ALCOA & ALCOA+ Principles: The Complete Guide to Pharma Data Integrity

Data integrity is one of the most scrutinized areas in pharmaceutical and life science regulation. At the heart of every global data integrity framework – from the FDA’s guidance documents to MHRA and WHO guidelines — sit the ALCOA principles.

This guide covers everything you need to know: what ALCOA stands for, how ALCOA+ and ALCOA++ extend the framework, what each principle means in practice with real-world examples, how ALCOA maps to regulatory requirements, and how software can automate compliance across your lab.

What Is ALCOA? Definition and Origin

ALCOA is an acronym that defines the minimum standards data must meet to be considered trustworthy and compliant in a regulated environment. It stands for:

• Attributable – data can be traced to the person who generated it
• Legible – data is readable, permanent, and clear
• Contemporaneous – data is recorded at the time it is generated
• Original – data is the first recorded observation, or a certified true copy
• Accurate – data is correct, truthful, and free from errors

The ALCOA framework was originally developed by the US Food and Drug Administration (FDA) in the 1990s as part of good manufacturing practice (GMP) and good laboratory practice (GLP) guidance. It was formally introduced to provide a consistent standard for evaluating the quality and integrity of records during inspections and audits.

Since then, ALCOA has been adopted by virtually every major regulatory body worldwide, including the European Medicines Agency (EMA), the Medicines and Healthcare products Regulatory Agency (MHRA), the World Health Organization (WHO), and the Pharmaceutical Inspection Co-operation Scheme (PIC/S). It is referenced in FDA 21 CFR Part 11, EU Annex 11, and GAMP 5 guidance documents.

Breaking Down Each ALCOA Principle – With Examples

Understanding what each ALCOA principle means in practice is essential for building compliant laboratory workflows. Below is a detailed explanation of each, with real-world examples from pharmaceutical and life science settings.

Attributable

Every piece of data must be traceable to the specific individual who generated, collected, or reviewed it – and to the instrument or system used. This means data must not be anonymous, and shared logins are a violation of this principle.

Example: A QC analyst runs a HPLC analysis. The software automatically logs the analyst’s unique username, the date and time of the run, and the instrument ID. If the data were generated using a shared ‘lab’ login with no individual attribution, it would fail this principle.

Common violation: Multiple analysts sharing a single software login, or paper records with no signature identifying who made the entry.

Legible

Data must be readable for the entire period it is required to be retained. This applies to both electronic and paper records. Handwritten entries made in pencil, or electronic data saved in a proprietary format that cannot be read after the software is retired, both fail this principle.

Example: A lab notebook entry made in permanent ink, dated and signed, with any corrections made by a single strikethrough (preserving the original) and initialed. Alternatively, electronic records stored in a validated, open format with long-term readability guaranteed.

Common violation: Using correction fluid (Tipp-Ex) on paper records, saving data in formats tied to software that is no longer supported, or records that fade or become illegible over time.

Contemporaneous

Data must be recorded at the time the activity occurs – not reconstructed from memory afterwards. This is one of the most frequently cited violations in FDA warning letters and audit findings.

Example: A microbiologist performs a colony count and records the result immediately in the laboratory management system, noting the exact time of the reading. Recording results on a scrap of paper ‘to fill in later’ is a violation, even if the final entry is accurate.

Common violation: Backdating entries, completing paper records at the end of a shift rather than at the point of activity, or using pre-recorded timestamps.

Original

The first capture of data — whether on paper or electronically — is the original record. Copies may be made, but they must be certified true copies that faithfully reproduce the original, including any errors or annotations. The original must be retained and traceable.

Example: A raw chromatography data file exported directly from an instrument constitutes the original record. A PDF summary exported from analysis software is a derived record, not the original. Regulatory inspectors will often request the original raw data file.

Common violation: Deleting or overwriting raw instrument data files after exporting to a secondary format, or treating a printout as the primary record when the electronic original still exists.

Accurate

Data must be a truthful representation of the observation made. This means no rounding that changes the meaning of a result, no selective reporting, and no manipulation of data to achieve a desired outcome.

Example: A western blot quantification result of 0.847 is recorded as 0.847 — not rounded to 0.85 or 1.0 for convenience. Similarly, a failed experiment must be recorded as failed, not omitted from records.

Common violation: Manually adjusting integration parameters on chromatography data to move a result inside a specification limit, or omitting out-of-specification (OOS) results from reports.

What Is ALCOA+? The Additional CCEA Principles

ALCOA+ (pronounced ‘ALCOA plus’) extends the original framework with four additional principles, first formalized in guidance from the MHRA (2018) and subsequently referenced in FDA and WHO data integrity guidance. The four additional principles are:

• Complete — all data is recorded, with no omissions
• Consistent — data and records follow a consistent process and are internally coherent
• Enduring — data is retained for as long as required by regulation
• Available — data can be retrieved promptly for review, audit, or inspection

Together these are often referred to as ALCOA+CCEA. The addition of these four principles reflects the regulatory community’s recognition that ALCOA alone — while necessary — was not sufficient to address all data integrity challenges, particularly in increasingly electronic and hybrid (paper and electronic) laboratory environments.

