March / April 2017

Computers & Data Integrity in Drug Manufacturing: US & EU Regulations 1978-2016

Yoel Bergman

US regulations on computers in drug manufacture first appeared in 1978, followed by the EU in 1992. Understanding the different motives for regulations, modifications, and approaches could help better comprehend current US and EU regulations, especially those on data integrity.

Computers and software are used for a wide variety of purposes in the drug manufacturing industry, and are generally classified for either automation control or data handling. After their wide use in the industry began in the late 1970s and early 1980s, regulations on their design, operation, and data handling were needed to minimize risk to product quality and patient safety—the main goals of the current good manufacturing practices (GMP). These GMP, with other relevant regulations and documented policies, are the first to be followed by the industry.

US computer regulations were first introduced in the updated 1978 GMP (US Code of Federal Regulations [CFR] 21, Part 211) focusing on data accuracy. Following questions from the industry in the early 1980s, more regulations were added to cover lifecycle issues.

The initial EU computer regulations, introduced as Annex 11 of the EU GMP in 1992,23 did address several parts of the lifecycle, but too concisely, leading professional bodies to write supplemental guides. By 2011, Annex 11 computer regulations generally concerned either the operational phase or the project phase.

One aim of regulations in the project phase was to promote computerized audit trails and access controls that would help meet data-integrity and other GMP requirements in the operational phase. Another was to ensure built-in quality and proven performance by requiring supervision and testing of computer planning, development, coding, and construction, ending with the industry acceptance tests. Here, regulations first appearing in the 1980s prompted the industry to acquaint itself with design, coding, and release phases.

Computer validation, the rigorous test method recommended to prove regulatory compliance with specifications and consistent intended performance, began to be implemented by the industry with supplements from suppliers. Lopez has recently pointed out that between 1990 and the mid-2000s computer validations were the focal point in site audits.1 Consensus standards have helped the industry plan and perform validations. For detailed guidance on computer validation, the GAMP® 4 Guide (Validation for Automated Systems) was recommended by an FDA 2003 guidance18 and GAMP® 5 (A Risk-Based Approach to Compliant GxP Computerized Systems) in 2015 by an MHRA guidance.21 As the importance of computer validation became apparent, detailed requirements to enhance data integrity were added to the 2015 MHRA guidance and the 2016 FDA draft guidance.22


Necessary data integrity attributes were identified by the acronym ALCOA: attributable, legible, contemporaneous, original (or a true copy), and accurate. Computer validations under these guidelines verify data integrity workflows that ensure ALCOA, such as correct data recordings verified by audit trails and proper calculations by a manufacturing execution system (MES). Since systems that produce electronic data (MESs, enterprise resource planning, laboratory information management systems) interface differently, the features to ensure ALCOA validations will differ.

In the operational phase, regulations are aimed largely at data integrity, although this term was little used at the beginning and its scope was limited at first. The 1978 GMP, for example, required measures for data accuracy that nowadays are part of ALCOA. The 1997 CFR Title 21, Part 11, added design and procedural requirements to safeguard, among other things, the integrity of electronic records (ERs), which included different forms of digital information, including electronic data. (Part 11 was not strictly part of the GMP but applied to the industry.)

The requirements became stricter over time. As an example, the 1992 Annex 11 recommended the use of computerized audit trails; Part 11 in 1997 made them compulsory and specified what is to be recorded. The updated 2011 Annex 11 added the need for periodic review of audit trail information to its previous recommendation. The 2015 MHRA and the 2016 FDA draft guidance cover audit trails, periodic reviews, and who should perform them.

By 1978 the regulations above were applied to common operations on different computers. In the 1980s, the FDA began to issue policies on specialized computer operations. In one example, the GMP required significant stages during manual production to be recorded on a batch record by the operator, checked by a supervisor, with both required to record their names. In a computerized process, fewer checks were required.

By 2016, the United States and European Union covered similar aspects and closed the differences on issues such as data and records (to be discussed in the sections below). These advances and growing similarities were facilitated by guidelines published by international organizations and authorities such as ISPE/GAMP, APV, ICH, and others. A detailed review of their contributions, however, would require a separate article. Suffice it to say that their essential concepts eventually found their way into the regulations.

