ALCOA+Attributable, Legible, Contemporaneous, Original, Accurate — plus Complete, Consistent, Enduring, Available
ALCOA+ is the nine-letter mnemonic regulators use to grade your data integrity programme — Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, Available. Every 21 CFR Part 11, EU GMP Annex 11 and MHRA GxP data-integrity audit is, in practice, an ALCOA+ audit. This page covers each letter, how regulators test it, the failure modes that trigger 483s, and how V5 Ultimate is engineered to satisfy every letter natively.
01What ALCOA+ is
ALCOA was coined by Stan Woollen at FDA in the 1990s as a five-letter mnemonic for the attributes of trustworthy GxP records. EMA, MHRA and WHO later extended it with four additional letters — Complete, Consistent, Enduring, Available — to form ALCOA+. The expanded version is now the global standard cited by every major regulator.
Crucially, ALCOA+ is not a regulation itself. It is the test framework regulators apply when interpreting 21 CFR Part 11, Annex 11 and equivalent rules. If your system satisfies all nine letters, you generally pass a data-integrity audit. If it fails any one letter, you have a finding.
02The original five — ALCOA
| Letter | Meaning | What it tests |
|---|---|---|
| A — Attributable | Every record identifies who did it. | User logged in; e-signature captures name; no shared accounts. |
| L — Legible | Records readable for the full retention period. | PDFs render; no proprietary one-vendor format; archive readable in 10 years. |
| C — Contemporaneous | Recorded at the moment the event occurred. | Kiosk weight captured at the scale; not transcribed later. |
| O — Original | First record (or true certified copy). | No 'gather paper, then enter into computer' workflows; raw electronic record retained. |
| A — Accurate | Correct, truthful, error-free. | Validated calculations; system prevents entry of impossible values; corrections audit-trailed with reason. |
03The four additions — +
| Letter | Meaning | What it tests |
|---|---|---|
| + Complete | All data, including reruns, exceptions and metadata. | Failed test attempts retained; no deletion; audit trail captures everything, not just the happy path. |
| + Consistent | Chronological, time-stamped, no contradictions. | Server-side time source; no user-editable timestamps; events ordered correctly. |
| + Enduring | Preserved for the entire retention period. | Append-only storage; backups; archive media still readable at year N; cloud supplier qualification. |
| + Available | Retrievable on demand by authorised users and auditors. | Search; export; reasonable response time; works during an inspection without re-engineering. |
04Common ALCOA+ failures that trigger 483s
- Shared 'operator' logins → not Attributable.
- Excel-based calculations that anyone can overwrite → not Original, not Accurate, not Enduring.
- Paper batch records transcribed into the system at end of shift → not Contemporaneous, not Original.
- Audit trail can be disabled by admin → not Complete, not Enduring.
- System time editable on client → not Consistent.
- 'Test' records deleted to clean up reports → not Complete.
- Data only available via vendor's portal that requires login → not Available.
- Archive in proprietary database format with no documented export → not Legible at year 10.
05How V5 satisfies each letter
| Letter | V5 design |
|---|---|
| Attributable | Every action requires SSO authentication + role; critical actions require explicit e-signature with name, password and meaning. |
| Legible | PDFs rendered server-side; raw data exportable as CSV/JSON at any time. |
| Contemporaneous | Kiosk captures scale weight, environmental reading, scan at the moment of the action — no offline buffering. |
| Original | Raw electronic record stored append-only; PDF is a presentation, not the master. |
| Accurate | Server-side validation; tolerance checks; corrections require reason + e-signature. |
| + Complete | Audit trail captures every CRUD action including failed attempts; nothing is hard-deleted. |
| + Consistent | Server time source only; events hash-chained for tamper evidence. |
| + Enduring | Append-only storage with daily backups; archive export tested annually. |
| + Available | Search across audit trail; sub-second filtered queries; export to PDF/CSV one click. |
Frequently asked questions
Q.Is ALCOA+ a regulation?+
No. It is the test framework regulators apply when interpreting 21 CFR Part 11, EU GMP Annex 11 and equivalent rules. Failing any letter typically means a finding against the underlying regulation.
Q.Where did the + come from?+
EMA / MHRA / WHO added Complete, Consistent, Enduring and Available in the 2010s to close gaps the original five didn't fully cover — particularly around long-term retention and on-demand availability.
Q.Does paper meet ALCOA+?+
It can — Attributable, Legible, Contemporaneous, Original, Accurate are all paper-friendly. The +letters (especially Enduring and Available) get harder as volumes grow; most regulated sites move to electronic records to satisfy ALCOA+ at scale.
Primary sources
Further reading
V5 Ultimate ships with the ALCOA+ controls already wired in — audit trail, e-signatures, validation evidence. Free trial, no credit card, onboard in days, not months.