The Misconception of Printing to Paper: “Not GxP Compliant, So Print It Out!?

In a previous column, we examined whether cloud storage services must comply with FDA 21 CFR Part 11 requirements. Unfortunately, some companies overreact to compliance concerns—to the point where they cease using electronic data altogether.

However, consider this reality: commercial off-the-shelf (COTS) software like Microsoft Excel is not inherently validated for GxP compliance. Yet many pharmaceutical and life sciences companies routinely use Excel to perform GxP-regulated activities. The key is not to avoid such tools entirely, but rather to implement them properly.

What matters most is establishing appropriate standard operating procedures (SOPs), ensuring adequate security controls, and executing work strictly in accordance with those documented procedures. Equally important is implementing quality assurance mechanisms such as quality control (QC), quality assurance (QA), and internal audit functions.

The “Hybrid System” Trap

I frequently hear from companies: “Our system isn’t Part 11 compliant, so we print electronic records to paper and have them signed (or stamped).” This approach is fundamentally flawed—in fact, it’s counterproductive.

More importantly, these so-called “hybrid systems”—where electronic records are printed to paper for signature—actually facilitate GxP violations rather than prevent them. Our organization has repeatedly warned about the dangers of hybrid systems.

The critical vulnerability of hybrid systems is this: historical electronic data can be altered, reprinted, and then signed with backdated signatures. This creates an untraceable record manipulation pathway.

Consequently, the FDA and other regulatory authorities worldwide do not trust paper records printed from electronic systems. As industry guidance notes, regulatory scrutiny of hybrid systems has intensified significantly in recent years, with inspectors viewing inadequately controlled hybrid systems as compliance liabilities rather than solutions.

The “Typewriter Excuse” Precedent

This issue has deep historical roots. In early FDA warning letters addressing data integrity, inspectors discovered that companies were manipulating electronic laboratory data, then printing the altered results and backdating signatures—what became known in the industry as the “typewriter excuse” approach, named after an analogous paper-based fraud method. The fundamental problem remains: when source data exists electronically but only paper copies are retained for official records, the opportunity for undetectable data manipulation is substantial.

Regulatory Reality: Part 11 Applies from Creation

A fundamental misunderstanding persists: FDA 21 CFR Part 11 and similar regulations like Japan’s ER/ES Guidelines apply from the moment electronic records are created—regardless of whether they are ultimately printed to paper. Printing electronic data does not exempt an organization from electronic record regulations.

Simply put, this “workaround” does not work.

The scope section of Japan’s ER/ES Guidelines explicitly states that even when the final format is paper-based media, if electromagnetic records or electronic signatures are used at any stage in the process, the guidelines apply. Similarly, FDA’s guidance on Part 11 scope clarifies that the regulation applies to records created, modified, maintained, archived, retrieved, or transmitted in electronic form.

As of 2025, FDA enforcement trends show that approximately 60-65% of warning letters cite data integrity issues, with hybrid systems representing a recurring pattern of non-compliance. The FDA’s 2023 draft guidance on data integrity strongly discourages the creation of new hybrid systems and encourages companies to transition toward fully electronic workflows. While existing hybrid systems may be grandfathered, they must demonstrate robust controls ensuring that paper records are exact, unalterable copies of electronic source data—a standard that is extremely difficult to achieve and verify.

The Business Case Against Hybrid Systems

Organizations make significant IT investments to implement electronic systems, yet then incur substantial additional costs and effort printing massive volumes of documentation and storing physical records. This approach is both inefficient and wasteful.

The path forward requires proper SOPs governing electronic record and signature use, combined with rigorous adherence to these procedures.

Modern Compliance Framework: Beyond Part 11

While Part 11 compliance remains important, the regulatory landscape has evolved significantly:

Data Integrity as the Core Principle: Modern regulatory expectations center on data integrity principles commonly summarized by the ALCOA+ acronym:

• Attributable
• Legible
• Contemporaneous
• Original
• Accurate
• Plus: Complete, Consistent, Enduring, and Available

Risk-Based Approach: The FDA’s emerging Computer Software Assurance (CSA) guidance, expected to be finalized in 2025, shifts focus from comprehensive system validation (CSV) toward risk-based testing that concentrates resources on high-risk functionalities. This approach reduces non-value-added activities while maintaining data integrity assurance.