Complete

No data should be omitted from records, whether intentional or accidental. This includes failed runs, out-of-specification results, and any data that was generated as part of an investigation — even if ultimately not used in the final analysis.

Example: A dissolution test generates six individual vessel results. All six must be recorded, even if one appears anomalous. Selectively recording only the five ‘good’ results would be a completeness violation.

Consistent

Records should be internally coherent and follow a standardized process. Dates, times, and sequences must make logical sense. A record that shows a sample was analyzed before it was received, or a result entered before the analysis was performed, fails this principle.

Example: Audit trail timestamps should follow a logical sequence: sample receipt → sample preparation → analysis → review → approval. Any inconsistency in this sequence will raise red flags during inspection.

Enduring

Data must be stored in a durable format that ensures it remains readable for the full required retention period — typically at least 5 years for GLP studies, 15 years for clinical trial data, and often longer for marketed products.

Example: Electronic records stored on a validated server with redundant backups, access controls, and a documented retention schedule. Records stored only on a personal laptop with no backup would fail this principle.

Available

Authorised personnel must be able to retrieve data promptly when requested — whether for a routine internal audit, an FDA inspection, or an external regulatory review. Data that is technically retained but practically inaccessible does not satisfy this principle.

Example: An FDA inspector requests all raw data for a specific batch analysis. The data management system can retrieve all relevant records within minutes, with a full audit trail. Data buried in offline archive tapes with no documented retrieval process would fail this principle.

ALCOA vs ALCOA+ vs ALCOA++ – What Is the Difference?

A common source of confusion in the industry is the relationship between ALCOA, ALCOA+, and ALCOA++ (sometimes written as ALCOA++). Here is a clear comparison:

In practice, most regulatory guidance documents and GxP frameworks reference ALCOA+ as the current standard. ALCOA++ is used in some industry contexts to emphasize the traceability requirement explicitly, but it is not a separate formal regulatory standard.

When in doubt, ALCOA+ is the framework to align your quality management system with.

ALCOA Principles and Regulatory Guidance

The ALCOA and ALCOA+ principles underpin data integrity requirements across all major pharmaceutical regulatory frameworks:

• FDA 21 CFR Part 11 — Governs electronic records and electronic signatures in the United States. Requires audit trails, access controls, and secure record retention that directly implement ALCOA+ principles.
• EMA/EU Annex 11 — The European equivalent of 21 CFR Part 11, covering computerized systems used in GxP environments. References ALCOA principles explicitly as the standard for data quality.
• MHRA Data Integrity Guidance (2018) — One of the most detailed regulatory documents on data integrity, which formalized ALCOA+ as the current industry standard and provided extensive guidance on common violations.
• WHO Technical Report Series No. 996 (2016) — WHO guidance on data integrity for pharmaceutical manufacturers, adopting ALCOA+ as the global benchmark.
• PIC/S PI 041 (2021) — The Pharmaceutical Inspection Co-operation Scheme guidance, directly referencing ALCOA+ as the data integrity standard for GMP inspections.

Failure to comply with ALCOA+ principles is one of the most common reasons for FDA warning letters, EU GMP non-compliance findings, and clinical trial data rejections. Between 2012 and 2022, the FDA issued over 50 warning letters specifically citing data integrity violations — the majority of which related to failures of the Attributable, Contemporaneous, and Original principles.

Common ALCOA Violations and How to Avoid Them

Understanding where data integrity failures most commonly occur helps laboratories build controls that prevent them. The following violations are most frequently cited in FDA warning letters and regulatory audit findings:

Shared login credentials

When multiple users share a single system login, data cannot be attributed to a specific individual – an immediate ALCOA violation. This is particularly common with legacy laboratory instruments that were not designed with individual user authentication.

Solution: Implement individual user accounts for every member of staff who accesses regulated systems. Software such as AuditSafe can wrap legacy instruments and software in a compliant authentication layer without requiring complete hardware replacement.

Backdating and pre-dating records

Manually entering a date or time that is different from when the activity actually occurred – whether to correct an earlier omission or to pass an audit – violates the Contemporaneous and Accurate principles simultaneously.

Solution: Use systems that automatically capture timestamps at the point of data entry and prevent manual overwriting of date/time fields (such as AuditSafe). A tamper-evident audit trail makes any attempt at backdating detectable.

Deletion or overwriting of raw data

Deleting instrument output files, overwriting original chromatography data, or saving only processed results without retaining the raw data violates the Original and Complete principles. This is one of the most serious data integrity violations and can result in criminal liability.

Solution: Implement a data management system where original records are written to a protected location that cannot be modified or deleted by regular users. All subsequent processing should operate on copies, with the original preserved.

Selective recording of results

Recording only ‘passing’ results while omitting out-of-specification or unexpected findings violates the Complete and Accurate principles. This includes the practice of ‘testing into compliance’ — running a test multiple times and only recording the result that passes.

Solution: Enforce a workflow where all data generated during an experiment is automatically captured and archived before any analysis can proceed. No result should be suppressible by an analyst without a documented, approved deviation record.

