The “Single Source of Truth” principle in biotech quality assurance

Quality assurance professionals use the single source of truth principle to ensure everyone in the company acts with confidence on the most current and accurate data.

The single source of truth principle (SSOT), stated in a few ways

SSOT is a data storage principle that originated in business software. The principle directs you to always source a particular piece of information from one place. It means that everyone in the company agrees that one view of data is the real, trusted number.

Stakeholders in a biotech or laboratory environment follow SSOT to make all scientific and quality decisions based on a single, definitive record that they all have appropriate access to.

SSOT also refers to the practice of aggregating the data from many systems within an organization to a single location. This does not mean all data is stored in this location, but that this hub contains accurate references to the definitive location of this data.

What are the advantages of an SSOT approach?

An SSOT approach will help achieve:

  • Clarity
  • Accessibility
  • A definitive record and a definitive analysis (i.e. avoiding duplicate records and analyses)
  • Accuracy (i.e. avoiding inconsistencies)

Where did this principle originate?

The field of quality has a long and laudable history of adapting successful practices from other industries and companies and promoting their spread.

The most celebrated example is the adoption of improved production processes from Japanese automakers after American automakers fell into universally poor quality in the decades after World War II.

Another example is the spread of checklists from aviation into surgery and other medical procedures. These checklists helped to reduce the frequency of “never events” (so called because they are completely unacceptable) such as leaving instruments inside a person or operating on the wrong body part.

SSOT’s origin is in enterprise software. Large companies especially deal with copious data from multiple siloed sources. They manage multiple computerized systems with software from various vendors. This leads to inefficiencies, redundancies, inconsistencies and the like between systems and individual data points.

A classic example is when the sales team uses one set of software and supply chain/order fulfillment uses another. When the two systems do not communicate with each other, and multiple workarounds are implemented to bypass this for routine work, the system can break down and cause a large order or non-routine work to be botched.

In recent years vendors have promoted solutions to fix this issue with (you guessed it) more software. These systems, one level above the rest in data abstraction, promise to aggregate all relevant computerized data in one single reference point. This solution sometimes works and sometimes amounts to an expensive extra layer of data and computerized workflows.

In this article I will explain how QA professionals in biotech can adopt the SSOT principle in their work. I do not necessarily promote the cloud computing solutions proffered on the market. I endorse continuing the spirit of adopting successful practices from other industries. I would like you to picture not just a software that further aggregates data, but the broader application of the SSOT principle. Think of examples in your company where a single definitive record would solve problems. I will provide several below.

SSOT is a data integrity principle

Data integrity is the overall accuracy, consistency and completeness of data. Data integrity also refers to the safety of data with respect to regulatory compliance, such as GMP compliance.

This data should be attributable, legible, contemporaneously recorded, original or a true copy, and accurate (ALCOA).

You won’t find SSOT referenced in any regulation. But language on data integrity requirements regarding “original or true copies” is found in 21 CFR Part 211:

“Records required under this part may be retained either as original records or as true copies such as photocopies, microfilm, microfiche, or other accurate reproductions of the original records.”

21 Code of Federal Regulations Part 211.194 Laboratory records also states:

“Laboratory records shall include complete data derived from all tests necessary to assure compliance with established specifications and standards, including examinations and assays” 


“A statement of each method used in the testing of the sample. The statement shall indicate the location of data that establish that the methods used in the testing of the sample meet proper standards of accuracy and reliability as applied to the product tested.”

The requirement on accuracy is found in:


“Appropriate controls shall be exercised over computer or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel. Input to and output from the computer or related system of formulas or other records or data shall be checked for accuracy. The degree and frequency of input/output verification shall be based on the complexity and reliability of the computer or related system. A backup file of data entered into the computer or related system shall be maintained except where certain data, such as calculations performed in connection with laboratory analysis, are eliminated by computerization or other automated processes. In such instances a written record of the program shall be maintained along with appropriate validation data. Hard copy or alternative systems, such as duplicates, tapes, or microfilm, designed to assure that backup data are exact and complete and that it is secure from alteration, inadvertent erasures, or loss shall be maintained.”


“Batch production and control records shall be prepared for each batch of drug product produced and shall include complete information relating to the production and control of each batch. These records shall include an accurate reproduction of the appropriate master production or control record, checked for accuracy, dated, and signed.”

Side note: What is a principle?

