PIC/S Data Integrity Guidance Implementation: Comprehensive Overview and Current Status
Introduction and Historical Context
On July 1, 2021, the Pharmaceutical Inspection Co-operation Scheme (PIC/S) officially implemented the “Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments” (PI 041-1), marking a significant milestone in the harmonization of global pharmaceutical quality standards. This comprehensive 63-page guidance document represents the culmination of a five-year development process, beginning with the first draft issued in April 2016, followed by Draft 2 in August 2016, Draft 3 released for public consultation in November 2018, and finally the adoption by the PIC/S Committee on June 1, 2021.
The development of this guidance was not an isolated regulatory effort but rather a collaborative endeavor involving extensive stakeholder engagement. During 2019, professional pharmaceutical associations across the industry participated in a targeted consultation exercise, providing invaluable feedback that helped clarify regulatory interpretations and identify areas requiring further development in future revisions. This collaborative approach ensures that the guidance reflects both regulatory expectations and practical industry realities.
Understanding PIC/S: Organization and Authority
To fully appreciate the significance of PI 041-1, it is essential to understand the nature and authority of PIC/S itself. Originally established as the Pharmaceutical Inspection Convention, PIC/S evolved into the Pharmaceutical Inspection Co-operation Scheme while retaining both names in its official documentation, hence the abbreviation PIC/S. As of January 2026, PIC/S represents a global network of regulatory inspectors from over 50 participating authorities, including major pharmaceutical markets such as the European Union member states, the United States (through FDA representation), Canada, Japan, Australia, South Korea, Singapore, and many others.
Critically, PIC/S is an organization composed of regulatory inspectors and inspection authorities, not pharmaceutical manufacturers. This fundamental characteristic shapes the nature and purpose of PIC/S guidance documents. PI 041-1 is specifically written as an inspector’s guidance, providing regulatory authorities with a harmonized framework for conducting data integrity assessments during GMP and GDP inspections. However, the document simultaneously serves as an invaluable resource for pharmaceutical companies, offering clear insights into regulatory expectations, areas of greatest risk, and best practices for compliance.
PIC/S operates primarily through the development and maintenance of harmonized GMP and GDP guidelines, which are adopted by most participating authorities. The organization also provides training through the PIC/S Inspectorates’ Academy (PIA) and develops inspection-related resources to support consistent inspection practices across member jurisdictions.
Document Characteristics and Scope
Comprehensive Nature
The final version of PI 041-1 comprises 63 pages organized into 14 primary sections, representing a significant expansion from the 53 pages of Draft 3 issued in 2018. This growth reflects the incorporation of stakeholder feedback and the addition of clarifying examples and guidance based on practical implementation experience during the trial period. The document is recognized as one of the most comprehensive regulatory guidances on data integrity currently available, comparable in scope and detail only to the World Health Organization’s guidance on data integrity issued in 2016 (WHO Technical Report Series, No. 996, Annex 5).
The structural organization of PI 041-1 provides a logical framework covering all essential aspects of data integrity:
- Document History – Tracking the evolution and revision process
- Introduction – Context and rationale for the guidance
- Purpose – Defining the objectives and intended use
- Scope – Delineating applicability and boundaries
- Data Governance System – Establishing the foundational framework
- Organisational Influences on Successful Data Integrity Management – Addressing quality culture, ethics, and resource allocation
- General Data Integrity Principles and Enablers – Core concepts applicable across all systems
- Specific Data Integrity Considerations for Paper-Based Systems – Detailed requirements for paper records
- Specific Data Integrity Considerations for Computerised Systems – Comprehensive guidance on electronic systems including hybrid systems
- Data Integrity Considerations for Outsourced Activities – Managing third-party relationships
- Regulatory Actions in Response to Data Integrity Findings – Inspection outcomes and enforcement
- Remediation of Data Integrity Failures – Corrective action expectations
- Glossary – Terminology definitions
- Revision History – Documentation of changes
Scope of Application
PI 041-1 primarily applies to on-site inspections of facilities conducting manufacturing operations under GMP regulations and distribution activities under GDP regulations. The guidance explicitly states that its principles apply throughout the entire product lifecycle, from development through commercial manufacturing and distribution to final disposition. This lifecycle approach ensures consistent data integrity standards regardless of the product development stage or commercial status.
An important consideration in the guidance is its application to remote inspections, also known as remote assessments. While PI 041-1 principles apply to remote inspections, the guidance acknowledges inherent limitations in remote assessment scenarios, particularly regarding the ability to verify data authenticity and compare original records with documented procedures. Consequently, for remote inspections, the guidance recommends focusing primarily on evaluating the data governance system itself rather than attempting comprehensive data verification activities that are more effectively conducted during on-site visits.
Regulatory Context and Limitations
A critical understanding for pharmaceutical professionals is that PI 041-1 addresses only GMP and GDP regulated activities. The guidance explicitly does not extend to Good Laboratory Practice (GLP) or Good Clinical Practice (GCP) environments. This limitation reflects PIC/S’s primary mandate focused on manufacturing and distribution inspection activities. Organizations subject to GLP or GCP requirements must refer to other appropriate guidances, such as the OECD GLP data integrity guidance or FDA and ICH GCP guidance documents, respectively.
It is also important to note that PI 041-1, like other PIC/S guidance documents, is not legally binding or directly enforceable under law. Rather, it provides interpretive guidance on how existing legal requirements in GMP and GDP regulations should be understood and applied in the context of modern data management practices. Inspection findings related to data integrity deficiencies must be referenced to applicable national legislation or specific paragraphs of the PIC/S GMP Guide (PE 009) or GDP Guide (PE 011), rather than to PI 041-1 directly.
Core Principles and Concepts
Foundational Understanding of Data Integrity
The guidance defines data integrity as “the degree to which data are complete, consistent, accurate, trustworthy, and reliable, and that these characteristics of the data are maintained throughout the data lifecycle.” This definition emphasizes that data integrity is not a static attribute achieved at the point of initial data capture, but rather a dynamic characteristic that must be actively maintained from the moment of data generation through all subsequent processing, storage, archival, and eventual retrieval activities.
This comprehensive definition aligns with and expands upon the FDA’s characterization of data integrity as encompassing “completeness, consistency, and accuracy of data,” while explicitly incorporating additional dimensions of trustworthiness, reliability, and lifecycle management that reflect the complexities of modern pharmaceutical operations.
The ALCOA+ Framework
Central to understanding data integrity requirements is the ALCOA+ framework, which PI 041-1 adopts and elaborates upon. The acronym represents fundamental attributes that all GMP/GDP data must possess:
Original ALCOA Principles:
- Attributable – Data must be clearly traceable to the individual who generated, recorded, or modified it, including identification of the date, time, and location of the activity. For electronic systems, this requires robust user authentication and authorization controls.
- Legible – Data must be recorded in a permanent, readable form that can be understood by all relevant personnel throughout the data retention period. This applies equally to handwritten entries in paper records and electronic data displays.
- Contemporaneous – Data must be recorded at the time the activity is performed or as soon as practically possible thereafter. Retrospective data entry, transcription from temporary records, or reconstruction from memory is generally unacceptable and may indicate data integrity vulnerabilities.
- Original – The first capture of data or information, or a certified true copy thereof if the original is not accessible. The guidance clarifies that for electronic systems, the original record includes all metadata necessary to reconstruct the activity, not merely the final processed result.
- Accurate – Data must be free from errors, conform to protocol requirements, and faithfully represent the observations or activities performed. Accuracy extends beyond mere numerical correctness to include proper identification, labeling, and contextualization of data.
The “Plus” – Additional Attributes:
- Complete – All data generated during an activity must be preserved and available, including any repeat analyses, retests, or investigations. Selective reporting of “favorable” results while omitting “unfavorable” data constitutes a serious data integrity violation. Completeness also requires preservation of all metadata, audit trails, and supporting documentation necessary to fully understand the data in context.
- Consistent – Data and associated documentation must be internally consistent and free from unexplained contradictions. The sequence of events must be logical and chronological, with appropriate timestamps that align with process timelines. Consistency also applies across related datasets and between original records and reported summaries.
- Enduring – Data must be recorded using durable materials and storage media that ensure preservation throughout the required retention period, which may span decades. For electronic data, this requires appropriate backup strategies, media refresh programs, disaster recovery capabilities, and migration plans to address technological obsolescence.
- Available – Data must be readily retrievable and accessible for review, verification, audit, or inspection purposes throughout the retention period. This requires appropriate indexing, search capabilities, and access controls that balance security with legitimate access needs.
Some modern interpretations have extended this framework to ALCOA++, adding Traceable as a tenth attribute. Traceability emphasizes that any changes to data or metadata must not obscure the original record, and all modifications must be captured in a comprehensive audit trail that allows reconstruction of the complete data history. While PI 041-1 does not explicitly use the ALCOA++ terminology, the concept of traceability is thoroughly embedded throughout the guidance’s requirements for change control and audit trails.
It is crucial to emphasize that these ALCOA+ principles apply equally to all data formats: electronic records, paper records, hybrid systems (combining electronic and paper elements), and other forms such as photographs, chromatograms, and audiovisual recordings. The fundamental expectation of data integrity does not vary based on the recording technology employed.
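For electronic records, several of these attributes can be screened automatically during audit trail review. The following Python sketch is an added example, not part of PI 041-1 or of any vendor system: the record schema, the 15-minute entry-lag threshold, and the list of generic account names are assumptions chosen for illustration, and the sample entries are constructed.

```python
from datetime import datetime, timedelta

# Assumptions (not from PI 041-1): the guidance sets no numeric limit for
# "contemporaneous" and names no accounts; both values are illustrative.
MAX_ENTRY_LAG = timedelta(minutes=15)
GENERIC_ACCOUNTS = {"admin", "lab", "shared"}

# Constructed audit-trail export using a hypothetical schema.
SAMPLE_TRAIL = [
    {"seq": 1, "record": "ASSAY-001", "action": "create", "user": "jdoe",
     "performed_at": "2024-03-01T09:00:00", "recorded_at": "2024-03-01T09:02:00",
     "old": None, "new": "98.7", "reason": None},
    {"seq": 2, "record": "ASSAY-001", "action": "modify", "user": "jdoe",
     "performed_at": "2024-03-01T09:10:00", "recorded_at": "2024-03-01T09:11:00",
     "old": "98.7", "new": "99.1", "reason": "transcription error corrected"},
    {"seq": 3, "record": "ASSAY-002", "action": "create", "user": "admin",
     "performed_at": "2024-03-01T10:00:00", "recorded_at": "2024-03-01T10:01:00",
     "old": None, "new": "100.4", "reason": None},
    # seq 4 is deliberately absent from the export
    {"seq": 5, "record": "ASSAY-003", "action": "create", "user": "asmith",
     "performed_at": "2024-03-01T08:00:00", "recorded_at": "2024-03-01T13:30:00",
     "old": None, "new": "94.3", "reason": None},
    {"seq": 6, "record": "ASSAY-003", "action": "modify", "user": "asmith",
     "performed_at": "2024-03-01T13:00:00", "recorded_at": "2024-03-01T13:05:00",
     "old": "101.2", "new": "99.8", "reason": None},
]


def review_trail(entries, max_lag=MAX_ENTRY_LAG):
    """Return (seq, attribute, message) findings for an audit-trail export."""
    findings = []
    last_value = {}            # record id -> most recent value in the trail
    prev_seq = prev_recorded = None
    for e in sorted(entries, key=lambda x: x["seq"]):
        seq, rec = e["seq"], e["record"]
        performed = datetime.fromisoformat(e["performed_at"])
        recorded = datetime.fromisoformat(e["recorded_at"])

        # Attributable: every entry must name an individual, not a shared login.
        user = (e.get("user") or "").strip().lower()
        if not user or user in GENERIC_ACCOUNTS:
            findings.append((seq, "Attributable", "no individual user identified"))

        # Contemporaneous: entry made long after, or before, the activity.
        lag = recorded - performed
        if lag < timedelta(0) or lag > max_lag:
            findings.append((seq, "Contemporaneous", f"entry lag of {lag}"))

        # Complete: a gap in sequence numbers suggests missing entries.
        if prev_seq is not None and seq != prev_seq + 1:
            findings.append((seq, "Complete", f"sequence gap after {prev_seq}"))

        # Consistent: recording timestamps must not run backwards.
        if prev_recorded is not None and recorded < prev_recorded:
            findings.append((seq, "Consistent", "recorded earlier than previous entry"))

        # Traceable: a change must preserve the prior value and give a reason.
        if e["action"] == "modify":
            if rec not in last_value or e.get("old") != last_value[rec]:
                findings.append((seq, "Traceable", "old value does not match prior entry"))
            if not e.get("reason"):
                findings.append((seq, "Traceable", "change without documented reason"))
        elif e["action"] == "delete":
            findings.append((seq, "Complete", "deletion of recorded data"))

        if e["action"] == "delete":
            last_value.pop(rec, None)
        else:
            last_value[rec] = e.get("new")
        prev_seq, prev_recorded = seq, recorded
    return findings


if __name__ == "__main__":
    for seq, attribute, message in review_trail(SAMPLE_TRAIL):
        print(f"seq {seq}: {attribute}: {message}")
```

A finding from a screen like this is a prompt for investigation by a reviewer, not a conclusion that a violation occurred.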
Data Governance System Framework
PI 041-1 positions data governance as the comprehensive system through which organizations ensure data integrity. The guidance defines data governance as “the sum total of arrangements which provide assurance of data quality.” This encompasses not only technical controls and procedural requirements but also organizational culture, management commitment, resource allocation, and competency management.
The data governance system must be integrated within the broader Pharmaceutical Quality System (PQS) for GMP entities or the Quality System for GDP entities. This integration ensures that data integrity considerations are embedded in all quality system elements, including:
- Quality risk management processes
- Change control systems
- Deviation and investigation procedures
- Corrective and preventive action (CAPA) programs
- Management review activities
- Internal audit and self-inspection programs
- Vendor qualification and oversight
- Training and competency assessment
A fundamental principle emphasized throughout PI 041-1 is that data governance must address data ownership and accountability throughout the complete data lifecycle. Organizations must clearly define roles and responsibilities for data generation, review, approval, retention, archival, and eventual disposition. This includes establishing appropriate segregation of duties to prevent conflicts of interest and implementing controls to prevent both intentional and unintentional unauthorized changes or deletions.
Risk-Based Approach to Data Integrity
PI 041-1 explicitly endorses and requires a risk-based approach to both data governance design and inspection activities. Organizations are expected to conduct data integrity risk assessments that:
- Focus on business processes rather than merely IT system functionality
- Evaluate complete data flows from initial capture through final disposition
- Consider both electronic and paper-based elements
- Assess potential vulnerabilities to intentional manipulation and unintentional errors
- Evaluate the criticality of data to product quality and patient safety
- Consider complexity, subjectivity, and process consistency factors
Based on these risk assessments, organizations should implement proportionate control measures that address identified vulnerabilities without imposing unnecessary burden on low-risk activities. Similarly, inspectors are directed to employ critical thinking and risk-based judgment when conducting data integrity assessments, focusing inspection resources on areas of greatest risk and regulatory significance.
Organizational and Cultural Dimensions
A particularly noteworthy aspect of PI 041-1 is its substantial attention to organizational influences on data integrity. Section 6 of the guidance emphasizes that successful data integrity management requires more than technical controls and procedural compliance. Essential organizational enablers include:
Quality Culture – Management must establish and maintain a work environment that is transparent, open, and psychologically safe, where personnel feel empowered and encouraged to report errors, deviations, and potential data integrity issues without fear of punitive consequences. A punitive culture that penalizes error reporting inevitably drives data integrity violations underground, making them more difficult to detect and remediate.
Code of Ethics and Policies – Organizations should establish clear ethical expectations and data integrity policies that are communicated to all personnel and reinforced through training, performance management, and visible leadership commitment.
Resource Allocation – Adequate resources, including appropriate staffing levels, qualified personnel, suitable facilities and equipment, and sufficient time to perform tasks properly, are essential prerequisites for data integrity. Chronic understaffing, unrealistic productivity targets, or inadequate training budgets create conditions conducive to data integrity failures.
Management Review – Regular management review of quality metrics, data integrity indicators, and audit findings provides leadership with visibility into organizational performance and enables timely intervention when issues emerge.
These organizational dimensions recognize that data integrity is fundamentally a human factors challenge. Even the most sophisticated technical controls will prove inadequate if the organizational environment incentivizes or permits data integrity compromises.
Application to Paper-Based and Electronic Systems
A critical aspect emphasized throughout PI 041-1 is that data integrity principles apply equally to paper records and electronic records. This principle addresses a common misconception that data integrity is primarily or exclusively an electronic records concern. While electronic systems present certain unique challenges (such as the ease of data deletion or modification), paper systems have their own vulnerabilities (such as loss, damage, or alteration of original records).
For paper-based systems, the guidance provides detailed expectations covering:
- Generation, distribution, and control of blank forms and templates
- Point-of-use control to prevent unauthorized removal or alteration
- Requirements for contemporaneous entries made in permanent ink
- Handling of errors and corrections
- Voiding of unused fields
- Protection against loss or damage
- Retention and archival considerations
For computerized systems, the guidance addresses:
- System validation throughout the lifecycle
- Access controls and security measures
- Audit trail functionality and review
- Data backup and disaster recovery
- Electronic signatures and identification
- Integration between systems and data transfer processes
- Cloud computing and Software as a Service (SaaS) considerations
- Legacy system management
Hybrid systems, which combine electronic data processing with paper-based records or manual signatures, require particular attention to ensure that both components meet data integrity requirements and that the relationship between electronic and paper elements is clear and auditable.
Regulatory Responsibility and Expectations
PI 041-1 unambiguously establishes that the responsibility for maintaining data integrity rests entirely with the pharmaceutical organization subject to inspection. The guidance explicitly states that companies have “full responsibility and a duty to assess their data management systems for potential vulnerabilities and take steps to design and implement good data governance practices to ensure data integrity is maintained.”
This assignment of responsibility means that organizations cannot reasonably claim ignorance of data integrity requirements, blame IT vendors or service providers for system deficiencies, or assert that resource constraints justify non-compliance. While the guidance serves as a resource to help organizations understand expectations, it is ultimately the company’s obligation to proactively identify and address data integrity risks regardless of whether they have been specifically highlighted in regulatory guidance or inspection findings.
From an inspection perspective, PI 041-1 directs inspectors to employ systematic approaches to evaluate organizational data governance systems, investigate specific data integrity concerns identified through risk assessment or preliminary observation, and escalate significant findings for appropriate regulatory action. The guidance also addresses inspector conduct, emphasizing the importance of critical thinking, professional skepticism, and fair evaluation of both strengths and weaknesses in organizational systems.
Current Status and Future Developments
As of January 2026, PI 041-1 remains the current, authoritative PIC/S guidance on data integrity for GMP and GDP operations. The guidance continues to be actively applied in inspections conducted by PIC/S participating authorities worldwide. While no formal revision of PI 041-1 has been announced or published as of this writing, several related regulatory developments merit attention:
Related GMP Guidance Updates – In 2025, PIC/S initiated public consultation on revised versions of several core GMP guidance chapters that intersect with data integrity considerations:
- Chapter 1 (Pharmaceutical Quality System) – Consultation period September 3 to December 3, 2025, incorporating updates to align with ICH Q9(R1) on Quality Risk Management
- Chapter 4 (Documentation) – Consultation period July 7 to October 7, 2025, highlighting the importance of documentation in GMP compliance and supporting new technologies, hybrid solutions, and modern documentation management approaches
- Annex 11 (Computerised Systems) – Consultation period July 7 to October 7, 2025, establishing enhanced requirements for computerized system lifecycle management, quality risk management application, data integrity assurance, audit trails, electronic signatures, and system security
These concurrent guidance updates will create a more integrated regulatory framework where data integrity requirements in PI 041-1 are reinforced and complemented by updated core GMP requirements.
Emerging Technology Considerations – PIC/S has also initiated development of entirely new guidance addressing emerging technologies with significant data integrity implications:
- Draft Annex on Artificial Intelligence – Establishing requirements for the use of AI and machine learning in active substance and medicinal product manufacturing, including selection, training, and validation of AI models, with emphasis on intended use definition, performance metrics, and training data quality
These developments indicate ongoing regulatory evolution to address technological advancement while maintaining fundamental data integrity principles.
Remote Assessment Guidance – In January 2025, PIC/S implemented new guidance documents on remote assessments (PI 056-1 and PI 057-1), which provide updated direction on conducting inspections in virtual or hybrid formats. While these documents acknowledge the limitations of remote assessment for comprehensive data verification, they reinforce the applicability of PI 041-1 principles to all inspection modalities.
Ongoing Training and Inspector Development – The PIC/S Working Group on Data Integrity continues active development of training materials for the PIC/S Inspectorates’ Academy and other inspection-related resources. This ongoing work ensures that inspectors remain current with evolving industry practices and maintain consistent interpretation of data integrity requirements across participating authorities.
Practical Implications for Pharmaceutical Organizations
Strategic Considerations
Pharmaceutical companies operating under GMP or GDP regulations, regardless of geographic location, should recognize PI 041-1 as establishing global expectations for data integrity management. Even organizations not directly subject to inspection by PIC/S member authorities will likely encounter these expectations through:
- Customers or partners requiring PI 041-1 compliance as a contract requirement
- Regulatory authorities in non-PIC/S jurisdictions adopting similar expectations
- Industry standards and professional association guidances referencing PI 041-1
- Regulatory convergence through multilateral recognition agreements
Consequently, a strategic approach to data integrity should:
- Treat PI 041-1 as defining minimum acceptable practices rather than aspirational goals
- Integrate data integrity considerations into quality system design from the outset
- Invest in organizational culture development alongside technical controls
- Maintain awareness of evolving regulatory interpretations and enforcement trends
- Benchmark practices against industry leaders rather than minimum compliance
Operational Implementation
From an operational perspective, organizations should undertake systematic programs to:
- Conduct Comprehensive Data Integrity Risk Assessments – Evaluate all business processes, data flows, and systems (both paper and electronic) to identify potential vulnerabilities. These assessments should be documented, regularly reviewed, and updated when processes or systems change.
- Develop Robust Data Governance Frameworks – Establish clear policies, procedures, roles, responsibilities, and performance indicators for data integrity. Ensure integration with the broader quality system and alignment with PI 041-1 expectations.
- Implement Appropriate Technical and Procedural Controls – Based on risk assessment findings, deploy proportionate controls to address identified vulnerabilities. This includes both preventive controls (such as access restrictions, validations, and training) and detective controls (such as data review, audit trail monitoring, and self-inspection activities).
- Invest in Quality Culture Development – Foster an organizational environment where data integrity is valued, supported by adequate resources, and reinforced through leadership behavior, performance management, and recognition systems.
- Establish Effective Training Programs – Ensure all personnel understand data integrity principles, their specific responsibilities, and the consequences of data integrity failures. Training should be role-specific, regularly refreshed, and include practical examples relevant to actual job responsibilities.
- Implement Robust Monitoring and Continuous Improvement – Regularly review data integrity indicators, investigate anomalies or potential issues, conduct periodic self-inspections focused on data integrity, and implement corrective and preventive actions when deficiencies are identified.
Inspection Readiness
Organizations should prepare for data integrity inspection by:
- Maintaining readily accessible documentation of data governance systems, risk assessments, and control measures
- Ensuring that data integrity responsibilities and accountabilities are clearly defined and understood
- Conducting mock inspections or self-assessments using PI 041-1 as a reference
- Developing clear explanations of system design rationale, particularly for computerized systems
- Establishing processes for efficiently retrieving and presenting data, audit trails, and supporting documentation
- Training personnel likely to interact with inspectors on appropriate responses to inquiries
Conclusion
The implementation of PIC/S PI 041-1 in July 2021 represented a significant milestone in global harmonization of data integrity expectations for GMP and GDP operations. As a comprehensive, inspector-focused guidance developed through extensive collaboration among regulatory authorities and informed by industry stakeholder input, PI 041-1 provides both regulatory inspectors and pharmaceutical organizations with a clear, detailed framework for understanding and implementing data integrity requirements.
The guidance’s emphasis on fundamental principles (ALCOA+), risk-based approaches, data governance systems, and organizational culture ensures its continued relevance despite technological evolution and changing industry practices. While PI 041-1 itself has not been formally revised since its July 2021 implementation, the ongoing development of related GMP guidance (particularly Chapter 4 on Documentation and Annex 11 on Computerised Systems) and emerging technology-specific guidance (such as for artificial intelligence applications) demonstrates continued regulatory attention to data integrity as a critical patient safety and product quality concern.
For pharmaceutical organizations, PI 041-1 should be viewed not merely as a compliance obligation but as a valuable resource for developing robust, sustainable data integrity practices that support both regulatory compliance and operational excellence. The investment in strong data governance systems, appropriate technical controls, adequate resources, and positive quality culture pays dividends not only in inspection outcomes but in improved decision-making quality, reduced quality incidents, and enhanced organizational reputation.
As the pharmaceutical industry continues its digital transformation journey, incorporating advanced technologies such as artificial intelligence, machine learning, cloud computing, and process analytical technology, the fundamental principles articulated in PI 041-1 remain sound and applicable. Success in this evolving landscape requires maintaining focus on these core principles while thoughtfully adapting implementation strategies to leverage new technological capabilities and manage the associated risks.