The Most Common Route to a Warning Letter
Data integrity findings are now the single most frequently cited category in FDA warning letters to pharmaceutical manufacturers. That was not true fifteen years ago. It has become true as manufacturing has digitised, regulators have become more forensically capable, and the consequences of data manipulation have become better understood.
The problem is not always deliberate fraud. Some of the most damaging data integrity findings involve systems that were poorly designed, electronic records that did not generate adequate audit trails, or paper-based practices that made retroactive correction too easy. The intention may have been innocent. The regulatory consequence is the same.
What ALCOA+ Actually Means
ALCOA is the foundational data integrity framework used by regulators globally. The FDA’s guidance on data integrity and compliance with CGMP and the EMA’s guideline on data integrity in GMP regulated environments both reference it. ALCOA+ extends the original five principles with four additional attributes.
| Principle | What It Requires | Common Failure Mode |
| --- | --- | --- |
| Attributable | Every data entry must be traceable to the person who made it and the time it was made | Shared login credentials; no timestamp on handwritten entries; analyst initials missing |
| Legible | Records must be readable permanently; corrections must not obscure the original entry | Correction fluid (Tipp-Ex) used on paper records; overwriting rather than single strikethrough |
| Contemporaneous | Data must be recorded at the time the action is performed, not reconstructed later | Batch records completed from memory after the event; worksheet data transferred to official record hours later |
| Original | The first recording of data is the original; it must be preserved | Raw analytical data deleted after transcription; original printouts discarded |
| Accurate | Data must reflect what actually happened | Values rounded to meet specification; results selectively excluded without justification |
| Complete (+) | All data, including invalidated runs and out-of-trend results, must be retained | Deleted HPLC injections not captured in audit trail; only passing results forwarded for review |
| Consistent (+) | Processes must be applied the same way every time | OOS investigations applied differently depending on whether the result affects batch disposition |
| Enduring (+) | Records must be stored for the required retention period in a readable format | Electronic records in obsolete formats; backup systems not validated |
| Available (+) | Records must be accessible to the relevant personnel and to inspectors when required | Records stored offsite without retrieval procedure; electronic systems unavailable during inspection |
The Audit Trail: Where Most Data Integrity Problems Hide
Modern computerised systems generate audit trails automatically. Every action taken in the system, every entry, every modification, every deletion, is recorded with a timestamp and a user ID. If the system is properly configured and the audit trail is routinely reviewed, data integrity problems are caught early.
If the audit trail is not reviewed, problems accumulate invisibly until an inspector reviews it during an inspection and finds patterns that suggest manipulation. Deleted runs. Repeated injections after failing results. Entries made at times inconsistent with the production schedule. These patterns are exactly what regulators look for.
Routine audit trail review, by supervisors and by quality oversight, is not an optional activity. It is a core GMP control.
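The three patterns named above (deleted runs, repeated injections after failing results, entries at times inconsistent with the production schedule) can be screened for before a human reviewer reads the trail. The sketch below is an added example, not taken from any vendor system or from the original article; the record fields, sample data and the 06:00 to 22:00 shift window are constructed assumptions.

```python
from datetime import datetime, time

# Constructed audit-trail export; field names are assumptions, not a vendor format.
AUDIT_TRAIL = [
    {"ts": "2024-03-04T09:12:00", "user": "analyst_a", "action": "inject", "sample": "B123-01", "result": "fail"},
    {"ts": "2024-03-04T09:40:00", "user": "analyst_a", "action": "delete", "sample": "B123-01", "result": None},
    {"ts": "2024-03-04T09:55:00", "user": "analyst_a", "action": "inject", "sample": "B123-01", "result": "pass"},
    {"ts": "2024-03-04T10:30:00", "user": "analyst_b", "action": "inject", "sample": "B124-01", "result": "pass"},
    {"ts": "2024-03-05T02:17:00", "user": "analyst_b", "action": "modify", "sample": "B124-01", "result": None},
]

SHIFT_START, SHIFT_END = time(6, 0), time(22, 0)  # assumed production schedule


def review_audit_trail(records, shift_start=SHIFT_START, shift_end=SHIFT_END):
    """Return (timestamp, user, sample, finding) tuples for a reviewer to investigate."""
    findings = []
    failed = set()  # samples whose most recent injection failed
    for rec in sorted(records, key=lambda r: r["ts"]):  # ISO timestamps sort chronologically
        reasons = []
        if rec["action"] == "delete":
            reasons.append("deleted run")
        if rec["action"] == "inject":
            if rec["sample"] in failed:
                reasons.append("repeat injection after failing result")
            if rec["result"] == "fail":
                failed.add(rec["sample"])
            else:
                failed.discard(rec["sample"])
        entry_time = datetime.fromisoformat(rec["ts"]).time()
        if not (shift_start <= entry_time <= shift_end):
            reasons.append("entry outside scheduled hours")
        findings.extend((rec["ts"], rec["user"], rec["sample"], why) for why in reasons)
    return findings


if __name__ == "__main__":
    for finding in review_audit_trail(AUDIT_TRAIL):
        print(*finding, sep=" | ")
```

A flag here is a prompt for investigation, not a conclusion: a repeat injection may have a documented, justified cause, which is what the reviewer confirms.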
Paper vs. Electronic Records: The Practical Risks of Each
Paper Records
Paper records are not inherently less secure than electronic ones, but they carry specific risks. Corrections are easy to make, and the standard for compliant correction (single line through the error, initials, date, reason) is frequently not followed. Records can be lost, damaged, or retrospectively completed. Handwriting is sometimes illegible. None of these are evidence of fraud, but all of them can generate data integrity findings.
Electronic Records
Electronic systems introduce different risks. Shared login credentials mean that attributability is lost. Audit trail review is neglected. Electronic data is backed up to unvalidated systems. Spreadsheets are used for GMP calculations without access controls or formula protection. The sophistication of the system does not guarantee the integrity of the data if the controls around it are inadequate.
What a Data Integrity-Mature Manufacturing Partner Looks Like
A CDMO with a genuine data integrity culture does not wait for inspections to review audit trails. Its quality oversight routinely checks that records are contemporaneous, that analytical runs are complete, and that any deviations from the expected pattern are investigated rather than rationalised. Its training programmes cover data integrity specifically, not just as a module in a GMP overview, but as a standalone topic with case studies and practical application.
When evaluating a CDMO, asking specifically about audit trail review procedures and data integrity training is a legitimate and revealing due diligence question.
Ardena’s Approach to Data Integrity
Data integrity controls at Ardena are embedded in the quality management system across all sites, covering both paper-based batch records and electronic systems including LIMS, chromatography data systems, and manufacturing execution systems. Audit trail review is built into the quality oversight programme, and data integrity is addressed in site training as a distinct topic.