What is ALCOA+ in data integrity?

ALCOA+ represents the expanded principles of data integrity: Attributable (traceable to the person who created it), Legible (readable and permanent), Contemporaneous (recorded at the time of activity), Original (first recording or certified true copy), and Accurate (correctly represents the activity). The plus adds Complete (all data retained), Consistent (recorded in expected sequence), Enduring (remains intact throughout retention), and Available (accessible when needed).

How does 21 CFR Part 11 relate to data integrity?

21 CFR Part 11 provides the regulatory framework for electronic data integrity controls. Part 11 requires system validation ensuring accuracy and reliability (11.10(a)), secure audit trails recording all data changes (11.10(e)), access controls limiting who can modify data (11.10(d)), and authority checks preventing unauthorized alterations (11.10(g)). Compliance with Part 11 supports data integrity by ensuring electronic records are trustworthy and reliable.

What are common data integrity violations?

The most common FDA data integrity violations include: deleting failing test results without investigation, conducting trial injections or unofficial testing before official testing, using shared user accounts preventing attribution, backdating documentation that was not recorded contemporaneously, disabling or not enabling audit trails, manipulating chromatographic integration to achieve passing results, and failing to retain all original data including repeat analyses.

What triggers FDA data integrity enforcement?

FDA data integrity enforcement is typically triggered by: patterns of data deletion or modification without justification, missing or disabled audit trails, shared user accounts or generic logins, discrepancies between electronic data and paper printouts, evidence of unofficial or trial testing, complaints from whistleblowers or former employees, and repeat observations from previous inspections. FDA investigators are specifically trained to identify data integrity warning signs.

How do you remediate data integrity issues?

Data integrity remediation requires a systematic approach: (1) Conduct comprehensive gap assessment across all GxP systems, (2) Implement immediate containment for product quality risks, (3) Perform thorough root cause analysis including organizational culture factors, (4) Execute corrective and preventive actions including system upgrades, procedure revisions, and training, (5) Verify effectiveness through ongoing monitoring and internal audits. FDA expects remediation to address systemic root causes, not just individual findings.

What is the difference between data integrity and data security?

Data integrity focuses on the accuracy, completeness, and consistency of data throughout its lifecycle, ensuring data correctly represents actual activities and can be relied upon for quality decisions. Data security focuses on protecting data from unauthorized access, disclosure, or theft. While related, they serve different purposes: security controls who can access data, while integrity ensures data is trustworthy and accurate. Both are necessary for GxP compliance. ---

Data Integrity FDA Requirements: Complete Guide to ALCOA+ Principles and GxP Compliance

Q: What is the FDA data integrity guidance document?

The primary FDA data integrity guidance is "Data Integrity and Compliance With Drug CGMP: Questions and Answers," published in December 2018. This guidance provides FDA's current thinking on data integrity requirements for pharmaceutical manufacturers, presented in a question-and-answer format. It covers topics including data governance, audit trails, electronic and paper records, and remediation of data integrity problems.

Quick Answer

Data integrity FDA requirements mandate that all pharmaceutical data be complete, accurate, and traceable throughout its lifecycle-governed by the ALCOA+ principles. FDA enforcement has increased dramatically, with 60% of drug GMP warning letters citing data integrity violations since 2023. Comprehensive compliance requires robust data governance, technical controls like audit trails, and a strong organizational culture prioritizing quality.

Data integrity FDA refers to the completeness, consistency, and accuracy of data throughout its lifecycle, as required by the U.S. Food and Drug Administration for all regulated pharmaceutical, biotechnology, and medical device operations. FDA's data integrity requirements ensure that records supporting product quality, safety, and efficacy decisions are attributable, legible, contemporaneous, original, and accurate - the foundational ALCOA principles.

Data integrity failures have become the leading cause of FDA warning letters and import alerts in the pharmaceutical industry. Between 2015 and 2025, more than 60% of drug GMP warning letters cited data integrity violations as contributing factors. For regulatory affairs professionals, quality managers, and laboratory directors, understanding FDA data integrity requirements is no longer optional - it is essential for organizational survival.

