Zamann Pharma Support logo

Siedlerstraße 7 | 68623 Lampertheim, Germany

Data Integrity: Key requirements for Computerized Systems

What is Data Integrity?

Ensuring Data Integrity: Critical for Accurate, Reliable, and Secure Data in Pharmaceutical Manufacturing.

Data integrity ensures that data generated throughout the manufacturing process is accurate, reliable, and secure. Data integrity refers to the completeness, consistency, and accuracy of data throughout its lifecycle, from creation and processing to storage and retrieval.

By implementing Data integrity (DI)  controls, organizations can embrace new technologies and digital innovations, paving the way for automated production systems. This integration is vital for upgrading outdated systems and improving operational support. Maintaining data integrity involves adhering to procedures, guidelines, and standards right from the design stage. Whether data is stored for a short or long duration, and regardless of how frequently it’s accessed, its accuracy, completeness, and trustworthiness remain intact if data integrity is ensured. This is vital in the pharmaceutical industry where safe, effective, and high-quality drugs are paramount.

The concept of data integrity is often explained through ALCOA+, which stands for Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, and Available. Each of these terms emphasizes different aspects of maintaining data integrity. For more details, please refer to ALCOA +.

Data integrity Dos and Don’ts by FDA


  • Establish clear and comprehensive guidelines for data handling to ensure accuracy and consistency.
  • Vigilantly double-check data entries to minimize errors.
  • Create a Clear and Comprehensive Audit Trail and maintain detailed records of data access, including who accessed it and when.
  • Train Employees on Data Integrity and Compliance. Offer thorough training sessions on proper data handling practices.
  • Regularly Perform Internal Audits. Conduct frequent audits to validate data accuracy and integrity.
  • Document All Data-Related Activities and Changes. Keep exhaustive logs of all data modifications.
  • Utilize Electronic Signatures and Controls. Implement secure access systems through password protection and electronic signatures.
  • Maintain Data Security and Confidentiality. Use encryption and other measures to protect sensitive information.
  • Promptly Address Data Integrity Issues. Swiftly investigate and rectify any discrepancies or issues.
  • Stay Up to Date with Regulatory Guideline. Continuously educate yourself and your team on the latest compliance requirements.


  • Avoid altering or falsifying information to fit desired outcomes.
  • Delete Data Without Documentation: Never erase records without proper authorization and documentation.
  • Prevent unauthorized access by not sharing passwords.
  • Take immediate action upon noticing any discrepancies or inconsistencies.
  • Always prioritize data protection and address potential security breaches promptly.
  • Document all data handling actions accurately, without relying on memory.
  • Avoid relying on obsolete software or tools for data management.
  • Maintain transparency and integrity by not falsifying records to hide errors.
  • Report any data breaches or incidents without delay to relevant parties.
  • Ensure continuous training and supervision to uphold data integrity standards

Need help with Data Integrity Assessments?

Importance of Data Integrity for pharmaceutical companies

Data integrity plays a pivotal role in both the pharmaceutical and medical device industries due to several critical factors

  • Regulatory Compliance: Adhering to strict regulations is essential for ensuring the safety and efficacy of products. Data integrity guarantees compliance with regulatory standards set forth by agencies like the FDA and ensures that products meet the required quality and safety standards.
  • Patient Safety: Maintaining accurate and reliable data is imperative for ensuring patient safety. Inaccurate or incomplete data could lead to errors in diagnosis, treatment, or monitoring, potentially jeopardizing patient health.
  • Quality Assurance: Data integrity is fundamental in maintaining the quality and consistency of pharmaceuticals and medical devices. By ensuring the accuracy and completeness of data throughout the manufacturing process, companies can uphold high-quality standards and mitigate risks associated with product defects or recalls.
  • Reputation and Trust: Building and maintaining trust within the healthcare industry and among consumers relies heavily on data integrity. Companies with a reputation for consistently producing reliable and safe products are more likely to gain the trust of healthcare professionals and patients, leading to long-term success and credibility in the market.

