What is ALCOA+ in data integrity?

ALCOA+ represents the expanded principles of data integrity: Attributable (traceable to the person who created it), Legible (readable and permanent), Contemporaneous (recorded at the time of activity), Original (first recording or certified true copy), and Accurate (correctly represents the activity). The plus adds Complete (all data retained), Consistent (recorded in expected sequence), Enduring (remains intact throughout retention), and Available (accessible when needed).

What is the FDA data integrity guidance document?

The primary FDA data integrity guidance is "Data Integrity and Compliance With Drug CGMP: Questions and Answers," published in December 2018. This guidance provides FDA's current thinking on data integrity requirements for pharmaceutical manufacturers, presented in a question-and-answer format. It covers topics including data governance, audit trails, electronic and paper records, and remediation of data integrity problems.

How does 21 CFR Part 11 relate to data integrity?

21 CFR Part 11 provides the regulatory framework for electronic data integrity controls. Part 11 requires system validation ensuring accuracy and reliability (11.10(a)), secure audit trails recording all data changes (11.10(e)), access controls limiting who can modify data (11.10(d)), and authority checks preventing unauthorized alterations (11.10(g)). Compliance with Part 11 supports data integrity by ensuring electronic records are trustworthy and reliable.

What are common data integrity violations?

Examples of FDA data integrity violations include deleting failing test results without investigation, conducting trial injections or unofficial testing before official testing, using shared user accounts that prevent attribution, backdating documentation that was not recorded contemporaneously, disabling audit trails, manipulating chromatographic integration to achieve passing results, and failing to retain original data including repeat analyses.

What triggers FDA data integrity enforcement?

FDA data integrity enforcement can be triggered by patterns of data deletion or modification without justification, missing or disabled audit trails, shared user accounts or generic logins, discrepancies between electronic data and paper printouts, evidence of unofficial or trial testing, complaints from whistleblowers or former employees, and repeat observations from previous inspections.

How do you remediate data integrity issues?

Data integrity remediation requires a systematic approach: (1) Conduct comprehensive gap assessment across all GxP systems, (2) Implement immediate containment for product quality risks, (3) Perform thorough root cause analysis including organizational culture factors, (4) Execute corrective and preventive actions including system upgrades, procedure revisions, and training, (5) Verify effectiveness through ongoing monitoring and internal audits. FDA expects remediation to address systemic root causes, not just individual findings.

What is the difference between data integrity and data security?

Data integrity focuses on the accuracy, completeness, and consistency of data throughout its lifecycle, ensuring data correctly represents actual activities and can be relied upon for quality decisions. Data security focuses on protecting data from unauthorized access, disclosure, or theft. While related, they serve different purposes: security controls who can access data, while integrity ensures data is trustworthy and accurate. Both are necessary for GxP compliance. ---

Data Integrity FDA: ALCOA+ Compliance Essentials

Data Integrity FDA Requirements: Complete Guide to ALCOA+ Principles and GxP Compliance

Quick Answer

Data integrity FDA requirements require pharmaceutical records to be complete, accurate, and trustworthy throughout the data lifecycle. In practice, this means strong governance, secure systems, reliable audit trails, appropriate review controls, and an organizational culture that supports contemporaneous and accurate documentation.

Key Takeaways

ALCOA+ stands for Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, and Available.
FDA's 2018 data integrity guidance establishes expectations for data governance, technical controls, and organizational culture in all cGMP environments.
21 CFR Part 11 provides the regulatory framework for electronic records and signatures that underpins data integrity compliance for digital systems.
Data integrity FDA refers to the completeness, consistency, and accuracy of data throughout its lifecycle, as required by the U.S. Food and Drug Administration for regulated operations. FDA's data integrity requirements are aimed at ensuring that records supporting product quality, safety, and efficacy decisions are trustworthy, attributable, and appropriately controlled. For more detail on inspection readiness, see our data integrity audits guide.
Data integrity failures remain a recurring FDA enforcement theme in pharmaceutical manufacturing and laboratory operations. For regulatory affairs professionals, quality managers, and laboratory directors, understanding FDA data integrity requirements is essential because unreliable data can undermine product quality decisions, inspection outcomes, and remediation efforts.
In this guide, you will learn:
The complete FDA data integrity guidance framework and regulatory expectations
How to implement ALCOA data integrity principles across your quality systems
The critical connection between data integrity pharmaceutical operations and 21 CFR Part 11
Common GxP data integrity violations and how to prevent them
Step-by-step data integrity remediation strategies when violations occur
---

