FDA Auditors and ALCOA+: What Your Lab Software Systems Must Prove

An FDA investigator doesn’t arrive at your facility asking to see your ALCOA+ policy binder. They ask to observe a routine analyst performing a stability sample test — and then they watch what happens in the software. Where the data lands. Whether the audit trail captures every keystroke. Whether anyone could have changed a result without leaving a trace.

That’s the reality of a data integrity inspection in 2026, and it’s a sharper test than most quality teams expect. The gap between having a validated system and having an audit-ready system is wider than most people realize — and the consequences of getting it wrong show up in Warning Letters, import alerts, and consent decrees.

This post breaks down what FDA investigators are actually checking when they sit down at your laboratory information management system (LIMS) or chromatography data system (CDS), and what your computer system validation (CSV) documentation needs to demonstrate before they do.

ALCOA+ Is Not a Framework. It’s a Live Inspection Checklist.

ALCOA is an acronym that’s been part of pharmaceutical quality vocabulary for decades. Attributable, Legible, Contemporaneous, Original, Accurate — those five attributes were formalized in FDA training materials as far back as the 1990s. The ”+” extension (Complete, Consistent, Enduring, Available) was codified more formally in FDA’s December 2018 guidance document, Data Integrity and Compliance With Drug CGMP.

What changed between the original ALCOA concept and where we are today isn’t the vocabulary. It’s the enforcement posture. FDA investigators are now trained to evaluate data integrity not as a documentation audit but as a systems audit. They’re asking: does the software itself enforce ALCOA+ attributes, or does it depend on people following procedures?

That distinction matters. A paper SOP that says “analysts must not share login credentials” is a procedural control. An access management system that makes shared credentials technically impossible is a system control. FDA’s current thinking, reflected in the 2018 guidance and reinforced in subsequent Warning Letters, is that relying on procedural controls alone for critical data integrity attributes is insufficient.

In other words, your lab software’s architecture — not just your SOPs — is now part of the inspection.

The Eight Attributes, Mapped to What Auditors Actually Check

Walk through each ALCOA+ attribute as an auditor would, and the inspection items become concrete fast.

Attributable means every data entry, modification, or deletion is linked to a specific, identified individual. During an inspection, investigators will pull up your CDS or LIMS, navigate to a batch record, and ask: “Can you show me who approved this result and when?” If the answer involves clicking through to a system administrator screen that only a few people know exists, that’s a flag. Attributability has to be visible, not buried.

Legible sounds trivial — can you read the data? — but in software systems, legibility extends to audit trail readability. If your audit trail exports as a comma-separated file that requires a macro to parse, the practical legibility of that trail during an inspection is questionable. FDA has cited audit trails that were technically complete but operationally unusable.

Contemporaneous is where a lot of systems fail quietly. Data must be recorded at the time of the activity. Investigators specifically look for time-stamp anomalies: results entered hours or days after the instrument generated raw data, batch records signed retroactively, or discrepancies between instrument printouts and LIMS timestamps. A 30-minute gap between instrument output and system entry may be explainable. A four-hour gap rarely is.

Original means the first capture of data — raw data — must be preserved and accessible. For chromatographic methods, that means the original chromatogram files, not just the integrated result. FDA has issued 483 observations when facilities retained processed results but had deleted or overwritten the underlying raw data files. Under 21 CFR Part 11, raw data must be retained with no possibility of undetected alteration.

Accurate is about the data reflecting what actually happened in the analysis. This sounds obvious, but auditors are specifically looking for whether your system allows result manipulation after the fact — reintegration without audit trail capture, manual overrides that don’t generate change records, or the ability to run samples multiple times and selectively report.

The ”+” attributes — Complete, Consistent, Enduring, Available — translate into specific documentation requirements. Complete means all data, including out-of-specification (OOS) results and aborted runs, must be retained. Consistent means date/time stamps across interconnected systems must be synchronized. Enduring means backup and archival systems must actually work, and Available means records must be retrievable within a timeframe that supports review during an inspection.

Audit Trail Deficiencies: Still the Most Cited Failure

If there’s one area where companies repeatedly stumble, it’s audit trail configuration — not because they don’t know they need one, but because they underestimate what “enabled” actually means.

21 CFR Part 11.10(e) is explicit: audit trails must be computer-generated, time-stamped, and must capture who made a change, what was changed, when it was changed, and — critically — what the original value was before the change. The audit trail must be accessible to the investigator, not just to the software vendor.

