Continuous Improvement in Data Integrity

Regulatory Foundation in Japan

Article 20, Paragraph 2 of the GMP Ministerial Ordinance was newly established through the 2021 revision to ensure data integrity in Japan, aligning with international regulatory expectations.

Article 20: Management of Documents and Records

Paragraph 2 stipulates that marketing authorization holders and manufacturers must have designated personnel perform the following duties based on documents prescribed in Article 8, Paragraph 2:

(i) Continuously manage to ensure that procedures and records to be created and retained are complete without omission.

(ii) Continuously manage to ensure that created procedures and records are accurate in content.

(iii) Continuously manage to prevent inconsistencies with the content of other procedures and records.

(iv) When omissions are found in procedures or records, or when inaccurate or inconsistent points are identified in their content, investigate the cause and take necessary corrective and preventive actions.

(v) Perform other duties necessary to ensure the reliability of procedures and records.

(vi) Create and retain records pertaining to the duties in the preceding items.

As clearly stated in items (i) through (iii), data integrity compliance requires continuous management. This reflects the global regulatory trend toward sustained vigilance in data governance, consistent with guidance from PIC/S, FDA, MHRA, and WHO.

Understanding Data Integrity: The ALCOA+ Principles

Before discussing continuous improvement, it is essential to understand what data integrity means in the pharmaceutical context. Data integrity is commonly defined by the ALCOA+ principles, which originated from FDA guidance and have been adopted internationally:

ALCOA (Original principles):

• Attributable: Data should be traceable to the individual who generated it
• Legible: Data must be readable and permanent
• Contemporaneous: Data should be recorded at the time the activity is performed
• Original: Data should be the original record or a true copy
• Accurate: Data must be error-free and reflect true observations

Extended principles (+):

• Complete: All data must be captured
• Consistent: Data should be recorded in a consistent manner
• Enduring: Data must remain accessible throughout the retention period
• Available: Data must be readily retrievable for review and inspection

Enhanced Awareness Leads to Greater Detection

When the number of police officers increases, parking violations detected also increase. Similarly, when police presence expands, speeding violations recorded rise as well. This does not mean that more people are committing these infractions; rather, the opportunities for detection have increased.

In the same way, when Medical Representatives (MRs) receive enhanced training on adverse event identification, the number of adverse event reports increases. Again, this does not indicate an actual increase in adverse events themselves, but rather an improvement in awareness and detection capabilities. This phenomenon is well-documented in pharmacovigilance literature and reflects improved signal detection rather than increased incidence.

The same principle applies to data integrity. Whether an organization believes it has no data integrity violations because none have been found, or whether violations truly do not exist, cannot be determined without detailed scrutiny and systematic investigation.

Risk-Based Approach to Data Integrity

Modern data integrity management adopts a risk-based approach, as recommended by ICH Q9 (Quality Risk Management) and emphasized in regulatory guidance from PIC/S and FDA. Organizations must first identify various risks that threaten data integrity, including but not limited to:

Traditional risks:

• Transcription errors when transferring data between systems or documents
• Input errors during manual data entry
• Calculation mistakes in formulas or computations
• Operational errors in equipment use or procedure execution

Digital-era risks:

• Audit trail manipulation or deletion in electronic systems
• Unauthorized access to data through inadequate access controls
• Data modification through hidden system functionalities
• Uncontrolled use of portable storage devices
• Inadequate backup and disaster recovery procedures
• Vulnerabilities in legacy systems lacking modern security features

Organizations need to reassess the reliability of historical data by conducting retrospective reviews. This process involves examining existing records, investigating system capabilities for data manipulation, and evaluating the adequacy of past controls.

The Three Phases of Data Integrity Management

Short-term Response: Detection and Awareness

Once organizations become aware of the various process risks, the detection rate of data integrity violations will increase substantially. This heightened detection should not be viewed negatively; rather, it represents an important step toward establishing a robust data integrity program. This is the short-term response to data integrity challenges.

During this phase, organizations typically conduct gap analyses against current standards, including:

• PIC/S PI 041-1 (Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments)
• FDA Guidance for Industry: Data Integrity and Compliance with Drug CGMP (December 2018)
• MHRA GXP Data Integrity Guidance and Definitions (March 2018, revised 2021)
• WHO Technical Report Series No. 996, Annex 5 (Guidance on data integrity)

Mid-term Response: CAPA Implementation

When data integrity violations are detected, Corrective and Preventive Actions (CAPA) must be implemented to drive improvement. Improvements ensure both recurrence prevention and proactive mitigation of similar issues. This represents the mid-term response to data integrity challenges.