Key requirements for Computerized Systems

  • Companies use various computerized systems for operational tasks, ranging from simple setups to complex integrated systems, all affecting product quality. These systems must adhere to GMP and GDP requirements.
  • Organizations must understand their computerized systems’ nature and usage and assess associated data integrity risks. Critical systems impacting product quality should be managed within a Pharmaceutical Quality System to prevent manipulation.
  • When designing or choosing computerized systems, prioritizing data management and integrity is essential. Vendors should grasp GMP/GDP and data integrity requirements, while legacy systems might need extra controls for compliance.
  • Regulated users should comprehend the significance of data generated by these systems and adopt a risk-based approach to manage data and metadata. Ensuring complete capture and retention of critical data is crucial.
  • Understanding a system’s role in business processes helps assess data vulnerability and risk. During inspections, inspectors should utilize the company’s expertise for system assessment. Whether outsourcing or not, regulated entities maintain responsibility for compliance and effective data management controls. 

Lets understand the key requirements of data integrity for Computerized system as below. 

  • Regulated companies must establish and follow robust controls to ensure data integrity throughout the system lifecycle. This involves incorporating data management and integrity considerations from the outset of system procurement and maintaining them throughout. Functional Specifications (FS) and User Requirement Specifications (URS) for regulated users should comprehensively address these requirements.
  • Special attention is needed when purchasing critical GMP/GDP equipment to ensure proper evaluation of data integrity controls before procurement.
  • Legacy systems should undergo evaluation to determine if their current configuration and functionality align with good data management practices. If existing systems lack adequate controls, additional measures should be explored and implemented
  • Validation of computerized systems must align with GMP/GDP guidelines. However, validation alone doesn’t ensure adequate protection of generated records. Validated systems can still be vulnerable to loss or alteration due to accidents or malicious intent. Therefore, it’s crucial to supplement validation with administrative and physical controls, along with user training.

The input text outlines key considerations and requirements for regulated companies regarding data integrity in computerized systems:

  • Establishment and Enforcement of Controls: Regulated companies must implement controls to ensure data integrity throughout the lifecycle of systems and data. This includes comprehensive addressing of data management needs in Functional and User Requirement Specifications (FS/URS).
  • Procurement and Evaluation of Systems: When procuring GMP/GDP critical equipment, special attention must be given to ensuring adequate data integrity controls are in place. Existing legacy systems should be evaluated for compliance with good data management practices, and additional controls should be implemented if necessary.
  • Tracking and Documentation: Regulated users must maintain records of their computerized systems, including system names, locations, purposes, evaluations of system function and importance, validation status, and references to validation documents.
  • Validation Requirements: New systems require a Validation Summary Report compliant with Annex 15 requirements, detailing critical system configurations, access controls, approved users, audit trail frequency, and procedures for user management and data handling. Existing systems should have relevant documents outlining these requirements available and maintained.
  • Validation Master Plan and Testing: Companies should have a Validation Master Plan outlining validation policies and requirements for computerized systems. Validation extent should be risk-based, with defined tests for compliance before routine use. Prospective validation is recommended, and tests should follow GMP Annex 15 requirements.
  • Periodic Evaluation and Updates: Computerized systems need periodic evaluation covering deviations, changes, upgrade history, performance, and maintenance to maintain data integrity. The frequency of re-evaluation should be determined by risk assessment. Timely updates for operating systems and network components are essential to safeguard data integrity, along with applying security patches promptly and under controlled conditions.
  • Migrations to newer platforms companies should plan and execute application migrations to newer platforms before they become unsupported and isolate unsupported operating systems from the network as much as possible while carefully designing remaining interfaces and data transfer processes to prevent vulnerabilities. Caution should be exercised with remote access to unsupported systems due to inherent security risks.
  • Data transfer : During validation, it’s crucial to assess and address interfaces to ensure accurate data transfer. These interfaces should incorporate built-in checks for secure data entry and processing, minimizing integrity risks. Verification methods may include secure transfer, encryption, and checksums. Interfaces between systems should be designed and qualified for automated transfer of GMP/GDP data.
  • Check for compatability: When updating system software, users must ensure compatibility with existing and archived data. If necessary, data conversion to the new format should be facilitated. If conversion isn’t feasible, the old software should be maintained and available for accessing archived data during investigations.
  • When older software becomes unsupported, preserving data accessibility becomes crucial. Maintaining legacy software in a virtual environment can extend its lifespan, but if that’s not feasible, migration to a compatible file format may be necessary. This format should retain as much of the original data’s integrity as possible. If full migration isn’t possible, assess options based on data importance and risk. Choose a migration format that balances long-term accessibility with potential loss of dynamic functionality. Additionally, assess system vulnerability to unauthorized changes and document all risk mitigation controls. Recognize that maintaining accessibility might mean accepting some loss of attributes or dynamic functionality during migration.
  • User access controls: Access controls must be configured and enforced to prevent unauthorized access, changes, or deletion of data in computerized systems. The level of security measures depends on the criticality of the system.
  • Data integrity: Safeguards against accidental alterations or intentional tampering are necessary to maintain data integrity. This involves evaluating system designs, ensuring physical security of hardware, and implementing network security measures against local and external threats.
  • Network protection: Security measures, including firewalls, intrusion detection systems, and regular vulnerability scans, are essential to detect and prevent potential threats. Protection levels should be aligned with the assessed risk of the data.
  • Electronic signatures: Robust controls for authenticity and traceability of electronic signatures are required, including permanent linkage to associated records, timestamp logging, and adoption of advanced methods like biometrics.
  • USB device restrictions: To enhance system security, USB device usage on critical systems hosting GMP/GDP data should be restricted. Ports should be configured for approved purposes, and all USB devices must undergo proper scanning before use.
  • Companies must prioritize data integrity by selecting computerized systems with appropriate electronic audit trail functionality, upgrading older systems if necessary. Systems lacking audit trails should implement alternative verification methods, ensuring compliance during system validation.
  • Audit trail functionalities should be enabled and locked, with procedures established for determining data requirements and conducting independent reviews, overseen by the quality unit. Electronic-based systems must configure audit trails to capture critical activities, recording detailed parameters for comprehensive tracking of actions and entries.
  • Systems should be designed for the correct capture of data whether acquired through manual or automated means . Manual data should adhere to specified formats, undergo validation, and be verified by a second operator or validated software. Changes should be documented in an audit trail and reviewed by authorized personnel. Automated data capture requires validated interfaces, secure storage formats, and software checks to ensure data completeness and metadata accuracy.
  • Data changes must adhere to authorized procedures, including manual integrations and reprocessing of lab results. The quality unit must ensure changes are necessary and done by designated individuals, retaining original data. All modifications to raw data require full documentation and approval by qualified individuals.
  • Regulated users must conduct risk assessments to identify critical GMP/GDP relevant electronic data and audit them for accuracy and integrity, with all changes duly authorized. Standard Operating Procedures (SOPs) should detail second-operator checks, encompassing raw data, summaries, and logs. Audit trail reviews should be integrated into routine data assessments,
  • Frequency and roles for audit trail reviews should align with data importance, with significant changes triggering thorough investigations and documented actions to address quality or data integrity issues
  • The company’s quality unit should establish a program and schedule to conduct ongoing reviews of audit trails based upon their criticality and the system’s complexity in order to verify the effective implementation of current controls and to detect potential non-compliance issues. These reviews should be incorporated into the company’s self-inspection programme.
  • Data storage and backup procedures must encompass original data, metadata, and audit trails securely. Routine backups should be stored remotely, accessible in readable formats even after software updates. Metadata retention is crucial for reconstructing activities. Archived data must be secured separately, accessible, and regularly tested for restoration procedures. Printing legible records, including metadata, and establishing disposal procedures for electronically stored data are essential expectations.

Hybrid systems require specific controls due to their complexity and vulnerability to data manipulation, discouraging their use and advocating for replacement where feasible. Each element should adhere to manual and computerized system guidelines, employing quality risk management principles. A comprehensive system description outlining components, functions, data controls, and interactions is necessary. Procedures must manage manual-to-automated data interfaces, review processes, approval criteria for data outputs, and risks associated with hybrid systems, emphasizing control verification


By prioritizing DI now, companies can enhance efficiency and productivity while delivering high-quality products.Maintaining data integrity in cGMP compliance is not merely a regulatory requirement; it’s a fundamental necessity for pharmaceutical manufacturers. The consequences of data integrity breaches can be severe, both in terms of regulatory actions and patient safety. By implementing best practices, investing in staff training, and leveraging technology, pharmaceutical companies can ensure data integrity throughout the manufacturing process. This commitment not only meets regulatory expectations but also upholds the highest standards of product quality and patient well-being.

Useful linkes:

Sagar Pawar

Sagar Pawar

Computer System Validation Specialist