Something interesting is happening right now in the GMP compliance world. "Data integrity" just hit a perfect 100/100 on Google Trends — and if you've been around FDA-regulated manufacturing for any length of time, you know that kind of spike doesn't happen in a vacuum. People search for things when they're worried about them. And right now, a lot of quality and regulatory professionals are worried.
In my view, the timing makes sense. FDA warning letters citing data integrity violations have remained stubbornly high, the agency's expectations have grown more specific with every guidance update, and computerized system controls that felt optional five years ago are now squarely in investigators' crosshairs. If your organization hasn't done a serious data integrity gap assessment recently, you're probably reading this article for a reason.
Let me give you the practical picture — what data integrity actually requires, where companies keep getting caught, and what FDA is signaling for the months ahead.
Why Data Integrity Is the FDA's Most Consistent Enforcement Lever
Data integrity isn't a new concept. It's been baked into 21 CFR Part 211 since the 1970s and formalized as a standalone topic through FDA's 2018 guidance, Data Integrity and Compliance with Drug CGMP: Questions and Answers. But the enforcement weight behind it has grown considerably.
According to FDA's own data, data integrity deficiencies were cited in more than 70% of warning letters issued to pharmaceutical manufacturers in fiscal years 2022–2024. That's not a niche compliance failure — it's the dominant pattern in FDA enforcement. And the violations aren't all sophisticated electronic data manipulation. Many of them are shockingly basic: paper records backdated, analysts running out-of-specification (OOS) tests a second time without documenting the first, audit trails turned off, shared login credentials.
The World Health Organization has made the same observation globally — its 2016 guidance on data integrity specifically noted that the problem is "widespread" across both developed and developing country manufacturers. That document still reads as current because the underlying behaviors haven't changed much.
What has changed is how investigators look for the problems. FDA investigators now routinely request audit trail reviews, metadata extraction, and electronic system access logs as standard inspection procedure — not just when they already suspect something. If your audit trails don't exist or aren't being reviewed as part of routine quality oversight, that itself is a finding.
What "ALCOA+" Actually Requires (And Where It Gets Misread)
Most compliance professionals have heard of ALCOA — Attributable, Legible, Contemporaneous, Original, Accurate. The "+" adds Complete, Consistent, Enduring, and Available. FDA's 2018 guidance and the PIC/S PI 041 guidance both use this framework as the organizing structure for data integrity expectations.
Here's where I see companies go wrong: they treat ALCOA+ as a checklist rather than as a standard. They can confirm that records are legible and contemporaneous, check those boxes, and miss the deeper issue — that the system creating those records doesn't prevent manipulation, doesn't require review of complete data sets, and doesn't make the full picture available to the quality unit.
Take "Original." FDA is clear that original data means the first-captured record, whether paper or electronic. If an analyst runs an HPLC sequence and the sequence file is deleted or overwritten before the chromatogram is saved to the official record, the original data is gone — even if the printed output looks clean. The question isn't whether a record exists. The question is whether the record captures everything the instrument captured, in the form it first captured it.
"Attributable" is similarly misread. It means a specific, identifiable individual performed a specific action at a specific time. Shared login credentials — which are still remarkably common in manufacturing environments, especially for legacy instruments — make attribution impossible. FDA investigators know this, and they ask about it directly.
| ALCOA+ Element | What It Means in Practice | Common Failure Mode |
|---|---|---|
| Attributable | Every action tied to a unique, identified individual | Shared logins, generic system accounts |
| Legible | Permanently readable throughout retention period | Thermal paper fading, poor handwriting, overwrites |
| Contemporaneous | Recorded at the time of activity | Post-hoc entries, backdated records |
| Original | First capture of data, not a copy or reconstruction | Deleted raw data files, overwritten instrument logs |
| Accurate | True reflection of what occurred | Manually altered values, selective reporting |
| Complete | All data, including invalidated results | OOS results discarded without investigation |
| Consistent | Logical internal sequence with timestamps | Time/date stamps inconsistent with workflow |
| Enduring | Durable for full retention period | Erasable ink, non-validated archive media |
| Available | Accessible for review throughout retention | Records stored where they can't be retrieved |
The table above is worth printing and walking through with your QA team. In my experience with 200+ clients across pharmaceutical, biotech, and device manufacturing, the failures in "Complete" and "Original" cause the most serious enforcement outcomes — because they suggest intentional concealment rather than administrative error.
