Regulatory Expectations for Self Inspection and Data Integrity

Introduction

The UK Medicines and Healthcare products Regulatory Agency (MHRA) published an article titled “MHRA Expectation regarding Self Inspection and Data Integrity” on its website in January 2014. Through this article, the MHRA expressed its expectation that pharmaceutical companies should re-examine the importance of self-inspection and ensure the effectiveness of data integrity and traceability measures.

The MHRA subsequently published comprehensive guidance on data integrity in March 2015 (revised March 2015 as Revision 1.1), and later issued the “GXP Data Integrity Guidance and Definitions” in March 2018 (Revision 1), which expanded the scope from GMP to all GXP areas including Good Clinical Practice (GCP), Good Distribution Practice (GDP), Good Laboratory Practice (GLP), and Good Pharmacovigilance Practice (GPvP).

The Reality of Data Integrity Issues

Data integrity issues are not primarily caused by intentional fraud or falsification. Rather, they are predominantly attributable to human factors such as inadvertence, inadequate training, and insufficient oversight. Recent data from the MHRA reveals that between 2016 and 2023, lapses in data integrity accounted for nearly 40% of all critical and major GMP deficiencies reported. These failures frequently involve issues such as incomplete audit trails, shared system credentials, and undocumented data reprocessing.

The MHRA has been a global leader in defining expectations for data integrity, establishing the ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, and Available) as the foundation for data quality expectations. These principles apply to all GXP records, whether paper-based or electronic.

Global Regulatory Landscape and Inspection Trends

As pharmaceutical supply chains have become increasingly globalized, regulatory authorities worldwide have substantially increased the frequency of overseas inspections. However, with limited inspection resources, efficient inspection methodologies have become essential.

Recent Inspection Data (2024-2025)

The U.S. Food and Drug Administration (FDA) has demonstrated a significant escalation in its inspection activities. According to the FDA’s Office of Pharmaceutical Quality (OPQ) FY2024 Report on the State of Pharmaceutical Quality:

• The FDA conducted 989 drug quality assurance inspections in FY2024, representing a 27% increase from FY2023’s 776 inspections
• Foreign inspections reached an all-time high, comprising 62% of all quality assurance inspections
• Particular emphasis was placed on inspections in India and China, where 34% and 28% of sites in the Site Catalog, respectively, underwent inspection
• The FDA issued 105 warning letters for quality issues in FY2024, the highest in five years
• In May 2025, the FDA expanded its use of unannounced inspections at foreign manufacturing facilities, particularly in China and India

AI-Enhanced Inspection Targeting

In June 2025, the FDA launched its internal AI system called “Elsa,” which has introduced a new level of analytical precision in inspection targeting. This system uses data analysis to flag high-risk facilities based on patterns in compliance data, adverse event reports, and historical inspection outcomes, revolutionizing the FDA’s approach to risk-based inspection planning.

Remote Regulatory Assessments

A notable trend is the increasing shift toward hybrid inspections and remote regulatory assessments. Remote information requests or failure to respond to them accounted for almost a quarter of warning letters issued in FY2024. The FDA is increasingly relying on Section 704(a)(4) records requests as an efficient alternative or complement to physical inspections.

Evolution of Inspection Methodology

Traditional inspections focused on identifying deficiencies observed during limited on-site visits, typically lasting only a few days. Pharmaceutical companies would then correct the issues pointed out by inspectors. However, the number of problems and risks that inspectors can discover during such brief inspections is inherently limited. Therefore, merely correcting the errors discovered by inspectors does not guarantee the safety of citizens.

Quality Systems-Based Approach

Regulatory authorities such as the FDA have shifted their inspection approach from simply discovering errors and risks to investigating whether companies have established a robust Quality System (or Pharmaceutical Quality System) under the governance of senior management. This approach is fundamentally aligned with the ICH Q10 Pharmaceutical Quality System guideline, which provides a harmonized model for quality management throughout the product lifecycle.

FDA’s Quality Management Maturity (QMM) Program

In 2022, the FDA initiated the Quality Management Maturity (QMM) program, which essentially scores companies on ICH Q10-like attributes including quality culture, governance, and continual improvement. A 2024 workshop report noted that QMM represents “the FDA’s blueprint for pharmaceutical excellence.” Achieving a high QMM score is increasingly becoming a competitive advantage and a key indicator of regulatory readiness.