What Is Data Integrity According to FDA?

Definition

Data Integrity FDA - The complete, consistent, and accurate representation of all data throughout its entire lifecycle, from creation through final archival or destruction, ensuring that records supporting pharmaceutical decisions are trustworthy, attributable, and comply with ALCOA+ principles and FDA requirements.

Data integrity FDA requirements encompass the extent to which all data are complete, consistent, and accurate throughout the data lifecycle. According to FDA's 2018 guidance document "Data Integrity and Compliance With Drug CGMP," data integrity is a fundamental component of the pharmaceutical quality system that ensures decisions about product quality are based on reliable information.

Key characteristics of FDA data integrity:

Applies to all data generated during drug development, manufacturing, testing, and distribution
Encompasses both paper and electronic records
Requires documented controls throughout the entire data lifecycle
Expects appropriate audit trails and other controls for relevant electronic records
Demands organizational accountability and quality culture

Key Statistic

FDA's 2018 Data Integrity Guidance specifically states that data integrity is an inherent element of a pharmaceutical quality system that ensures that medicines are of the quality required for their intended use. Data integrity failures can lead to unreliable decisions about product quality.

The Data Lifecycle Concept

FDA expects data integrity controls throughout the complete data lifecycle:

Lifecycle Stage	Data Integrity Requirements
Creation	Data generated at time of activity; attributable to individual
Processing	Calculations verified; transformations documented
Review	Independent verification; audit trail examination
Reporting	Complete and accurate representation of results
Storage	Secure preservation; protection from alteration
Retrieval	Accessible throughout retention period; format preserved
Archival	Long-term storage with integrity controls maintained
Destruction	Controlled disposition per retention requirements

The lifecycle approach means that data integrity is not just about how data is recorded; it includes controls from initial generation through final destruction.

FDA Data Integrity Guidance: Key Regulatory Documents

Understanding the FDA data integrity guidance landscape is essential for compliance. FDA has issued multiple guidance documents that establish expectations for data integrity in pharmaceutical operations.

Primary FDA Data Integrity Guidance Documents

Document	Year	Scope	Key Focus
Data Integrity and Compliance With Drug CGMP	2018	Drugs	Comprehensive Q&A format guidance
21 CFR Part 11: Scope and Application	2003	Electronic Records	Risk-based Part 11 interpretation

Key Principles from FDA Data Integrity Guidance

The 2018 FDA guidance establishes several fundamental principles:

1. CGMP Records Must Be Complete and Accurate

Per 21 CFR 211.68, 211.180, and 211.194, laboratory records and other CGMP documentation must accurately and completely document activities as they are performed.

2. Data Governance Is Management's Responsibility

FDA expects management to establish and implement effective data governance systems including:

Written data integrity policies
Risk assessments for data integrity vulnerabilities
Adequate staffing and resources
Training programs for all personnel
Monitoring and self-identification mechanisms

3. Original Data Must Be Retained

Static or dynamic data, whether electronic or paper, that represents the first capture of information must be preserved. This includes:

Raw chromatographic data files
Original laboratory notebook entries
Electronic source data from instruments
Metadata and audit trail information

“
GEO Quotable: FDA's data integrity guidance explicitly states that regulated companies are responsible for designing and operating systems that provide an acceptable state of control based on data integrity risk, with the level of effort commensurate with the risk to product quality and patient safety.

