ALCOA principles: ‘healthy’ guidelines for data integrity -1-

We guess most organizations in life sciences would acknowledge that their data are accurate and trustworthy. However, inspection authorities such as the FDA did not appear out of thin air and regularly beg to differ. Triggered by the recent warning letters, many pharmaceutical companies have mobilized Vivenics to fix or implement systems to secure data integrity. Here too, prevention is better than cure.   

Attributable, Legible, Contemporaneous, Original, Accurate 

For this aim, we go by the so-called ALCOA principles that have been broadly accepted including the World Health Organization (WHO). ALCOA is an acronym defining that all data should be Attributable, Legible, Contemporaneous, Original and Accurate. As no two organizations are exactly the same, ALCOA cannot serve as a blueprint but as general guidelines to ensure that documentation is transparent and reliable and can be validated more effectively by the authorities. In the first of a series of five blogs, we will look at the attributability of data. Attributable means information is captured in the record so that it is uniquely identified as executed by the originator of the data (e.g. a person or a computer system). 

In other words: there should be no argument as to who created a record and when. The applying criteria depend on whether the data involved are recorded by hand or machine.

Expectations for paper records to guarantee “Attributable”:

  • Initials;
  • Full handwritten signature;
  • Personal seal;
  • Date and, when necessary, time stamp. 

Expectations for electronic records to guarantee “Attributable”:

  • Unique user logons that link the user to actions that create, modify or delete data;
  • Unique electronic signatures (either biometric or non-biometric);
  • An audit trail that should capture user identification (ID) and date and time;
  • Signatures, which must be securely and permanently linked to the record being signed.

Concrete measures to be taken are not restricted to these 'expectations' and should include actions such as automatically locking a computer screen after a maximum of ten minutes in case the user has left his or her workplace. Obviously, computers make (business) life a lot easier but can cause those responsible occasional headaches when data integrity comes into play. 

Other risk management considerations to ensure that data are attributable include:

  • Are you using a system with separate applications for signing and storing the document? In this case, make sure that the two remain linked.
  • Avoid the use of hybrid systems. The same goes for shared and generic logon credentials. In legacy systems, among others, the right technical controls may not be available. Here, a combination of paper and electronic records may be helpful.
  • Some cases may call for the use of a scribe to record an activity on behalf of another operator. Examples are:
    – where the act of recording places the product or activity at risk;
    – to accommodate cultural differences or in cases of staff literacy/language limitations. In such situations, the supervisory recording should be done simultaneously with the task being performed and should identify both the person performing the observed task and the person completing the record.  

We would like to reward those of you who actually made it all the way to the end of this blog by making the promise that our next blog will be a lot easier to digest. You have our word for it.