Data Integrity – ALCOA+ in Practice for GxP Manufacturing

This topic is part of the SG Systems Global regulatory glossary series.

Updated October 2025 • Data Integrity • 21 CFR Part 11 / EU Annex 11 / Predicate Rules

Data Integrity is the assurance that GxP data are Attributable, Legible, Contemporaneous, Original, Accurate—and, under the extended ALCOA+ model, also Complete, Consistent, Enduring, Available. It is not a slogan; it is the bedrock that lets regulators, Qualified Persons, and your own management rely on electronic records to make release and safety decisions. In modern operations, integrity is engineered through a combination of 21 CFR Part 11/Annex 11 technical controls (identity, access, audit trails, electronic signatures), validated processes (CSV), disciplined documentation (BMR/eBMR, CoA), and quality governance (Change Control, CAPA).

“Data integrity is the assurance that data is authentic, accurate, and traceable—proven by who recorded it, when, how, under which method or specification, and why any changes were made.”

1) What It Is

Data integrity is the capability to defend the truthfulness and context of your records across their lifecycle—from raw capture (an instrument reading or barcode scan) through processing (calculations, limits, units), review/approval, release, trending, and long-term retention & archival. In practice, that means your systems and procedures make it impossible (or at least conspicuously obvious) to fabricate, alter, backdate, or misattribute data. The concept spans MES/eBMR, LIMS, QMS, and WMS as well as interfaces to ERP and labeling, where misalignment between master data and execution is a common root cause of integrity findings.

2) Regulatory Anchors & ALCOA+ Principles

Predicate rules (e.g., 21 CFR 210/211, 600–680, 820, and for food Part 117) define which records must exist and what they must show. Part 11 and Annex 11 define how electronic records and signatures must be controlled (identity, security, trail, retention). ALCOA+ translates these expectations into everyday criteria: who created the data (Attributable), can you read them (Legible), were they recorded at the time (Contemporaneous), are they the original or a true copy (Original), are they correct (Accurate), and are they Complete, Consistent, Enduring, and Available over time.

Auditors routinely test ALCOA+ by asking for a complete eBMR including audit trail extracts filtered for edits/overrides, verifying controlled master data (BOM, specs, methods), tracing batch genealogy from bin/location to finished good, checking label version alignment, and confirming that exceptions triggered recorded CAPAs with effectiveness checks.

3) Data Lifecycle & System Controls

Creation. Data should originate from controlled sources: instrument interfaces (LIMS), barcode scans (WMS/MES) with barcode validation, and structured inputs (ranges, units, decimal precision). Free-text fields are limited to narrative and are never the sole source of critical values. For weighing and dispensing, Batch Weighing captures scale ID, calibration status, tolerance windows, and operator identity.

Processing. Calculations (yields, potency adjustments, SPC statistics) are versioned and locked. Specification limits and control limits (SPC) are master data; changes are approved via Approval Workflow and recorded in trails. Where adjustments are permitted (e.g., reweigh), the system requires reasons and triggers review.

Review & approval. Dual verification and e-signatures ensure the “second eyes” are unique users with appropriate roles. Review-by-exception focuses attention on events (deviation, OOS/OOT, override). All actions—approve, reject, re-route—are time-stamped and linked to the record.

Release & distribution. Lot release binds the CoA to the executed eBMR and master data in force at the time. WMS enforces status (quarantine/released/expired) and directed picking so only eligible lots are shipped; dynamic lot allocation respects market-specific rules and shelf life.

Retention & archival. Records are preserved with their metadata, audit trails, and rendering capability per your Data Retention & Archival policy. Migration and decommissioning are validated so meaning is not lost.

4) Technical and Procedural Controls That Prove Integrity

• Identity & access. Unique user IDs, role-based permissions, MFA where appropriate, session controls, and privileged-access oversight. Shared logins are prohibited.
• Audit trails. Computer-generated, time-stamped logs of who/what/when (and why when significant), protected from alteration and retained with the record. See Audit Trail (GxP).
• Electronic signatures. Non-repudiable signatures linked to records with defined meaning (review/approval/responsibility) aligned to Part 11.
• Controlled masters. Versioned methods, specifications, BOMs, label templates; all under Change Control with impact assessments and validation where needed.
• Instrument & asset status. Calibrations and maintenance statuses are enforced at the point of use; see Asset Calibration Status.
• Segregation & zoning. Digital/physical controls prevent mix-ups and cross-contact; see Allergen Segregation Control and Cross-Contamination Control.
• CSV lifecycle. Requirements → risk assessment → testing → traceability → controlled deployment and periodic review; see CSV.
• Training & competence. GxP training, periodic refreshers, and effectiveness checks; training status blocks execution when required.