What Inspectors Value: The Role of Competent Internal Auditors

What provides inspectors with confidence in a pharmaceutical or medical device company? The answer lies in the presence of competent internal auditors who conduct effective Self Inspections. Companies that demonstrate proactive identification and resolution of quality issues through robust internal audit programs are viewed more favorably during regulatory inspections.

Understanding Self Inspection vs. Self Checking

The term “Self Inspection” is translated as “自己点検” (self-checking) in Japanese regulations and guidance, but this translation is not entirely appropriate. Self Inspection involves proactively discovering and correcting or preventing risks through internal audits and other quality oversight activities on a daily basis. Rather than waiting for deficiencies to be identified during regulatory inspections, companies must implement active improvement initiatives on their own.

Self Inspection requires the autonomous discovery of latent issues (i.e., risks). The results of Corrective Actions, Preventive Actions (CAPA), and Self Inspection (internal audits) must be fed back into the management process. Management, through mechanisms such as Management Review, issues improvement directives and establishes quality objectives for the coming year.

Global Harmonization: PIC/S Data Integrity Guidance

The Pharmaceutical Inspection Co-operation Scheme (PIC/S), a global organization comprising GMP inspectors from more than 50 regulatory authorities, published its comprehensive guidance “Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments” (PI 041-1) in July 2021. This guidance has been harmonized with documents published by other regulators including the WHO, OECD, and EMA.

2025 Updates to PIC/S Guidelines

PIC/S is currently undertaking significant revisions to several key chapters:

Revised Chapter 1 – Pharmaceutical Quality System (consultation period: September 3 to December 3, 2025): This revision incorporates changes that reflect the updated ICH guideline on Quality Risk Management, ICH Q9(R1), strengthening knowledge management and risk management across the product lifecycle. The revision emphasizes proactive identification of manufacturing risks to prevent shortages and mitigate supply chain vulnerabilities, thereby safeguarding patient safety and public health.

Revised Chapter 4 – Documentation (consultation period: July 7 to October 7, 2025): This revision highlights the importance of documentation in GMP compliance and supports the use of new technologies, hybrid solutions, and new services in documentation management. Risk-management principles are now central and integrated within the data governance system to ensure the accuracy, integrity, availability, and legibility of documents across all formats—paper, digital, or hybrid.

Revised Annex 11 – Computerised Systems (anticipated publication: June 2026 by European Community, September 2026 by PIC/S): This revision will include enhanced requirements for data integrity, particularly for “data in motion,” cloud services, and validation requirements for computerized systems.

Establishing a Culture of Quality and Continuous Improvement

To ensure data integrity, it is essential for everyone in the organization, from top management down, to participate in continuously operating the PDCA cycle (Plan-Do-Check-Act), thereby creating a system where the entire organization continuously improves through spiral upward progression. For this purpose, Self Inspection (internal audits) and corrective actions are extremely important for strengthening the organizational structure.

Companies must avoid the abandonment of root cause investigation, which would forfeit opportunities for self-improvement. In other words, it is essential to create a system for preventing recurrence to ensure that the same non-conformities do not repeatedly occur.

The Danger of Oversimplification

It is not strategically beneficial for the organization’s continuous improvement to assume that simple non-conformities require only corrective actions without root cause investigation or recurrence prevention. Simple non-conformities, in particular, if root cause investigation and recurrence prevention are neglected, will repeatedly emerge like a game of whack-a-mole, causing the PDCA cycle to stagnate.

Comprehensive Approach to Data Integrity

The Three Lines Model

Modern quality systems should incorporate a “three lines model” approach to data governance:

First Line: Operational management and process owners who generate and use data daily. They are responsible for ensuring data integrity at the point of creation and use.

Second Line: Quality Assurance and Quality Control functions that provide oversight, establish procedures, and monitor compliance. This includes conducting periodic data integrity reviews and trending analysis.

Third Line: Internal audit function (Self Inspection) that provides independent assurance to senior management and the board regarding the effectiveness of the data governance system.

