Practical Risk-Based Guide for Managing Data Integrity | APIC - CEFIC

Data integrity refers to the accuracy, completeness, and consistency of CGxP data over its entire lifecycle. The steps that need to be overseen include the initial generation and recording, the processing (i.e., analysis, transformation, or migration), the outcome/use, the retention, retrieval, archive and finally the destruction.

Data integrity means that all the steps defined above are well managed, controlled and documented and therefore the records of the activities follow the ALCOA+ principles described in the guidelines. The ALCOA+ principles have been in place for several years in the industry and are widely known and implemented.

Achieving data integrity compliance, for paper, electronic and hybrid systems, requires translation of these principles into practical controls in order to assure CGxP-impacting business decisions can be verified and inspected throughout the data lifecycle.

This document is based on general Data Integrity requirements and gathers practical experiences from a number of companies operating in the sector that can be used as guidance to others. It is not an all-inclusive list of requirements but proposes a comprehensive approach that companies can adopt to help carry out their data integrity risk assessments.

The guide is essentially practical and therefore, after the presentation of the approach and of the tools, the document includes some examples of executed assessments, categorizations and checklists that can be used by any company according to their individual needs.

Each company can choose the appropriate tools and categorizations that apply to their own business processes and systems. This guidance applies to all CGxP processes and CGxP data used in the manufacture and analysis of APIs for use in human and veterinary drugs.

This document will not describe all the elements required for a data governance program in detail. However, some foundational principles are given below:

Organisational Culture

Organisational culture has the potential to increase the possibility of lapses in data integrity, whether intentional (e.g., fraud or falsification) or unintentional (e.g., lack of understanding of responsibilities and/or requirements). To reduce this potential, organisations should aspire to an open culture where subordinates can challenge hierarchy, and full reporting of a systemic or individual failure is a business expectation.


It is crucial that employees at all levels understand the importance of data integrity and the impact that they can have on CGxP data with the authorisations assigned for their job roles. Training is a major component of raising awareness and should be conducted periodically. The ALCOA+ concepts, and the acronym itself, are widely used by regulators and industry and should be incorporated into the program (e.g., within staff training, policies etc.).

System and Process Design

Compliance with data integrity principles can be encouraged through the consideration of ease of access, usability, and location. For example:

  • Control over blank paper templates for CGxP data recording
  • Control of spreadsheets used for calculations
  • Access to appropriate clocks for recording timed events
  • Accessibility of records at the locations where activities take place
  • User access rights and permissions that align with personnel responsibilities
  • Automation of CGxP data capture where possible
  • Access to electronic CGxP data for staff performing data review activities

Management Commitment

Senior management should ensure that there is a written commitment to follow an effective quality management system and professional practices to deliver good data management. The commitments should include:

  • An open quality culture
  • Data integrity governance
  • Allocation of appropriate resources
  • Data integrity training for staff
  • Monitoring of data integrity issues with CAPA taken to address issues identified
  • Mechanisms for staff to report concerns to management

When assessing data integrity risks within an organization, companies may focus immediately on those systems or areas that are the most obvious in this context, such as a particular piece of software, a specific lab system or instrument, etc. Doing so creates the risk of forgetting less visible but still important areas, processes or systems, or of failing to address integrity issues concerning data flows between controlled environments.

Data integrity management approach (General Concept)

Minimum system requirements based on categories