One notable difference between 1978 and 2016 was the EU emphasis, beginning in 1992, on protecting electronic data. In the United States this was a more complicated story, with the 1978 GMP focusing (as did the later EU Annex) on electronic data. Little was said about electronic records that come out of the processes or lab tests. This changed in 1997 with the introduction of Part 11, where process and other records became the basic entities to be protected.

US regulations have also tried, much more than those in the EU, to justify new regulations on existing ones made in the days of manual operation and hardcopies. In addition, all EU computer regulations can be found in a single source and further explained by consensus standards. US regulations and policies post 1978 are covered by US CFR Title 21, Parts 11 and 211, and five policy guides. Various FDA guidelines, although not strictly regulations, have provided more detailed requirements and perspectives.

Chronology

The following paragraphs examine the main evolutions in computer regulations in chronological order. Key changes described in the introduction are underscored:

1963—First US GMP issued: On 14 February 1963, the FDA issued the first GMP2 (CFR 21, Part 133, changed in 1975 to the current Parts 210 and 211).3 There was no mention of computers, electronics, or automated equipment, only equipment in general. The final rule on the GMP in the June 20, 1963 Federal Register did allow the use of automatic, mechanical, or electronic equipment, possibly following a proposal by the industry, or rethinking by the FDA.4 The permission to use electronic equipment in the 1960s was relevant to local electronic controllers, since very few digital computers were in use. By the 1970s, digital computers were integrated for on-line control. In the early 1980s, computer systems became inexpensive and powerful enough to be used extensively.5,6

1978—First regulations on computers in US GMP: In 1976, the FDA proposed including computer regulations in its planned major update of the GMP.7 A public discourse ensued. In 1978, the updated GMP was issued, including newly required checks on input and output data in daily operations and backing electronic master batch records that were entered.8 When the GMP was published in the Federal Register, the FDA commissioner remarked that ERs were allowed, as were those created during batch operations. This took place even before clear permission to use ERs; specific instructions were not given until Part 11 in 1997.

1983—FDA Guide to Inspection of Computerized Systems in Drug Processing: This guide, known as “the Blue Book,” was published to educate FDA staff and inspectors on technology and regulations and to answer industry questions that arose in the early 1980s. It presented requirements for industry not found in the 1978 GMP, such as computer validation reports, the need to understand the structure and content of application source code, controlling in-house software development through procedures, periodic backups, monitoring of computer operations and alarms, system recovery checks, and maintenance. The guide’s detailed technical explanations on computers are still helpful today.9

1982 to 1987—Five FDA official compliance policy guides: The CPGs put Blue Book issues, including those on the project phase, into a more official framework. Other issues included industry and vendor responsibilities over the fitness of the software, industry controls over the source code, the need for validating the performance of the batch computer program, and equating the application/code to a master batch record for the purpose of applying existing GMP controls to the software.10 Lopez remarked that the FDA attention to computers was not very significant until 1988.11 Computers seem to have become important in 1988 following the maturation of a comprehensive policy based on the CPGs.

1987—FDA Guideline on General Principles of Process Validation: This guideline concerned process validation, first required in 1978. The first step, installation qualification, was intended to provide evidence on proper equipment design, construction, and operations, including the capability to control the process.12 Since control involves software, it touched areas under computer validations as well, creating a potential for duplicate tests. In addition, the term “installation qualification” (and later “operation qualification”) was adopted by some in computer validation as the first stage in computer on-site validation, replacing software terms such as integration, functional and performance tests.

1991—Good Automated Manufacturing Practice (GAMP®) Forum: A UK forum of industry members and officials was formed in response to various FDA findings of noncompliance by local drug manufacturers during audits in 1991.13

1992—New EU GMP Annex 11, Computerised Systems: This document focused on securing electronic data in daily operations while covering in brief the whole computer lifecycle. Development records, validation reports, secure access controls, and an audit trail on operators’ activities were required. Some measures soon appeared in the US Part 11. The Annex did not provide enough guidance on how to perform validations or what to require from the suppliers, and was soon considered by some as too concise.

