Is Data Integrity Sufficiently Addressed Through Security and Audit Trails?
The Common Confusion Between Data Integrity and 21 CFR Part 11
Many organizations confuse data integrity with 21 CFR Part 11 compliance. In other words, there is a misconception that data integrity is solely about ensuring the reliability of electronic records.
However, the principles of data integrity apply equally to both electronic records and paper-based records. This is a fundamental point that must be understood.
Let me pose a question to readers: “Which is more important for patient safety—the falsification of electronic records or the falsification of paper records?”
The answer is: “They are equally important.”
In their approach to data integrity, many companies place excessive emphasis on electronic record reliability. This represents a confusion between data integrity and 21 CFR Part 11 compliance.
Can Security and Audit Trails Guarantee Data Integrity?
Research suggests that up to 80% of data integrity violations stem from human error. Yet the content of the various seminars and presentations one attends predominantly focuses on computer system security measures and on replacing equipment with systems that have audit trail capabilities.
So, will implementing security measures and audit trail functions prevent human errors? The answer is “No.”
To ensure data integrity, it is crucial to protect original data from all unintended modifications—whether deliberate or accidental—in both electronic and paper-based records. This protection must extend across the entire data lifecycle.
Understanding ALCOA+ Principles
Modern data integrity requirements have evolved beyond simple security controls to encompass comprehensive data governance. The pharmaceutical industry now follows ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available), which were established to address both technical controls and human factors. These principles, endorsed by the FDA, MHRA, WHO, and PIC/S, recognize that data integrity cannot be achieved through technology alone.
Will 21 CFR Part 11 Be Revised?
It is probable that 21 CFR Part 11 will not be substantially revised in the foreseeable future. The reasons are twofold: first, it is specifically focused on electronic records; and second, as mentioned above, it cannot prevent human errors.
Furthermore, 21 CFR Part 11 is entirely preoccupied with “how to prevent fraud and how to detect fraud.” While fraud should never occur, one must ask: among the vast number of records, what proportion are actually falsified due to fraud?
In other words, “Fraud cannot occur” ≠ “Data integrity is guaranteed.”
For data integrity, we must prevent human errors, implement double-checking mechanisms, and ensure reliability. Doing so addresses, as a first step, approximately 80% of data integrity violations.
The Current State of 21 CFR Part 11 and Recent Regulatory Guidance
While a complete revision of 21 CFR Part 11 has not occurred since its original promulgation in 1997, the FDA has issued important supplementary guidance to address modern challenges. In October 2024, the FDA finalized its guidance document “Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers,” which clarifies the application of Part 11 principles to contemporary digital technologies, including real-world data sources, digital health technologies, and remote data collection systems. Additionally, the FDA’s draft guidance on Computer Software Assurance (CSA), expected to be finalized in late 2025, promotes a risk-based approach to validation that complements Part 11 requirements by encouraging manufacturers to prioritize validation efforts on systems that impact product quality and patient safety.
Rather than revising Part 11 itself, regulators have expanded their focus to comprehensive data integrity through guidance documents such as the FDA’s “Data Integrity and Compliance with cGMP” (December 2018), MHRA’s “GxP Data Integrity Guidance and Definitions” (March 2018), and WHO’s “Guidance on Good Data and Record Management Practices.” These documents emphasize that data integrity encompasses much more than electronic record controls—it requires a holistic approach including organizational culture, data governance, quality risk management, and human factors.
Addressing the Root Causes: Culture and Process
Recent studies published in pharmaceutical journals confirm that the majority of data integrity issues arise from factors such as poor quality culture, organizational behavior, inadequate leadership, deficient processes, and inappropriate technology implementation—not from the absence of electronic controls alone. Research indicates that over 80% of quality deviations and approximately 25% of all quality faults in pharmaceutical manufacturing are attributed to human error, including both unintentional mistakes and failures to follow proper procedures.
This evidence reinforces the critical point: technical security measures and audit trails, while necessary components of a compliant system, are insufficient to guarantee data integrity. Organizations must invest equally—if not more—in developing a strong quality culture, providing comprehensive training on data integrity principles, implementing effective data governance frameworks, establishing clear accountability, and designing robust processes that minimize the opportunity for errors.
Practical Steps for Comprehensive Data Integrity
To achieve genuine data integrity compliance, pharmaceutical manufacturers should implement a multi-layered approach:
Data Governance: Establish clear ownership and accountability for data throughout its lifecycle, from creation through disposition. This includes defining roles and responsibilities, implementing change control procedures, and maintaining comprehensive documentation of all data-related activities.
Quality Culture: Foster an organizational environment where personnel understand the importance of data integrity to patient safety and feel empowered to report issues without fear of retribution. Leadership must demonstrate commitment through resource allocation and consistent messaging.
Risk-Based Controls: Apply Quality Risk Management (QRM) principles to identify where data integrity risks are highest and implement proportionate controls. Not all data requires the same level of control—focus resources where they matter most for product quality and patient safety.
Technical Controls: Implement appropriate electronic systems with features such as audit trails, electronic signatures, access controls, and data backup mechanisms—but recognize these as enablers rather than complete solutions.
Training and Competency: Ensure all personnel involved in data generation, processing, review, and reporting receive thorough training on data integrity principles (ALCOA+), good documentation practices, and the specific procedures relevant to their roles. Training should emphasize why data integrity matters, not just how to comply with rules.
Continuous Monitoring: Conduct regular data integrity audits, system reviews, and effectiveness checks to identify gaps before regulatory inspections reveal them. Use metrics and trending to drive continuous improvement.
Conclusion: A Balanced Perspective
Data integrity in pharmaceutical manufacturing requires a balanced approach that addresses both technical and human elements. While 21 CFR Part 11 provides important controls for electronic records and electronic signatures, it represents only one component of a comprehensive data integrity program. Security features and audit trails are necessary but not sufficient conditions for ensuring data integrity.
True data integrity emerges from the intersection of robust technical controls, well-designed processes, clear accountability, comprehensive training, and—most importantly—an organizational culture that values quality and transparency. By addressing the root causes of data integrity failures, particularly human error and inadequate processes, pharmaceutical manufacturers can build systems that not only satisfy regulatory requirements but also genuinely protect patients and ensure product quality.
The focus should not be on whether fraud can occur, but rather on creating an environment where accurate, reliable, and trustworthy data is generated as a matter of course. This requires commitment, investment, and vigilance across all levels of the organization. Only through this comprehensive approach can data integrity be truly assured, protecting both patients and the organization’s regulatory standing.