Account

Gegevensintegriteit in GMP: Waar inspecteurs in 2026 daadwerkelijk naar zoeken

door | mei 4, 2026 | General | 0 Reacties

Why Data Integrity Is the Dominant GMP Finding of 2026

If you are preparing for a regulatory inspection in 2026, there is one area above all others where preparation must be demonstrably robust: data integrity.

Between 2016 and 2023, the FDA issued 1,766 Warning Letters to pharmaceutical manufacturers. A significant proportion cited data integrity deficiencies under cGMP and 21 CFR Part 11 expectations. In FY2025, the FDA’s Center for Drug Evaluation and Research increased its Warning Letter output by approximately 50% year-on-year, and data integrity violations remained among the most frequently cited systemic failures. Across the EU, EMA inspection reports and national competent authority (NCA) non-compliance statements tell a consistent story: unreviewed audit trails, shared user credentials, and gaps between electronic records and paper documentation are cited inspection cycle after inspection cycle.

What has changed in 2026, and what makes this year structurally different from previous cycles, is the regulatory framework itself. The EU GMP Chapter 4 (Documentation) draft, released in July 2025 with final implementation expected in 2026, has nearly doubled in scope, growing from 9 to 17 pages, and for the first time formally codifies ALCOA++ as a binding regulatory expectation in EU law. Simultaneously, the draft revision of EU GMP Annex 11 (Computerised Systems), also released in 2025, expanded from 5 to 19 pages and explicitly references ALCOA+ in the context of validated electronic systems, cloud computing, and artificial intelligence. The EMA’s Annex 11 is expected to be finalised in mid-2026.

This is not a tightening of existing guidance. This is a structural reclassification of data integrity from a documentation principle to a quality governance obligation. For QA and RA professionals, the operational consequences are significant.

From ALCOA to ALCOA++: Understanding the Regulatory Baseline

The original ALCOA mnemonic Attributable, Legible, Contemporaneous, Original, Accurate was coined by an FDA investigator in the 1990s as a practical tool for evaluating record quality during facility audits. It was never intended as a compliance ceiling.

The extension to ALCOA+ added five further attributes: Complete, Consistent, Enduring, and Available. The now-formalised ALCOA++ framework, as codified in the July 2025 EU GMP Chapter 4 draft, adds a tenth principle: Traceable, which explicitly addresses audit trail depth and the requirement to demonstrate a full chain of custody for all data modifications across the record lifecycle.

TierPrinciplesRegulatory Reference
ALCOAAttributable, Legible, Contemporaneous, Original, AccurateFDA 2018 DI Guidance; EMA 2021 Reflection Paper
ALCOA++ Complete, Consistent, Enduring, AvailableWHO TRS 996 Annex 5; MHRA GxP DI Guidance; PIC/S PI 041-1
ALCOA+++ TraceableEU GMP Chapter 4 draft (July 2025); EMA Annex 11 draft (2025)

For EU-regulated manufacturers and GDP-licensed wholesale distributors, the practical implication is this: by the time Annex 11 is finalised and Chapter 4 is fully implemented, regulators will hold your data governance framework against a ten-principle benchmark — codified in binding EU law — rather than guidance documents that allow interpretive flexibility. Sites operating on ALCOA+ alone will need to demonstrate traceability controls sufficient to satisfy the ALCOA++ standard.

The Seven Data Integrity Failure Modes Inspectors Find Most Often

Based on recurring FDA Form 483 observations, EMA inspection reports, and NCA non-compliance statements, the following seven failure modes account for the overwhelming majority of data integrity citations in pharmaceutical and GDP inspections.

1. Audit Trail Deficiencies in Validated Systems

The single most consistent finding across regulatory authorities: audit trails exist within the computerised system, but are not routinely reviewed as part of the quality oversight programme.

FDA investigators request raw audit trail extracts within minutes of initiating a system review. They are looking for evidence that:

  • Audit trails are enabled across all GxP-critical functions within the system
  • Audit trail review is performed on a defined, risk-based schedule, not only reactively following an incident
  • Review records are signed, dated, and retained as GMP records in their own right
  • Anomalies identified during audit trail review are routed into the deviation and CAPA system

The common failure is procedural: SOPs describe how to retrieve audit trail data but do not specify who reviews it, at what frequency, against what criteria, or how findings are escalated. Inspectors treat the absence of a structured audit trail review programme as a systemic data governance weakness, not a documentation gap.

2. Shared User Accounts and Generic Login Credentials

Attributability is the first principle of both ALCOA and ALCOA++. If an electronic record cannot be attributed to a specific individual, it cannot be considered compliant under any current regulatory framework.

Shared logins, whether for LIMS, ERP systems, chromatography data systems, or MES platforms are cited with high frequency in FDA 483 observations and EU inspection reports. The finding is typically straightforward: the audit trail identifies a transaction carried out under a shared or generic account (e.g., “admin,” “lab_user,” or a shared departmental login), making it impossible to determine individual accountability.

