Contributed by SME: Diane K Gates, President, CenPharma

503B outsourcing facilities sit at a difficult intersection. They operate with the pace and variability of a hospital pharmacy, but they are held to CGMP expectations that increasingly resemble those applied to large commercial drug product manufacturers. Nowhere is this tension more visible than in data integrity.

FDA has made it clear. If the data cannot be trusted, nothing else matters. For 503B facilities, that means moving beyond “Part 11 check-the-box” gap assessment lists to building a living, risk-based data integrity program that matches the complexity of their systems and workflows.

This article outlines a practical approach to data integrity assessments at 503B facilities, using three powerful tools:

1. A system checklist (per-system, per-instrument view)
2. A site data integrity risk assessment (program-level, risk-based view)
3. A data integrity walkthrough checklist (on-the-floor, behavior-focused view)

Together, they create a closed loop. From governance to risk assessment to system control to ongoing challenge and verification.

Start with First Principles: ALCOA++ in a 503B Context

Any assessment framework for 503Bs should be explicitly grounded in the ALCOA++ principles:

• Attributable: Who did what, when, and why is always clear
• Legible and permanent: Data can be read and remains intact over time
• Contemporaneous: Data is recorded at the time work is performed
• Original and true copy: The primary record is known and protected
• Accurate: Free from error or manipulation
• “++” Elements: Complete, consistent, enduring, available, integrity, robustness, transparency, accountability, and reliability

These assessment artifacts should not simply mention ALCOA++; they should force concrete evidence of ALCOA++ at each step, on the system, at the site, and in day-to-day operations.

1. System-Level Integrity: Make Each Instrument Defensible

A system checklist provides a strong foundation. For each system, whether within a quality control (QC) laboratory or in formulation/filling, it drives reviewers to answer the questions that really matter:

• Ownership and segregation of duties
  • Is there a named system owner and system administrator?
  • Is the administrative role separate from the business function that generates or approves data?
  • Are access levels defined and periodically challenged?
• Infrastructure and data storage
  • Is the system stand-alone, networked, or server-based?
  • Where is data actually stored (local PC, application server, cloud, removable media)?
  • Are backups defined, tested, and validated for restore, not just existence?
• Data review and audit trails
  • Is data reviewed in real time, at the end of the day, or in batches?
  • Does the system generate an audit trail that:
    • Cannot be disabled
    • Captures meaningful events (creation, modification, deletion, reprocessing)
    • Is routinely reviewed at a defined frequency
  • Is the audit trail review contemporaneous with data review or a separate periodic activity?
• Access control and session control
  • Does each user have a unique login and password?
  • Is system timeout enabled and aligned with SOPs?
  • Are access controls and roles documented, challenged, and revalidated?
• Laboratory-specific risks
  • For UPLC/HPLC and chromatography systems:
    • Are trial injections governed and visible in the data set?
    • Is manual integration allowed, and if so, under what controlled and justified circumstances?

This level of granularity allows a 503B facility to make a critical shift. It can go from generic “system is validated” statements to clear evidence that the data lifecycle for that instrument is controlled end-to-end.

Key Thought Point:
In 503B facilities, every “small” system can become the weakest link. A system checklist that treats each asset as if it were a major enterprise application changes the culture. No system is too small for real controls.

2. Site-Level Risk Assessment: Prioritize What Matters Most

While system-by-system checklists are essential, 503B facilities also need a cross-cutting, site-level view of risk. A site risk assessment organizes risk domains and assigns high, medium, or low (3 / 2 /1) scores based on specific, observable conditions.

Key domains include:

• Data governance
  • Is there a formal data integrity or data governance procedure?
  • Does it explicitly cover ALCOA++ concepts and definitions?
  • Is training required for all GxP personnel, and is there an anonymous reporting mechanism for data integrity concerns?
• Data integrity risk assessment
  • Does the site maintain a living inventory of GxP systems and assess their controls against regulatory and state board of pharmacy expectations?
  • Are controls risk-based, focusing on systems with highest potential impact to product quality and patient safety?
• Electronic data review
  • Are data and audit trails reviewed electronically, not just from printed reports?
  • Are repeat runs, aborted runs, and non-conforming tests explicitly brought into scope?
  • Is the frequency and scope of review defined in procedures and supported in practice?
• Data retention and backups
  • Are backups performed at defined frequencies and periodically tested for restoration and interpretability?
  • Is there clear responsibility and documentation for retention of all system data, not just final reports?
• Access control
  • Are roles, access levels, and admin privileges for computerized systems documented in procedures?
  • Are unique user IDs enforced, with shared accounts either eliminated or explicitly risk-assessed?
  • Are admin roles segregated from data-generating group, or, where not possible, supported by robust compensating controls and risk assessments?
• Document control
  • Are notebooks, logbooks, and other GxP documents issued, tracked, reconciled, and controlled?
  • Is this control approach clearly laid out in procedures and followed?

The scoring model (3 / 2 / 1) does more than color cells:

• It highlights where systemic weaknesses exist (e.g., no data integrity governance procedure, shared logins, no audit trail review).
• It quantifies total risk exposure, including unanswered questions.
• It gives leadership an actionable way to prioritize remediation instead of chasing every low-level deviation.

