Data Integrity, Part 11, Annex 11 & Audit Trails — Making Electronic Records Defensible

This topic is part of the SG Systems Global regulatory & operations glossary.

Updated November 2025 • data integrity, ALCOA(+), 21 CFR Part 11, EU Annex 11, audit trails, CSV/GAMP 5, user access management, record retention & archival, raw vs processed data, hybrid systems • Pharma, Biologics, Medical Devices, Dietary Supplements, Food & Beverage, Meat, Bakery, Cosmetics, Chemicals

Data integrity is the idea that records used to make quality and regulatory decisions are trustworthy. Not just because you say so, but because the way they’re generated, stored and changed makes cheating, quiet rewriting or silent loss of information visible and very hard to get away with.

In the paper world, this was about ink, signatures and line-throughs. In the electronic world, it’s about how MES, LIMS, SCADA, historians, QMS, WMS and spreadsheets behave together. This is where ALCOA(+), 21 CFR Part 11, EU Annex 11, GxP audit trails, Computer System Validation (CSV) and record retention & archival all meet.

“If someone can quietly change a critical value, a decision, a signature or a timestamp in your system without leaving a trail, you don’t have data integrity. You have electronic white-out.”

1) Data integrity & ALCOA(+) — what “good data” looks like

Your data integrity and ALCOA(+) entries define the baseline. Regulators expect records to be:

• A — Attributable. You can tell who did what, when, with which system or instrument.
• L — Legible. Readable long term (no fading, no obscure codes, no inaccessible file formats).
• C — Contemporaneous. Recorded at the time of the activity or as close as practical, not backfilled days later.
• O — Original. Original record or a true copy, not an untraceable rewrite.
• A — Accurate. Free of unjustified alterations; calculations correct; values within expected precision.

ALCOA “+” adds:

• Complete: Nothing missing (e.g., all batches, including failures).
• Consistent: Chronology, units, formats and metadata make sense.
• Enduring: Records survive for the full retention period.
• Available: You can retrieve them promptly for review, audit or recall.

Every design decision in MES, WMS, LIMS, SCADA and data lakes should be judged against this: does this feature make it easier or harder to achieve ALCOA+?

2) 21 CFR Part 11 & EU Annex 11 — the electronic records/sigs rulebook

21 CFR Part 11 (FDA) and EU Annex 11 (EMA/European GMP) are the core references for electronic records and signatures:

• Part 11. Applicable when electronic records and signatures are used in place of paper and handwritten signatures to fulfil regulatory requirements. It covers system validation, audit trails, record retention, signature controls, security and more.
• Annex 11. Similar themes, with a bit more emphasis on IT infrastructure, risk-based approaches and system life cycle.

They expect, among other things:

• Validated systems (CSV, often following GAMP 5).
• Secure, role-based access control (UAM).
• Computer-generated, time-stamped audit trails for additions, changes and deletions.
• Electronic signatures with defined meaning, linked to records, not easily repudiated.
• Controls over copies, prints and exports.

V5 is explicitly designed to fit inside this mental model: e-signatures, audit trails, role-based access and configuration all line up with Part 11/Annex 11 expectations.

3) User Access Management (UAM) — who is allowed to do what

Every serious data-integrity failure has a permission problem underneath. Your User Access Management (UAM) glossary sets the tone:

• Unique accounts. No shared logins, no generic “operator” accounts, no admin passwords written on whiteboards.
• Role-based permissions. Users get only the privileges they need: operators can record data and launch deviations, but not change recipes or disable interlocks; QA can review and sign; admins manage configuration but don’t sign batch records.
• Segregation of duties. The same person should not be allowed to create, approve and release their own changes or batch records.
• Lifecycle management. Joiners, movers and leavers are handled promptly; dormant accounts are disabled; privileges are reviewed regularly.

V5 implements UAM at MES, WMS and QMS levels. Designing roles and permission sets correctly is half the battle; the other half is enforcing “no work outside the system” so people don’t bypass these controls with spreadsheets and side systems.

4) Audit trails — proving what changed, when and why

GxP audit trails are where data integrity either survives or dies. An audit trail is not just “we track changes” — it must be:

• Automatic. Generated by the system, not by user goodwill.
• Time-stamped. With reliable, synchronised time sources across systems.
• Attributable. Each entry shows who did what.
• Contextual. You can see old value, new value, reason (where appropriate) and which record or batch the change affects.
• Secure & reviewable. Audit trails cannot be edited, and QMS procedures require periodic review of critical audit trails (e.g., for recipes, batch results, release decisions).

In V5, audit trails exist for configuration changes (recipes, workflows, limits), transactional data (batch steps, results, status changes) and QMS events (deviations, CAPA, approvals). They can be filtered and reported for investigations and routine reviews.

5) CSV & GAMP 5 — risk-based validation of systems

Your Computer System Validation (CSV) and GAMP 5 entries spell out the “how” of proving that systems do what you claim:

• Classification & risk. Systems and functions are categorised (e.g., Category 3/4/5 in GAMP) and validated based on risk to product quality and patient/consumer safety.
• Requirements & specs. Clear user requirements, functional and design specifications; traceability matrices to test cases.
• Testing & evidence. Installation, operational and performance testing, including negative and boundary tests for critical functions.
• Lifecycle. Validation is not a one-off; changes, patches, upgrades and integrations require impact assessment and, where needed, revalidation.

For V5, this means:

• Configuration (recipes, workflows, rules) is documented and under change control.
• Standard functions are leveraged where possible; customisations are minimised and heavily justified.
• Validation focuses on what V5 actually does in your environment—how it is configured and integrated—not on abstract feature lists.