International Context

International documents such as PIC/S also use similar data management and integrity concepts, which is one reason ALCOA and ALCOA+ terminology is widely used across regulated environments.

ALCOA Data Integrity: The Foundation of Compliance

ALCOA data integrity represents the five fundamental principles that define reliable data in GxP environments. ALCOA and the extended ALCOA+ framework are widely used to explain the attributes regulators expect for trustworthy GxP records.

The Original ALCOA Principles

Principle	Definition	Practical Implementation
Attributable	Data must be traceable to the person who generated it	Unique user IDs; no shared logins; signatures on paper records
Legible	Data must be readable and permanent	Indelible ink; clear handwriting; preserved electronic formats
Contemporaneous	Data must be recorded at the time the activity occurred	Real-time documentation; no backdating; timestamps
Original	Data must be the first recording or a certified true copy	Raw data preserved; certified copies documented
Accurate	Data must correctly represent the activity performed	Verification procedures; calibrated instruments; valid methods

ALCOA+ Extended Principles

The pharmaceutical industry has expanded ALCOA to ALCOA+ by adding four additional principles that reinforce data integrity:

ALCOA+ Addition	Definition	FDA Alignment
Complete	All data including repeat or reanalysis results must be retained	21 CFR 211.194(a) - complete records
Consistent	Data elements must be recorded in expected sequence	Audit trail review; timestamp verification
Enduring	Data must remain intact throughout retention period	Secure storage; format preservation
Available	Data must be accessible when needed for review	Retrieval procedures; indexing systems

Implementing ALCOA+ in Practice

Pro Tip

Start your data integrity implementation by auditing user access across all GxP systems. Shared user accounts and generic logins undermine attributability and routinely attract regulatory attention.

Attributable:

Assign unique user IDs to each individual - never share accounts
Require initials/signatures with date on all paper entries
Configure electronic systems to capture operator identification automatically
Document reason for data changes with operator identification

Legible:

Use permanent ink for paper records (no pencil)
Ensure printing is clear and readable
Preserve electronic data in readable formats
Implement single-line corrections that do not obscure original entry

Contemporaneous:

Train operators to document activities as they occur
Configure systems to record timestamps automatically
Prohibit pre-signing or post-dating of records
Review audit trails for suspicious timing patterns

Original:

Retain raw data files from instruments
Never delete original electronic records
Document certified true copy procedures
Preserve metadata with original data

Accurate:

Validate analytical methods before use
Calibrate and qualify instruments
Implement second-person verification for critical data
Investigate and explain data anomalies

“
Critical Warning: Data integrity principles should be applied across GxP records, not just laboratory records. Manufacturing batch records, equipment logs, environmental monitoring data, training records, and complaint files all need appropriate controls.

Data Integrity Pharmaceutical: GxP Applications

Data integrity pharmaceutical requirements span all areas of Good Manufacturing Practice (GMP), Good Laboratory Practice (GLP), Good Clinical Practice (GCP), and Good Distribution Practice (GDP). Each GxP domain has specific data integrity considerations.

GMP Data Integrity Requirements

Current Good Manufacturing Practice (CGMP) regulations under 21 CFR Parts 210 and 211 establish data integrity expectations for finished pharmaceutical manufacturing:

CFR Section	Requirement	Data Integrity Application
211.68	Automatic equipment controls	Audit trails, electronic batch records
211.100	Written production and control procedures	Complete documentation of manufacturing
211.160	Laboratory controls general requirements	Complete laboratory records
211.180	Records and reports general requirements	All records readily available
211.188	Batch production and control records	Complete, contemporaneous documentation
211.194	Laboratory records	Complete analytical data and raw data

Laboratory Data Integrity Focus Areas

Laboratory data integrity receives particular FDA scrutiny because analytical results directly impact product release decisions:

Chromatographic Data Systems:

Audit trails should be enabled and appropriately secured
All injections must be retained (no selective deletion)
Integration parameters must be documented
Reprocessing must be justified and documented

Spectroscopic Data:

Original spectral files must be preserved
Peak identification must be documented
Reference standard comparison must be traceable
Method validation must be complete

Microbiological Testing:

Raw counts and calculations must be retained
Analyst observations must be documented
Environmental monitoring data must be complete
Sterility test results must include all incubation records

Manufacturing Data Integrity Areas

Manufacturing Area	Data Integrity Focus
Batch Records	Contemporaneous entries; complete documentation; no blank fields
Equipment Logs	Cleaning, maintenance, and use records with timestamps
Environmental Monitoring	Continuous monitoring data retention; alarm response documentation
Process Parameters	Critical process parameter recording and verification
Material Tracking	Incoming materials to finished product traceability

Common Pharmaceutical Data Integrity Violations

FDA warning letters and inspection observations frequently address violations such as:

Deleting original data - Discarding failing results without investigation
Trial injections - Testing samples without documentation before official testing
Shared user accounts - Multiple operators using same login credentials
Backdating records - Recording data after the fact
Incomplete records - Failing to document all activities
Disabled audit trails - Turning off audit trail functionality
Manipulated integration - Reprocessing chromatographic data to achieve passing results
Falsified training records - Documenting training that did not occur

GxP Data Integrity: Connection to 21 CFR Part 11

GxP data integrity requirements are closely linked to 21 CFR Part 11, FDA's regulation governing electronic records and electronic signatures. Understanding this connection is important for electronic-record compliance.

How 21 CFR Part 11 Supports Data Integrity

Part 11 provides the regulatory framework for electronic data integrity controls:

Part 11 Section	Data Integrity Requirement
11.10(a)	System validation ensures data accuracy and reliability
11.10(b)	Ability to generate accurate and complete copies
11.10(c)	Records protection throughout retention period
11.10(d)	Access limited to authorized individuals
11.10(e)	Secure, computer-generated, time-stamped audit trails
11.10(g)	Authority checks prevent unauthorized alterations
11.10(k)	Documentation controls including change control

Audit Trails: The Critical Control

Audit trails are central to both Part 11 compliance and data integrity. FDA expects:

Audit Trail Technical Requirements:

Computer-generated (not manually entered)
Time-stamped with synchronized, reliable time source
Secure (cannot be modified by ordinary means)
Captures who, what, when, and why for all changes
Retained at least as long as underlying records

Audit Trail Review Expectations:

Routine review as part of data verification
Part of batch record review before release
Included in laboratory data review
Documented review with findings recorded

Key Statistic

FDA's 2018 Data Integrity Guidance explicitly states that audit trail review should be part of routine data review and approval practices, not just performed during inspections or for cause investigations.

Part 11 and Data Integrity Gap Assessment

Assessment Area	Part 11 Requirement	Data Integrity Impact
User Access	Unique IDs, no sharing	Attributability of data
Audit Trails	Enabled, secure, complete	Detection of manipulation
Validation	Documented IQ/OQ/PQ	Accuracy and reliability
Electronic Signatures	Two-component, unique	Accountability for approvals
Backup/Recovery	Documented procedures	Data endurance and availability
Change Control	Documented, assessed	Data consistency over time

Organizations should conduct combined Part 11 and data integrity assessments to identify overlapping gaps and prioritize remediation efforts efficiently.

Common Data Integrity Issues and Root Causes

Understanding why data integrity violations occur enables effective prevention. FDA observations often reveal repeated control weaknesses and root causes.

