|

ALCOA+ Principles and Implementation

1. Purpose and Scope

This article defines the principles of ALCOA and ALCOA+ and establishes how they are implemented as enforceable controls within computerized systems and procedures. It focuses on ensuring that GxP data remains reliable, traceable, and suitable for regulatory decision-making throughout its lifecycle.

Scope includes all data generated, processed, reviewed, and retained within GxP systems.

2. ALCOA and ALCOA+ Overview

ALCOA defines the fundamental attributes required for data integrity:

  • Attributable
  • Legible
  • Contemporaneous
  • Original
  • Accurate

ALCOA+ extends these principles with additional expectations:

  • Complete
  • Consistent
  • Enduring
  • Available

These principles are not theoretical. They must be translated into specific system and procedural controls.

3. Attributable

Data must be traceable to the individual who generated or modified it.

  • unique user identification
    • each user is assigned a unique ID
    • shared accounts are not permitted
  • user authentication
    • secure login controls verify user identity
    • actions are linked to authenticated users
  • audit trail linkage
    • all data changes are recorded with user identification
    • traceability is maintained across the data lifecycle
  • electronic signatures
    • actions such as approval and review are attributable to individuals

4. Legible

Data must be readable and understandable throughout its lifecycle.

  • human-readable format
    • records can be displayed in a clear and interpretable format
    • reports accurately reflect underlying data
  • standardized data formats
    • consistent units, formats, and terminology are used
    • ambiguity in interpretation is eliminated
  • preservation of readability
    • data remains readable after archival
    • systems support long-term access without loss of clarity

5. Contemporaneous

Data must be recorded at the time the activity is performed.

  • real-time data capture
    • data is recorded directly into the system at the time of execution
    • backdating or delayed entry is restricted
  • system-generated timestamps
    • date and time are automatically recorded by the system
    • timestamps are secure and cannot be modified
  • controlled manual entry
    • where manual entry is required, procedures define timing expectations
    • justification is required for delayed entry

6. Original

Original data must be preserved and not overwritten.

  • retention of raw data
    • original records are maintained alongside processed results
    • data is not replaced by calculated values
  • protection from overwrite
    • systems prevent deletion or modification of original entries
    • changes are recorded as new entries
  • version control
    • multiple versions of data are tracked
    • history of changes is preserved

7. Accurate

Data must correctly reflect the observed value or result.

  • validated systems and calculations
    • system functions and algorithms are verified
    • calculations produce correct and consistent results
  • data verification and review
    • review processes confirm accuracy of entered and generated data
    • discrepancies are identified and resolved
  • error prevention controls
    • system checks prevent invalid or out-of-range entries
    • controls reduce risk of manual error

8. Complete

All required data must be captured and retained.

  • inclusion of all data
    • no selective recording or omission of results
    • all relevant data points are retained
  • audit trail completeness
    • all changes and actions are recorded
    • no gaps in traceability
  • retention of metadata
    • contextual information such as time, user, and method is preserved

9. Consistent

Data must follow a logical and chronological sequence.

  • chronological order
    • events are recorded in correct time sequence
    • timestamps reflect actual order of activities
  • consistent workflows
    • processes follow defined and controlled steps
    • deviations are documented
  • standardized procedures
    • consistent methods are used across similar activities

10. Enduring

Data must be preserved in a durable and secure manner.

  • secure storage
    • data is protected from loss, corruption, or unauthorized access
    • storage systems are validated
  • archival controls
    • long-term storage maintains data integrity
    • formats remain stable over time
  • protection against degradation
    • controls prevent data loss due to system failure or obsolescence

11. Available

Data must be accessible for review and inspection.

  • timely retrieval
    • data can be retrieved without delay
    • systems support efficient search and access
  • accessibility for inspection
    • records are available in human-readable format
    • supporting metadata and audit trails are accessible
  • continuity of access
    • data remains accessible throughout retention period
    • system changes do not compromise availability

The diagram below maps each ALCOA+ principle to the specific system and procedural controls used to enforce it. It demonstrates how data integrity expectations are implemented through measurable and testable controls within computerized systems.

Vertical mapping of ALCOA plus data integrity principles to corresponding system and procedural controls including user access, audit trails, timestamps, data retention, and retrieval

12. Implementation of ALCOA+ Controls

ALCOA+ principles must be implemented through a combination of system configuration and procedures.

  • system controls
    • access control and authentication
    • audit trails and change tracking
    • electronic signatures
    • data protection and backup
  • procedural controls
    • SOPs governing data entry, review, and approval
    • audit trail review procedures
    • data correction and deviation handling
  • validation linkage
    • verification that ALCOA+ controls function as intended
    • testing of data integrity scenarios during OQ
  • lifecycle integration
    • controls applied at data creation, processing, storage, and archival
    • periodic review ensures continued effectiveness

13. Common Data Integrity Failures

Typical failures include:

  • shared user accounts
  • disabled or incomplete audit trails
  • overwriting or deletion of original data
  • backdated entries
  • lack of audit trail review
  • uncontrolled manual data transcription

These failures indicate breakdown of ALCOA+ controls and must be addressed through remediation.

14. Verification of ALCOA+ Compliance

ALCOA+ compliance must be verified through:

  • validation testing: confirmation that system controls enforce data integrity
  • audit trail review: detection of unauthorized or unexpected changes
  • periodic review: ongoing evaluation of system performance and controls
  • internal audits: independent assessment of data integrity practices

Verification ensures that ALCOA+ principles are not only defined but actively maintained.