QA is a technical field but it is nonetheless guided by principles. With the right set of principles, you can develop the specific practices (or tools or techniques) to fit any situation.

To go back a step further, principles flow from values. In biotech our values might include the promotion of human health through safe and effective devices and drugs. Principles that flow from this value might include, “All data we produce or make decisions on should be accurate and complete.” And a technique or requirement that flows from this principle might include, “All study-related raw data will be automatically stored in a central, read-only repository with full audit trail capability.”

SSOT is a principle because it guides our behavior without specifying the practices we need to do to accomplish a goal. If you understand SSOT, you will be able to apply it flexibly in your audits/inspections, SOPs and validations.

Simple examples

A problem with a hard-to-see asset tag

During routine lab activities an analyst must frequently document the asset number and calibration due date for various equipment such as vortexers, incubators and spectrophotometers.

If the asset tag and calibration sticker are located on the back of the equipment in a hard-to-see place, the analyst may invent a workaround and write this info on a piece of lab tape with a marker and place this on the front of the equipment where it is easier referenced, saving several moments of searching each time this info must be recorded.

To the analyst, this is a good example of problem solving and efficiency. But it compromises the equipment data recorded on the form. Suppose the true asset tag were replaced but the improvised sticky note containing old information continued to be used to record the equipment identity.

A solution to a hard-to-see asset tag

The SSOT perspective tells us that the improvised sticker is an unreliable copy. The true source of the equipment info is a little hard to define. In this case, reliability exists along a continuum.

The least reliable source is the asset tag and calibration sticker. These may be placed by a single equipment/calibration coordinator without a verifier. They may be misplaced, handwritten, difficult to read, etc. The calibration sticker might have been placed by an outside vendor in an inconsistent format across equipment.

The next most reliable source may be the equipment database. An Excel spreadsheet is unreliable. An actual database in Access might be better because of the ability to pull reports. A piece of software such as Qualcy Calibration/PM Software will provide much greater functionality and accuracy.

But even these databases must be fed with data, often transcribed, from the calibration certificate, equipment validation record, and asset number log. This leaves open the question of what the single source of truth is.

To address all these difficulties, apply the SSOT principle: The calibration coordinator must place the equipment tags in an easy-to-see place for the analyst to reference. The coordinator should convert the outside vendor’s calibration sticker into an internally developed sticker that is consistent across equipment with respect to date format, placement, and required fields. Transcription from certificates, manuals and validations into the equipment database should be verified and reviewed wherever possible. And the analyst’s SOPs and forms should clearly indicate where they get required equipment information, and who to notify when it appears to be missing.

The problem of duplicate entries

In the various spreadsheets and databases of biotech quality assurance, duplicate entries are a classic problem. 

A solution to duplicate entries

A database can get around this problem by assigning each row or column a Primary Key number, which is a unique identifier referring to all the information in that row or column. 

A lot number assignment problem

Laboratory staff must often assign lot numbers for in-process components or for a testing procedure. Lot numbers are often assigned in a way that encodes the date of the procedure. If several people are at work at once, they risk duplicating the lot number.

A lot number assignment solution

Apply the SSOT principle to establish a definitive record of lot number assignment. SOPs should define in detail how lot numbers are assigned and explain any prohibited practices.

You may choose to establish a single paper logbook, centrally located, for assigning lot numbers. This avoids the problem of two remote users trying to create a new record at once and duplicating the new lot number entry.

You may detail procedural controls: the operator or analyst must assign the lot before beginning work, not during or after producing a component successfully. They assign this lot number before entering the lab and beginning work, not “when they have a moment.”

You may establish a QA-issued lot number assignment log. All lots are issued by QA, handwritten or printed on a QA-issued batch record. Controlled work may only be conducted on these forms. The forms will be clearly marked when they are QA-issued so that analysts will easily notice when they are using a form that was not issued appropriately.

More complex examples of the problem

Problem of a complicated but critical spreadsheet

Supplier qualification produces voluminous records. As your quality system grows, you may have implemented a spreadsheet as a quick fix to track the file location and contents for each supplier. 

As this system grows, the spreadsheet will inevitably become more unstable and inaccurate, especially if it was never validated for this purpose.

One of the most important bits of information in this supplier information repository is the status of the supplier: is it low-risk, medium-risk, or high-risk, and is it approved? If this information exists in a spreadsheet accessed by any staff member who may submit a purchase order, by purchasing, by quality, and others, then the risk of inadvertent changes to these supplier status cells is too great to leave to chance.

