definitions and interpretation of requirements for key terms and concepts related to data integrity, including “ALCOA,” as excerpted below.

Data should be:

A – attributable to the person generating the data

L – legible and permanent

C – contemporaneous

O – original record (or certified true copy)

A – accurate

World Health Organization Guidance

The World Health Organization (WHO) published in 2016 the 50th report of the WHO Expert Committee on specifications for pharmaceutical preparations, which includes in Annex 5 guidance on good data and record management practices. The annex includes definitions and concepts similar to other guidance, as well as a chapter dedicated to “Quality risk management to ensure good data management” and other chapters that expanded concepts for data reliability and data life cycle management.

Guidance From Global Industry Groups

Industry groups provide forums for ongoing discussion of regulations and related guidance and in some cases produce their conclusions in written technical reports or other documents to share perspective and interpretation that may be useful to consider for the reader’s own application.

The International Society for Pharmaceutical Engineering (ISPE) cultivates a special interest group on data integrity and has produced a number of useful technical guidance documents under the society’s Good Automated Manufacturing Practice (GAMP) subcommittee. These include, in order of publication:

  • ISPE GAMP Guide: Records & Data Integrity, March 2017. The guide “provides principles and practical guidance on meeting current expectations for the management of GxP regulated records and data, ensuring that they are complete, consistent, secure, accurate, and available throughout their life cycle.”
  • ISPE GAMP RDI Good Practice Guide: Data Integrity —- Key Concepts, October 2018. This guide expands on the concepts in the Records and Data Integrity (RDI) guide published in March 2017 and “provides detailed practical guidance to support data integrity within a regulated organization.”
  • ISPE GAMP RDI Good Practice Guide: Data Integrity – Manufacturing Records, May 2019. This guide “provides practical and pragmatic advice on areas such as regulated records, data flows, and risk management approaches, with particular focus on process control systems, manufacturing execution systems, and the interfaces and relationship between them.”
  • ISPE GAMP RDI Good Practice Guide: Data Integrity by Design, October 2020. This guide “supports organizations as they embrace and implement a holistic approach by leveraging data governance and knowledge management activities to drive continual improvement in data integrity. The guide promotes a patient-centric mindset, focusing resources and management attention on quality best practices that inherently facilitate meeting regulatory compliance requirements.”

The Parenteral Drug Association (PDA) cultivates an interest group on data integrity and has produced technical reports to provide a summary of best practices. These include, in order of publication:

  • PDA Technical Report No. 80 (TR80) Data Integrity Management System for Pharmaceutical Laboratories, August 2018. The technical report “summarizes data integrity risks and the best practices, including audit approaches, that can be utilized to develop a robust data integrity management system for laboratory settings with both manual and electronic processes that firms can follow to achieve compliance and mitigate risks.”
  • PDA Technical Report No. 84 (TR84) Integrating Data Integrity Requirements into Manufacturing & Packaging Operations, September 2020. The technical report “addresses data integrity from the perspective of manufacturing operations. It discusses regulatory trends, risk management concepts, and recommendations for implementing appropriate data integrity controls in manufacturing operations applicable to paper-based, electronic-based, and hybrid systems.”

The Pharmaceutical Inspection Convention (PIC) and the Pharmaceutical Inspection Co-Operation Scheme (PIC Scheme) operate in parallel (commonly referred to as PIC/S) and have been considering data management and integrity for many years, culminating in a final guidance published as Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments in July 2021. The stated purpose of the PIC/S guide is to provide “guidance for Inspectorates in the interpretation of GMP/GDP requirements in relation to good data management and the conduct of inspections.” The guide was in draft for many years before final publication and has been of great interest to the community as it is one of the few guides that has provided detailed definitions for terms, including definitions for the data integrity principles of ALCOA+ as well as a detailed glossary of terms related to data integrity.

The ISPE GAMP guides, the PDA technical reports, the PIC/S guide, and the many related data integrity interest groups provide very detailed interpretation of the regulations and how to comply with them through examples of best practices that may be considered in the context of the reader’s own business needs.

