
Data Integrity & Digital QMS in API Manufacturing: Why Buyers Care

A formulation company places a large order with a supplier that holds a WHO-GMP certificate. The batch passes in-house QC. Then a regulatory audit triggers a series of problems.

The supplier had disabled an HPLC audit trail. Results that did not meet specifications were deleted and re-run with substituted values. Manufacturing batch records were completed after the fact.

This was a real case. The USFDA cited it in over 80 Warning Letters from 2012 to 2024. The majority of the letters were directed at Indian API and formulation companies.

The biggest concern for API suppliers is data integrity.

This blog explains what it is and why it is important to buyers, and will show you how to check for data integrity before you place an order.

Data Integrity Failures: The API Quality Risk Buyers Cannot See from a Certificate

Certificates are usually issued on the basis of past audits and do not necessarily indicate what is occurring at a facility now.

This section describes why data integrity in API manufacturing processes is an invisible risk to buyers until it is too late.

What Is Data Integrity in API Manufacturing?

Data integrity in API manufacturing means that all data across production, testing, and batch release is recorded completely, in a manner that is auditable and cannot be altered.

It includes everything from paper records, electronic systems, and lab instruments, to LIMS, ERP, and all digital audit logs.


The principle is simple: data must reflect the real events that occurred during manufacturing, not a reconstructed version assembled to achieve a passing result.

WHO Technical Report Series 996, Annex 5 (2016) gives the following explanation of data integrity:

“The degree to which data are complete, consistent, accurate, trustworthy and reliable” at each stage in the data lifecycle, from creation to archiving.

The ALCOA+ framework takes the standard described in WHO TRS 996 Annex 5 and expands on it with nine data integrity attributes:

Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available.

Each regulated API manufacturer is expected to demonstrate compliance with all nine attributes, in both paper and electronic formats.

Why a supplier's data integrity matters to API buyers goes beyond regulatory compliance.

It is the basic guarantee between buyer and seller that the results in the Certificate of Analysis reflect the true analysis and not values manipulated by an employee.

Why Is Data Integrity a Buyer Risk: Not Just a Regulatory Risk?

Many API buyers treat data integrity as a supplier compliance issue.

When a supplier fails a USFDA data integrity inspection, FDA investigators consider every batch released under that approval potentially harmful, including any authorized batch that is already in the API buyer's product pipeline.

API buyers who do not have a data integrity verification system in place at the supplier qualification stage are, in effect, exposed to unknown data integrity risks in every API batch they procure.

While the suppliers bear the regulatory sting, the buyers ultimately feel the commercial, clinical, and reputational impact.

As recorded in the USFDA Import Alert database, Import Alert 66-40 (Detention Without Physical Examination) applies where data integrity violations have been identified.

Once included under this alert, products of a facility are detained at all US ports of entry.

The implication of this is that buyers will sooner or later experience a disruption in the supply of the entire range of APIs that they source from the affected manufacturer.

The Certificate Gap: What a WHO-GMP Certificate Does NOT Tell a Buyer

A WHO-GMP certificate indicates that, at the time of the inspection, the premises in question were compliant with GMP.

However, it does not attest to data integrity compliance, to the control of validated systems, to the absence of audit trail manipulation, or to the absence of HPLC OOS result manipulation.

Importantly, certificates remain valid for up to three years and do not reflect changes that take place under production load, outside of regulatory scrutiny.

This is the buyer’s blind spot, and it is where the majority of data integrity failures occur.

Micro-Summary: Data integrity is the verifiable assurance of data accuracy and completeness of all GMP records throughout the data lifecycle. WHO’s ALCOA+ is the benchmark.

Import Alert 66-40 confirms that a supplier’s data integrity failure creates a direct, retroactive supply risk for buyers, irrespective of which entity holds the regulatory approval.

Having identified the scope of the risk, let’s examine what data integrity failures actually mean in the context of regulatory enforcement, and what the financial implications are for buyers.

What Actually Happens When Data Integrity Fails: Warning Letters, Import Alerts & Commercial Consequences

Regulatory enforcement data documents a consistent pattern of failure. The consequences are not limited to the supplier.

This section presents three verified enforcement realities every API buyer must understand.

USFDA Warning Letters: The Documented Pattern of API Data Failures

Since 2012, the USFDA has issued more than 80 Warning Letters citing data integrity deficiencies in pharmaceutical manufacturing, with the majority targeting facilities in India and China.


The violations follow a consistent pattern across multiple documented enforcement actions:

  • Audit trail manipulation: audit trails disabled on HPLC, dissolution, and GC instruments.

  • Out-of-specification results were deleted and re-run until passing values were obtained.

  • Batch manufacturing records are backdated in paper and electronic systems.

  • Shared user login credentials eliminate individual attributability.

  • Unauthorised deletion of original electronic batch record data.

Each is a GMP violation under 21 CFR Parts 211 and 11. Each carries the same commercial consequence: supply disruption, product recall risk, and loss of regulatory standing.
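As an added illustration (not taken from the original article or from any vendor's software), the sketch below shows how a QA reviewer could screen an audit-trail export for the violation patterns listed above. The column names, event names, user IDs and thresholds are assumptions; real LIMS and chromatography data systems use their own export formats.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed audit-trail export for illustration (not real instrument output).
# Assumed columns: system_time is server-stamped; activity_time is the time
# the operator claims the work was performed.
SAMPLE_EXPORT = """system_time,activity_time,user,workstation,action,sample_id,result,spec
2024-03-04T09:00:10,2024-03-04T09:00:00,asharma,HPLC-01,RESULT_RECORDED,B1021-A,98.7,PASS
2024-03-04T09:40:00,2024-03-04T09:39:50,qc_lab,HPLC-02,RESULT_RECORDED,B1022-A,91.2,OOS
2024-03-04T09:42:00,2024-03-04T09:42:00,qc_lab,GC-01,LOGIN,,,
2024-03-04T09:50:00,2024-03-04T09:50:00,qc_lab,HPLC-02,RESULT_DELETED,B1022-A,91.2,OOS
2024-03-04T10:30:00,2024-03-04T10:29:00,qc_lab,HPLC-02,RESULT_RECORDED,B1022-A,99.1,PASS
2024-03-04T11:15:00,2024-03-04T11:15:00,mverma,DISS-01,AUDIT_TRAIL_DISABLED,,,
2024-03-06T16:00:00,2024-03-02T11:00:00,rpatel,EBR-01,BATCH_STEP_RECORDED,B1023,,
"""


def parse(export_text):
    """Parse the CSV export and order events by system-generated time."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    for r in rows:
        r["system_time"] = datetime.fromisoformat(r["system_time"])
        r["activity_time"] = datetime.fromisoformat(r["activity_time"])
    return sorted(rows, key=lambda r: r["system_time"])


def review(rows, backdate_tolerance=timedelta(minutes=30),
           shared_window=timedelta(minutes=5)):
    """Return (finding, subject, detail) tuples for the listed patterns."""
    findings = []
    deleted_oos = set()   # sample IDs whose OOS result was deleted
    last_seen = {}        # user -> (workstation, system_time)
    for r in rows:
        act, user = r["action"], r["user"]
        ws, t = r["workstation"], r["system_time"]
        if act == "AUDIT_TRAIL_DISABLED":
            findings.append(("AUDIT_TRAIL_DISABLED", ws, user))
        if act == "RESULT_DELETED":
            # Any deletion of an original result breaks Original/Complete.
            findings.append(("ORIGINAL_DATA_DELETED", r["sample_id"], user))
            if r["spec"] == "OOS":
                deleted_oos.add(r["sample_id"])
        if (act == "RESULT_RECORDED" and r["spec"] == "PASS"
                and r["sample_id"] in deleted_oos):
            # Failing result removed, then a passing re-run recorded.
            findings.append(("OOS_DELETED_THEN_PASSED", r["sample_id"], user))
        if t - r["activity_time"] > backdate_tolerance:
            # Entry made long after the claimed activity: not Contemporaneous.
            findings.append(("NOT_CONTEMPORANEOUS", r["sample_id"] or ws, user))
        prev = last_seen.get(user)
        if prev and prev[0] != ws and t - prev[1] <= shared_window:
            # Heuristic: one account on two workstations within minutes
            # suggests shared credentials (loss of Attributability).
            findings.append(("POSSIBLE_SHARED_LOGIN", user, f"{prev[0]}+{ws}"))
        last_seen[user] = (ws, t)
    return findings


if __name__ == "__main__":
    for finding in review(parse(SAMPLE_EXPORT)):
        print(finding)
```

The shared-login rule is a heuristic that needs confirmation against access logs; the other rules only work if the export itself is complete, which is why an enabled audit trail is the first thing to confirm.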

EMA and MHRA: European Regulators Are Equally Uncompromising

The European Medicines Agency and the UK Medicines and Healthcare products Regulatory Agency have both issued detailed data integrity guidance and taken enforcement action against non-compliant API manufacturers.

The MHRA's GxP data integrity guidance from March 2018 remains the most operationally detailed regulatory guidance document on data integrity globally.

The MHRA states explicitly that data integrity problems are “frequently symptomatic of poor quality culture,” identifying systemic management failure, not merely technical gaps, as the root cause.

MHRA has issued multiple Statements of Non-Compliance for Indian API manufacturers following remote and on-site inspections since 2020.

EMA inspections of third-country API manufacturers routinely cite failures equivalent to those described in the MHRA GxP data integrity guidance, and EU non-compliance findings trigger cross-recognition alerts to TGA (Australia) and Health Canada, extending the commercial impact well beyond the originating market.

The Commercial Cascade: What a Supplier’s Data Integrity Failure Costs the Buyer

For API buyers, a supplier's data integrity failure triggers a documented commercial cascade. The steps are consistent:

  • Regulatory agencies notify the buyer’s national authority.

  • Already-received batches are quarantined pending investigation.

  • Finished product inventory is placed on hold.

  • Customer supply commitments are missed.

  • The buyer must notify their own regulators, and in some markets, file a Field Safety Corrective Action or product recall.

The financial and reputational cost borne by the buyer for a failure at an API supplier whose digital QMS they never adequately verified is consistently larger than the cost of proper supplier qualification would have been.

Now that the regulatory and commercial consequences of data integrity failures in API manufacturing are established, let us examine what a genuinely compliant digital QMS at an API supplier looks like in practice.

What a Compliant Digital QMS Looks Like in a Modern API Facility

Compliance requires specific, verifiable system architecture. This section defines each element, from ALCOA+ through to EU Annex 11, against verified regulatory standards.

The ALCOA+ Framework: The Globally Accepted Data Integrity Standard

ALCOA+ is the universal standard adopted by WHO, USFDA, MHRA, and PIC/S. Every GMP data point must satisfy nine attributes.

A supplier who cannot demonstrate this compliance framework across all GMP data-generating systems fails the baseline standard for any regulated market.

Key attributes include:

  • Attributable: individual login identifying who recorded it; shared credentials are a disqualifying violation.

  • Legible: permanently readable, not overwritten or degraded.

  • Contemporaneous: recorded at the time of the activity, not retrospectively.

  • Original: first capture, not a transcription from another medium.

  • Accurate: correct, complete, with no selective deletion.

The extended ALCOA+ attributes Complete, Consistent, Enduring, and Available require that all data, including failing results, be retained, that records follow chronological logic, and that data remain retrievable for inspection at any time.

21 CFR Part 11: The US Electronic Records and Signatures Standard

For an Indian API manufacturer, 21 CFR Part 11 compliance requirements govern all electronic records and signatures used in pharmaceutical manufacturing for the US market.


Compliance requires validated computer systems with enabled audit trails, unique user IDs and access controls, system-generated timestamps that cannot be manually modified, and electronic signature controls equivalent to handwritten signatures.

Critically, Part 11 obligations extend to standalone analytical instruments, including HPLC, dissolution apparatus, and balance software, even where those instruments are not connected to a central LIMS.

This is the most commonly violated area in USFDA inspections.

Buyers supplying the US market directly or through a formulation partner must verify Part 11 compliance across all GMP electronic systems without exception.

Actiza’s validated digital QMS for API manufacturing is designed and validated to meet 21 CFR Part 11 requirements across LIMS, EBR, eDMS, and CAPA, including standalone analytical instrument audit trail controls.

EU Annex 11: The European Computer System Validation Standard

EU Annex 11 requirements are the European equivalent of 21 CFR Part 11, with additional obligations for risk management throughout the system lifecycle, supplier assessment of software vendors, and periodic revalidation following system changes.

For manufacturers supplying EU markets, Annex 11 compliance must be demonstrated across LIMS, ERP, SCADA, building management systems, and all GMP-relevant software.

EMA inspectors routinely probe Annex 11 compliance as a proxy for overall data integrity culture.

Digital QMS Architecture: What ‘Fully Digital’ Actually Means

A genuinely compliant digital QMS at an API supplier integrates six core validated systems, each with role-based access control, automated audit trails, and validated backup.

Facilities describing themselves as “digital” while retaining paper-based batch manufacturing records for critical production steps are operating hybrid systems, which require explicit documentation of paper record controls under ALCOA+.

| System | Function | GMP Relevance | GAMP 5 Category | Validation Requirement | Audit Trail Requirement |
|---|---|---|---|---|---|
| LIMS | Analytical data management | All laboratory testing records | Category 4/5 | Full IQ/OQ/PQ | Mandatory — all entries |
| ERP (EBR) | Electronic batch records | Production and release data | Category 4/5 | Full IQ/OQ/PQ | Mandatory — all changes |
| eDMS | Controlled document management | SOPs, specifications, master records | Category 3/4 | OQ/PQ | Document version history |
| CAPA System | Corrective and preventive actions | Quality event management | Category 3/4 | OQ/PQ | Full change trail |
| Deviation Management | Non-conformance tracking | Batch disposition data | Category 3/4 | OQ/PQ | Event and closure trail |
| Change Control | System and process change management | Validation lifecycle | Category 3/4 | OQ/PQ | All change approvals |

Source: ISPE GAMP 5 2nd Edition 2022 / WHO TRS 996 / ICH Q10

The Data Integrity Culture Indicator: What Audits Should Actually Probe

WHO-GMP data integrity guidance consistently identifies data integrity failures in API manufacturing as cultural, not merely technical.

A supplier can operate a validated LIMS and still have operators instructed to re-test OOS results until they pass.

The most revealing audit indicators are behavioural:

  • Frequency and depth of internal data integrity self-inspections.

  • Evidence of CAPA closure for previous MHRA GxP data integrity observations.

  • Training records demonstrating staff understanding of ALCOA+ requirements.

  • Whether QA reviews audit trails and HPLC OOS result controls as part of routine batch release, not solely when a regulatory inspector requests access.

The MHRA GxP data integrity guidance (2018) states that data integrity problems are “frequently symptomatic of poor quality culture.”

WHO guidance further identifies “normalised deviance”, where rule-breaking becomes habitual and accepted, as the primary mechanism behind data integrity failures in API manufacturing.

Technical system validation alone is therefore insufficient evidence of true compliance.

A compliant digital QMS at an API supplier requires ALCOA+-aligned systems, validated under GAMP 5 methodology and meeting 21 CFR Part 11 and EU Annex 11 standards, with a quality culture that reviews audit trails routinely, not only at inspection.

Now that the compliance architecture is defined, let us address three honest limitations buyers must acknowledge before qualifying any API supplier.

What Buyers Must Know: Three Honest Limitations

Transparency is central to sound supplier qualification. Three realities must be acknowledged before any procurement decision.

Paper-Based Systems Are Still Present And Not Automatically Non-Compliant

Not all WHO-GMP certified API manufacturers have completed the digital transition.

Many facilities operate hybrid systems (a validated LIMS for analytical data and an ERP/EBR for some production records) while retaining paper-based batch manufacturing records for certain production activities.

This is not automatically a GMP violation. Paper systems can meet ALCOA+ requirements when properly controlled using indelible ink, contemporaneous recording, and documented error correction procedures.

Buyers should explicitly ask which GMP activities remain paper-based, what controls govern paper record integrity, and request the site’s Computerised System Inventory to understand the full scope of the digital-paper boundary.

Remote Audits Have Real Limitations for Data Integrity Verification

Post-pandemic remote audits have documented limitations for verifying a supplier's QMS before buying API from India.

A remote audit can review documentation, interview QA staff, and observe system demonstrations, but it cannot access live audit trails under actual production conditions, detect standalone analytical instruments with local data storage bypassing central LIMS, or observe operator behaviour during real batch processing.

For high-volume, regulated-market API procurement, an on-site audit or a qualified third-party audit is strongly recommended as part of initial supplier qualification under any rigorous protocol for verifying a QMS before buying API from India.

A Certificate of Analysis Is Not Proof of System Compliance

A batch CoA confirms a test result; it does not certify that the data generating that result was managed with integrity under WHO-GMP data integrity expectations.

The CoA is the output of the QMS. Buyers must verify the QMS behind the CoA.

A CoA from a facility with a disabled HPLC audit trail, or without controls against OOS result manipulation, is a document without verifiable integrity.

Request Actiza Pharma’s data integrity documentation pack for supplier qualification to understand what a verified documentation package looks like in practice.

Now that the limitations are acknowledged, let us move to the practical verification framework every buyer should apply.

6-Step Buyer Verification Framework: How to Verify Data Integrity Before Qualifying a Supplier

This framework is actionable, supplier-agnostic, and directly applicable to any procurement programme that must verify a supplier's QMS before buying API from India.

| Step | Verification Action | What to Ask / Check | Risk if Skipped |
|---|---|---|---|
| Step 1 | Request Computerised Systems Inventory | Ask for a complete list of all GMP-relevant computerised systems — LIMS, ERP, SCADA, standalone instruments (HPLC, GC, dissolution, balance software). Each should show: validation status, last revalidation date, GAMP 5 category, and whether audit trail is enabled. | Undisclosed paper-based systems or unvalidated instruments remain invisible — highest source of data integrity violations |
| Step 2 | Verify Audit Trail Status | Confirm audit trails are enabled (not disabled) across all analytical instruments. Request evidence of periodic audit trail review as part of batch release documentation — not just at inspection time. | Disabled audit trails are the #1 cited violation in USFDA Warning Letters — a supplier cannot demonstrate ALCOA+ compliance without them |
| Step 3 | Check USFDA Import Alert Status | Search FDA’s import alert database (IA 66-40 specifically) for the supplier’s facility name and address. A current listing is a disqualifying finding — no buyer should procure from a facility under active data integrity import alert. | Active IA 66-40 listing means buyer’s products can be detained at US ports retroactively — severe supply and regulatory risk |
| Step 4 | Review Regulatory Inspection History | Request Form 483 observations (USFDA) and Warning Letter history. Check EudraGMDP for EMA non-compliance statements. Request MHRA inspection reports for UK-market buyers. Look specifically for data integrity observations in the last 3 years. | Undisclosed recent DI observations indicate unresolved systemic risk — a CAPA may be in progress but remediation incomplete |
| Step 5 | Conduct Data Integrity Audit Section | Ensure buyer audits include a dedicated DI section: live system demonstration, audit trail sample review, interview with QA Data Integrity owner, review of DI SOP and training records, and evidence of at least one recent CAPA closure for a DI observation. | Audits without a DI section miss the most common and commercially damaging category of pharmaceutical GMP failure |
| Step 6 | Include Data Integrity in Quality Agreement | QA must explicitly cover: (a) notification of any DI observation from any regulatory authority within 30 days; (b) audit trail preservation requirements; (c) prohibition on deletion or overwriting of original data; (d) CAPA obligations with defined timelines and buyer approval rights. | Without contractual DI obligations, the buyer has no legal recourse and no early warning system when supplier compliance deteriorates |

Actiza’s 21 CFR Part 11 and EU Annex 11 compliant QMS for API manufacturing supports full documentation provision across all six verification steps, including Computerised Systems Inventory, audit trail review protocols, regulatory inspection history, and DI SOPs.

Micro-Summary Section 5: The six-step framework covers the workflow for verifying a QMS before buying API from India, from Computerised Systems Inventory through contractual data integrity obligations.

Each step directly maps to a documented enforcement risk category identified in USFDA, EMA, or MHRA actions.

FREQUENTLY ASKED QUESTIONS

Q1: Is 21 CFR Part 11 compliance required if I am not selling in the US market?

A: 21 CFR Part 11 requirements apply specifically to FDA-regulated products for the US market.

However, equivalent requirements exist in every major regulated market: EU GMP Annex 11 for Europe, PIC/S guidance for member countries, and WHO technical guidance for WHO-prequalified products.

Buyers supplying regulated markets outside the US should verify compliance with the applicable market-specific electronic records standard rather than assuming Part 11 is the only relevant framework.

Q2: What is the difference between a digital QMS and an Electronic Batch Record (EBR)?

A: A digital QMS at an API supplier is a complete quality management infrastructure comprising LIMS, ERP, eDMS, CAPA, deviation management, and change control systems.

An Electronic Batch Record is one specific component within that system, the electronic version of the paper batch manufacturing record that documents every step of a production batch.

Electronic batch record requirements are governed by 21 CFR Part 11 in the US and EU GMP Annex 11 in Europe. A supplier can have an EBR without having a fully integrated digital QMS.

Q3: Can a supplier pass a WHO-GMP inspection and still have data integrity failures?

A: Yes, and this is precisely the risk described in Section 1.2.1. WHO-GMP compliance is assessed at a specific point in time during an inspection visit.

Between inspections, which can be three or more years apart, a facility may develop data integrity deficiencies, particularly under production pressure.

A WHO-GMP certificate confirms past inspection status, not continuous data integrity compliance. This is why independent buyer qualification using the framework in Section 5 is essential.

Q4: What is ALCOA+ and why does it matter for API procurement?

A: ALCOA+ is the globally accepted framework of nine data integrity attributes for pharmaceutical GMP data management, adopted by WHO, USFDA, EMA, MHRA, and PIC/S.

CONCLUSION

The shift in global pharmaceutical regulation has made data integrity in API manufacturing the primary quality risk signal, ranking ahead of test results, facility certificates, and standard GMP audits.

USFDA, EMA, MHRA, WHO, and PIC/S are fully aligned: a supplier with sound chemistry but compromised data management cannot supply regulated markets reliably over time.

API buyers who qualify suppliers without systematically verifying the supplier's digital QMS compliance are carrying a risk they cannot quantify until it materialises as a supply disruption, a product recall, or a regulatory notification.

The 6-step verification framework in Section 5 is actionable, supplier-agnostic, and directly applicable to any API procurement programme.

Apply it before every new supplier qualification and at every periodic re-qualification cycle.

Ready to Qualify a Supplier That Meets Every Step?

Actiza Pharmaceutical Pvt. Ltd. manufactures WHO-GMP certified APIs with a fully validated digital QMS infrastructure covering 21 CFR Part 11, EU Annex 11, and the complete ALCOA+ framework across LIMS, EBR, eDMS, and CAPA systems.

We provide complete data integrity documentation packs for buyer qualification: Computerised Systems Inventory, audit trail review protocol, regulatory inspection history, DI SOP, and Zone IVb stability data, where applicable.

Request your documentation package or schedule a qualification call with our QA team today.

About the Author

Nilesh Mendpara

Nilesh Mendpara is the Managing Director of Actiza Pharmaceutical PVT. LTD., based in Surat, Gujarat, India. With over 10 years of experience in the pharmaceutical industry, Nilesh is passionate about spreading pharmaceutical knowledge and staying ahead of industry trends. He holds a Master of Pharmacy (Distinction) and a Bachelor's in Pharmacy from Rajiv Gandhi University of Health Sciences. Under his leadership, Actiza Pharmaceutical aims to be the most trusted partner for pharmaceutical exports worldwide, ensuring the highest standards of quality and safety. Connect with Nilesh to explore opportunities in advancing global healthcare.


We are a 100% export-oriented company and do not engage in domestic sales within India.