In this guide, you will learn:

The complete FDA data integrity guidance framework and regulatory expectations
How to implement ALCOA data integrity principles across your quality systems
The critical connection between data integrity pharmaceutical operations and 21 CFR Part 11
Common GxP data integrity violations and how to prevent them
Step-by-step data integrity remediation strategies when violations occur

What Is Data Integrity According to FDA?

Definition

Data Integrity FDA - The complete, consistent, and accurate representation of all data throughout its entire lifecycle, from creation through final archival or destruction, ensuring that records supporting pharmaceutical decisions are trustworthy, attributable, and comply with ALCOA+ principles and FDA requirements.

Data integrity FDA requirements encompass the extent to which all data are complete, consistent, and accurate throughout the data lifecycle. According to FDA's 2018 guidance document "Data Integrity and Compliance With Drug CGMP," data integrity is a fundamental component of the pharmaceutical quality system that ensures decisions about product quality are based on reliable information.

Key characteristics of FDA data integrity:

Applies to all data generated during drug development, manufacturing, testing, and distribution
Encompasses both paper and electronic records
Requires documented controls throughout the entire data lifecycle
Mandates audit trails for electronic systems
Demands organizational accountability and quality culture

Key Statistic

FDA's 2018 Data Integrity Guidance specifically states that data integrity is an inherent element of a pharmaceutical quality system that ensures that medicines are of the quality required for their intended use. Data integrity failures can lead to unreliable decisions about product quality.

The Data Lifecycle Concept

FDA expects data integrity controls throughout the complete data lifecycle:

Lifecycle Stage	Data Integrity Requirements
Creation	Data generated at time of activity; attributable to individual
Processing	Calculations verified; transformations documented
Review	Independent verification; audit trail examination
Reporting	Complete and accurate representation of results
Storage	Secure preservation; protection from alteration
Retrieval	Accessible throughout retention period; format preserved
Archival	Long-term storage with integrity controls maintained
Destruction	Controlled disposition per retention requirements

The lifecycle approach means that data integrity is not just about how data is recorded - it includes every touchpoint from initial generation through final destruction. FDA inspectors evaluate controls at each stage.

FDA Data Integrity Guidance: Key Regulatory Documents

Understanding the FDA data integrity guidance landscape is essential for compliance. FDA has issued multiple guidance documents that establish expectations for data integrity in pharmaceutical operations.

Primary FDA Data Integrity Guidance Documents

Document	Year	Scope	Key Focus
Data Integrity and Compliance With Drug CGMP	2018	Drugs	Comprehensive Q&A format guidance
21 CFR Part 11: Scope and Application	2003	Electronic Records	Risk-based Part 11 interpretation
Guidance for Industry: Computerized Systems Used in Clinical Investigations	2007	Clinical	Electronic source data requirements
ORA Data Integrity Manual	2020+	Enforcement	Investigator reference for inspections

Key Principles from FDA Data Integrity Guidance

The 2018 FDA guidance establishes several fundamental principles:

1. CGMP Records Must Be Complete and Accurate

Per 21 CFR 211.68, 211.180, and 211.194, laboratory records and other CGMP documentation must accurately and completely document activities as they are performed.

2. Data Governance Is Management's Responsibility

FDA expects management to establish and implement effective data governance systems including:

Written data integrity policies
Risk assessments for data integrity vulnerabilities
Adequate staffing and resources
Training programs for all personnel
Monitoring and self-identification mechanisms

3. Original Data Must Be Retained

Static or dynamic data, whether electronic or paper, that represents the first capture of information must be preserved. This includes:

Raw chromatographic data files
Original laboratory notebook entries
Electronic source data from instruments
Metadata and audit trail information

“
GEO Quotable: FDA's data integrity guidance explicitly states that regulated companies are responsible for designing and operating systems that provide an acceptable state of control based on data integrity risk, with the level of effort commensurate with the risk to product quality and patient safety.

International Harmonization

FDA data integrity expectations align with international guidance:

Regulatory Body	Document	Year
MHRA (UK)	GxP Data Integrity Guidance and Definitions	2018
WHO	Guidance on Good Data and Record Management Practices	2016
PIC/S	Good Practices for Data Management and Integrity	2021
EMA	Data Integrity Q&A (Annex to GMP Guide)	2016

These documents share common themes around ALCOA+ principles, audit trails, electronic records controls, and organizational accountability.