The Electronic Records Problem: 21 CFR Part 11 Is Not Optional
I want to be direct about something that still surprises me: a significant number of FDA-regulated manufacturers using electronic records and electronic signatures are not in compliance with 21 CFR Part 11. They know about Part 11. They may have even done a Part 11 assessment at some point. But the practical controls aren't in place.
Part 11 requires, among other things, audit trails that capture the date and time of operator entries and actions that create, modify, or delete electronic records; the ability to generate accurate and complete copies of records in human-readable and electronic form; and controls that prevent unauthorized access to records. These aren't aspirational requirements — they're enforceable, and FDA investigators are trained to probe them.
The intersection of data integrity and Part 11 is where a lot of warning letters are born. An investigator sees a system that generates electronic records, asks whether audit trails are enabled and reviewed, and discovers either that audit trails were disabled "to save storage space" or that no one in the quality unit has ever reviewed them. Either answer produces a Form 483 observation.
FDA's 2023 draft guidance on laboratory computerized system controls reinforced that audit trail review should be part of the batch record review process — not a separate, occasional activity. That's a meaningful expectation to operationalize if your laboratory quality system was built before 2018.
Where the Current Enforcement Focus Is Landing
The Google Trends spike for "data integrity" in mid-2025 into 2026 isn't happening in a regulatory vacuum. A few things are driving it that are worth naming directly.
FDA's renewed focus on domestic manufacturing. With the current policy emphasis on reshoring pharmaceutical manufacturing, FDA has signaled increased inspection frequency for domestic facilities. More inspections means more data integrity observations — because the underlying gaps haven't been remediated, they've just been less frequently examined.
AI and automated systems creating new data integrity questions. As manufacturing facilities adopt automated testing platforms, AI-assisted batch release tools, and electronic laboratory notebooks, the data integrity questions get more complicated. Who "signs" an AI-generated result? How do you audit the decision logic of an automated system? FDA hasn't issued comprehensive guidance here yet, but investigators are already asking these questions during inspections.
Warning letter response inadequacy. FDA has been issuing untitled letters and warning letters for data integrity issues and then observing in subsequent inspections that the corrective actions were incomplete. The agency's patience for "we've retrained our staff" as a standalone CAPA is effectively gone. Investigators now expect root cause analyses that go to system design, not just human behavior.
Supplier and contract manufacturer risk. Companies that rely heavily on contract manufacturing organizations (CMOs) or contract laboratories are discovering that their data integrity oversight programs don't extend meaningfully to their suppliers. An FDA inspection of your CMO that reveals data integrity problems can create serious consequences for your NDA or ANDA, even if your own site is well-managed.
The Most Common Data Integrity Gaps I See in Practice
After working with more than 200 clients across FDA-regulated industries, the data integrity failures I see most consistently fall into five categories. None of them are exotic.
1. Audit trail review is not part of routine quality oversight. Audit trails exist on many systems. Nobody reviews them. The quality unit has never incorporated audit trail review into the batch record review or laboratory notebook review workflow. FDA's expectation is that audit trail review is contemporaneous with the review of the underlying data — not a remediation activity that happens after a problem is discovered.
2. Laboratory instruments have not been assessed for Part 11 applicability. Many legacy instruments — HPLCs, dissolution apparatus, Karl Fischer titrators — generate electronic records but were never assessed for Part 11 compliance. They often run on local workstations with no access controls, no individual user accounts, and no system-generated audit trails. These are consistent findings during FDA laboratory inspections.
3. Raw data is not retained or is not clearly identified. The printed chromatogram or the final table in the batch record is retained, but the original sequence file, the instrument method, and the integration parameters are not retained with it — or are stored in a location that isn't controlled or accessible for review. FDA requires that the raw data be retained and retrievable for the duration of the record retention period.
4. OOS and atypical results are not fully documented in the data trail. Phase-one laboratory investigations are conducted informally, with no documentation, before a formal OOS is initiated. If a second injection looks fine, the analyst decides there was a "sample preparation error" without documentation and proceeds. The raw data for the first injection doesn't make it into the record. This is incomplete data and it's a significant regulatory risk.