5) Typical Failure Modes & How to Avoid Them

• Backdating and unofficial notes. Paper scraps or post-hoc entries undermine contemporaneity. Fix: require direct entry at source and reason-coded corrections with trail.
• Shared accounts or “admin does all.” Destroys attribution. Fix: unique users, minimal admin, periodic access reviews, and alerts on high-risk actions.
• Spreadsheet islands. Uncontrolled calculations and silent version drift. Fix: move to validated functions in MES/LIMS/QMS, or harden spreadsheets under Annex 11/Part 11 style controls.
• Label/content misalignment. Recipe adds an allergen; label not updated. Fix: bind labels to approved recipe/version via Approval Workflow.
• Unvalidated integrations. Silent data transforms between LIMS↔MES↔ERP. Fix: interface specifications, field mapping, checksum/acknowledgement, and change control.
• “PDF-only” archives. Loss of raw data/metadata. Fix: preserve system of record with rendering; use PDFs as human-readable companions, not substitutes.

6) Metrics That Show Integrity Is Working

• Audit-trail exceptions per batch (overrides, backdated entries) and time-to-review.
• Access hygiene: orphaned accounts, admin actions, and role drift over time.
• Label-to-recipe version match rate at time of print and shipment.
• Data reconciliation defects across systems (e.g., LIMS result mismatches in eBMR).
• Retrieval SLA for complete batch dossiers with trails and CoA.
• CAPA effectiveness on integrity-related incidents within 6–12 months.

7) How It Relates to V5

V5 by SG Systems Global implements data-integrity by design. In V5 MES, eBMR steps enforce identity, ranges, and step sequencing; dual verification with e-signatures governs critical actions. In V5 QMS, deviations/OOS/OOT route to CAPA with effectiveness checks; Change Control governs master data (methods, specs, labels). In V5 WMS, directed picking, status control, and traceability maintain consistent genealogy. All systems generate protected audit trails, and integration via the V5 Connect API preserves field-level fidelity and acknowledgements. For trending and CPV, V5 provides SPC dashboards with alert/action limits tied to approved masters, ensuring that the numbers you act on are the numbers you can defend.

Related Reading
• Foundations: ALCOA+ | 21 CFR Part 11 | EU Annex 11
• Records & Release: BMR | Automated Batch Records (eBMR) | CoA | Batch Release
• Controls & Assurance: Audit Trail | Control Limits (SPC) | CSV | Cleaning Validation
• Materials & Warehouse: Bin / Location Management | Directed Picking | Dock-to-Stock

8) FAQ

Q1. Is Part 11 compliance the same as data integrity?
No. Part 11 defines controls for electronic records/signatures; data integrity is broader—covering predicate-rule completeness, ALCOA+, and lifecycle evidence across MES/LIMS/QMS/WMS.

Q2. Do we need audit trails for every field?
Trails should cover GxP-relevant records and significant changes (values, status, approvals, configuration). Low-risk ancillary fields may be excluded by risk justification—but never core identity/quality data.

Q3. Can we rely on spreadsheets?
Only with strict controls (versioned templates, protected formulas, access control, verification, and where feasible audit trails). Prefer validated application logic in MES/LIMS/QMS.

Q4. What is “review by exception” and why does it matter?
It focuses human review on events that change risk—deviations, overrides, OOS/OOT—backed by complete audit trails. It increases detection power and reduces rote checking.

Q5. How do we prove data integrity to an inspector?
Render a complete batch dossier quickly: executed eBMR steps, signatures with meaning, LIMS raw data and calculations, genealogy and WMS movements, CoA, changes and approvals, audit-trail excerpts, and linked CAPAs—plus evidence of CSV and retention.