Data Integrity is not a new concept. It is integrated with all GxP activities and decision-making. MHRA first published a guidance document in 2015. Then all other authorities such as EMA, US FDA, PIC/s, WHO published draft or final guidelines on Data Integrity.


All the authorities expect data to be compliant with ALCOA+ principles. To ensure this compliance, the pharmaceutical company should perform Data Integrity Risk Assessment (DIRA) for the GxP process and procedure.


Organizations are expected to implement, design and operate a documented system that provides an acceptable state of control based on the data integrity risk with supporting rationale. An example of a suitable approach is to perform a data integrity risk assessment (DIRA) where the processes that produce data or where data is obtained are mapped out and each of the formats and their controls are identified and the data criticality and inherent risks documented. (Reference:‘GXP Data Integrity Guidance and Definitions’ published by MHRA in 2018).


Data risk assessment should consider the vulnerability of data to involuntary or deliberate amendment, deletion or recreation. Control measures which prevent unauthorised activity and increase visibility / detectability can be used as risk mitigating actions……Risk assessment should include a business process focus (e.g. production, QC) and not just consider IT system functionality or complexity. (Reference:Data Integrity (New August 2016)-Guidance on good manufacturing practice and good distribution practice: Questions and answers published by EMA). A similar approach was also published in ‘GOOD PRACTICES FOR DATA MANAGEMENT AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS’ in 2021 by PIC/s. 


If the review frequency for the data is not specified in CGMP regulations, you should determine the review frequency for the audit trail using knowledge of your processes and risk assessment tools. The risk assessment should include evaluation of data criticality, control mechanisms, and impact on product quality. (Reference: Data Integrity and Compliance With Drug CGMP-Questions and Answers-Guidance for Industry published by US FDA in 2018).


WHO published a draft duideline on Data Integrity where they mentioned the requirement of Data Integrity Risk Assessment (DIRA) to ensure control of Data. (Reference:  QAS/19.819/Rev.1, June 2020).


From the above-mentioned regulatory requirements, it is clear that Data Integrity Risk Assessment (DIRA) is a mandatory requirement now. 


Resource Person: M. Raihan Chowdhury