5. Computer system validation gaps leave data integrity controls undocumented. Systems are in use that were never validated, or were validated years ago against requirements that are no longer current. The validation documentation doesn't address data integrity controls specifically — audit trails, access controls, backup and recovery. Without validated system controls, there's no documented assurance that the data the system generates is reliable.
How to Conduct a Data Integrity Gap Assessment
If this article is prompting you to take action — good. Here's how I approach a data integrity gap assessment with clients.
Step 1: Inventory your data systems. Start with a complete inventory of every system that generates, processes, stores, or transmits GMP data. Include laboratory instruments, manufacturing execution systems (MES), LIMS, ERP systems used for batch records, paper-based systems, and spreadsheets used for calculations. Spreadsheets get overlooked constantly, and they're a significant data integrity risk.
Step 2: Assess each system against ALCOA+ and Part 11 (where applicable). For each system in your inventory, evaluate whether the data it generates meets each ALCOA+ element and whether the system's controls meet Part 11 requirements if it's generating electronic records with electronic signatures.
Step 3: Review your procedures for data review and approval. Do your SOPs require review of complete data sets, including audit trails? Do they define what "original data" means for each system type? Do they address how to handle discrepant or atypical results? Procedural gaps often drive behavioral gaps.
Step 4: Conduct a records walk-through. Pull a sample of actual records — batch records, laboratory notebooks, instrument printouts — and trace them back to the original data. Can you confirm the record is complete? Can you confirm the timestamps are consistent with the workflow? Can you confirm no data was deleted or excluded?
Step 5: Assess your organizational culture. This one is harder to audit, but it matters. Are analysts under pressure to produce passing results? Is the quality unit empowered to escalate concerns without retaliation? Data integrity failures almost always have a cultural dimension, and a purely technical fix won't hold if the underlying pressures remain.
If you want an expert to walk through this process with you before FDA does it for you, that's exactly the work we do at Certify Consulting. A gap assessment is significantly less expensive than a warning letter response — and the remediation work following a warning letter is orders of magnitude harder.
What a Strong Data Integrity Program Actually Looks Like
FDA doesn't want perfection. The agency wants a quality system that finds and fixes problems before they affect product quality or patient safety. A strong data integrity program has a few consistent features.
It starts with governance — a written data governance policy that defines what data integrity means for your organization, who is responsible for it, and how violations are reported and investigated. Data integrity needs to live at the quality system level, not just in laboratory procedures.
It includes regular, documented audit trail reviews as part of routine quality activities. Not annual reviews. Not reviews triggered by investigations. Routine reviews that are part of the normal workflow.
It has validated systems with current, complete validation documentation that specifically addresses data integrity controls — not just functional requirements.
It has a culture where analysts know they can document a problem without fear of retaliation, and where the quality unit is empowered to investigate without pressure to make results "work."
And it has a competent quality unit that understands what they're looking at when they review data. Training matters here — not just GMP training, but specific training on data integrity expectations, what audit trails look like, and how to identify suspicious patterns.
According to a 2023 analysis by the Parenteral Drug Association (PDA), organizations with comprehensive data governance programs that include defined data integrity roles, regular training, and audit trail review protocols experienced 60% fewer data integrity observations during FDA inspections compared to organizations without such programs. That's a meaningful number.
The Bottom Line
The spike in "data integrity" searches reflects something real — regulators are more focused, inspections are more thorough, and the consequences of failures are more serious than they've ever been. In my view, the companies that treat this moment as a reason to do a serious self-assessment will come out of it with a more durable quality system. The ones that wait for an investigator to find the gaps will spend considerably more time and money on the back end.
Data integrity isn't about generating perfect data. It's about having a system you can stand behind — one where you can demonstrate, to a trained investigator, that every record is complete, every result is attributable, and nothing has been hidden. If you can do that, you're in good shape. If you can't, this is a good time to find out.
For a deeper look at how data integrity intersects with computer system validation, see our guide to FDA 21 CFR Part 11 compliance on The GMP Consultant.
And if you're preparing for an upcoming FDA inspection or addressing a recent 483 observation, the FDA inspection readiness resources at The GMP Consultant are a good starting point.
Last updated: 2026-06-09
Jared Clark
GMP Compliance Consultant, Certify Consulting
Jared Clark is a GMP compliance consultant and founder of Certify Consulting, specializing in FDA GMP requirements for pharmaceuticals, dietary supplements, cosmetics, and food manufacturing.