Distinguishing Between Part 11 and Data Integrity: A Comprehensive Understanding and Appropriate Response
Introduction
In recent years, data integrity compliance has become a critical issue for pharmaceutical companies. However, when examining case presentations, publications, and seminars from many organizations, it becomes apparent that there is a common confusion between data integrity compliance and Part 11 compliance. This confusion can hinder the implementation of effective data integrity measures.
This article clarifies the differences between these two concepts and explains truly effective approaches to data integrity compliance.
Misconceptions About Data Integrity Compliance
Many companies operate under the misconception that data integrity compliance simply means implementing security and audit trail functions in computerized systems such as analytical instruments. This is a significant misunderstanding.
The reason is that the majority of events threatening data integrity (i.e., record reliability) actually stem from human error. Multiple industry research studies report that approximately 80% of process deviations and 30-40% of quality defects in the pharmaceutical industry are related to human error.
Human Error and Data Integrity
Consider this important question: Which poses a greater risk to patient safety—data that has been deliberately falsified or data that has been incorrectly recorded due to human error?
The answer is: both are equally serious.
From a patient safety perspective, it does not matter whether data was intentionally falsified or mistakenly recorded due to human error. In either case, if products are released based on inaccurate data, patient safety may be compromised.
Therefore, the highest priority in data integrity compliance should be reducing the occurrence of human error.
Types of Common Human Errors
Frequent human errors in the pharmaceutical industry include:
- Transcription errors (e.g., when transferring handwritten records to systems)
- Calculation errors (manual calculations or use of inappropriate formulas)
- Input errors (typos, transposition of numbers during data entry)
- Reagent errors (wrong type, expired materials, improper preparation, inadequate storage conditions)
- Procedural errors (misunderstanding steps, assumptions, SOP non-compliance)
- Sample mix-ups
- Improper equipment use or failure to calibrate
Understanding the Nature of Human Error
The critical point is that even with security and audit trail functions in computerized systems such as analytical instruments, human error itself cannot be prevented.
Human error occurs with a certain probability and is inevitable. After all, there is no such thing as a person who never makes mistakes. Humans work in complex environments, and various factors such as fatigue, stress, working conditions, procedure complexity, and communication gaps can influence error occurrence.
Regulatory authorities’ perspectives also reflect this understanding. Simply citing “human error” as the root cause of a deviation is no longer acceptable. EU GMP Guidelines Section 1.4 explicitly states that when human error is suspected, it must be justified after ensuring that process, procedural, or system-based errors or problems have not been overlooked if present.
Approaches to Preventing Human Error
To prevent human error, multi-layered mechanisms (Quality Management System: QMS) are necessary, including:
- Double-check and cross-check systems: Multiple-person verification for critical steps
- Clear and concise SOPs: Creation of procedures that are easy to understand and follow
- Appropriate training and education: Continuous training and competency assessment
- Error-proof design (Poka-Yoke): Implementation of mechanisms that prevent incorrect operations
- Effective communication: Information transfer systems between shifts and departments
- Risk assessment: Identification of error-prone processes and implementation of countermeasures
- Fostering quality culture: Open reporting culture, non-punitive approach
- Work environment optimization: Appropriate lighting, noise management, adequate workspace
- Appropriate staffing: Optimization of workload, right person for the right job
Data Integrity Applies Equally to Paper and Electronic Records
Data integrity compliance should not be limited to electronic records.
Consider this question again: Which poses a greater risk to patient safety—falsification of electronic records or falsification of paper records?
The answer is: both are equally serious.
International regulatory guidance from MHRA, WHO, PIC/S, and others clearly indicates that data integrity principles apply regardless of the record medium. The ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, and Available) apply to paper-based systems as well.
Manufacturing facilities still commonly use paper media for creating manufacturing records. Adequate attention must be paid to data integrity compliance for paper-based records.
Key Management Items for Paper Records
- Control of blank forms (distribution, storage, disposal)
- Version control of templates
- Ensuring contemporaneous recording during entry
- Appropriate correction methods (single-line correction, reason documentation, signature and date)
- Storage and retrievability of paper records
- Original record management after digitization
Human Errors Preventable Through IT Implementation
Of course, digitizing records can prevent certain types of human error.