Data Integrity Guidance For The Future

There are a number of draft and pending guidances related to data integrity. The WHO coordinated in 2019 a draft data integrity guidance for comment (Guideline on Data Integrity - Draft for Comments, World Health Organization, 2019) that suggests explicitly the alignment of data integrity concepts to quality risk management as defined by the International Conference on Harmonisation (ICH).  

A guidance just recently published on Oct. 27, 2021, shows how data integrity requirements span industry segments. The Good Machine Learning Practice for Medical Device Development: Guiding Principles defines “10 guiding principles that can inform the development of Good Machine Learning Practice (GMLP). These guiding principles will help promote safe, effective, and high-quality medical devices that use artificial intelligence and machine learning (AI/ML).” The guidance is the joint work product of the FDA, Health Canada, and the MHRA. This shows the international potential of regulatory requirements and the collaborative motivations of contemporary health authorities. It also shows the cross-segment opportunities for understanding similar data integrity requirements (e.g., between medical device and pharmaceuticals/biotech), as data integrity is clearly a critical success factor for meeting many of the guiding principles related to training data sets or available data, to name a few.

A draft technical report related to data integrity is also currently being reviewed by the Standards Committee of the American Society for Quality (ASQ) that may result in a universal data integrity standard. The comprehensive and industry agnostic standard may include guidelines for collection, recording, and retaining data within the scope of quality management systems and may be published sometime in 2022. 

The data integrity body of knowledge continues to expand while relying on predicate rules and leveraging previous guidance. As demonstrated in this article, there seems to be a shift in the thinking within the life sciences community and existing health authorities as well as a collaboration across a variety of technical capabilities and innovations. Evolving technologies, such the next iteration of the internet (e.g., Web 3.0), blockchain/bitcoin, artificial intelligence, and machine learning, all present challenges to our classic concepts of data integrity as much as new opportunities for meeting data integrity requirements. And meeting our data integrity requirements must always be considered in the broad context of a contemporary body of knowledge. Today’s innovative data integrity solutions must meet tomorrow’s emerging requirements rather than simply addressing yesterday’s rules and regulations.


  1. 21 CFR PART 11—ELECTRONIC RECORDS; ELECTRONIC SIGNATURES. U.S. Food and Drug Administration (FDA), March 20, 1997.
  2. Data Integrity and Compliance With Drug CGMP Questions and Answers Guidance for Industry. U.S. Food and Drug Administration (FDA), December 13, 2018.
  3. Guidance for Industry Part 11, Electronic Records; Electronic Signatures — Scope and Application. U.S. Food and Drug Administration (FDA), August 2003.
  4. EudraLex - Volume 4 Good Manufacturing Practice (GMP) - Annex 11: Computerised Systems. European Commission, January 2011.
  5. Guidance on Good Manufacturing Practice and Distribution Practice: Questions Answers – Data Integrity Section. European Medicines Agency, August 2016.
  6. GXP’ Data Integrity Guidance and Definitions. Medicines and Healthcare Products Regulatory Agency (MHRA), March 2018.
  7. WHO Expert Committee on Specifications for Pharmaceutical Preparations, Fiftieth Report. World Health Organization, 2016.

About The Author:

Kip Wolf is the head of technical operations and portfolio management at X-Vax Technology, Inc., where he manages internal operations and outsourced partner relationships/activities, and leads the project management office that oversees the company’s portfolio of R&D projects. His technical experience includes the fields of quality assurance and regulatory affairs, GMP and IT compliance, technical operations, and product supply. His areas of leadership expertise include business transformation, new business development, organizational change leadership, and program/project management. He has led business process management groups at Wyeth Manufacturing and at Merck Research & Development. Prior to joining X-VAX, he supported the company as a principal consultant at Tunnell Life Sciences Consulting, where he led the data integrity practice. Wolf can be reached at