6) Hybrid systems, spreadsheets & “paper on top of electronic”

Some of the worst data-integrity problems come from half-moves: electronic systems “supported” by manual logs, spreadsheets and unofficial exports. Common anti-patterns:

• Spreadsheets as primary records. Critical calculations and decisions happening in Excel, with no version control, audit trail or access control.
• Paper on top of electronic. Operators printing out screens, writing on them and filing them as the “real” record while ignoring the underlying database.
• Manual transcription loops. Writing data from instruments onto paper, then typing into LIMS, then exporting to spreadsheets for CPV.

None of this is aligned with ALCOA+. If electronic data exists and is used for release or quality decisions, that data (and its audit trails) are the regulated record—no matter how many PDFs you print on top.

V5’s stance is to reduce these hybrids: get data into structured, transaction-safe tables with audit trails, and provide exports and reports from there, rather than letting spreadsheets become unofficial systems of record.

7) Record retention, archival & retrieval

Record retention & archival is the boring part of data integrity — until you need old records for a long-running product, legal case or post-market safety review.

• Retention periods. Defined per product/market/regulation (e.g., X years after expiry or batch release), documented in policies.
• Archival. Data and documents are moved to environments that are still secure, readable and searchable, with audit trails preserved.
• Migration. System upgrades and migrations must preserve data integrity; validation must show that data hasn’t been corrupted or lost.
• Retrieval. You must be able to retrieve specific batch records, trends, audit trails and approvals within reasonable timeframes, not after three days of hunting tapes.

V5 can sit either in the “active” tier (current operations) or have a long-term archive strategy around it. In either case, database backups, export formats and report designs should be chosen with 10–20 year timelines in mind, not just next quarter’s audit.

8) How V5 Traceability implements data integrity in day-to-day operations

V5 Traceability is built with data integrity as a design principle, not a bolt-on:

• Unique users & UAM. No shared logins; role-based permissions; enforced password and session policies; direct mapping of roles to functions in MES, WMS and QMS.
• Built-in audit trails. All critical configuration changes and transactional events have audit trails recording who, what, when, old/new values and, where applicable, reasons.
• Electronic signatures. E-signatures with defined meaning (e.g., “performed”, “reviewed”, “approved”) tied to specific records and steps.
• Time synchronisation. V5 deployments align to a common time source so cross-system event sequences (MES, WMS, LIMS, historians) are interpretable.
• Controlled exports & integration. V5 Connect provides structured APIs so external systems (LIMS, ERP, data lakes, AI) consume data in controlled ways with proper logging, not via uncontrolled direct DB access.
• Validation-ready configuration. Configuration is parameterised and documented so CSV under GAMP 5 is tractable: you can show which functions you’re using and how, without reverse-engineering your own system.

Combine that with good governance and risk management, and you get electronic records that can withstand auditors, inspectors and your own future questions.

FAQ — Data Integrity, Part 11, Annex 11 & Audit Trails

Q1. Do we need to be “fully Part 11 compliant” before using electronic records?
You need a realistic, risk-based implementation of Part 11/Annex 11 controls for any records you rely on for GxP or food-safety decisions. That doesn’t mean perfection or over-engineering every low-risk system. It does mean you cannot ignore access control, audit trails, validation and retention for core systems like MES, LIMS, QMS, WMS.

Q2. Are PDFs of reports enough to satisfy data-integrity expectations?
No. PDFs are “renderings” of underlying data. Regulators increasingly expect access to the dynamic, original electronic records (with their audit trails), not just static printouts. If decisions are based on an MES database, LIMS tables or a historian, those are the GxP records, not the exported PDFs.

Q3. How dangerous are spreadsheets in a regulated environment?
Used carefully as temporary analysis tools, spreadsheets are manageable. Used as primary systems of record for calculations, deviations, CAPA, batch data or traceability, they are a major data-integrity risk: no robust access control, weak audit trails, easy to overwrite or version incorrectly. They should be aggressively reduced in GxP-critical flows.

Q4. How often should we review audit trails?
At minimum: whenever investigating significant deviations, OOS/OOT events, data anomalies or suspected misconduct. In addition, many regulators expect periodic (e.g., monthly/quarterly) reviews of audit trails for high-risk areas (batch results, specs, recipes, user admin) as part of routine QMS activities.

Q5. Do cloud deployments make data integrity harder?
They change the risk profile but don’t inherently make it worse. Cloud deployments require clear controls over access, tenancy, backups, disaster recovery and change management, but they can also improve standardisation, monitoring and resilience. The same Part 11/Annex 11 and ALCOA+ principles apply; they just involve your cloud provider’s practices as well.

Q6. Where should we start if our current state is “mixed paper, mixed systems, lots of Excel”?
Start by identifying the highest-risk record flows: batch records, lab results, deviations/CAPA, traceability events. Move those into structured, audited systems (V5 MES/QMS/WMS + LIMS) and lock down spreadsheets to analysis-only roles. Implement basic UAM, audit trails and retention policies, and then expand coverage to lower-risk areas over time.

Related Reading (Glossary)
• Core Principles & Rules: Data Integrity | ALCOA(+) | 21 CFR Part 11 | EU Annex 11
• Controls & Validation: Audit Trail (GxP) | User Access Management (UAM) | Computer System Validation (CSV) | GAMP 5 | Record Retention & Archival
• Related Systems: eBMR | LIMS | MES | WMS | QMS
• V5 Platform: V5 Solution Overview | V5 MES | V5 QMS | V5 WMS | V5 Connect API