Risk-Based Approach to Data Integrity

In accordance with ICH Q9(R1) Quality Risk Management principles, organizations should implement risk-based approaches to data integrity:

• Data Flow Mapping: Identify and document every point where critical GXP data are generated, processed, and archived. This mapping forms the foundation for data integrity risk assessment.
• Data Criticality Assessment: Establish data criticality and inherent integrity risk. The degree of effort and resources applied to organizational and technical controls should be commensurate with data criticality in terms of impact on product quality.
• Control Strategy: Implement appropriate controls based on risk assessment, including both technical controls (e.g., audit trails, access controls, electronic signatures) and procedural controls (e.g., data review procedures, training programs, oversight activities).

Technology and Data Integrity

Electronic Systems and Hybrid Approaches

Organizations increasingly use electronic systems to capture, process, report, and store GXP data. When computerized systems are used, system design should always provide for the retention of full audit trails to show all changes to data while retaining previous and original data. It should be possible to associate all changes to data with the persons making those changes, and changes should be time-stamped with reasons provided. Users should not have the ability to amend or switch off the audit trail.

For organizations transitioning from paper-based to electronic systems, hybrid systems (combining electronic and paper-based records) may be used temporarily. However, these hybrid systems must be carefully controlled and should achieve equivalence to the integrated audit trail requirements described in regulatory guidance.

Cloud Computing and Service Providers

With the increasing adoption of cloud-based systems and Software as a Service (SaaS) solutions, organizations must thoroughly vet vendors’ security measures, backup procedures, and validation strategies. While cloud systems offer significant benefits, the regulated company maintains ultimate responsibility for data integrity and must retain control over specific configurations and records.

Supply Chain Considerations

Data integrity requirements extend throughout the pharmaceutical supply chain. Contract manufacturing organizations (CMOs), analytical testing laboratories, and other service providers must maintain the same standards of data integrity as the contracting company.

Particularly High-Risk Areas

Recent regulatory data highlights specific areas of elevated risk:

Active Pharmaceutical Ingredient (API) Manufacturers: Over the past five years, 72% of API manufacturing sites subject to FDA regulatory actions were sites that exclusively supply compounding pharmacies, despite these sites representing only 18% of API manufacturers. This four-fold overrepresentation in regulatory actions suggests systemic quality issues within this subset of the supply chain, with violative sites predominantly located in China (51%) and India (30%).

Over-the-Counter (OTC) Manufacturers: In FY2024, 65% of quality-related import alerts targeted manufacturers of OTC monograph drug products.

Organizations must implement robust supplier qualification, ongoing monitoring, and periodic audit programs to ensure supply chain partners maintain appropriate data integrity standards.

Management Responsibilities and Quality Culture

Senior management bears ultimate responsibility for establishing and maintaining an effective pharmaceutical quality system and ensuring data integrity. This includes:

• Quality Policy and Objectives: Establishing clear quality policies that emphasize the importance of data integrity and setting measurable quality objectives that are communicated throughout the organization.
• Resource Allocation: Ensuring adequate resources (personnel, infrastructure, equipment, and training) are available to maintain data integrity throughout the product lifecycle.
• Organizational Culture: Creating a transparent and open work environment where personnel are encouraged to freely communicate failures and mistakes, including potential data reliability issues, so that corrective and preventive actions can be implemented. The organizational reporting structure should permit information flow between personnel at different hierarchical levels without barriers.
• Management Review: Conducting periodic reviews of the pharmaceutical quality system, including data integrity metrics, to identify opportunities for continual improvement. The review should examine:
  • Process performance and product quality trends
  • CAPA effectiveness
  • Results of internal and external audits (including Self Inspection findings)
  • Regulatory inspection outcomes
  • Changes in regulatory requirements
  • Innovation and improvement opportunities

Training and Competency

Personnel at all levels must understand the importance of data integrity and their individual responsibilities. Training programs should cover:

• Basic principles of data integrity (ALCOA+)
• Company-specific procedures for data generation, processing, and storage
• Proper documentation practices for both paper and electronic systems
• Identification and reporting of potential data integrity issues
• Consequences of data integrity failures (patient safety, regulatory, legal, ethical)
• Case studies demonstrating both good and poor data integrity practices

Training should be documented, and competency should be assessed through practical evaluations, not merely through attendance records or knowledge tests.