Representative Data Integrity Findings

Finding Category	Typical Concern
Deleted or missing data	Original data are not preserved or cannot be reconstructed
Audit trail gaps	Critical changes cannot be traced to who changed what, when, and why
Shared user accounts	Records cannot be attributed reliably to an individual
Backdated entries	Documentation is not contemporaneous with the activity performed
Incomplete records	Repeat tests, invalid runs, or supporting metadata are missing
Unauthorized access	Access controls do not adequately restrict changes to GxP data
Test-into-compliance behavior	Repeated testing or reprocessing is not scientifically justified or fully documented

Root Cause Analysis: Why Data Integrity Fails

Organizational Culture Factors:

Production pressure prioritized over quality
Fear of reporting failures or deviations
Inadequate management oversight
Insufficient resources for proper documentation
Lack of accountability for data integrity

Technical System Factors:

Legacy systems without audit trail capability
Spreadsheets and standalone systems without controls
Shared logins due to license limitations
Paper-based systems prone to manipulation
Inadequate backup and archive procedures

Process Design Factors:

Unrealistic timelines for documentation
Procedures that encourage shortcuts
Inadequate training on data integrity expectations
No second-person verification for critical data
Insufficient review of electronic data and audit trails

Data Integrity Culture Assessment

Organizations should evaluate their data integrity culture using these indicators:

Positive Indicator	Warning Sign
Open reporting of errors without fear	Errors discovered only through investigation
Management invests in proper systems	Cost savings prioritized over controls
Deviation trends actively monitored	Deviations addressed individually without trending
Training emphasizes integrity	Training focuses only on mechanics
Personnel comfortable raising concerns	Personnel fear consequences for problems
Regular self-assessments conducted	Problems found only by regulators

Data Integrity Remediation Strategies

When data integrity issues are identified, systematic remediation is required. FDA expects comprehensive remediation that addresses root causes, not just individual findings.

The Five-Phase Remediation Framework

Pro Tip

When remediating data integrity violations, prioritize audit trail review early. Audit trails often help define the scope and pattern of issues faster than paper review alone.

Phase 1: Assessment

Conduct comprehensive data integrity gap assessment
Review all GxP electronic systems for Part 11 compliance
Assess paper-based documentation practices
Evaluate organizational culture factors
Document current state and prioritize risks

Phase 2: Containment

Address immediate product quality concerns
Quarantine potentially affected batches
Implement interim controls for high-risk areas
Assign dedicated resources to critical remediation
Communicate status to regulatory authorities if required

Phase 3: Root Cause Analysis

Investigate systemic root causes using formal tools
Assess scope across all affected systems and processes
Evaluate human factors and organizational culture
Determine extent of impact on product quality decisions
Document investigation findings thoroughly

Phase 4: Corrective and Preventive Actions

Implement technical system enhancements
Upgrade or replace non-compliant systems
Revise procedures for data integrity requirements
Conduct comprehensive training programs
Establish enhanced monitoring mechanisms

Phase 5: Effectiveness Verification (Ongoing)

Conduct follow-up assessments
Monitor data integrity metrics
Perform internal audits
Review audit trails routinely
Document sustained compliance

Remediation Priority Matrix

Priority	System/Area	Response Expectation	Criteria
Critical	Laboratory data systems, batch records	Immediate containment and escalation	Direct product quality impact
High	Electronic QMS, document management	Prompt remediation planning	Quality decision support
Medium	Training systems, equipment logs	Planned remediation	Supporting GxP functions
Lower	Administrative systems	Risk-based remediation as appropriate	Indirect GxP impact

Technology Solutions for Data Integrity

Technology	Data Integrity Benefit
Electronic batch records	Enforce contemporaneous documentation
LIMS with audit trails	Complete laboratory data capture
Electronic signatures	Attributable approvals with timestamps
Automated data backup	Data endurance and availability
Role-based access control	Prevent unauthorized changes
Timestamped audit trails	Detect and document all modifications

Preventing Data Integrity Issues: Best Practices

Proactive prevention is more effective and less costly than reactive remediation. Implement these best practices to maintain data integrity compliance.