Cloud Systems and Modern Technologies: Cloud-based quality management systems (eQMS) and laboratory information management systems (LIMS) are increasingly adopted in the life sciences sector. As of 2025, approximately 58% of pharmaceutical companies use digital validation systems, with an additional 35% planning adoption within two years. These modern platforms often incorporate Part 11 controls by design, including:

• Automated audit trails with immutable, time-stamped records
• Role-based access control with multi-factor authentication
• Electronic signature capabilities linked to unique user identities
• Built-in data integrity safeguards

International Harmonization

Regulatory requirements are converging globally:

EU Annex 11: The European Medicines Agency’s Annex 11 to EU GMP guidelines addresses computerized systems with requirements substantially aligned with FDA Part 11, though with some differences in scope and emphasis on risk management throughout the system lifecycle.

Japan’s ER/ES Guidelines: Japan’s Ministry of Health, Labour and Welfare (MHLW) issued guidelines for electromagnetic records and electronic signatures that parallel Part 11 requirements, with particular emphasis on authenticity, readability, and retainability of electronic records.

WHO and ICH Guidance: The World Health Organization and International Council for Harmonisation provide additional frameworks supporting consistent global implementation of electronic record controls.

Practical Implementation Guidance

For organizations seeking to move beyond hybrid systems:

1. Gap Assessment: Conduct a comprehensive evaluation of current practices against Part 11, ER/ES, and Annex 11 requirements.

2. Procedural Controls: Develop and implement SOPs covering:

   • System access controls and user administration
   • Audit trail review procedures
   • Electronic signature execution and meaning
   • Change control for system modifications
   • Data backup and disaster recovery
   • System validation and periodic review

3. Technical Controls: Implement systems with:

   • Unique user credentials (no shared accounts)
   • Time-stamped audit trails capturing all data changes
   • Secure electronic signatures meeting regulatory criteria
   • Data integrity verification mechanisms
   • Appropriate validation documentation (IQ/OQ/PQ)

4. Quality Culture: Foster an organizational culture that:

   • Values data integrity as fundamental to patient safety
   • Provides adequate training on GxP requirements
   • Supports appropriate resource allocation for compliance
   • Encourages reporting of data integrity concerns

Contemporary Enforcement Trends

Recent FDA warning letters (2024-2025) reveal consistent patterns:

• Inadequate access controls allowing unauthorized data modification
• Failure to lock analytical data from editing after initial capture
• Insufficient audit trail review and investigation of anomalies
• Laboratory staff possessing administrator rights enabling uncontrolled data deletion
• Shared login credentials compromising attribution and accountability
• System clock manipulation to conceal data alterations

These findings demonstrate that merely implementing electronic systems is insufficient; organizations must establish and maintain comprehensive data governance programs.

Conclusion

The practice of printing electronic records to paper as a “compliance strategy” represents a fundamental misunderstanding of regulatory requirements and creates unnecessary risk. Part 11 and equivalent regulations apply from the moment electronic records are created, and hybrid systems introduce vulnerabilities that can facilitate rather than prevent data integrity violations.

The solution is not to retreat from electronic systems but to implement them properly with appropriate technical controls, procedural safeguards, and organizational commitment to data integrity. Modern cloud-based platforms, risk-based validation approaches, and internationally harmonized standards provide viable pathways for efficient, compliant operations.

Organizations must develop comprehensive data governance strategies that include validated systems, documented procedures rigorously followed, appropriate training, and robust quality oversight. Only through such integrated approaches can companies satisfy regulatory expectations while realizing the full benefits of digital transformation in pharmaceutical manufacturing and research.

The era of hybrid systems as an acceptable compliance approach has ended. Organizations should prioritize transitioning to fully electronic workflows with appropriate controls rather than perpetuating practices that regulatory authorities view as inherently high-risk and increasingly unacceptable.