
Understanding ALCOA Principles and FDA & EU Data Integrity Principles for Pharma




As regulatory and QC professionals, we all understand the important role data plays in maintaining consistent, high-quality, and safe products. What is less well understood is how regulators expect you to collect, maintain, and report that data. Every year, scores of pharmaceutical manufacturers receive unexpected reprimands from FDA and EU regulators on this very issue.

EU auditors and FDA investigators are trained in the principles of data integrity and how it can be compromised. Compromise can take many forms, including:

    • Human error, such as unintended transfer errors, misconfigurations, and security errors
    • Technical issues, such as physical compromise to devices or server failures
    • Malicious acts, such as viruses, malware, hacking, and other cyber threats

While many data integrity violations are not the result of malice, it’s important to note that FDA and EU regulators draw no distinction between unintentional and intentional data integrity problems. So, if you’re expecting to find a sympathetic shoulder to cry on after your next audit or inspection, expect a dose of tough love instead…minus the love.


In the US, 21 CFR Part 11 provides very specific guidance to manufacturers on the use of electronic records and signatures. Get up to speed on Part 11 requirements by reading this short article.

What Regulators Focus on When It Comes to Data Integrity

As a manufacturer you generate virtual reams of data, so you may wonder which data is most scrutinized. In general, regulators consider it important to focus resources on systems, features, or functions that directly:

  • Impact product properties or manufacturing processes essential to patient safety or product quality
  • Impact the integrity of data used to specify or support patient safety or product quality
  • Measure, inspect, analyze, or disposition the product or process
  • Accept or perform process corrections without human intervention, awareness, or review
  • Impact labeling or instructions for use
  • Alert or communicate to the user


Regulators consider this data to be at highest risk:

1 – Data from automated processes associated with product production or testing

2 – Data supporting batch or lot release

3 – Data supporting long-term stability or shelf life

4 – Postmarket (complaint) data


Relevant Documents Related to Data Integrity

There are enough publications related to pharma data integrity to cure insomnia for a year. Don’t try to tackle them all at once. Start with these two short publications to get a high-level overview of how US and FDA regulators think about data integrity:

After that, move on to graduate-level homework by diving into these, in order of relevance:


Prioritize Risk Over Documentation

Over time, FDA and other regulators have been encouraging manufacturers to use critical thinking to implement risk-based decisions about data governance. Rather than simply collecting the required documentation and concentrating on testing activities, the emphasis now tilts toward applying critical thinking to identify the most important data, its associated vulnerabilities, and appropriate controls. The goal is to develop a strategy and incorporate requirements into your business processes.

Understanding the different states of data is important for effectively managing and analyzing data to extract insights and make informed decisions. Each state of data may require different tools, techniques, and approaches to effectively process and analyze the data. Data security is an essential component of an organization’s business continuity plan; therefore, a combination of technical and physical controls to protect data from unauthorized access, loss, or theft should be well thought out and implemented.


Common Pharma Data Integrity Themes

FDA and other regulators see the same problems pop up time and time again. Many of these examples were taken from publicly available FDA warning letters, but there is little doubt that EU regulators see the same issues. They generally fall into four categories.


Recurring Data Themes Cited by Regulators
Data Completeness & Reliability
  • Data is not trustworthy, lacks integrity, or is fraudulent
  • Raw data is not maintained for review; no controls to prevent deletion of raw data
  • Deleted analytical and API files left in the recycle bin on the computer with batch numbers in the file name
  • Electronic records are missing; backup or archive not adequate or verifiable
  • Not recording activities immediately and/or backdating records
  • Creating duplicate batch production records, lab analysis records, control records, etc.
  • Repeating sample runs
  • Reusing test specimens
Tracking, Access, & Security
  • No usernames attributable to specific individuals
  • All analysts and operations personnel have system admin access
  • Data can be changed by unauthorized personnel
  • No controls to prevent overwriting data or unauthorized access to data changes
  • Signing for activities performed by someone else
  • Unable to ensure electronic data remains secure
  • Paper-based logbooks with loose-leaf or unnumbered pages
  • Usernames and passwords for software used to control laboratory equipment handwritten in an uncontrolled notebook
  • Use of uncontrolled paper forms or templates
  • No backup of stand-alone computers used to operate equipment
Computer Systems Validation
  • Legacy computer systems do not have adequate validation or controls
  • Accuracy of input/output with lab instruments is not checked
  • Databases for analysis, tracking, and trending are not validated
  • Suppliers are “blindly trusted” to perform validation activities
  • Use of nonqualified equipment
Data Auditing & Training
  • Audit trails are not reviewed by the quality unit
  • No audit trail reviews or no audit trails to show deletion of data
  • No secondary review of laboratory results for accuracy
  • Replacing data with copies of previously generated data
  • Quality personnel not adequately trained to audit electronic data and computer systems


EU and FDA ALCOA Principles

What does ALCOA mean? The ALCOA acronym describes basic principles for data integrity developed in the 1990s by FDA. The core data principles (attributable, legible, contemporaneous, original, accurate) serve as a framework for data management and documentation practices that help ensure the accuracy, reliability, and completeness of data generated in support of drug development, regulatory submissions, and postmarket monitoring.

Over time, the ALCOA principles expanded and have become widely adopted as a best practice within the pharmaceutical industry and have been incorporated into regulatory guidance documents in various countries around the world.




Attributable
  • It should be clear who documented the data.
Legible
  • Readable and signatures identifiable.
Contemporaneous
  • Documented at the time of the activity.
Original
  • Written printout or observation or a certified copy thereof.
Accurate
  • No errors or editing without documented amendments.
+ Complete
  • All data including any repeat or reanalysis performed on the sample.
+ Consistent
  • All the elements of the data, such as the sequence of events, follow on and are dated or timestamped in expected sequence.
+ Enduring
  • Long-lasting and durable.
+ Available
  • For review and audit or inspection over the lifetime of the record.


Want to Learn More?

The myriad overlapping guidance documents and regulations related to data compliance and integrity may start to make your head hurt. If you feel a data migraine coming on, consider our deep-dive class on pharma data integrity. Using real-life examples, our instructors will untangle the morass of data compliance requirements, giving you a clear vision of what needs to be done within your organization and how.
