DIRA Data Integrity Risk Assessment for GMP Audits

DIRA Data Integrity Risk Assessment: how to make it audit-proof

During EMA, FDA and PIC/S audits, Data Integrity is one of the first topics reviewed. The DIRA – Data Integrity Risk Assessment is the tool inspectors use to verify whether a company is able to identify and control data-related risks.
A weak or missing DIRA can lead to critical observations, especially when controls related to ALCOA+, audit trails, backups and the data lifecycle are not adequately implemented.

Regulatory framework: what authorities require

  • WHO 2021: requires a DIRA for all systems and processes generating GxP data.
  • PIC/S PI 041: Data Governance must include assessment and mitigation of Data Integrity risks.
  • EMA Annex 11 / EU GMP: requires controls proportionate to data criticality.
  • FDA 21 CFR Part 211/11: record integrity, audit trails, individual logins.

Inspectors verify that the DIRA is documented, current, complete and linked to real CAPAs.

What inspectors look for

1. Clear mapping of data flows

Auditors often ask: “Show me where this data originates.”
They want to confirm that the company understands the full data lifecycle and its vulnerability points.

2. Risk assessment based on ALCOA+

Failing to analyse Attributable, Original or Available almost always results in an observation.

3. Consistent technical and organisational controls

Examples include:

  • active and regularly reviewed audit trail
  • individual user access
  • verified and tested backups
  • up-to-date and enforced SOPs

4. Mitigation actions actually implemented

Inspectors request proof: screenshots, logs, registers, training records.

5. Updates and governance

A DIRA that is 3 years old with no revisions is considered non-compliant.

How to avoid critical observations

Strategies from the guide:

✔️ 1. Link each risk to a specific phase of the Data Lifecycle

Inspectors appreciate analyses showing real risks:
data loss in archiving, manipulation during processing, backdating during recording, etc.

✔️ 2. Clearly identify data criticality

Batch release data and QC test results inherently carry high risk.

✔️ 3. Implement robust audit trail controls

Warning Letters frequently cite inactive or unreviewed audit trails.

✔️ 4. Validate Excel sheets and manual calculations

Auditors routinely request validation of critical calculations.

✔️ 5. Eliminate shared accounts

Direct violation of the ALCOA attribute Attributable → guaranteed observation.

🗂️ Audit readiness: essential documentation

  • complete and signed DIRA
  • data flow mapping
  • risk list with scoring
  • evidence of implemented mitigation measures
  • Data Integrity Committee minutes
  • audit trail review logs
  • backup & restore test results
  • related CAPAs with progress tracking

🔴 Typical mistake → ✔️ Recommended corrective action

Mistake: generic DIRA with unjustified “medium” ratings
Correction: define numerical criteria and include concrete failure-mode examples

Mistake: DIRA not linked to real processes
Correction: map actual data flows with screenshots or system references

Mistake: mitigation actions not implemented
Correction: open CAPA, assign responsibilities, track progress in Quality Council

Conclusion

A strong DIRA demonstrates to inspectors that the company understands its data, its risks and its vulnerabilities — and that a mature Data Governance system is in place.
Keep your organisation audit-ready. Discover the full guide on GuideGxP.com

Back to blog

Looking for something specific?

DISCOVER THE FULL GXP CATALOG