Remediation requires individual, role-based access controls, with access rights determined by job function and GxP risk level. Periodic access reviews, documented and retained, are expected under Annex 11 and 21 CFR Part 11.

3. Backdating of Paper Records and Electronic Entries

Contemporaneous documentation is a fundamental ALCOA requirement. Regulators treat backdated entries as a data integrity finding regardless of whether the underlying data itself is accurate because backdating demonstrates that the site’s documentation culture permits falsification of timestamps.

In paper-based systems, backdating is detected through ink analysis, writing pattern analysis, and cross-referencing with environmental monitoring logs, equipment utilisation records, and personnel shift data. In electronic systems, it is detected when the creation timestamp of a record post-dates the event it purports to document, or when system clock manipulation is identified.

The corrective approach goes beyond re-training. Inspectors expect to see a root cause investigation that examines why contemporaneous documentation was not occurring, what systemic pressures (production throughput, understaffing, SOP design) contributed, and what controls have been implemented to prevent recurrence.

4. Incomplete Metadata in Chromatography and Analytical Systems

This finding has increased significantly in recent inspection cycles. Inspectors specifically request raw data, including metadata and injection sequences, from chromatography data systems (CDS). They compare this raw data with the reported results to identify:

  • Deleted or excluded injections without documented scientific justification
  • Sample re-runs without deviation records
  • Integration parameter changes applied retrospectively to alter result calculations
  • Mismatches between the system audit trail and the analyst’s notebook or batch record

Under the 2025 Annex 11 draft, sites must demonstrate that CDS and other analytical systems are configured to capture and retain all data, including failed runs and aborted sequences, in a manner that cannot be overwritten or selectively deleted. The concept of “raw data” under EU GMP, including all associated metadata, must be clearly defined in site procedures and aligned with the system’s technical configuration.

5. Data Transfer Integrity Across Hybrid Systems

Many sites operate hybrid environments where data is generated electronically, then transcribed manually into paper batch records or secondary electronic systems. Each transcription step is a data integrity risk point.

Inspectors evaluate whether:

  • Transcription controls (second-person verification or electronic transfer where feasible) are implemented and documented
  • The original electronic record, not the transcription, is treated as the primary GMP record
  • Discrepancies between source data and transcribed values are identified, investigated, and closed through the deviation system

The MHRA GxP Data Integrity Guidance and WHO TRS 996 are both explicit on this point: the original record, at the point of generation, constitutes the data of record. Paper transcriptions are secondary. Where sites rely on transcription as a primary control, they should be developing roadmaps toward direct electronic capture or validated transfer mechanisms.

6. Absence of a Formal Data Governance Policy

The EU GMP Chapter 4 draft explicitly requires companies to implement a “robust data governance system integrated into their quality management framework.” This is not satisfied by having an SOP on data integrity. A data governance system, as regulators now define it, requires:

  • A documented data integrity policy signed by site management and the QP
  • Risk-based mapping of all GxP data flows across the site, including third-party systems
  • Defined roles and responsibilities for data governance at departmental level
  • A regular data integrity self-inspection programme with documented outputs
  • Management review of data integrity metrics as a standing agenda item

Sites that cannot demonstrate governance infrastructure as distinct from documentation procedures are increasingly receiving critical observations in EU inspections. The regulator’s position is that data integrity cannot be managed at SOP level alone; it requires governance architecture embedded in the quality system.

7. Inadequate Supplier and Third-Party Oversight for Data-Generating Activities

GDP-licensed distributors and pharmaceutical manufacturers who outsource any GxP activity to contract organisations including testing laboratories, logistics providers, or software vendors, are responsible for the data integrity of those activities.

Inspectors are now routinely requesting evidence that:

  • Quality agreements with contract organisations address data integrity controls explicitly
  • Audit programmes cover data integrity as a standing audit element
  • Audit trail access rights extend to the contracting party where technically feasible
  • Incident management procedures cover data integrity events originating at third-party sites

The EMA’s 2021 Reflection Paper on GMP/GDP Data Integrity is explicit: the responsibility for data integrity cannot be contracted out.

The 2025–2026 Regulatory Changes You Must Be Responding To Now

EU GMP Chapter 4 (Documentation) Draft Revision (July 2025)

The revised Chapter 4 formally defines ALCOA++ in EU law, adds dedicated sections on data governance, and introduces requirements for risk-based data integrity controls covering computerised systems and artificial intelligence. Final implementation is expected in 2026. Sites should be conducting gap assessments against the draft now, not waiting for the final text.

