ALCOA, ALCOA+, and the Evolution to ALCOA++: The Journey of Data Integrity

The Birth and Fundamental Concepts of ALCOA

ALCOA, a foundational concept in data integrity, was coined in the 1990s by Stan W. Woollen of the U.S. Food and Drug Administration (FDA). This acronym represents the fundamental data quality requirements expected for both paper-based and electronic records. The concept of ALCOA was formally documented in the FDA’s 2018 “Data Integrity and Compliance with Drug CGMP Questions and Answers Guidance for Industry.”

ALCOA represents five attributes:

• A – Attributable: The ability to identify who performed the activity, when, and where the data was generated
• L – Legible: Records must be readable and remain interpretable over the long term
• C – Contemporaneous: Data must be recorded at the time of activity performance or shortly thereafter
• O – Original: The record must be the original or a certified true copy
• A – Accurate: Data must be accurate and correctly reflect the facts

The ALCOA principles primarily focus on “authenticity” (Attributable, Contemporaneous, Original, Accurate) and “legibility” (Legible), with the objective of ensuring the quality of raw data and source documents.

Extension to ALCOA+: The European Medicines Agency’s Contribution

In 2010, the European Medicines Agency (EMA) GCP Inspectors Working Group issued the “Reflection Paper on Expectations for Electronic Source Data and Data Transcribed to Electronic Data Collection Tools in Clinical Trials.” This document clarified expectations for electronic source data in clinical trials and expanded the ALCOA concept to introduce ALCOA+.

ALCOA+ adds the following four attributes to the original ALCOA:

• C – Complete: Data must be fully documented with nothing omitted. All results, both passing and failing, must be preserved
• C – Consistent: Records must be organized chronologically and logically consistent
• E – Enduring: Records must be maintained in a durable format for the period specified by regulatory authorities
• A – Available: Records must be accessible when needed and searchable for audits and inspections

ALCOA+ encompasses the entire data lifecycle, including processed data, whereas the original ALCOA primarily targeted raw data. In particular, “Available” requires that stored electronic records be searchable (including archives) and readable on current systems, while “Enduring” demands monitoring and supervision of the storage state of electronic media and migration to new media within their service life.

ALCOA++: The Addition of Traceability

In 2023, the EMA issued the “Guideline on computerised systems and electronic data in clinical trials,” adding further principles to ALCOA+. Particularly significant is the addition of the tenth principle: Traceable.

Traceable means:

• Data can be tracked throughout its entire lifecycle from creation to destruction
• All changes are recorded in an audit trail, and the original data is not obscured
• The history of changes can be reconstructed
• Who made the change, what was changed, when it occurred, and why it was made are clearly documented

In 2025, a draft revision of EU GMP Chapter 4 was published, legally defining the ten principles of ALCOA++. With this revision, ALCOA++ is evolving from a best practice to a legally binding requirement.

While interpretations of ALCOA++ vary slightly among organizations, it generally includes the following additional attributes:

• Traceable: As described above
• Transparent: Processes related to data are clear, justifiable, and open to scrutiny
• Integral: Data is protected from manipulation and linked to its context
• Risk-based thinking: Management is conducted according to the criticality of the data

The Importance of Security in Data Integrity

Although often overlooked in data integrity discussions, the requirement for Security is critically important. While not explicitly included in the ALCOA+ or ALCOA++ frameworks, regulatory guidance from various countries emphasizes the importance of data security.

Security Requirements from Major Regulatory Authorities

FDA (U.S. Food and Drug Administration) defines comprehensive requirements for electronic records and electronic signatures in 21 CFR Part 11:

• Access controls to systems (unique user IDs, strong passwords)
• Security measures to protect data from unauthorized changes
• Enabling and periodic review of audit trails
• Data backup and disaster recovery plans

MHRA (UK Medicines and Healthcare products Regulatory Agency) in its 2018 “GxP Data Integrity Guidance and Definitions”:

• Data must be securely maintained from creation through disposal after the retention period
• Prohibition of shared logins (each user must have unique access privileges)
• Protection of audit trails including metadata
• Data security responsibilities for IT suppliers and cloud service providers

PIC/S (Pharmaceutical Inspection Convention and Pharmaceutical Inspection Co-operation Scheme) PI 041-1 “Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments” (2021), considered the most comprehensive data integrity guidance for inspectors, requires:

• Detailed implementation of organizational and technical controls
• Periodic review of computerized systems
• Verification of user access rights (confirmation of no shared accounts)

Integration of Security with ALCOA++

In practice, data security is the foundation supporting all ALCOA++ principles:

ALCOA++ Principle	Relationship with Security
Attributable	Unique user IDs and electronic signatures ensure reliable identification of who created or modified data
Legible	Access controls prevent data tampering or corruption by unauthorized users
Contemporaneous	Timestamp protection makes data recording time tamper-proof
Original	Version control and access controls ensure preservation of original data
Accurate	Input controls and validation minimize errors during data entry
Complete	Secure backups prevent data loss
Consistent	Access controls prevent inconsistent changes by different users
Enduring	Secure archive systems guarantee long-term storage
Available	Appropriate access rights management enables necessary personnel to access data when needed
Traceable	Secure audit trails record all change history in a tamper-proof manner

Data Lifecycle Management: Legibility and Preservation

The requirements for “Available” and “Enduring” in ALCOA+ focus on legibility and preservation after record storage. Whether these requirements should be included in the scope of data integrity is debatable. However, in the current regulatory environment, they are recognized as essential elements.