1996—APV Guideline Computerized Systems: Published by the German-based International Association for Pharmaceutical Technology (APV) forum and intended to supplement Annex 11, this guidance was based on the software development, quality, and project standards ISO 9001/ISO-9000-3. It added development requirements from the software world to regulations that grew out of immediate manufacturing concerns, which are the central issues in the EU and US GMP. The guideline was appended to the 1996 GAMP guide.14

1995–1996—First and second editions of the GAMP Supplier Guide: The guides introduced specific supplier and industry responsibilities on testing and documenting activities such as planning, design, and implementation. These were applied to all system parts, including software, hardware, peripherals, equipment, and electricity.14 The detailed activities in each major phase were described, and document templates were appended for user requirements specification, software design specification, etc. The guide introduced a risk-based approach to determine the extent of validations, according to the type of software being purchased or developed. More commercially proven software, with no options for users to change the program, required fewer validations. Like the APV guideline, the GAMP guide was based on general software quality standards ISO 9001/ISO-9000-3 and British/Swedish TickIT, providing important and missing guidance on how to plan and test computers for pharmaceutical use.

1997—US CFR Title 21, Part 11, Electronic Records; Electronic Signatures: Since records are primary evidence for compliance, the industry met with the FDA in 1991 to determine how to accommodate ERs under the GMP. The GMP requires protected storage of various on-site records, such as batch, production, laboratory, distribution, and complaints. Each record type is required to present specific types of data. It was therefore a primary technical and procedural concern when going electronic. Soon the scope was expanded to apply to the other regulated sectors, such as medical devices.

After the issuance in 1997, the industry had to comply with both the more detailed Part 11 as well as with the existing GMP in Parts 210 and 211.15 While Part 11 was restricted only to those systems that handle electronic records, Part 211 applied to data in general. Thus, computers that control or measure and yield simple printouts, for example, were still required to comply with the GMP electronic data requirements.

ERs in Part 11 were defined as any combination of digital information in various forms—text, graphics, data, audio, or pictorial. As Part 11 aimed to protect ERs, it included requirements for controlled user access, computer validations, protected storage of ERs, and computerized audit trails on operator creations, changes, and deletions (similar to the 1992 Annex 11). New measures were the concepts of closed and open systems and regulations on electronic signatures not found in EU regulations.16

Despite consultation with the industry, Part 11 soon turned out to be controversial. The industry did not clearly understand that Part 11 applied to ERs that replaced specific and official paper records. The status of hybrid systems—those with ERs printed and signed at the end of the process—was also unclear. Across-the-board requirements for validation of any system that complies with Part 11 and the need to implement computerized audit trails turned out to be burdensome, and were believed by some to be unnecessary. Richman suggested in 2005 that the industry was not generally prepared for Part 11 due to an underestimation of the needed changes and costs, clouded by great efforts at the time to implement process validations. Yet since 1997, Part 11 has been a high-profile center of attention and a catalyst of a significant, but grudgingly accepted, culture change in the industry’s approach to software and computerized systems.17

2002—FDA General Principles of Software Validation; Final Guidance for Industry and FDA Staff: This document provided detailed guidance on software project management, development, and documentation, including validation methods. The scope, methodology, documents, and their contents were similar to those in the APV and GAMP, guiding the industry on issues such as software development and validations.

2003—FDA Guidance for Industry: Part 11, Electronic Records; Electronic Signatures—Scope and Application: By 2003, the FDA recognized that (a) Part 11 no longer fit the agency’s stated direction with respect to risk-based assessments of compliance, (b) some broad interpretations of the rule could serve to restrict the use of electronic technology, which was not what FDA intended, (c) compliance costs had increased to a level unforeseen by the architects of the policy, due to broad interpretations, and (d) the rule discouraged innovation and technological improvement without benefitting public health. As a result, the FDA decided to exercise “enforcement discretion,” which enabled the agency to highlight and enforce egregious violations, but take a risk-based approach in less meaningful cases.