Governance and Culture

Establish data integrity policy - Written policy signed by senior management
Assign accountability - Designated data integrity officer or function
Conduct risk assessments - Systematic evaluation of data integrity vulnerabilities
Allocate adequate resources - Staffing, technology, and time for proper documentation
Foster open reporting culture - No punishment for honest reporting of problems

Technical Controls

Enable audit trails on all GxP-relevant electronic systems
Eliminate shared accounts - Unique user IDs for every individual
Implement access controls - Role-based permissions limiting functions by job
Validate computerized systems - Documented computerized system validation for relevant electronic records and controls
Establish backup procedures - Regular backup with tested recovery

Process Controls

Design for integrity - Procedures that support contemporaneous documentation
Second-person verification - Independent review of critical data
Audit trail review - Routine review as part of data approval
Change control - Documented control of system and process changes
Periodic assessments - Regular internal audits of data integrity practices

Training Requirements

Pro Tip

Make data integrity training role-specific rather than generic. Lab analysts, manufacturing supervisors, reviewers, and approving managers all need different examples and decision rules.

Training Topic	Audience	Frequency
Data integrity awareness	All GxP personnel	Initial and periodic
ALCOA+ principles	Data generators and reviewers	Initial and periodic
System-specific training	System users	Initial and on change
Audit trail review	Data reviewers and approvers	Initial and periodic
Management responsibilities	Supervisors and managers	Periodic

FDA Enforcement: Data Integrity Warning Letters

Understanding FDA enforcement themes helps organizations prioritize compliance efforts and recognize warning signs during inspections.

Enforcement Focus

FDA warning letters and import alerts continue to show that FDA scrutinizes data integrity where unreliable records could affect product quality decisions, laboratory controls, or batch disposition.

Common Warning Letter Language

FDA warning letters typically cite data integrity violations with language such as:

"Failure to ensure that laboratory records include complete data derived from all tests"
"Your firm deleted electronic data without following change control procedures"
"Your laboratory lacks adequate controls to prevent unauthorized access to data"
"Audit trails were not enabled on your analytical instrumentation"
"Your firm's data governance practices are inadequate"

Import Alert Consequences

Severe data integrity violations can result in import alerts that prevent products from entering the United States:

Import Alert	Description	Resolution Difficulty
66-40	CGMP - Drugs	Requires comprehensive remediation and FDA re-inspection
99-32	Fraudulent documentation	Severe enforcement consequence

“
Critical Warning: Removal from an import alert related to data integrity usually requires extensive remediation, evidence of sustainable control, and FDA satisfaction with the corrective actions taken.

Key Takeaways

Data integrity according to FDA refers to the completeness, consistency, and accuracy of data throughout its entire lifecycle. FDA's 2018 guidance states that data integrity is an inherent element of the pharmaceutical quality system that ensures medicines are of the required quality. Data must be attributable, legible, contemporaneous, original, and accurate (ALCOA) with supporting principles of complete, consistent, enduring, and available (ALCOA+).

Key Takeaways

Data integrity FDA requirements are foundational: The completeness, consistency, and accuracy of GxP data directly impacts product quality decisions and patient safety. FDA expects robust data governance systems.
ALCOA+ principles provide the compliance framework: Attributable, Legible, Contemporaneous, Original, and Accurate data, extended with Complete, Consistent, Enduring, and Available, define regulatory expectations for all GxP data.
21 CFR Part 11 and data integrity are interconnected: Electronic records controls, audit trails, and system validation under Part 11 provide the technical foundation for data integrity compliance.
Proactive prevention outperforms reactive remediation: Establishing data integrity culture, implementing technical controls, and conducting regular assessments prevents costly enforcement actions and product quality issues.
FDA enforcement remains a serious compliance risk: Data integrity failures can contribute to warning letters, import alerts, and major remediation programs.
---

Next Steps

Achieving data integrity FDA compliance requires systematic assessment, robust technical controls, and an organizational culture that prioritizes quality over convenience. Companies that proactively implement ALCOA+ principles and maintain vigilant oversight avoid the costly consequences of data integrity enforcement.

Organizations managing regulatory submissions benefit from automated validation tools that catch errors before gateway rejection. Assyro's AI-powered platform validates eCTD submissions against FDA, EMA, and Health Canada requirements, providing detailed error reports and remediation guidance before submission.

Sources

References

Sources

Last updated: March 16, 2026