Benefits of Digitization
For example, connecting standalone analytical instruments such as electronic balances to LIMS (Laboratory Information Management System) through a network can achieve the following effects:
- Prevention of transcription errors: Analytical data such as weighing values are automatically transferred, eliminating manual transcription
- Prevention of input errors: Keyboard typing mistakes are reduced
- Prevention of calculation errors: In validated systems, calculations are automated and accuracy improves
- Data protection: Data can be protected from intentional and unintentional alterations such as overwriting, changes, and deletions
- Audit trail: Records of who changed what and when are automatically generated
- Access control: Prevents unauthorized users from accessing or modifying data
Limitations and Prerequisites of Digitization
However, these effects are only valid when the following prerequisites are met:
- Appropriate analytical methods: The analysis implementation methods must be valid
- Accurate analysis programs: Analysis programs and parameters must be properly configured
- Correct raw data: The acquired raw data itself must be correct
- Appropriate system validation: It must be verified that the system functions as intended
If human error occurs during the process of generating raw data, digitization cannot prevent it. For example, errors such as analyzing the wrong sample, using equipment without proper calibration, or using incorrect reagents cannot be prevented solely through system digitization.
Part 11 Compliance is Limited Data Integrity Compliance
Purpose and Scope of Part 11
21 CFR Part 11 (Code of Federal Regulations Title 21 Part 11) is a regulation established by the FDA in 1997 that defines requirements for the use of electronic records and electronic signatures.
The main purposes of Part 11 are, regardless of whether accidental or intentional:
- To make it difficult to easily alter electronic records (Security)
- To make alterations detectable (Audit trail)
Differences Between Part 11 and Data Integrity
Part 11 does not directly address the human error countermeasures mentioned above. Part 11 primarily focuses on the following technical and procedural controls:
- System validation
- Audit trail functionality
- Access control
- Electronic signature requirements
- Record copying and archiving
- System change control
Additionally, Part 11 is limited to electronic records. The FDA’s 2003 guidance introduced a risk-based approach, encouraging the determination of Part 11’s scope based on impact on product quality and patient safety rather than uniformly applying Part 11 to all electronic systems.
Furthermore, the latest guidance issued by the FDA in October 2024, “Use of Electronic Records and Electronic Signatures in Clinical Investigations Under Part 11 — Questions and Answers,” clarifies that external data sources such as electronic health records (EHRs) are not assessed for Part 11 compliance at the point of data acquisition.
Comprehensive Approach to Data Integrity
On the other hand, data integrity is a more comprehensive concept. Guidance from MHRA, WHO, PIC/S, and others indicates that data integrity includes:
- Organizational culture and data governance
- Both paper and electronic records
- Prevention of human error
- Process design and risk management
- Training and competency management
- Technical controls (system security and audit trails)
- Supply chain-wide management (including contract organizations)
Relationship Between Part 11 Compliance and Data Integrity Compliance
The following table organizes the differences between Part 11 compliance and data integrity compliance:
| Item | Part 11 Compliance | Data Integrity Compliance |
| Regulatory Origin | FDA (United States) | Multiple regulatory authorities (FDA, MHRA, WHO, PIC/S, etc.) |
| Target Media | Electronic records only | Both paper and electronic records |
| Primary Focus | Technical controls (security, audit trail) | Comprehensive data lifecycle management |
| Human Error Countermeasures | Outside direct scope | Core element |
| Organizational Culture | Not mentioned | Important element (quality culture, open reporting culture) |
| Risk Approach | Risk-based approach introduced since 2003 | Risk-based approach is fundamental |
| Scope of Application | Records submitted to FDA or required to meet regulatory requirements | All data and records across GxP activities |
| Process Design | No explicit requirements | Error-proof design is recommended |
| Paper Record Management | Outside scope | Important management target |
| Supplier Management | Limited | Data integrity at contract organizations also managed |
Conclusion
Part 11 compliance and data integrity compliance are different.
Part 11 defines specific technical and procedural requirements to ensure the reliability of electronic records and electronic signatures. Data integrity, on the other hand, is a comprehensive concept ensuring completeness, consistency, and accuracy of data throughout the data lifecycle, regardless of the record medium.
To achieve effective data integrity compliance, a multifaceted approach is necessary, including:
- Fostering quality culture: Management commitment and an open, transparent organizational culture
- Establishing data governance: Risk-based management systems according to data criticality
- Human error countermeasures: Error-proof design, training and education, double-check systems
- Addressing both paper and electronic records: Application of ALCOA+ principles regardless of medium
- Appropriate technical controls: System security and audit trail functions as needed
- Continuous improvement: Regular self-inspections, implementation of CAPA (Corrective Action and Preventive Action)
Simply adding security and audit trail functions to computerized systems does not achieve true data integrity. Converting paper records to electronic format does not solve the problem either. What is important is for the entire organization to understand the importance of data integrity and to integrate process design, human resource development, quality culture, and technical controls.
The latest regulatory guidance also emphasizes the importance of organizational culture, risk management, and continuous improvement, not just technical controls. To truly protect patient safety and ensure product quality, it is essential to approach data integrity from this comprehensive perspective.
Comment