Key Thought Point:
Regulators increasingly expect 503B facilities to justify where they spend their compliance energy. A mature facility can point to a site-level risk assessment and say, “Here is why we are focusing remediation on electronic data review and access control first, and here is how we will measure improvement.”

3. The Walkthrough: Converting Policy into Practice

Policies and risk assessments are essential, but data integrity failures are almost always exposed in daily behavior. That is where a walkthrough checklist becomes transformational.

This checklist is structured to drive real conversations and live demonstrations, not paper-only reviews, across critical domains:

Data integrity oversight

• Is there an overarching data governance system: policy, data integrity program, and governance plan for both paper and electronic data?
• How is training conducted on data integrity concepts (ALCOA++)?
• Does the deviation process explicitly address data integrity events?
• Are vendors assessed for data integrity practices?

Raw data control

• Is electronic data explicitly defined as raw data, in line with FDA expectations?
• Are true copies (including metadata) maintained and verified?
• Can activities be reconstructed end-to-end from raw data through to release decisions?

GxP systems and validation

• Is there a complete list of GxP systems, and are they validated holistically for hardware, software, user interface, and procedural controls?
• For stand-alone or user-configurable instruments, what controls prevent data manipulation or deletion?
• How is data transferred to secure locations, and how does the site ensure all data/metadata is captured and remains a true copy?

System access and rights

• Are system administrators limited and independent from data generators?
• Can users delete, overwrite, move, or save data outside controlled locations?
• Are there unique user IDs, password policies, and traceability of who did what, when?
• Are audit trail and security configurations demonstrated online with the auditee, not just described in SOPs?

Paper records and warehouse/production processes

• Are batch records, logbooks, notebooks, and forms:
  • Controlled on issuance?
  • Reconciled after use?
  • Reviewed against supporting evidence (e.g., balance logs, dispensing records)?
• For warehouse and ERP systems:
  • Who can change material status?
  • Are master data and recipes controlled, validated, and access-restricted?
  • Can any critical activities be performed outside the system?

Laboratory operations and chromatography

• Can people trace CoA values back to raw data, sequences, instruments, and files?
• Are critical operations documented contemporaneously, and is there evidence of second-person review?
• For chromatography:
  • Are trial runs controlled and visible?
  • Are manual integrations justified, documented, and periodically challenged?
  • Is the audit trail on, tamper-resistant, and reviewed for anomalies like aborted runs or parameter changes?

Excel and local tools

• Are spreadsheets:
  • Validated and periodically revalidated?
  • Read-only and password-protected, with controlled change processes?
  • Stored in secure locations with appropriate backup and access control?
• Where spreadsheets are not validated, is there documented full second-person verification, including formulas?

Electronic data review and audit trails

• Do review procedures explicitly require review of electronic data and metadata (including audit trails)?
• Where automated audit trails are not available, is there a manual mechanism that still preserves originality and traceability, with a plan to upgrade?
• Does the audit trail review:
  • Capture interrupted or aborted sequences and investigate them?
  • Challenge changes in instrument methods, processing methods, and integration parameters?
  • Document and justify any manual integrations or inhibited peaks?

Key Thought Point:
The walkthrough checklist shifts the conversation from “show me the SOP” to “show me how this actually works today.” For 503B facilities, this is where leadership can directly see whether culture, not just documentation, is aligned with data integrity expectations.

4. Connecting the Dots: From Findings to a Risk-Based Improvement Plan

The real power of these three tools emerges when they are used together:

1. Site risk assessment identifies the highest-risk domains:
   • Example: Access control scores “High”.
2. System checklists then target specific systems in those domains:
   • Example: Chromatography data systems, lab PCs, and compounding records in the ERP.
3. A walkthrough checklist validates whether:
   • The documented controls are actually in use.
   • Staff can demonstrate how data integrity is implemented in routine operations.

From there, leadership can build a prioritized remediation roadmap, such as:

• Short term (0-6 months): Validate or retire high-risk spreadsheets.
• Medium term (6-18 months): Embed data integrity training into onboarding and annual curricula, with scenario-based case studies.
• Long term (18+ months): Integrate data integrity oversight into metrics and management review (e.g., percent of systems with completed risk assessments, percent of audit trails reviewed on time, number and severity of data integrity events). Also, move toward a fully electronic, risk-based data review, with less reliance on paper and manual reconciliations.

5. What “Good” Looks Like for a 503B Data Integrity Program

A mature 503B compounding facility can demonstrate that:

• Every critical system has a current system checklist that proves how data is generated, stored, reviewed, backed up, and protected.
• The site-level risk assessment is up to date, clearly prioritized, and directly linked to remediation plans.
• Data integrity walkthroughs are part of routine self-inspection and are used to challenge, not just confirm, existing practices.
• Data integrity is not just an IT or QA topic; it is a cross-functional responsibility spanning operations, QC, QA, IT, and leadership.
• When regulators ask, “How do you know your data is reliable?”, the answer is evidence-based, not aspirational.

Used together, the system checklist, site risk assessment, and walkthrough checklist form an integrated framework that 503B facilities can use to move from reactive compliance to proactive assurance.