The CAPA process should follow a structured approach:

Investigation phase:

• Root cause analysis using tools such as fishbone diagrams or the “5 Whys” technique
• Determination of the scope and impact of the violation
• Assessment of whether the issue is isolated or systemic

Action phase:

• Immediate corrective action to address the specific violation
• Broader corrective action to eliminate the root cause
• Preventive action to prevent similar violations in related processes

Verification phase:

• Effectiveness checks to confirm that actions have resolved the issue
• Ongoing monitoring to ensure sustained improvement

This systematic approach aligns with ICH Q10 (Pharmaceutical Quality System) requirements for continual improvement and is expected by regulatory authorities worldwide.

Long-term Response: Sustained Continuous Improvement

Unfortunately, even with repeated improvements, errors cannot be reduced to zero. Data integrity violations will inevitably occur to some extent. The critical point here is to continue implementing data integrity measures persistently, accepting this reality while striving for excellence.

To use an analogy, it is like wringing a dry towel—organizations must continuously monitor data integrity violations and implement improvements relentlessly. This embodies the essence of continuous management required by the GMP Ministerial Ordinance.

Building a Quality Culture for Sustained Improvement

Modern regulatory thinking emphasizes that technical controls alone are insufficient for maintaining data integrity. PIC/S PI 041-1 and other guidance documents stress the importance of organizational culture in supporting data integrity.

Elements of a strong data integrity culture include:

Open communication environment: Staff should feel comfortable reporting errors and near-misses without fear of punitive consequences. This “no-blame” culture (when appropriate) encourages transparency and learning.

Management commitment: Senior leadership must demonstrate visible commitment to data integrity through resource allocation, participation in quality reviews, and consistent messaging about its importance.

Adequate resources: Organizations must provide sufficient staffing, training, equipment, and systems to enable compliant operations. Resource constraints are frequently identified as root causes in data integrity failures.

Continuous training: Personnel at all levels require regular training not just on procedures, but on the principles and importance of data integrity, tailored to their specific roles.

Appropriate controls: Technical and procedural controls should be designed based on risk assessment and should not create unreasonable burdens that might incentivize workarounds or data manipulation.

Leveraging Technology for Continuous Monitoring

Modern pharmaceutical quality systems increasingly rely on technology to support continuous data integrity monitoring:

Electronic Quality Management Systems (eQMS): These systems can automate deviation tracking, CAPA management, and trending analysis to identify patterns that might indicate systematic data integrity issues.

Data analytics and visualization: Advanced analytics tools can identify anomalies in data patterns that might be missed by routine review, such as unusual data distributions, repeated values, or timing inconsistencies.

Automated audit trail review: Software tools can systematically review electronic audit trails for suspicious activities, such as frequent data modifications, deletions, or after-hours access.

Periodic review dashboards: Real-time dashboards providing metrics on data integrity indicators enable management to identify trends and take proactive action before issues escalate.

Regulatory Expectations for Continuous Improvement

International regulatory authorities have made clear that data integrity is not a one-time project but an ongoing commitment. Recent warning letters from FDA and inspection findings from European authorities consistently cite failures in:

• Ongoing monitoring of data integrity controls
• Trending and analysis of data integrity metrics
• Regular review and update of data governance procedures
• Sustained management oversight of data integrity programs
• Continuous improvement based on self-inspections and CAPA findings

Organizations should establish key performance indicators (KPIs) for data integrity and review them regularly at management review meetings, as required by ICH Q10. Examples of useful metrics include:

Metric Category	Example Indicators
Detection	Number of data integrity issues identified per quarter
Resolution	Average time to complete investigation and CAPA
Effectiveness	Recurrence rate of similar data integrity violations
Culture	Number of staff-reported concerns vs. inspection findings
System Performance	Audit trail review completion rate, system downtime

Conclusion: An Endless Journey

Data integrity management has no endpoint; continuous improvement is both expected and necessary. As systems evolve, new risks emerge, and regulatory expectations advance, organizations must maintain vigilance and adapt their data integrity programs accordingly.

The journey from initial awareness to mature data integrity culture follows a predictable path: increased detection leading to systematic improvements, which in turn establish a foundation for sustained compliance. However, the destination is not a static state of perfection but rather an ongoing commitment to quality, transparency, and continual learning.

Organizations that embrace this philosophy—viewing data integrity not as a regulatory burden but as a fundamental element of pharmaceutical quality—will be best positioned to meet current expectations and adapt to future regulatory developments. The investment in robust data governance, supported by appropriate technology and embedded in a strong quality culture, ultimately protects patients and strengthens public trust in pharmaceutical products.

As stated in GMP Ministerial Ordinance Article 20, Paragraph 2, the requirement is clear: continuous management. This is not merely a Japanese regulatory expectation but a global pharmaceutical industry imperative, reflecting the shared commitment to ensuring that the data supporting drug quality, safety, and efficacy can be trusted completely.