Maintaining Legibility (Legible & Available)

Records must remain readable over long periods:

• Electronic records should be stored in open formats (PDF, XML, SGML, etc.)
• Conversion is necessary to ensure readability on new systems as technology evolves
• Searchability of complete records including metadata must be ensured

Ensuring Preservation (Enduring)

Physical preservation of storage media is also important:

• Regular monitoring and verification of storage media
• Planned migration considering media service life
• Management of environmental conditions (temperature, humidity)
• Redundant backup strategies

Modern Data Integrity Practices

Electronic Record Systems and ALCOA++

Modern electronic systems such as Laboratory Information Management Systems (LIMS), Electronic Lab Notebooks (ELN), and Manufacturing Execution Systems (MES) automatically ensure data integrity by technically implementing ALCOA++ principles:

• Automatic timestamps guarantee contemporaneousness
• Unique user logins ensure attributability
• Immutable audit trails achieve traceability
• Access controls maintain completeness and security
• Validated backups guarantee endurance

Risk-Based Approach

Not all data requires the same level of management. Based on ICH Q9 (Quality Risk Management) principles, management according to data criticality and risk level is recommended:

High-Risk Data:

• Data directly affecting batch release decisions
• Stability study data
• Clinical trial data → Rigorous audit trail review, real-time monitoring

Medium-Risk Data:

• Routine QC test data
• Environmental monitoring data → Periodic audit trail review, sampling-based monitoring

Low-Risk Data:

• Facility management records
• Training records → Risk-based monitoring, annual review

Establishing Data Governance

ALCOA++ practice requires not only technical measures but also an organization-wide data governance framework:

1. Clarification of Data Ownership: Designation of responsible persons for each dataset
2. Development of Standard Operating Procedures (SOPs): Clear procedures for data creation, modification, review, approval, and archiving
3. Continuous Training: Education of all employees on the importance of data integrity
4. Cultivation of Quality Culture: Positioning data integrity as a core organizational value
5. Regular Self-Assessment: Identification of data integrity gaps and implementation of corrective actions

Regulatory Trends and Inspection Patterns

Analysis of Warning Letters

Analysis of FDA warning letters in 2024 shows that approximately 60-80% of warning letters to pharmaceutical manufacturing facilities contain data integrity-related findings. Major observations include:

• Disabled or improperly managed audit trails
• Use of shared login IDs
• Data tampering or destruction
• Incomplete records (unreported failed test results)
• Lack of metadata
• Inadequate backup and recovery processes

International Harmonization

Major regulatory authorities such as FDA, EMA, MHRA, WHO, and PIC/S continue efforts to harmonize data integrity expectations. ALCOA++ is becoming the common foundation for these international guidance documents.

ICH E6(R3): The revision of Good Clinical Practice (GCP) strengthens clinical trial data governance and application of ALCOA principles.

EU GMP Annex 11 (Computerised Systems) and Annex 15 (Qualification and Validation) include requirements reflecting ALCOA++ principles.

WHO TRS 996 Annex 5: Defines data integrity as fundamental to GMP compliance and adopts the ALCOA+ framework.

Conclusion and Future Outlook

Since its inception in the 1990s, ALCOA has evolved through ALCOA+ to ALCOA++, becoming a comprehensive framework for modern complex data environments. However, the requirement for Security, while not explicitly included in these acronyms, is essential as the foundation supporting all ALCOA++ principles.

Data integrity is not merely a compliance requirement but a fundamental responsibility for ensuring patient safety and pharmaceutical quality. Organizations can achieve true data integrity by integrating technical solutions, clear processes, continuous training, and a strong quality culture.

Looking ahead, as new technologies such as artificial intelligence (AI), machine learning (ML), real-world data (RWD), and blockchain are introduced, data integrity principles will continue to evolve. However, the fundamental principles of ALCOA++—attributability, legibility, contemporaneousness, originality, accuracy, completeness, consistency, endurance, availability, traceability, and security—will remain the unchanging foundation of data integrity.

References

1. FDA (2018). “Data Integrity and Compliance with Drug CGMP: Questions and Answers Guidance for Industry”
2. EMA (2010). “Reflection Paper on Expectations for Electronic Source Data and Data Transcribed to Electronic Data Collection Tools in Clinical Trials”
3. EMA (2023). “Guideline on computerised systems and electronic data in clinical trials”
4. MHRA (2018). “GxP Data Integrity Guidance and Definitions, Revision 1”
5. PIC/S (2021). “Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments (PI 041-1)”
6. WHO (2021). “Guidance on Good Data and Record Management Practices (TRS 996, Annex 5)”
7. FDA 21 CFR Part 11: “Electronic Records; Electronic Signatures”
8. EU GMP Annex 11: “Computerised Systems”
9. ICH E6(R3): “Good Clinical Practice”
10. ICH Q9: “Quality Risk Management”