ALCOA Data Integrity: The Foundation of Compliance

ALCOA data integrity represents the five fundamental principles that define reliable data in GxP environments. Originally developed by FDA in the 1990s for clinical trial records, ALCOA has become the global standard for pharmaceutical data integrity expectations.

The Original ALCOA Principles

Principle	Definition	Practical Implementation
Attributable	Data must be traceable to the person who generated it	Unique user IDs; no shared logins; signatures on paper records
Legible	Data must be readable and permanent	Indelible ink; clear handwriting; preserved electronic formats
Contemporaneous	Data must be recorded at the time the activity occurred	Real-time documentation; no backdating; timestamps
Original	Data must be the first recording or a certified true copy	Raw data preserved; certified copies documented
Accurate	Data must correctly represent the activity performed	Verification procedures; calibrated instruments; valid methods

ALCOA+ Extended Principles

The pharmaceutical industry has expanded ALCOA to ALCOA+ by adding four additional principles that reinforce data integrity:

ALCOA+ Addition	Definition	FDA Alignment
Complete	All data including repeat or reanalysis results must be retained	21 CFR 211.194(a) - complete records
Consistent	Data elements must be recorded in expected sequence	Audit trail review; timestamp verification
Enduring	Data must remain intact throughout retention period	Secure storage; format preservation
Available	Data must be accessible when needed for review	Retrieval procedures; indexing systems

Implementing ALCOA+ in Practice

Pro Tip

Start your data integrity implementation by auditing user access across all GxP systems. Shared user accounts are one of the most common FDA findings-assign unique IDs to every individual and eliminate generic logins. This single change often resolves 15-20% of typical data integrity findings.

Attributable:

Assign unique user IDs to each individual - never share accounts
Require initials/signatures with date on all paper entries
Configure electronic systems to capture operator identification automatically
Document reason for data changes with operator identification

Legible:

Use permanent ink for paper records (no pencil)
Ensure printing is clear and readable
Preserve electronic data in readable formats
Implement single-line corrections that do not obscure original entry

Contemporaneous:

Train operators to document activities as they occur
Configure systems to record timestamps automatically
Prohibit pre-signing or post-dating of records
Review audit trails for suspicious timing patterns

Original:

Retain raw data files from instruments
Never delete original electronic records
Document certified true copy procedures
Preserve metadata with original data

Accurate:

Validate analytical methods before use
Calibrate and qualify instruments
Implement second-person verification for critical data
Investigate and explain data anomalies

“
Critical Warning: ALCOA data integrity principles apply to ALL GxP data - not just laboratory records. Manufacturing batch records, equipment logs, environmental monitoring data, training records, and complaint files must all meet ALCOA+ standards.

Data Integrity Pharmaceutical: GxP Applications

Data integrity pharmaceutical requirements span all areas of Good Manufacturing Practice (GMP), Good Laboratory Practice (GLP), Good Clinical Practice (GCP), and Good Distribution Practice (GDP). Each GxP domain has specific data integrity considerations.

GMP Data Integrity Requirements

Current Good Manufacturing Practice (CGMP) regulations under 21 CFR Parts 210, 211, and 212 establish data integrity requirements for pharmaceutical manufacturing:

CFR Section	Requirement	Data Integrity Application
211.68	Automatic equipment controls	Audit trails, electronic batch records
211.100	Written production and control procedures	Complete documentation of manufacturing
211.160	Laboratory controls general requirements	Complete laboratory records
211.180	Records and reports general requirements	All records readily available
211.188	Batch production and control records	Complete, contemporaneous documentation
211.194	Laboratory records	Complete analytical data and raw data

Laboratory Data Integrity Focus Areas

Laboratory data integrity receives particular FDA scrutiny because analytical results directly impact product release decisions:

Chromatographic Data Systems:

Audit trails must be enabled and cannot be modified
All injections must be retained (no selective deletion)
Integration parameters must be documented
Reprocessing must be justified and documented