Unintelligible or degraded records

Paper records written in pencil, records stored in obsolete file formats, or electronic data held on degrading media that can no longer be read – all violate the Legible and Enduring principles.

Solution: Establish a data lifecycle policy that defines retention periods, acceptable formats, and migration procedures when technology changes. Store records in validated, long-term formats with periodic readability testing.

How to Implement ALCOA+ in Your Lab

Implementing ALCOA+ requires both organizational and technical measures. No single software solution can achieve full compliance without the right procedures and culture in place — but the right technology makes implementation significantly more straightforward.

1. Conduct a data integrity gap assessment

Before implementing any changes, map your current data flows from instrument to report. For each step, ask: Is the data attributable to a specific person? Is it recorded contemporaneously? Is the original preserved? This will surface your highest-risk gaps.

2. Implement individual user authentication everywhere

Every system that generates, processes, or stores regulated data must require individual user login. This includes laboratory instruments, analysis software, LIMS, and document management systems. Shared logins must be eliminated.

3. Enable automatic audit trails

Audit trails should capture who accessed the system, what actions were taken, when, and from where — automatically and without the ability for regular users to disable or modify them. Retrospective audit trail creation is not compliant.

4. Establish a data lifecycle policy

Document how long each type of record must be retained, in what format, where it is stored, who can access it, and how it will be migrated if the storage technology changes. This policy is often requested directly during regulatory inspections.

5. Train staff on ALCOA+ principles

Data integrity is ultimately a cultural issue as much as a technical one. Regular training that explains not just what the rules are, but why they exist and what the consequences of non-compliance can be, is essential for sustained compliance.

6. Validate your systems

Any computerized system used in a GxP environment must be validated to demonstrate that it consistently performs as intended. This includes Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ) documentation. Retain all validation records.

How AuditSafe Automates ALCOA+ Compliance

---

AuditSafe is TotalLab’s universal compliance software, designed to make any existing laboratory instrument or software 21 CFR Part 11 and GMP/ALCOA+ compliant – without replacing your existing hardware.

---

One of the most significant challenges in ALCOA+ compliance is that many laboratories operate legacy instruments and analysis software that were not designed with compliance in mind. AuditSafe solves this by acting as a compliant wrapper around any existing system — closing the gap between data creation, analysis, and archiving.

Here is how AuditSafe addresses each ALCOA+ principle:

AuditSafe supports Windows Active Directory logins, networked folder integration, automatic backup systems, and Docker deployment. It has been developed in close collaboration with the world’s largest pharmaceutical manufacturers over more than a decade, meeting and typically exceeding their internal User Requirement Specifications (URS) for compliance.

For laboratories that need to comply with FDA 21 CFR Part 11, EU Annex 11, GAMP 5, or GMP/GxP requirements, AuditSafe provides a single, harmonized compliance layer across all of your existing systems – reducing training burden, eliminating inter-system gaps, and dramatically lowering the cost of compliance compared to replacing each instrument’s software individually.

---

Ready to automate ALCOA+ compliance in your lab? Book a 30-minute AuditSafe demo with our team — or download the free ALCOA+ compliance checklist to assess your current status.

Frequently Asked Questions

What does ALCOA stand for?

ALCOA stands for Attributable, Legible, Contemporaneous, Original, and Accurate. It is the foundational data integrity framework used in pharmaceutical, biotech, and life science regulated environments worldwide.

What is the difference between ALCOA and ALCOA+?

ALCOA defines five core data integrity principles. ALCOA+ extends this to nine principles by adding Complete, Consistent, Enduring, and Available. Most current regulatory guidance — including MHRA, WHO, and FDA documents — references ALCOA+ as the current standard.

What does ALCOA+ stand for in pharma?

In pharmaceutical and regulated life science settings, ALCOA+ refers to the nine-principle data integrity framework: Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, and Available. It is the standard against which data practices are assessed during GMP inspections and regulatory audits.

What is ALCOA++ and how does it differ from ALCOA+?

ALCOA++ adds a tenth principle — Traceable — to ALCOA+, placing explicit emphasis on the requirement for a full, unbroken audit trail from raw data creation to final report. ALCOA++ is used in some industry and academic contexts but is not itself a formal regulatory standard. ALCOA+ remains the primary regulatory benchmark.

What does ‘contemporaneous’ mean in the context of ALCOA?

Contemporaneous means that data is recorded at the same time the activity occurs — not reconstructed from memory or notes at a later point. It is one of the most commonly violated ALCOA principles and one of the most frequently cited in FDA warning letters.

Is ALCOA a legal requirement?

ALCOA and ALCOA+ are not directly cited as law, but they are embedded in binding regulatory guidance and GMP requirements enforced by the FDA, EMA, MHRA, and other regulators. Non-compliance with ALCOA+ principles constitutes non-compliance with GMP, which can result in warning letters, import bans, product recalls, and criminal prosecution.

How can software help with ALCOA+ compliance?

Compliance software such as AuditSafe automates many of the technical requirements of ALCOA+ – individual user attribution, automatic timestamping, tamper-evident audit trails, secure data storage, and access controls. This reduces the compliance burden on staff and makes violations both less likely to occur and more immediately detectable when they do.