A solution to a complicated but critical spreadsheet

You may consider clearly defining the spreadsheet as a document that only references the actual supplier qualification record. You may insist in your procedural controls that staff reference only the original records when purchasing a component from a supplier.

But even with these controls, people will naturally use the accessible and easy to use spreadsheet instead of pulling up scanned or archived records containing the original supplier designations.

To address this, apply the SSOT principle and provide easy access to the supplier qualification records and the true, current supplier status. Ensure that anyone who orders can see these records without hassle. When a supplier’s status is changed, the previous records should be clearly marked so or obsolesced. Detail in an SOP that the reviewer of the purchase order will verify the supplier status before signing off. Validate the spreadsheet or supplier management software and audit it regularly (perhaps once a year) for accuracy against the supplier records. Ensure that no one feels compelled to use a second-hand file when ordering raw materials.

The problem of paper copies

Biotech and research are paper-dominated industries. We are far from replacing handwritten records, although we are getting there slowly. Consequently every firm must decide how to treat copies of paper records.

For example, how does one mark a copy as a copy? What does “exact copy” or “working copy” mean? Can you write on the copy? Can you retain a contaminated original in the lab and continue working on a copy outside the lab for review and approval? Is there a record of how many copies were made? If a significant change was made to the original, is there a way to track down all the copies and make sure the change is reflected in each one of them, or that they are replaced with the current, updated copies? For which purpose should I look into the original data set and which process can safely use data from the copy?

A solution to paper copies

Apply the SSOT principle to insist that the original be used wherever possible.

Implement procedural controls such as the following by detailing them in your SOP that covers good documentation practices:

  • Copies will only be clearly marked as such by the person who made the copy.
  • All copies will be made in a certain color paper that is unmistakable (pink or green for example).
  • All copies will have an expiration date.
  • Beyond this expiration date, the copy must be shredded.
  • Copies can be used only for analysis and are not considered raw data for scientific, quality or business decisions.

Prohibit copies from being filed in additional physical folders when a reference to the original would suffice.

Ensure that each original record pertaining to a quality subsystem (e.g. CAPA, nonconformance, validations, internal audits) has a numbering system that allows for a unique identifier, which allows easy and unambiguous reference. 

Ensure that the record can be pulled up easily in a repository of scans by those who may need to reference them. Ensure that all scans have a watermark superimposed on them to clearly indicate they are not originals.

The problem of multiple document control statuses

Your company has two separate document control systems, one for controlled procedures and one for pilot procedures. Which is the one for released products? Are they totally segregated? Do they feed into each other regularly or with specific exceptions? Do pilot documents sometimes accidentally get used as controlled documents, and vice versa?

A solution to multiple document control statuses

A biotech company must segregate design and development work from controlled production. Design and development benefit from having more flexible procedures. But the experimental components must not mix inadvertently with the controlled outputs. One way to do this is to unambiguously separate them and implement procedural controls to prevent this. 

Components generated under pilot status must be marked unambiguously. The documents used in these procedures must be clearly marked as pilot procedures. These designations must carry through to any components generated using these pilot components as starting materials.

A problem of inaccessible records

Quality system records such as nonconformance reports, planned deviations and CAPAs are locked in a repository that only QA has access to. Production and research staff need the specifics in these folders in order to do their job (for example, to carry out the planned deviation or to understand the corrective action prescribed after a nonconformance). If the finalized document is in a physical folder on someone’s desk or in archives, and laboratory staff is working off of a Word draft or a copy of the in-process record from before it was finalized, then they may be using incorrect or incomplete information.

You may even have the problem of individual staff running their own version of archives right in their office. This is unacceptable, but it happens. An individual finds they are working on so many files so frequently, that they no longer abide by the archival procedure and they set up their own cabinet brimming with records. People who need access to originals find they must search through the controlled archives and also message scattershot an array of individuals who also might have the file.

A solution to inaccessible records

Apply an SSOT approach. Staff need access to the finalized folder or an accurate, current version of it. They should not rely on drafts and incomplete versions of the plan when doing their work. They could access this in a network repository where the scan of the finalized record is housed. They could reference only the original record, if the building is small and the record can be physically brought into the lab.

Ideally, you will migrate your quality system procedures into a third party software or one that was developed in-house. This software will make these procedural controls inherent in the design. For example, instead of relying on a user to remember to copy stamp a sheet of paper, the software will imprint the sheet with a copy watermark and a printed expiration date.

