MHRA GxP Data Integrity Expectations – Practical Controls for Regulated Manufacturers

This hub connects SG Systems Global glossary entries and concepts relevant to MHRA GxP data integrity expectations: ALCOA+, audit trails, computerised systems, access control, record retention, and batch-record evidence.

Updated December 2025 • MHRA GxP data integrity expectations, ALCOA and ALCOA+, audit trail controls, computerised system validation (CSV), access management, record retention and archival, GxP data lifecycle • QA, QC, CSV leads, IT, manufacturing and laboratory managers

MHRA GxP data integrity expectations are not a new regulation; they are a clear, pragmatic interpretation of existing GxP requirements applied to data in both paper and computerised systems. In practice, they translate into how you design your QMS, how your MES, LIMS, and ERP behave, and how well you can defend the integrity of data in inspections.

“Data integrity failures are rarely ‘IT problems’ – they are management, culture and system design problems that just happen to show up in the data.”

1) What MHRA Means by GxP Data Integrity

“Data integrity” under MHRA is not just about preventing fraud. It is about ensuring that GxP decisions are made on data that are complete, consistent, and accurate throughout the data lifecycle – from creation and processing through review, reporting, retention, and archival.

• Data Integrity – fitness of data to support GxP decisions.
• GxP – the umbrella for GMP, GDP, GLP, GCP and related practices.
• ALCOA / ALCOA+ – baseline attributes for trustworthy GxP data.
• 21 CFR Part 11 and EU Annex 11 – regulatory frameworks for electronic records and signatures.

MHRA emphasises that data integrity is a GxP-wide obligation – not just for QC labs or clinical systems, but also for manufacturing, warehousing, complaints, pharmacovigilance, and any other process that generates GxP-relevant data.
That includes your batch records, cleaning records, temperature mapping, calibration, training, and quality events.

In practice, this means you need to be able to answer two simple inspector questions for any data set:

• “Can we trust that this data is complete and has not been altered without detection?”
• “Can you show us how this data was generated, reviewed, and used to make decisions?”

2) ALCOA and ALCOA+: Turning Acronyms into Design Rules

Most regulated companies can recite ALCOA. Far fewer have actually designed their systems and procedures so that ALCOA(+) falls out naturally from how people work.

• ALCOA / ALCOA+ – Attributable, Legible, Contemporaneous, Original, Accurate + Complete, Consistent, Enduring, Available.
• Audit Trail (GxP) – how you make records attributable, contemporaneous, and reviewable.
• Data Retention & Archival – how you make records enduring and available.

Some practical patterns that align with MHRA expectations:

• Attributable: no shared logins; all GxP actions are tied to named users via user access management.
• Contemporaneous: records captured at the time of the activity – not transcribed from scrap notes or “end of shift” memory.
• Original: the electronic record generated by the system is the primary record; paper printouts are copies, not the evidence.
• Accurate & Complete: calculations are systemised, checks are enforced, and audit trails show corrections and reasons – not overwritten values.
• Enduring & Available: records and metadata are retained in usable formats for as long as required by GxP, not trapped in legacy boxes or inaccessible backups.

The design question to ask for each process: “If a user tried to bypass ALCOA+, what would stop them – the system, the procedure, or nothing?” MHRA expects the answer to be “the system and the procedure,” not “trust us.”

3) Governance, QMS and Culture – Data Integrity Starts on Paper

Before you worry about MES configuration or LIMS audit trails, MHRA expects a governance framework for data integrity inside your QMS.

• Quality Management System (QMS) – the container for policies, procedures and governance.
• Policies – QMS Governance & Control – including a dedicated data integrity or GxP data governance policy.
• Training Matrix & Role-Based Competency – ensuring staff understand data integrity responsibilities.
• Internal Audit – including routine data integrity audits and walk-throughs.
• Risk Management (QRM) – capturing data integrity risks explicitly.

MHRA guidance repeatedly stresses culture:
falsifying, backdating, or “tidying” data to make them look better is a quality and leadership problem, not just a technical control failure.
You need:

• Clear expectations: written, practical guidance on data recording, corrections, and use of unofficial notes.
• Safe escalation: staff feel able to report data issues without fear of blame.
• Real consequences: deliberate falsification is treated as a serious quality and ethical breach.

Without this, even the best system configuration will be undermined by “workarounds” and shadow spreadsheets.

4) Computerised Systems, Access Control & Audit Trails

MHRA expects computerised GxP systems to be validated, appropriately configured, and operated in a way that supports data integrity – not just “Part 11 tick-boxes.”

• Computer System Validation (CSV)
• User Access Management (Roles & Permissions)
• Audit Trail – GxP
• Change Control for configuration and master data.
• User Requirements Specification (URS) | IQ / OQ / PQ

Key MHRA-aligned practices:

• No shared accounts: production, lab, and admin accounts are personal; “generic operator” logins are a red flag.
• Role-based permissions: users can only do what their role requires; configuration, deletion, and backdating are tightly controlled.
• Audit trails enabled and meaningful: for creation, modification, deletion, and critical configuration changes; readable, filterable and reviewable by QA.
• Time synchronisation: system clocks are managed so audit trail sequences are reliable and defendable.
• Backups and restoration tests: data and metadata (including audit trails) are backed up and can be restored without loss or corruption.

A good sanity check: could QA review and understand what happened with a batch or result using only the system and its audit trails – without asking IT to run ad hoc database queries?
If not, your configuration is not inspection-ready.