Key additions of practical significance:

  • Formal definition of “data governance system” as a mandatory QMS component
  • Explicit requirement to define and retain “raw data” inclusive of all metadata
  • Controls for AI-generated data and decisions in GMP contexts
  • Requirements for data integrity in cloud-hosted and hybrid environments

EU GMP Annex 11 (Computerised Systems) — Draft Revision (2025)

The Annex 11 draft has expanded from 5 to 19 pages and explicitly references ALCOA+ for the first time in EU GMP text. Key changes include:

  • Mandatory system-generated, immutable audit trails for all GxP-critical functions
  • Role-based access controls with documented periodic review
  • Specific requirements for backup validation, recovery testing, and data migration
  • Cloud computing provisions, including data residency, access controls, and audit trail portability
  • AI and machine learning provisions for validated decision-support systems

ICH E6(R3) — Good Clinical Practice

While primarily relevant to clinical operations, ICH E6(R3), finalised January 2025 and now applicable in the EU (from July 2025), places data governance at the core of clinical trial oversight. For organisations operating across GCP and GMP environments, the convergence of data integrity expectations across guidelines is directionally consistent: regulators are moving toward a unified, lifecycle-wide data governance standard.

Building an Inspection-Ready Data Integrity Programme: A Framework for QA Professionals

An effective data integrity programme in 2026 requires four integrated components:

1. System architecture controls: All GxP-critical computerised systems must have audit trails enabled, role-based access configured, and data flow documented. Where legacy systems cannot meet current expectations, validated compensating controls or system replacement roadmaps are required.

2. Procedural controls: SOPs must specify not just how to generate compliant records, but how audit trails are reviewed, how anomalies are escalated, how hybrid systems are managed, and how transcription is controlled. The critical procedural gap most sites carry is the absence of a structured audit trail review SOP with defined frequency, scope, reviewer qualification, and output documentation.

3. Governance infrastructure: A data integrity policy, risk-based data flow mapping, defined roles and responsibilities, and integration of data integrity metrics into management review. This is the component most often absent in sites that otherwise have adequate SOPs.

4. Culture and training: Technical controls fail when the documentation culture does not support them. Training programmes must address why data integrity matters clinically and regulatorily not just what the rules are. Inspectors assess culture through personnel interviews; the answers given by operators and analysts carry significant evidential weight in the inspection report.

Conclusion: Data Integrity Is Now a Governance Obligation, Not a Documentation Requirement

The regulatory direction is unambiguous. With the formalisation of ALCOA++ in EU GMP Chapter 4, the expanded Annex 11, and the continued enforcement intensity of FDA and EMA inspections, data integrity in 2026 is a quality governance discipline assessed at system, process, and cultural level not a set of documentation requirements managed at SOP level.

For QA and RA professionals, the questions that matter ahead of your next inspection are not “do we have a data integrity SOP?” but:

  • Can we demonstrate a functioning audit trail review programme with documented outputs?
  • Have we mapped all GxP data flows, including third-party systems, against the ALCOA++ framework?
  • Does our management review agenda include data integrity metrics?
  • Can every individual who generates GxP data be uniquely identified in every system they use?
  • Do our quality agreements with contract organisations address data integrity explicitly?

If the answer to any of these is uncertain, the time to address it is before an inspector asks.

How Truex Consultancy Can Help

At Truex Consultancy, we work with pharmaceutical, biotech, and healthcare manufacturers to build inspection-ready data integrity programmes that go beyond procedural compliance.

Our services include:

  • Data integrity gap assessments Data integrity gap assessments
  • against current FDA, EMA, MHRA, and PIC/S expectations, including the 2025 draft revisions to EU GMP Chapter 4 and Annex 11
  • Audit trail review programme design, including SOP development, reviewer qualification frameworks, and output documentation templates
  • Data governance policy development and integration into existing Quality Management Systems
  • Inspection preparation support, including mock inspector interviews and data integrity-focused pre-inspection reviews
  • Training and competency development for QA, laboratory, manufacturing, and management personnel

If you are unsure where your site stands on data integrity readiness, start with our GMP Compliance Self-Assessment, a structured, practical tool that identifies gaps across your quality management system, including data governance controls.

Start Your GMP Self-Assessment →

Contact Our GMP Experts →

References and Further Reading

  • FDA, Data Integrity and Compliance With CGMP: Guidance for Industry (2018)
  • EMA, Reflection Paper on GMP/GDP Data Integrity (EMA/155013/2021)
  • EMA, Draft Revision of EU GMP Chapter 4: Documentation (July 2025)
  • EMA / PIC/S, Draft Revision of EU GMP Annex 11: Computerised Systems (2025)
  • WHO, Good Data and Record Management Practices (Annex 5, TRS 996)
  • MHRA, GxP Data Integrity Guidance (v1.1, 2018)
  • PIC/S, PI 041-1: Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments (2021)
  • ICH E6(R3), Good Clinical Practice (finalised January 2025)
  • Park Y et al., Trends in FDA Data Integrity Enforcement 2016–2023: Analysis of 1766 Warning Letters. Ther Innov Regul Sci. 2026 Jan;60(1):190–198.

Truex Consultancy provides specialised GMP and GDP compliance consulting for life sciences companies across Europe. Based in the Netherlands, we support pharmaceutical, biotech, and medical device organisations in achieving and sustaining inspection-ready quality systems.

© 2026 Truex Consultancy | All Rights Reserved

Reactie verzenden

Je e-mailadres wordt niet gepubliceerd. Vereiste velden zijn gemarkeerd met *