Data Integrity and the Role of Standard Operating Procedures

Ensuring data integrity requires more than creating a single company-wide Standard Operating Procedure (SOP). Rather, data integrity elements must be integrated into all SOPs across every department throughout the organization.

For example, in processes where data transcription occurs, double-check procedures should be incorporated to address the risk of transcription errors. When calculations are performed, verification procedures should be added to prevent calculation mistakes. When data entry is required, input verification procedures must be clearly defined.

SOPs are not merely tools for regulatory compliance—they are practical instruments designed to prevent specific errors in actual work environments. It is essential to develop effective procedures that reflect the realities of workplace operations. Additionally, regular reviews and updates must be conducted to address emerging risks and issues, ensuring that SOPs remain current and aligned with evolving regulatory expectations such as those outlined in FDA’s guidance on data integrity (December 2018), EMA’s Q&A on data integrity (updated through 2023), and WHO’s guidance on data integrity (2023). The principles of ALCOA+ (Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, and Available) should be consistently applied across all procedures.

Human Error and the Importance of Training

Appropriate education and training are indispensable for preventing human errors.

A particularly noteworthy point is that experienced personnel are more prone to careless mistakes. This occurs because experienced workers tend to perform tasks without consulting SOPs, and their faster work pace makes error detection more difficult. In contrast, beginners work more slowly, and they receive greater attention from colleagues, making errors easier to detect. However, because experienced personnel often handle critical data, their errors can have a more significant impact on data integrity.

Therefore, education and training must be provided not only to new employees but also continuously to experienced personnel. When new systems or procedures are introduced, it is especially important to provide appropriate training to all employees. This training should emphasize data integrity principles, the risks associated with deviations from established procedures, and the importance of maintaining a questioning attitude regardless of experience level. Regular refresher training helps reinforce proper practices and addresses complacency that may develop over time.

Training programs should also include scenario-based exercises that simulate real-world situations where data integrity could be compromised, enabling personnel to recognize and respond appropriately to potential issues. Documentation of all training activities is essential for demonstrating compliance with regulatory requirements, including those specified in 21 CFR Part 11 for electronic records and Part 211 for pharmaceutical manufacturing.

Management of Paper Records and Electronic Records

Both paper records and electronic records hold equal importance in data integrity. Falsification of paper records and falsification of electronic records carry the same gravity with respect to patient safety.

Particular attention must be paid to the management of hybrid systems. When electronic records are created and then printed for handwritten signatures, many companies mistakenly consider the printed paper record as the original. This is incorrect. The combination of electronic records and handwritten signatures constitutes a hybrid system, and both the electronic record and the paper record must be treated as equally important originals.

Record Type	Status	Management Requirements
Electronic Record Only	Original	Maintain with electronic signature per 21 CFR Part 11; ensure backup and archive procedures
Paper Record Only	Original	Maintain with handwritten signature; protect against loss, damage, and unauthorized alteration
Hybrid System (Electronic + Paper with handwritten signature)	Both are originals	Retain both records; ensure content consistency; verify date/time alignment; implement controls for both formats

Consequently, electronic records must not be deleted, and both types of records must be properly retained with verification of content consistency between them. Date and time integrity is also critical—alignment between the creation date/time of the electronic record and the signature date/time on the paper record is required.

In hybrid systems, organizations must establish clear procedures that define:

• Which record serves as the primary source for each data element
• How discrepancies between electronic and paper records should be identified and resolved
• The retention periods for both formats, ensuring compliance with applicable regulations (typically a minimum of the product’s lifecycle plus additional years as required by regional regulations)
• Access controls and audit trail requirements for both electronic and paper components
• Backup and disaster recovery procedures that address both formats

The FDA’s guidance on data integrity emphasizes that in hybrid systems, the complete data set includes both the electronic and paper components. Organizations must implement adequate controls to ensure the integrity, accuracy, and reliability of both formats throughout their lifecycle. This includes maintaining audit trails that track all interactions with the data, whether in electronic or paper form.

Furthermore, when transitioning from paper-based systems to electronic systems, or when implementing hybrid approaches, organizations should conduct thorough risk assessments to identify vulnerabilities specific to their operational context. These assessments should consider factors such as:

• The complexity of data flows between electronic and paper formats
• The frequency of data transcription or transfer between formats
• The criticality of the data to product quality and patient safety
• The adequacy of existing controls and the need for additional safeguards

Regular audits and self-inspections should verify that hybrid systems are functioning as intended and that data integrity is maintained across both electronic and paper components. Any identified gaps should be promptly addressed through corrective and preventive actions (CAPA), with appropriate documentation maintained to demonstrate ongoing compliance and continuous improvement efforts.

Note: This document reflects current regulatory expectations as of early 2025, based on guidance from FDA, EMA, WHO, and the PIC/S (Pharmaceutical Inspection Co-operation Scheme). Organizations should regularly monitor regulatory updates and adjust their data integrity practices accordingly to maintain compliance with evolving requirements.