5) Data Lifecycle – From Creation to Archival

MHRA frames data integrity across the data lifecycle, not just at the moment of entry. That means controls at creation, processing, review, reporting, retention, and archival stages.

• Record Retention & Data Integrity Archival
• Data Retention & Archival
• Tests & Laboratory Analyses Review
• GxP Data Lake & Analytics Platform

Some lifecycle checkpoints:

• Creation: data are captured directly in validated systems where possible; temporary notes are controlled; transcriptions are minimised and verified.
• Processing: calculations, transfers, and interfaces are validated; error handling is defined; manual data manipulations are visible and justified.
• Review & approval: electronic signatures (where used) are meaningful; reviewers see raw data, metadata, and audit trails – not just summaries.
• Reporting: printed or exported reports are clearly identified as copies; they reference the source system and data set.
• Retention & archival: records remain readable, retrievable and linked to their metadata for the full retention period, even across migrations and system replacements.

In a modern architecture, this often means a combination of primary systems (MES, LIMS, QMS, ERP) and a GxP-aware data lake where data, context, and integrity evidence can be analysed together without breaking their chain of custody.

6) Risk-Based CSV and Periodic Review – Staying Ahead of Inspections

MHRA expects risk-based validation and ongoing assurance – not one-time CSV followed by years of drift.

• Computer System Validation (CSV)
• Quality Risk Management (QRM)
• Periodic Review (map to your internal entry if created)
• Change Control | Release Status

Practical elements of MHRA-aligned CSV:

• Risk-based URS: identify which functions are critical to data integrity and focus testing there.
• Traceability: link requirements → risks → tests → reports so you can show why the system is fit for use.
• Configuration management: system configuration and master data (roles, workflows, limits) are under formal change control.
• Periodic review: at defined intervals, you review incidents, deviations, change history, audit trail issues, and vendor patches to confirm the system remains in control.

The inspection risk is highest when systems have been live for years without proper change control or review. MHRA guidance explicitly calls out “validation once, then ignore” as a failure mode.

7) Lab & Analytical Data Integrity Traps

Many serious data integrity findings have originated in QC labs – especially chromatography and other analytical systems.
MHRA expectations extend straight into how you run those instruments and manage their software.

• HPLC and other instrument systems under data integrity scrutiny.
• ISO/IEC 17025 – Testing & Calibration Lab Competence
• LIMS | ELN
• Test Method Validation (TMV)

High-risk patterns MHRA looks for:

• Workstations where analysts can delete or overwrite chromatograms without trace.
• “Trial injections” that are conveniently excluded from results and not documented.
• Reprocessing chromatograms until desired results are achieved, without justification.
• USB sticks, local folders, or “offline” storage that bypass LIMS or centralised archives.

The target state is straightforward:
raw data, processed data, methods, integration parameters, and audit trails are stored securely; analysts have only the privileges needed; reviews (including audit trail review) are baked into release decisions.

8) Shop-Floor MES, Batch Records & Data Integrity

For manufacturers, the most visible expression of data integrity is the batch record.
MHRA expects electronic and hybrid batch records to demonstrate what actually happened on the line – not what should have happened.

• MES – Manufacturing Execution System
• Electronic Batch Record (eBMR) | Automated Batch Records
• Batch Record Lifecycle Management
• Hard-Gating Electronic Pass/Fail Controls
• Access Management and Electronic Operator Sign-Off

MHRA-aligned MES patterns:

• Enforced workflows: critical steps (material verifications, parameter checks, IPCs) are hard-gated; the system will not let operators skip them.
• Real-time capture: weights, IDs, scanning events, and process parameters are captured as they occur, not documented later from memory.
• Exception visibility: deviations, out-of-limit events, and manual overrides are clearly flagged in the eBMR and routed through QA review.
• Configuration control: recipes, limits, and workflows are versioned and under change control.
• Review by exception: the system surfaces the minority of batches that truly need deep review, based on rules and exception data.

This is where platforms like V5 can align very naturally with MHRA expectations – by making the “right way” of working the easiest way and embedding data integrity into the everyday operator experience.

9) How to Use This MHRA GxP Data Integrity Cluster

If you’re building or tightening a data integrity programme to satisfy MHRA and other regulators, use this glossary cluster as a structured roadmap:

• Start with principles: review Data Integrity, ALCOA(+), and Audit Trails.
• Align the QMS: ensure policies, training, internal audits, and QRM references to data integrity are explicit and current.
• Map critical systems: MES, LIMS, QMS, ERP and lab instruments – capture their data integrity risks and controls.
• Close obvious gaps: shared logins, weak audit trails, uncontrolled spreadsheets, manual transcription loops.
• Design for inspectors: make it easy to show who did what, when, why, and under which approved procedure.
• Monitor and improve: feed data integrity findings into CAPA, PQR/APR, and periodic reviews.

The target state is simple to describe and hard to fake: GxP data are trustworthy by design, not by assertion. When MHRA (or any other regulator) asks “Why should we trust this record?”, your systems, procedures and culture answer for you.

Related Reading (Glossary)
• Core Principles: Data Integrity | ALCOA / ALCOA+ | Audit Trail (GxP) | 21 CFR Part 11 | EU Annex 11

• QMS & Governance: QMS | Policies & Governance | Training Matrix | Internal Audit | QRM

• Systems & CSV: CSV | User Access Management | Change Control | MES | LIMS | GxP Data Lake

• Records & Archival: Record Retention & Archival | Data Retention & Archival | eBMR | Batch Record Lifecycle | PQR | APR