Responding to Data Integrity Findings

When data integrity issues are identified, whether through internal discovery or regulatory inspection, organizations must respond appropriately:

Internal Discovery

When data integrity issues are discovered internally through Self Inspection or other quality monitoring activities:

1. Immediate Action: Take immediate steps to prevent further compromise of data integrity
2. Impact Assessment: Assess the potential impact on product quality, patient safety, and regulatory compliance
3. Root Cause Investigation: Conduct thorough investigation to identify systemic causes, not just individual errors
4. CAPA Implementation: Develop and implement effective corrective and preventive actions
5. Verification: Verify the effectiveness of CAPA through follow-up monitoring
6. Regulatory Notification: Consider whether regulatory notification is required based on the severity and impact of the issue

Regulatory Findings

When regulatory authorities identify data integrity deficiencies:

1. Timely Response: Provide comprehensive written responses within specified timeframes
2. Acknowledgment: Acknowledge the specific findings without making unfounded claims or denials
3. Comprehensive CAPA: Develop robust corrective and preventive action plans that address root causes
4. Timeline: Provide realistic timelines for CAPA completion with interim milestones
5. Resources: Demonstrate commitment of adequate resources to address findings
6. Follow-Up: Keep regulators informed of progress and any obstacles encountered

Future Outlook and Emerging Trends

Artificial Intelligence and Machine Learning

Regulatory authorities are increasingly using AI and machine learning tools for risk-based inspection planning and targeting. The FDA’s “Elsa” system represents just the beginning of this trend. Organizations should prepare for increasingly sophisticated regulatory oversight that can identify patterns and anomalies across large datasets.

Advanced Manufacturing Technologies

The pharmaceutical industry is adopting advanced manufacturing technologies including continuous manufacturing, point-of-care manufacturing, and AI-enabled process control. PIC/S held its 2025 Annual Seminar (November 5-7, 2025, in Hong Kong) focused on these “Advanced Technologies in Pharmaceutical Manufacturing.”

These technologies present both opportunities and challenges for data integrity. While they can provide enhanced process understanding and control, they also generate unprecedented volumes of data that must be appropriately managed and protected throughout the product lifecycle.

Decentralized Clinical Trials

The increasing adoption of decentralized clinical trials (DCTs) and digital health technologies creates new data integrity challenges. Regulatory authorities have published guidance on the use of digital health technologies in drug development, but implementation must ensure that data integrity principles are maintained across distributed systems and geographically dispersed trial sites.

Supply Chain Resilience

Recent drug shortages have highlighted the fragility of pharmaceutical supply chains. The EU has proposed that future marketing authorization holders should build and maintain shortage prevention plans. In the United States, efforts to increase domestic manufacturing and reduce dependence on foreign pharmaceutical suppliers may reshape the global supply chain landscape, with significant implications for quality oversight and data integrity assurance across that supply chain.

Conclusion

Data integrity is a fundamental aspect of pharmaceutical quality that requires sustained attention from all levels of an organization. It cannot be achieved through inspection alone but must be built into the organizational culture and supported by robust quality systems.

Effective Self Inspection programs, functioning as part of a comprehensive pharmaceutical quality system aligned with ICH Q10 principles, represent a critical component of ensuring data integrity. Organizations that proactively identify and address data integrity risks, rather than waiting for regulatory authorities to discover problems, will be better positioned to meet the evolving expectations of global regulators.

The regulatory landscape continues to evolve, with increasing harmonization through international organizations like PIC/S and ICH, coupled with more sophisticated and risk-based inspection approaches. Organizations must remain vigilant and adaptable, continuously improving their quality systems and data governance practices to meet these heightened expectations.

By establishing a genuine culture of quality, investing in competent internal audit functions, implementing risk-based data integrity controls, and maintaining effective CAPA systems, pharmaceutical companies can ensure the reliability of their data, protect patient safety, and maintain regulatory compliance in an increasingly complex global environment.

The ultimate goal is not merely compliance with regulations, but the consistent delivery of safe, effective, and high-quality medicines to patients worldwide. Data integrity is the foundation upon which this goal rests, and Self Inspection is the organizational mechanism through which data integrity is continuously assured and improved.