On January 5, 2025, someone at CCIC Huatongwei's testing facility in Suzhou modified archive folders. FDA had announced the inspection nine days earlier, on December 27. Of 21 study records inspectors requested, only 7 were actually in the designated archive. Nine Guinea Pig Maximization Test studies contained photocopied source data — same animal weights, same observations, same results — reused across different studies.
That's not a documentation gap. That's fabrication. And it's the kind of thing that generates a warning letter, not a 483.
I wrote about this distinction in our 483 enforcement analysis: SOPs and training failures dominate 483 observations, but data integrity failures dominate warning letters. Training gets you a corrective action request. Data integrity gets your studies rejected. Different risk class entirely.
This article is about the second category — and specifically, about what "data integrity" actually means in practice when your GLP lab runs on electronic systems.
ALCOA+ isn't a buzzword. It's the framework.
If you've been in regulated labs for any length of time, you've heard ALCOA. Maybe you've seen it on a poster in a QA office somewhere. The problem is that most people treat it as a mnemonic to memorize for auditor questions rather than a practical standard to build systems around.
ALCOA stands for Attributable, Legible, Contemporaneous, Original, Accurate. The "+" adds Complete, Consistent, Enduring, and Available. These aren't FDA's invention — they come from the OECD and WHO frameworks, and FDA has adopted them as the de facto standard for evaluating data integrity in GLP labs.
Let me walk through each one with what it actually looks like in a GLP nonclinical lab. Not the textbook definition — the operational reality.
Attributable
Every data entry must be traceable to the person who made it. In a paper world, that means a signature or initials. In an electronic world, it means a unique user login tied to audit trail entries.
The failure mode I see most often: shared logins. A lab has 6 technicians and 2 LIMS workstations. Somebody logs in at 7 AM and stays logged in all day. Three different people enter data under the same user ID. The audit trail says "User: JSmith" for 47 entries across 11 hours. That's not attributable. It's useless.
Fix: individual logins, automatic timeout after inactivity, biometric or badge-based authentication if you're running a high-throughput facility. And train people that logging in as someone else isn't a shortcut — it's a GLP violation under 21 CFR 58.130.
Legible
Data must be readable. Permanently. For paper records, that means no pencil (it fades), no correction fluid (it obscures), ink that doesn't bleed through.
For electronic records, legibility is about format longevity. I've seen labs store raw data in proprietary instrument formats that can't be opened 5 years later because the vendor discontinued the software. Your HPLC chromatograms from 2019 might as well not exist if the only way to read them requires a version of Empower that no longer runs on any supported operating system.
Practical answer: export to open formats (PDF/A for reports, CSV for tabular data) alongside the native format. Keep the native format for reprocessing capability, but make sure you have a human-readable version that doesn't depend on specific software.
Contemporaneous
Record data at the time of observation. Not later. Not "I'll write it up at the end of the shift." At the time.
This is the one that caught Jiangsu Kerbio. During their July 2025 inspection, FDA inspectors directly observed staff completing Day 1 through Day 26 study records all at once for an ongoing study. Not transcribing from worksheets — creating records retrospectively. That's a death sentence for data credibility, and it's one reason that facility's operations were suspended through December 2027.
In electronic systems, contemporaneous recording means your LIMS timestamps entries automatically, and those timestamps can't be overridden. If there's a gap between observation and entry (say, you collect blood samples in the animal room and enter results back at the bench 20 minutes later), your SOP should define the acceptable window and your system should flag entries outside it.
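A check of this kind, as an added example (not code from the article or from any LIMS vendor): it flags entries whose system timestamp trails the claimed observation time by more than the SOP window, and calendar dates on which records for many study days were created at once. The row layout, the 30-minute window and the two-study-day limit are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SOP_WINDOW = timedelta(minutes=30)  # assumption: allowed observation-to-entry gap
MAX_STUDY_DAYS_PER_DATE = 2         # assumption: more than this suggests backfilling

# Constructed rows: (study_day, observed_at as claimed by the user,
#                    entered_at as stamped by the system)
SAMPLE = [
    (1, "2025-07-01T08:00:00", "2025-07-01T08:20:00"),
    (2, "2025-07-02T08:00:00", "2025-07-02T09:45:00"),
    (3, "2025-07-03T08:00:00", "2025-07-26T16:01:00"),
    (4, "2025-07-04T08:00:00", "2025-07-26T16:03:00"),
    (5, "2025-07-05T08:00:00", "2025-07-26T16:04:00"),
]

def late_entries(rows, window=SOP_WINDOW):
    """Return (study_day, gap) for entries made outside the SOP window.

    A negative gap (entry stamped before the claimed observation) is also
    flagged, since it means one of the two times is wrong.
    """
    flagged = []
    for day, observed, entered in rows:
        gap = datetime.fromisoformat(entered) - datetime.fromisoformat(observed)
        if gap > window or gap < timedelta(0):
            flagged.append((day, gap))
    return flagged

def backfill_dates(rows, limit=MAX_STUDY_DAYS_PER_DATE):
    """Return {entry date: study days} where one calendar date holds the
    first entries for more than `limit` distinct study days."""
    by_date = defaultdict(set)
    for day, _, entered in rows:
        by_date[datetime.fromisoformat(entered).date().isoformat()].add(day)
    return {d: sorted(days) for d, days in by_date.items() if len(days) > limit}
```

The check depends on the system-assigned timestamp being one users cannot override; the claimed observation time alone proves nothing.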
Original
The first recording of data is the original. Everything else is a copy. In GLP, the original is what matters.
Here's where electronic systems get tricky. If a technician records body weights on a paper worksheet, then types them into the LIMS — which one is the original? The paper worksheet. The LIMS entry is a transcription. Now you have two records to maintain, reconcile, and archive.
Better approach: enter data directly into the validated electronic system. Make the electronic record the original. But that means the system needs to be validated, access-controlled, and backed up. You can't claim an Excel spreadsheet on a shared drive is your original GLP record. Well, you can claim it. The inspector won't agree.
Accurate
The recorded value matches reality. Calibrated instruments, validated methods, verified calculations.
This one feels obvious but the failures are subtle. A balance that drifts 0.3% over 6 months doesn't produce wrong data in any single measurement — it produces a systematic bias that nobody notices until a savvy inspector compares pre-calibration and post-calibration check weights and asks why the formulation concentrations shifted.
Accuracy in electronic systems also means validated calculations. If your LIMS calculates dose based on body weight and concentration, those algorithms need to be verified. I know a lab that discovered their LIMS had been rounding intermediate calculations incorrectly for two years. Nobody caught it because the final numbers looked reasonable. They caught it during a system upgrade when the new version produced slightly different results. That was an uncomfortable conversation with QA.
Complete (+)
All data, including data you wish didn't exist. Repeat runs, failed assays, out-of-spec results — they all stay. Deleting inconvenient data points isn't editing. It's fraud.
In electronic systems, completeness means your audit trail captures every action: creation, modification, deletion attempts. Key word: attempts. A properly configured system should prevent hard deletion of GLP data entirely. If someone tries, the system logs the attempt.
Consistent (+)
Data across different sources should tell the same story. The body weight in the clinical observations should match the body weight in the dose calculation. The sacrifice date in the pathology report should match the sacrifice date in the protocol's study calendar.
Electronic systems can enforce consistency through linked data fields. But they can also create consistency problems: if one system rounds to 2 decimal places and another to 3, you get phantom discrepancies that generate audit findings for no scientific reason. Define your rounding conventions in SOPs. Sounds trivial. It prevents real headaches.
Enduring (+)
Records must survive for the retention period. Under 21 CFR 58.195, that's at least 2 years after FDA approval or 5 years after submission. In practice, keep them longer.
For electronic records, "enduring" means migration strategy. Your LIMS vendor will release new versions. Your server hardware will be replaced. Your backup media will degrade. Every one of those transitions is a point where data can be lost or corrupted.
WORM media (Write Once, Read Many) is the gold standard for long-term archival. Cryptographic checksums verify that archived data hasn't been modified. And you need to test your restore process — actually test it, not just document that you have one. I've audited labs with beautiful archive SOPs and backup procedures that had never been tested. When they tried to restore a 4-year-old study for an FDA request, two of the backup tapes were unreadable. That's not enduring.
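The checksum step, as an added example (not code from the article): a SHA-256 manifest is built when a study is archived, and a later verification reports files that were modified, are missing, or appeared afterwards. The same verification can be run against a restored copy during a restore test. The function names and the constructed study files are assumptions; the manifest itself is assumed to be stored apart from the archive it describes, for instance on the WORM media.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large raw-data files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()

def build_manifest(archive_dir):
    """Map each file's archive-relative path to its SHA-256 digest."""
    root = Path(archive_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_archive(archive_dir, manifest):
    """Compare the archive (or a restored copy) against the stored manifest."""
    current = build_manifest(archive_dir)
    return {
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }

def demo():
    """Constructed archive: record a manifest, then alter, delete and add files."""
    with tempfile.TemporaryDirectory() as d:
        study = Path(d) / "study_A"
        study.mkdir()
        (study / "weights.csv").write_text("animal,weight_g\n1,54.2\n")
        (study / "report.txt").write_text("final report\n")
        manifest = build_manifest(d)  # taken at archive time, stored elsewhere

        (study / "weights.csv").write_text("animal,weight_g\n1,45.2\n")
        (study / "report.txt").unlink()
        (study / "notes.txt").write_text("added later\n")
        return verify_archive(d, manifest)
```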
Available (+)
Records must be accessible for inspection and review. Archived doesn't mean buried. If FDA asks for Study 2019-TOX-047 and it takes you three weeks to produce it, that's not a violation per se, but it's a red flag that tells the inspector your archive system may not be well-managed.
Electronic availability means indexed, searchable archives. Not 47 unlabeled folders on a file server.
Part 11 meets Part 58: where electronic records get regulated
21 CFR Part 11 covers electronic records and electronic signatures across all FDA-regulated activities. Part 58 covers GLP. When your GLP lab uses electronic systems, both apply.
Here's what that means in practice.
Validated systems. Any computerized system used to create, modify, maintain, archive, retrieve, or transmit GLP data must be validated. Validation means documented evidence that the system does what it claims to do. For a LIMS, that includes installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ). For a simple spreadsheet used to calculate doses? Still needs validation if it's generating GLP data. Yes, even the spreadsheet.
Audit trails. Part 11 requires that audit trails record who did what, when, and why. For GLP systems, "why" is critical — when someone modifies a data entry, the reason for the change must be documented. Not "correction" — that tells you nothing. "Original entry was 45.2 g; corrected to 54.2 g due to transposition error confirmed by raw data worksheet" — that's a reason.
Electronic signatures. If your system uses electronic signatures in place of handwritten signatures (for protocol approvals, report sign-offs, deviation authorizations), those signatures must be legally binding. That means unique user IDs, passwords that meet complexity requirements, and a certification filed with FDA stating that electronic signatures are intended to be equivalent to handwritten ones.
The OECD weighed in on this too. Advisory Document No. 22 on GLP Data Integrity (2021) provides detailed guidance on what GLP-specific data integrity looks like in practice, and Position Paper No. 25 (December 2024) addresses IT security specifically — access controls, network security, cloud computing. If your lab is moving to cloud-based LIMS or ELN, that paper is worth reading before the migration, not after.
The audit trail gap nobody talks about
Here's something that comes up in almost every lab I've consulted with: the audit trail exists, but nobody reviews it.
A LIMS dutifully records every login, every data entry, every modification. The audit trail file grows to 14,000 entries per month. QA is supposed to review it. QA has one person. That person is also responsible for phase inspections, deviation reviews, and maintaining the master schedule. The audit trail review doesn't happen, or it happens as a check-the-box exercise where someone scrolls through and signs off without actually reading.
FDA knows this. The Compliance Program 7348.808 — the actual document that GLP inspectors follow — specifically directs inspectors to examine whether QA reviews audit trails and what the review process looks like. If your audit trail review is "reviewed by QA" with a signature and no evidence of what was actually examined, that's a finding waiting to happen.
Practical approach: risk-based audit trail review. You don't need to review every entry. Define criteria for what triggers detailed review: after-hours modifications, changes to critical data points (body weights used in dose calculations, analytical results), entries made outside the expected study timeline. Configure your system to flag these automatically. Then QA reviews the flags, not the entire trail. That's defensible. The 14,000-entry monthly dump is not.
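One way to express those triggers, as an added example (not code from the article or from any LIMS product): each audit-trail row is tested against the criteria above, plus an uninformative reason-for-change and deletion attempts, and only flagged rows reach QA. The row schema, field names, working hours, study window and list of vague reasons are assumptions a lab would set in its own SOP; the sample rows are constructed.

```python
from datetime import date, datetime, time

# Constructed audit-trail rows (hypothetical schema, not a real LIMS export).
SAMPLE_TRAIL = [
    {"id": 1, "user": "tech01", "ts": "2025-03-03T09:14:00", "action": "create",
     "field": "body_weight_g", "study": "S-001", "reason": ""},
    {"id": 2, "user": "tech02", "ts": "2025-03-03T22:41:00", "action": "modify",
     "field": "body_weight_g", "study": "S-001", "reason": "correction"},
    {"id": 3, "user": "tech01", "ts": "2025-03-04T10:05:00", "action": "modify",
     "field": "cage_note", "study": "S-001",
     "reason": "Cage label typo; confirmed against cage card"},
    {"id": 4, "user": "tech03", "ts": "2025-04-02T11:00:00", "action": "create",
     "field": "clinical_obs", "study": "S-001", "reason": ""},
    {"id": 5, "user": "tech02", "ts": "2025-03-10T14:30:00", "action": "delete_attempt",
     "field": "analytical_result", "study": "S-001", "reason": "failed run"},
]

# Assumptions a lab would define in its SOP, not values from the article.
CRITICAL_FIELDS = {"body_weight_g", "analytical_result"}
WORK_START, WORK_END = time(7, 0), time(19, 0)
STUDY_WINDOWS = {"S-001": (date(2025, 3, 1), date(2025, 3, 28))}
VAGUE_REASONS = {"", "correction", "fix", "update", "error"}

def flag_entry(e):
    """Return the review triggers that apply to one audit-trail row."""
    ts = datetime.fromisoformat(e["ts"])
    is_change = e["action"] in ("modify", "delete_attempt")
    flags = []
    if is_change and not (WORK_START <= ts.time() < WORK_END):
        flags.append("after_hours_change")
    if is_change and e["field"] in CRITICAL_FIELDS:
        flags.append("critical_field_change")
    start, end = STUDY_WINDOWS[e["study"]]
    if not (start <= ts.date() <= end):
        flags.append("outside_study_timeline")
    if is_change and e["reason"].strip().lower() in VAGUE_REASONS:
        flags.append("uninformative_reason")
    if e["action"] == "delete_attempt":
        flags.append("delete_attempt")
    return flags

def review_queue(trail):
    """Map entry id -> triggers for rows QA must examine; unflagged rows are omitted."""
    return {e["id"]: f for e in trail if (f := flag_entry(e))}
```

Recording the returned triggers next to the reviewer's sign-off gives the evidence of what was actually examined.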
What data integrity looks like in the warning letter record
I've already covered the CCIC Huatongwei case. Let me add two more because the patterns are instructive.
Palamur Biosciences (India, December 2025): A protocol specified a supraglottic airway device. Surgical records showed an endotracheal tube was used instead. No deviation was documented. QAU didn't catch it. FDA's finding used the phrase "bring into question the quality and integrity of safety data" — that's the language that precedes data rejection.
The data integrity issue here isn't electronic. It's about the gap between what the protocol says and what actually happened. But notice how it connects: if this study had been run with an electronic protocol management system that required real-time deviation logging, the discrepancy would have been captured at the point of occurrence. Paper-based study conduct leaves room for "we'll document it later." Later often means never.
Vedic Lifesciences (India, March 2026): The personnel who signed final reports were not the actual study directors. The effect was to obscure which facility had run the work. This is a data integrity violation at the governance level — the records don't accurately represent who was responsible for the science.
The common thread across all three: the records didn't match reality. ALCOA+ is fundamentally about that match. When records and reality diverge — whether through fabrication, negligence, or poor systems — FDA treats it as the most serious category of GLP failure.
Self-assessment checklist
If you're a sponsor with studies at a CRO, or a lab preparing for an inspection, here's what I'd check. This isn't exhaustive (the full GLP compliance checklist covers the broader regulatory framework), but it targets the data integrity layer specifically.
User access and attribution
- Every person has a unique login — no shared accounts
- Automatic session timeout after defined inactivity period
- User access levels match job functions (technicians can't approve protocols)
- Access is revoked promptly when personnel leave or change roles
- Login attempts are logged, including failed attempts
Audit trails
- Audit trail captures: who, what, when, and why for every change
- Audit trail cannot be disabled or modified by users
- Reason-for-change is required (not optional) for modifications to GLP data
- QA has a documented, risk-based audit trail review process
- Audit trail reviews are documented with specific findings noted
Electronic records
- All GLP computerized systems are validated (IQ/OQ/PQ documented)
- Validation is maintained through change control — updates trigger revalidation
- Data backup runs on a defined schedule with verified restore capability
- Backup restoration has been tested within the last 12 months
- Electronic records are stored in formats that remain readable long-term
- Raw data is defined for each system (electronic original vs. paper original)
Electronic signatures
- Part 11 certification filed with FDA (if using e-signatures)
- Passwords meet complexity and expiration requirements
- E-signatures are unique, non-transferable, and linked to one individual
- Signature meaning (approval, review, authorship) is captured with each signature
Archive and retention
- Electronic archives use integrity verification (checksums, WORM media)
- Archived data is indexed and retrievable within a reasonable timeframe
- Migration procedures exist for system upgrades and platform changes
- Archive access is restricted and logged
- Retention periods meet 21 CFR 58.195 requirements (min 2 yr post-approval or 5 yr post-submission)
Data consistency
- Rounding conventions are defined in SOPs
- Data transferred between systems is verified for accuracy
- Calculations in validated systems have been independently verified
- Out-of-specification results are investigated and documented (not deleted)
- Failed runs and repeat analyses are retained with the study record
Training
- Personnel are trained on ALCOA+ principles (not just told they exist)
- Training includes system-specific procedures, not just generic GLP
- Training on data integrity is refreshed annually
- Personnel understand the difference between correction and falsification
Connecting this to your IND
When your repeat-dose toxicity study or genotoxicity battery or safety pharmacology core battery data arrives at FDA inside your IND, the reviewer checks the GLP compliance statement first. If the study is marked GLP-compliant, the reviewer trusts the data — until they have a reason not to. A warning letter on the testing facility is a reason. An inspection finding about data integrity is a reason.
The thing that keeps me up at night (well, not literally, but it's close): a sponsor can do everything right on their side — characterized test article, solid protocol, good science — and still have their IND data questioned because the CRO's data systems didn't meet ALCOA+ standards. The sponsor's name is on the application, but the data integrity depends on systems they didn't build and may never have audited.
Audit your CRO's data integrity practices. Not just their GLP compliance certificate. Ask specifically about shared logins, audit trail review processes, backup testing, and archive integrity. If they can't give you clear answers, that's your answer.