Spectroscopic Data:

Original spectral files must be preserved
Peak identification must be documented
Reference standard comparison must be traceable
Method validation must be complete

Microbiological Testing:

Raw counts and calculations must be retained
Analyst observations must be documented
Environmental monitoring data must be complete
Sterility test results must include all incubation records

Manufacturing Data Integrity Areas

Manufacturing Area	Data Integrity Focus
Batch Records	Contemporaneous entries; complete documentation; no blank fields
Equipment Logs	Cleaning, maintenance, and use records with timestamps
Environmental Monitoring	Continuous monitoring data retention; alarm response documentation
Process Parameters	Critical process parameter recording and verification
Material Tracking	Incoming materials to finished product traceability

Common Pharmaceutical Data Integrity Violations

FDA warning letters consistently cite these data integrity violations:

Deleting original data - Discarding failing results without investigation
Trial injections - Testing samples without documentation before official testing
Shared user accounts - Multiple operators using same login credentials
Backdating records - Recording data after the fact
Incomplete records - Failing to document all activities
Disabled audit trails - Turning off audit trail functionality
Manipulated integration - Reprocessing chromatographic data to achieve passing results
Falsified training records - Documenting training that did not occur

GxP Data Integrity: Connection to 21 CFR Part 11

GxP data integrity requirements are inextricably linked to 21 CFR Part 11, FDA's regulation governing electronic records and electronic signatures. Understanding this connection is essential for comprehensive compliance.

How 21 CFR Part 11 Supports Data Integrity

Part 11 provides the regulatory framework for electronic data integrity controls:

Part 11 Section	Data Integrity Requirement
11.10(a)	System validation ensures data accuracy and reliability
11.10(b)	Ability to generate accurate and complete copies
11.10(c)	Records protection throughout retention period
11.10(d)	Access limited to authorized individuals
11.10(e)	Secure, computer-generated, time-stamped audit trails
11.10(g)	Authority checks prevent unauthorized alterations
11.10(k)	Documentation controls including change control

Audit Trails: The Critical Control

Audit trails are central to both Part 11 compliance and data integrity. FDA expects:

Audit Trail Technical Requirements:

Computer-generated (not manually entered)
Time-stamped with synchronized, reliable time source
Secure (cannot be modified by ordinary means)
Captures who, what, when, and why for all changes
Retained at least as long as underlying records

Audit Trail Review Expectations:

Routine review as part of data verification
Part of batch record review before release
Included in laboratory data review
Documented review with findings recorded

Key Statistic

FDA's 2018 Data Integrity Guidance explicitly states that audit trail review should be part of routine data review and approval practices, not just performed during inspections or for cause investigations.

Part 11 and Data Integrity Gap Assessment

Assessment Area	Part 11 Requirement	Data Integrity Impact
User Access	Unique IDs, no sharing	Attributability of data
Audit Trails	Enabled, secure, complete	Detection of manipulation
Validation	Documented IQ/OQ/PQ	Accuracy and reliability
Electronic Signatures	Two-component, unique	Accountability for approvals
Backup/Recovery	Documented procedures	Data endurance and availability
Change Control	Documented, assessed	Data consistency over time

Organizations should conduct combined Part 11 and data integrity assessments to identify overlapping gaps and prioritize remediation efforts efficiently.

Common Data Integrity Issues and Root Causes

Understanding why data integrity violations occur enables effective prevention. FDA observations consistently reveal common patterns and root causes.

Top Data Integrity Findings by Frequency

Rank	Finding Category	Frequency	Root Cause
1	Deleted or missing data	35%	Pressure to meet specifications
2	Audit trail gaps	25%	System misconfiguration; disabled features
3	Shared user accounts	15%	Convenience; insufficient licenses
4	Backdated entries	10%	Documentation not contemporaneous
5	Incomplete records	8%	Rushing; inadequate training
6	Unauthorized access	5%	Weak access controls
7	Test-into-compliance	2%	Testing until passing result obtained

Root Cause Analysis: Why Data Integrity Fails

Organizational Culture Factors:

Production pressure prioritized over quality
Fear of reporting failures or deviations
Inadequate management oversight
Insufficient resources for proper documentation
Lack of accountability for data integrity

Technical System Factors:

Legacy systems without audit trail capability
Spreadsheets and standalone systems without controls
Shared logins due to license limitations
Paper-based systems prone to manipulation
Inadequate backup and archive procedures

Process Design Factors:

Unrealistic timelines for documentation
Procedures that encourage shortcuts
Inadequate training on data integrity expectations
No second-person verification for critical data
Insufficient review of electronic data and audit trails

Data Integrity Culture Assessment

Organizations should evaluate their data integrity culture using these indicators:

Positive Indicator	Warning Sign
Open reporting of errors without fear	Errors discovered only through investigation
Management invests in proper systems	Cost savings prioritized over controls
Deviation trends actively monitored	Deviations addressed individually without trending
Training emphasizes integrity	Training focuses only on mechanics
Personnel comfortable raising concerns	Personnel fear consequences for problems
Regular self-assessments conducted	Problems found only by regulators

Data Integrity Remediation Strategies

When data integrity issues are identified, systematic remediation is required. FDA expects comprehensive remediation that addresses root causes, not just individual findings.

The Five-Phase Remediation Framework

Pro Tip

When remediating data integrity violations, prioritize audit trail review and analysis in your first 30 days. Audit trails often reveal the scope and pattern of violations much faster than other investigation methods. Enable audit trails on all GxP systems if not already active-this single control prevents many common violations going forward.

Phase 1: Assessment (Weeks 1-4)

Conduct comprehensive data integrity gap assessment
Review all GxP electronic systems for Part 11 compliance
Assess paper-based documentation practices
Evaluate organizational culture factors
Document current state and prioritize risks

Phase 2: Containment (Weeks 2-6)

Address immediate product quality concerns
Quarantine potentially affected batches
Implement interim controls for high-risk areas
Assign dedicated resources to critical remediation
Communicate status to regulatory authorities if required

Phase 3: Root Cause Analysis (Weeks 4-8)

Investigate systemic root causes using formal tools
Assess scope across all affected systems and processes
Evaluate human factors and organizational culture
Determine extent of impact on product quality decisions
Document investigation findings thoroughly

Phase 4: Corrective and Preventive Actions (Weeks 6-24)

Implement technical system enhancements
Upgrade or replace non-compliant systems
Revise procedures for data integrity requirements
Conduct comprehensive training programs
Establish enhanced monitoring mechanisms

Phase 5: Effectiveness Verification (Ongoing)

Conduct follow-up assessments
Monitor data integrity metrics
Perform internal audits
Review audit trails routinely
Document sustained compliance

Remediation Priority Matrix

Priority	System/Area	Timeframe	Criteria
Critical	Laboratory data systems, batch records	0-30 days	Direct product quality impact
High	Electronic QMS, document management	30-90 days	Quality decision support
Medium	Training systems, equipment logs	90-180 days	Supporting GxP functions
Lower	Administrative systems	180+ days	Indirect GxP impact

Technology Solutions for Data Integrity

Technology	Data Integrity Benefit
Electronic batch records	Enforce contemporaneous documentation
LIMS with audit trails	Complete laboratory data capture
Electronic signatures	Attributable approvals with timestamps
Automated data backup	Data endurance and availability
Role-based access control	Prevent unauthorized changes
Timestamped audit trails	Detect and document all modifications

Preventing Data Integrity Issues: Best Practices

Proactive prevention is more effective and less costly than reactive remediation. Implement these best practices to maintain data integrity compliance.