The 2003 guide was an outcome of the updated policy. It provided a more precise and narrower definition of ERs subject to Part 11. For those systems that did comply with Part 11, less enforcement would be applied on validation requirements, audit trails, record retention, record copying, and systems that were operational before the effective date of Part 11 (also known as legacy systems). The industry was given the authority to decide what systems to validate and the extent of validations. The decision to apply computerized audit trails was also relegated to the industry. In both cases, a risk-based approach to quality was recommended for making the decisions. For further guidance on computer validations, the agency recommended the GAMP 4 guide or FDA “General Principles of Software Validation.”18

2003—PIC/S Good Practices for Computerised Systems in Regulated “GxP” Environments: Like the APV guideline, this guide was intended to supplement EU Annex 11, especially after the publication of US Part 11. It covered all the phases and aspects of the lifecycle including development, systems daily operations, and the use of electronic records and signatures.19

2011—Annex 11 Update: As stated on its first page, the Annex was updated for the first time since 1992 due to the increasing complexity of computerized systems.20 It seemed to have attempted to close gaps with Part 11 and the various guides published to supplement it. More controls on suppliers, development, and (electronic) data were introduced and reference was made, albeit briefly, to ERs and ESs. The annex recommended a risk-assessment process for determining the extent of validations and when data integrity controls such as audit trails shall be applied.

Like the 2003 FDA version, the updated Annex 11 seems to have been intended to prevent overspending. Like the 1992 version, it remained focused on electronic data and not records. Data was considered electronic information entered into and coming out of the computer, to be stored and retrieved. This implied that data includes all types of digital information, including electronic records, which were viewed as a special set of data, as for batch release. In Part 11, this was the other way around as electronic data was a component in the ER. One novelty of the 2011 update was the expectation that computer design and operation can minimize risk to data integrity, in addition to minimizing risk for the two main GMP goals, product quality and patient safety.

2015—MHRA GMP Data Integrity Definitions and Guidance for Industry March 2015: The guidance was intended to list the UK Medicines and Healthcare Products Regulatory Agency’s expectations on data integrity, whether the data is recorded by hand or by computerized means, although its focus is on computers. It develops the computer and integrity requirements of the 2011 Annex 11 in greater detail, including definitions of electronic data (raw data, manipulated data, and metadata), with records as a special data type. Specific data governance measures were introduced to ensure the integrity of data on computers and/or paper. One example is new recording and review requirements for audit trails.

Validations play an important part in the guidance, and industry is required to supplement supplier validations by validating the systems with electronic data for their intended use. As intended use includes compliance with the integrity governance requirements, validation becomes a major tool to demonstrate integrity compliance. The guidance recommends, as does the 2003 FDA guidance, the GAMP Guide for executing the validations. This indicates again the importance of consensus guidelines in the field of validation mentioned in the paragraphs above.21


2016—FDA Data Integrity and Compliance with CGMP - Draft Guidance: The guide follows increasing FDA observations on current GMP violations involving data integrity during site inspections. It stresses that commonly found requirements on electronic data and records integrity can be inferred from the GMP in Part 211. Examples include backing up original data or complying with record-keeping practices that prevent data from being lost or obscured, a requirement that can be met with a computerized audit trail. Not all can be traced to the GMP, and the guidance refers readers to Part 11 to comply with electronic signatures and record-keeping requirements. The guidance can thus be viewed as one single main and updated document for complying with GMP integrity requirements, as in the MHRA. The guidance emphasizes that any data needed to satisfy a CGMP requirement becomes a CGMP electronic record, thereby helping to minimize or eliminate the differences between electronic data and records. Audit trail reviews, as in the MHRA, are required and industry validations for intended use are deemed necessary.22

Summary And Conclusions

This essay examined EU and US regulations on computers in the industry from their beginning in 1978 through 2016. Regulations were added during that period to the entire computer lifecycle, as regulators became aware of important issues that provided assurance on data integrity and computer performance. This was aided by professional bodies working through international cooperation. The current 2015 MHRA and 2016 FDA draft guidance on data integrity provide updated and more stringent requirements. Overall, EU and US regulations from 1992 onward have become similar; despite the bumpy road in forming the regulations and compliance, they have catalyzed needed changes in this highly regulated industry.


Acknowledgments

The paper was first presented at the July 2016 International Committee for the History of Technology (ICOHTEC) annual symposium in Porto, Portugal, in the newly formed interest group for history of information technologies (HIT). I wish to thank coordinators Professors Dick van Lente and Hans-Joachim Braun as well as Moshe Chechik, Ido Cohen (Protalix), Oron Dilmoni, Alon Avni (Teva), with whom I have discussed questions in this article. Thanks also to the anonymous reviewers for their thoughtful remarks.