Data Integrity

Data Integrity in Pharmaceutical Manufacturing: ALCOA+ and Regulatory Requirements

10 min read By Ahmad Al-Sharif, Senior CSV Consultant

Data integrity failures have become one of the leading causes of FDA Warning Letters and EU GMP non-compliance findings over the past decade. Regulators have made clear that incomplete, altered, or missing records - whether in electronic systems or on paper - represent a fundamental failure of GMP, not merely an administrative oversight.

This guide explains what pharmaceutical data integrity requires, how ALCOA+ forms its conceptual foundation, what regulators specifically look for during inspections, and how to build a programme that will hold up under scrutiny.

ALCOA+: The Foundation of Data Integrity

ALCOA is a mnemonic for the five core attributes of data integrity in pharmaceutical manufacturing. The "+" extends the original five to include four additional attributes adopted by regulators in subsequent guidance:

  • Attributable - data must be traceable to the person or system that created it. Anonymous data entries, shared login credentials, and generic system accounts all violate this principle.
  • Legible - data must be readable and permanent. Pencilled entries, overwritten text, and faded print fail legibility requirements.
  • Contemporaneous - data must be recorded at the time the activity occurs, not retroactively. Backdated entries are one of the most commonly cited data integrity violations.
  • Original - the first capture of data is the original record. Transcription without retention of the original, or destruction of paper records after scanning, can violate this principle if not properly controlled.
  • Accurate - data must reflect what actually occurred. Rounding results, excluding out-of-specification values, or recording target values instead of actual measurements are accuracy violations.

The "+" adds:

  • Complete - all data must be present, including failed runs, out-of-specification results, and cancelled batch records.
  • Consistent - data must be consistent across related records (e.g. a batch record temperature matches the chart recorder output for the same time period).
  • Enduring - records must be retained for the required retention period and remain readable throughout that period.
  • Available - records must be accessible for review during their retention period, by the company and by regulators.

What FDA and EU GMP Expect

The FDA published its Data Integrity and Compliance guidance in 2018, and the EMA published the EU GMP Chapter 4 and Annex 11 revisions that together address data integrity for both paper and electronic records. Both regulatory bodies expect:

  • Audit trails that are enabled and reviewed. Electronic systems must generate automatic audit trails for all GxP data entries, changes, and deletions. These audit trails must be reviewed as part of routine operations - not only when a problem is suspected.
  • Access control systems. System access must be restricted so that users can only perform functions appropriate to their role. Shared passwords, administrator access for routine operations, and undocumented super-user accounts are all findings.
  • Complete records of all testing. Out-of-specification results, invalidated tests, and failed runs must all be documented. Regulators look specifically for evidence of "testing into compliance" - running tests repeatedly and only recording the passing result.
  • Blank forms not available to operators. Pre-printed or pre-completed forms left in production areas create risk of backdating. Controlled forms must be issued against specific batch records.

Most Common Data Integrity Violations

Based on FDA Warning Letter data and EMA inspection findings, the most frequent data integrity violations are:

  1. Audit trail not enabled, reviewed, or protected - by far the most common finding in computerised systems
  2. Shared user accounts - multiple operators using a single login, destroying attributability
  3. Backdated entries - recording results, observations, or completion entries after the fact
  4. Selective data deletion - deleting "failed" injections from HPLC systems before the sequence completes
  5. Paper records completed in advance - filling in expected values before performing an operation
  6. Unofficial data storage - saving instrument data to USB drives or local folders not under the quality system

Regulatory stance: The FDA has stated explicitly that data integrity violations can result in import alerts, consent decrees, and criminal referrals - not just warning letters. The agency treats deliberate data falsification differently from systemic control failures, but both trigger enforcement action.

Building a Data Integrity Programme

A robust pharmaceutical data integrity programme has four components:

  • Data governance policy - a policy document establishing the company's commitment to data integrity, defining roles and responsibilities, and setting expectations for all data-generating activities
  • Data flow mapping - systematic documentation of where GxP data is created, how it flows through systems, how it is stored, and who has access
  • Risk-based controls - technical controls (audit trails, access management, validated systems) combined with procedural controls (two-person verification, periodic data reviews) proportionate to the risk of each data activity
  • Training and culture - data integrity training for all personnel who generate or review GxP data, combined with management commitment to a culture where reporting data integrity concerns is encouraged and protected

Free Data Integrity Self-Assessment Checklist

Download our 45-point data integrity audit checklist covering ALCOA+ controls, audit trail configuration, access management, and paper record compliance.

Download Free Checklist →
Data Integrity ALCOA+ FDA EU GMP Audit Trail Electronic Records
A

Ahmad Al-Sharif

Senior CSV Consultant · 12 years in pharmaceutical validation

Ahmad leads PHARPRO's CSV and digital validation practice. He has delivered validation projects across Jordan, UAE, Saudi Arabia, and Europe - covering FDA 21 CFR Part 11, EU GMP Annex 11, and ISPE GAMP 5 frameworks.

Frequently asked questions

Data integrity applies equally to paper and electronic records. ALCOA+ principles are regulatory expectations regardless of the medium. Paper records must be attributable (signed), contemporaneous (dated at the time of activity), legible, original (not transcribed without controls), and accurate. Many data integrity findings involve paper records - pre-printed forms, pencilled entries, and corrective fluid use are all paper data integrity issues.
Based on published Warning Letters, the most common finding is audit trail deficiencies in computerised systems - specifically: audit trails not enabled, not reviewed as part of routine batch release, or configured in a way that allows users to delete or overwrite audit trail entries. The second most common finding is shared user accounts.
A data integrity audit is a focused review of your data governance controls, computer system configurations, and record management practices against ALCOA+ principles and applicable regulatory guidance. It typically includes review of audit trail settings and completeness, access control configurations, data backup validation, training records for data integrity, and physical observation of data recording practices in the laboratory and production areas.
21 CFR Part 11 is the FDA's regulation governing electronic records and electronic signatures - it establishes the technical and procedural controls required for electronic records to be considered equivalent to paper records. Data integrity is the broader concept (applicable to both paper and electronic records), while Part 11 is the specific regulatory mechanism for ensuring electronic records meet ALCOA+ principles. Full Part 11 compliance is a necessary but not sufficient condition for a complete data integrity programme.

Ready to work with PHARPRO?

Get a free assessment of your compliance programme - no obligation.

Request Free Assessment Explore CSV Services
PHARPRO - Expert Pharma Consulting

Data integrity gaps are among the most cited FDA and EU GMP inspection findings. PHARPRO helps pharma teams assess, remediate, and close data integrity deficiencies before they become observations.

QA & Data Integrity Consulting → Free Assessment
Related Insights

Keep reading

More in-depth guides from the PHARPRO compliance team.

FDA 21 CFR Part 11: Data Integrity Requirements
Electronic records, e-signatures, and audit-trail requirements every regulated system must meet.
21 CFR Part 11 Audit Trail: What Your System Must Capture
Which events must be logged, how to configure compliant audit trails, and the most common gaps.
EU GMP Annex 11: A Practical Compliance Checklist
Supplier assessment, validation documentation, audit trails, and data integrity - 2025 edition.
Pharmaceutical Inspection Readiness: A 7-Step Guide
How to prepare your site for an FDA, EU GMP, or national authority inspection.
CAPA Management in Pharmaceutical QA
Root cause analysis, corrective action planning, and effectiveness checks - aligned to FDA and EU GMP.