Common deficiencies we see across regulated facilities include:

• Audit trails turned off in non-production environments that were later used for actual analysis. A validation server that handled real samples without an active audit trail is a serious gap.
• Audit trail access limited to administrator roles, meaning analysts or supervisors reviewing their own work can’t see the full record. FDA expects audit trails to be reviewable by supervisors as part of second-person review, not just by IT.
• No periodic audit trail review as a defined procedure. Having a functioning audit trail and having a program for actually reviewing it are two different things. 21 CFR Part 211.68 implies that data review includes verification of the audit trail, not just the reported result.
• Instrument-level audit trails not integrated with the LIMS. If your HPLC generates its own time-stamped data log and your LIMS generates a separate record, and those two records are never reconciled, you have an audit trail gap that investigators will find.

One detail worth knowing: FDA investigators are increasingly trained to export and off-site review audit trails before issuing observations. Preparing a clean audit trail summary for the investigator isn’t an option anymore — they’ll pull the raw export themselves.

What Your CSV Documentation Must Demonstrate for Data Integrity

Validation documentation for GxP software needs to address data integrity explicitly, not just functional performance. A validation protocol that proves your LIMS calculates results correctly but doesn’t address how it protects and preserves those results won’t hold up under a data integrity-focused inspection.

Specifically, your User Requirements Specification (URS) should capture data integrity requirements — ALCOA+ attributes — as defined, testable requirements. Your IQ/OQ/PQ scripts need test cases that verify audit trail function under specific scenarios: What happens when an analyst deletes a record? What happens when a result is modified after initial entry? What happens when the system clock is changed?

Risk assessments under GAMP 5 Second Edition (published by ISPE in 2022) now explicitly position data integrity as a risk category requiring impact assessment. Category 4 and Category 5 systems handling raw data need to demonstrate, through validation evidence, that the system enforces ALCOA+ controls — not just that an SOP instructs users to follow them.

Periodic review documentation is another area auditors examine. Validated systems require periodic review — typically annually — that includes verification that audit trail functionality remains active, that access controls haven’t drifted from the approved configuration, and that any software updates or patches have been assessed for data integrity impact.

Preparing Before the Investigator Asks

There are four things quality teams can do right now that make a material difference in a data integrity inspection — and none of them require a system replacement.

Conduct an audit trail readiness review. Pull a 90-day audit trail export from your most critical GxP system and review it the way an investigator would. Can you trace a specific result from instrument output to final batch record approval? Are there unexplained time gaps or user sessions that don’t correspond to shift patterns? If your team struggles to do this in a mock inspection, the investigator will struggle too — and they’ll note it.

Map your data flow. For each critical system, document where original data is first captured, how it moves through the system, and where it’s stored. This data flow map becomes your primary evidence during an inspection that you understand your own system architecture. It also reveals integration gaps — instrument-to-LIMS handoffs, CSV imports, manual transcription points — where ALCOA+ controls may be weakest.

Review user access permissions against current roles. It’s common for access privileges to accumulate as organizations change — analysts promoted to supervisors who were never removed from analyst groups, former employees whose accounts weren’t promptly deactivated. A quarterly access review against your approved permission matrix catches this before an investigator does.

Test your backup and recovery procedures. Endurance and availability are ALCOA+ attributes with an operational dimension. If your archival system hasn’t been tested for retrieval in 18 months, you don’t know if it works. Run a documented recovery test. Archive a known record set, delete the live copy from the test environment, and restore it. The documented evidence that this works is part of your validation lifecycle.

An ALCOA+ gap in your chromatography data system isn’t a documentation problem. It’s a product quality problem, and FDA treats it exactly that way. The Warning Letters that result from data integrity inspections don’t cite “inadequate documentation” — they cite failure to maintain adequate controls to prevent data manipulation, which is a CGMP violation under 21 CFR Part 211.68.

Getting this right doesn’t require rebuilding your validation program. It requires understanding what FDA is actually measuring when they sit down at your system — and making sure your evidence answers those questions before they have to ask.

Written by Sam Sammane, Founder & CEO, Aurora TIC | Founder, Qalitex Group. Learn more about our team

Talk to our compliance consultants about data integrity readiness reviews and CSV program assessments. Contact us

Related from our network

• Laboratory Quality Systems and ISO 17025 Accreditation — Qalitex Laboratories provides ISO 17025-accredited testing with validated computerized systems, offering a practical benchmark for GxP data integrity controls in contract laboratory settings.
• GMP Compliance and Analytical Testing for Canadian Manufacturers — Androxa supports Health Canada GMP compliance with analytical services and quality system consulting for pharmaceutical and NHP manufacturers.