Governance and Culture

Establish data integrity policy - Written policy signed by senior management
Assign accountability - Designated data integrity officer or function
Conduct risk assessments - Systematic evaluation of data integrity vulnerabilities
Allocate adequate resources - Staffing, technology, and time for proper documentation
Foster open reporting culture - No punishment for honest reporting of problems

Technical Controls

Enable audit trails on all GxP-relevant electronic systems
Eliminate shared accounts - Unique user IDs for every individual
Implement access controls - Role-based permissions limiting functions by job
Validate computerized systems - Documented validation per 21 CFR Part 11
Establish backup procedures - Regular backup with tested recovery

Process Controls

Design for integrity - Procedures that support contemporaneous documentation
Second-person verification - Independent review of critical data
Audit trail review - Routine review as part of data approval
Change control - Documented control of system and process changes
Periodic assessments - Regular internal audits of data integrity practices

Training Requirements

Pro Tip

Make data integrity training role-specific rather than generic. Lab analysts need different training than manufacturing supervisors, who need different content than approval authorities. Role-specific training increases retention by 40% and ensures personnel understand how data integrity applies to their specific responsibilities.

Training Topic	Audience	Frequency
Data integrity awareness	All GxP personnel	Annual
ALCOA+ principles	Data generators and reviewers	Initial and annual
System-specific training	System users	Initial and on change
Audit trail review	Data reviewers and approvers	Initial and annual
Management responsibilities	Supervisors and managers	Annual

FDA Enforcement: Data Integrity Warning Letters

Understanding FDA enforcement patterns helps organizations prioritize compliance efforts and recognize warning signs during inspections.

Warning Letter Trends

FDA warning letters citing data integrity have increased significantly:

Time Period	Percentage Citing Data Integrity	Primary Concerns
2008-2012	~20% of drug GMP warning letters	Emerging issue
2013-2017	~40% of drug GMP warning letters	Increasing focus
2018-2022	~55% of drug GMP warning letters	Primary concern
2023-2025	~60%+ of drug GMP warning letters	Sustained priority

Common Warning Letter Language

FDA warning letters typically cite data integrity violations with language such as:

"Failure to ensure that laboratory records include complete data derived from all tests"
"Your firm deleted electronic data without following change control procedures"
"Your laboratory lacks adequate controls to prevent unauthorized access to data"
"Audit trails were not enabled on your analytical instrumentation"
"Your firm's data governance practices are inadequate"

Import Alert Consequences

Severe data integrity violations can result in import alerts that prevent products from entering the United States:

Import Alert	Description	Resolution Difficulty
66-40	CGMP - Drugs	Requires comprehensive remediation and FDA re-inspection
99-32	Fraudulent documentation	Extremely difficult to resolve

“
Critical Warning: Once placed on import alert for data integrity violations, companies may require 12-24 months or longer to achieve removal, with significant revenue impact and reputational damage.

Key Takeaways

Data integrity according to FDA refers to the completeness, consistency, and accuracy of data throughout its entire lifecycle. FDA's 2018 guidance states that data integrity is an inherent element of the pharmaceutical quality system that ensures medicines are of the required quality. Data must be attributable, legible, contemporaneous, original, and accurate (ALCOA) with supporting principles of complete, consistent, enduring, and available (ALCOA+).

Key Takeaways

Data integrity FDA requirements are foundational: The completeness, consistency, and accuracy of GxP data directly impacts product quality decisions and patient safety. FDA expects robust data governance systems.
ALCOA+ principles provide the compliance framework: Attributable, Legible, Contemporaneous, Original, and Accurate data, extended with Complete, Consistent, Enduring, and Available, define regulatory expectations for all GxP data.
21 CFR Part 11 and data integrity are interconnected: Electronic records controls, audit trails, and system validation under Part 11 provide the technical foundation for data integrity compliance.
Proactive prevention outperforms reactive remediation: Establishing data integrity culture, implementing technical controls, and conducting regular assessments prevents costly enforcement actions and product quality issues.
FDA enforcement remains aggressive: Data integrity violations continue to be cited in the majority of drug GMP warning letters, with import alerts creating severe business consequences.
---

Next Steps

Achieving data integrity FDA compliance requires systematic assessment, robust technical controls, and an organizational culture that prioritizes quality over convenience. Companies that proactively implement ALCOA+ principles and maintain vigilant oversight avoid the costly consequences of data integrity enforcement.

Organizations managing regulatory submissions benefit from automated validation tools that catch errors before gateway rejection. Assyro's AI-powered platform validates eCTD submissions against FDA, EMA, and Health Canada requirements, providing detailed error reports and remediation guidance before submission.

Sources

Last updated: January 25, 2026