Software will not fix all problems and it may create new ones. For example, if your document software comes with a limited set of licences, and staff cannot access the forms they need at the right time, they may resort to hoarding of forms or accessing unfinished copies that are not as reliable. This brings you back to the original problem.

There is a continuum of truth and reliability

Often you must proceed with imperfect data to avoid not proceeding at all. In these instances you should assess where along the reliability continuum your information lies.

Suppose your company produces vast quantities of data in support of regulatory approval for a medical device. To finalize your application for approval, you must assemble data from many sources of varying reliability.

At the bottom of the reliability continuum is information floating around in email, Microsoft Teams messages and Slack. Next up is various spreadsheets, PDFs and statistical software containing analyses. Next up is memos and internal reports generated without a formal review process. Next is reports from outside labs (which must be interpreted within their predefined scope). At the highest level of reliability are reports and other documents generated internally according to a written procedure for review and approval.

What does ISO 13485 say about SSOT?

The international standard ISO 13485 (2016 revision) on quality management systems for medical device makers states that:

  • The company will ensure that relevant versions of applicable documents are available at points of use.
  • The organization shall document procedures to define the controls needed for the identification, storage, security and integrity, retrieval, retention time and disposition of records
  • Records shall remain legible, readily identifiable and retrievable. Changes to a record shall remain identifiable

Think about how you can meet these requirements using an SSOT approach. The concepts of a definitive record, an SSOT, and document control are closely intertwined and they feed off each other in the upward spiral of quality.

Example from a regulation

FDA’s GMP regulations state:

  • Each manufacturer shall establish and maintain a DHF for each type of device. The DHF shall contain or reference the records necessary to demonstrate that the design was developed in accordance with the approved design plan and the requirements of this part.
  • Each manufacturer shall maintain a quality system record (QSR). The QSR shall include, or refer to the location of, procedures and the documentation of activities required by this part.
  • The equipment identification, calibration dates, the individual performing each calibration, and the next calibration date shall be documented. These records shall be displayed on or near each piece of equipment or shall be readily available to the personnel using such equipment and to the individuals responsible for calibrating the equipment.

As you can see, the required documents such as the device history file can reference the original without having to contain a copy in the file.

Calibration records must be “readily available” to users. “Readily available” is an extension of the ALCOA principles cited above and sometimes stated as ALCOA+: “complete, consistent, enduring and available.” These last four principles extend beyond the immediate recording and disposition of data and indicate it must be available for inspection over the lifetime of the record.

Example from an FDA warning letter

In this warning letter to a large American device maker, the FDA cited the following:

“Your firm failed to follow its CAPA procedures when evaluating a third party report, in that your firm released a product risk assessment, an updated risk assessment and its corresponding corrective action, before approving the CAPA request for this issue. Your firm conducted a risk assessment and a corrective action outside of your CAPA system. Your firm did not confirm all required corrective and preventive actions were completed, including a full root cause investigation and the identification of actions to correct and prevent recurrence of potential cybersecurity vulnerabilities, as required by your CAPA procedures. Additionally, your firm did not confirm that verification or validation activities for the corrective actions had been completed, to ensure the corrective actions were effective and did not adversely affect the finished device.”

In this case, the company perhaps paid big bucks to a third party to conduct a risk assessment in response to a CAPA. When the risk assessment was completed, the company failed to fold it into the quality system. Perhaps it was locked in a lengthy report in unwieldy PDF format. 

To meet the requirements of 21 CFR 820.100(a), and their own CAPA procedures, the company should have conducted this CAPA within the quality system in a closed-loop manner and not allowed the outside risk assessment to sit there independently and feed into product release decisions independently of the CAPA system.

Last word

The single source of truth is a principle from enterprise software that applies to biotech quality assurance. Apply this principle in biotech QA to ensure your people act confidently from a single, agreed-upon source of information.


From other industries

This fascinating article explains why Google stores billions of lines of code in a single repository.

From the medical device industry

This article from a Greenlight Guru leader extolls following SSOT principles for medical device CAPA systems and promotes their software for doing so. One reason among several cited is that a CAPA seldom affects only one quality subsystem.

About the photo

My birding friend and I visited Mirror Lake in the Mount Hood National Forest in Oregon. Gray jays are bold and inquisitive. They approached us and ate our peanuts as we snacked next to this frozen alpine lake.