Guest Column | August 29, 2022

Attributable Data Integrity in Modern Biopharma Using ALCOA Principles

By Kip Wolf, X-Vax Technology, @KipWolf

Expert NetworkThis article is the first in a five-part series intended to provide contemporary, practical, and useful examples of data integrity within each of the five traditional principles of ALCOA (Attributable, Legible, Contemporaneous, Original, and Accurate). The objective of this series is to describe how data integrity makes good business sense, can improve the effectiveness and efficiency of operations, and may provide improvement to your organization’s quality culture. It is to offer some common-sense language around the topic of data integrity and to provide some tangible everyday examples of positive data integrity within each of the individual ALCOA principles so you and your organization might benefit from these pragmatic suggestions. This series is not intended to be a primer on ALCOA, a wordy explanation of acronyms, a detailed description of information governance strategy, or a guidance for assessing data integrity within your organization.

ALCOA Principle #1: Attributable

When data are attributable, we may clearly identify the person or system that performed an activity or captured the data. In the non-binding guidance for industry titled Data Integrity and Compliance With Drug CGMP - Questions and Answers, published in December of 2018, the FDA identifies the predicate rules it considers to be specifically relevant to “attributable.” They are 21 CFR §§ 211.101(d), 211.122, 211.186, 211.188(b)(11), and 212.50(c)(10).1

Very typically, the topic of audit trail comes up in the context of discission about meeting requirements for attributable data. While audit trails are certainly an important requirement and are a common means of attributing data to the user, being able to identify the individual or system that executed an activity is quite useful beyond the obvious regulatory requirement. By monitoring activity on documents in a network-stored location (e.g., cloud solution), we may also benefit from native document version control, improved security over email attachments, or see if unexpected editors have modified the document.

Colleague 1: “I updated that document you asked about. I’ll email it to you.”
Colleague 2: “No need. I can see your edits. Thanks, I’ll take it from here.”

Have you had a similar conversation? Attributability lends itself positively to results such as ensuring privacy, confirming actions, or achieving process efficiencies, just to name a few. As in the example above, we can see when our colleague has finished editing, so we can continue processing the document further. We do not need to rely on notifications from our colleagues or clog our email inboxes with attachments.

Achieving “Attributable” Data In Day-To-Day Operations

In our life sciences industry, we are very familiar with good documentation practices and the operations that are necessary to achieve data integrity compliance with the predicate rules and Part 11 for that matter. For example, standard operating procedures for: drug product component labeling (21 CFR § 211.101(d)); checking and verifying of labeling components (21 CFR § 211.122) or master production and control records (21 CFR § 211.186); performing, supervising, or checking significant steps in manufacturing operations (21 CFR § 211.188(b)(11)); and applying initials and signatures of persons performing or checking those steps (21 CFR § 212.50(c)(10)) are compliance activities with which we are all familiar. 

In addition to these familiar activities, there are some day-to-day data integrity opportunities that exist that may enhance your compliance position, boost efficiency and effectiveness, and improve the overall data integrity culture in your organization.

Common mistakes with paper documents and records include our tendency to take the “out of sight, out of mind” approach when archiving. Remember that paper and ink can have temperature or chemical sensitivity that may be affected by storage in hot or humid spaces. I recently had the experience of opening some archived records from a carton that had been stored in a hot and humid space, where most of the top page was rendered almost entirely blank from the heat and humidity. Attributability was impossible.

Scanning these records and storing them in an electronic archive prevents further damage, but electronic solutions are not without their risks as well. If “Created By” attributability of individual electronic files or folders is of operational importance or business value, it may be affected by scanning/saving and moving files to different networked or cloud solutions.

For example, during collection and manual migration (download/upload) of documents from various legacy SharePoint sites to a new collaboration SharePoint site, the electronic files were downloaded from various sites and then uploaded to the new site, which attributed ALL the files to the user who performed the upload. While this was not a compliance issue (they were business documents and not GMP records), it did now present a usability challenge. Where users were accustomed to browsing through the folder structure to peruse files by the user who created it, all files now had a “Created By” attribute assigned to the one user who had migrated/uploaded all the files.

I was also recently reminded of another common “attributability” mistake related to spreadsheets, not in the use of the spreadsheet for GMP calculations or decision-making purposes, but in the use of a spreadsheet as a method for recording test evidence during activities such as user acceptance testing or performance qualification of computerized user interfaces. While it is not uncommon to use spreadsheets in this way, it is very common to use them incorrectly.

Entering test results, initials, and dates in spreadsheet cells and saving the file as evidence does not provide sufficient attributability, as the file may be modified, edited, or deleted. However, printing the spreadsheet and applying a signature and date to the output as a verification of the data captured therein would provide sufficient attributability (either physically printing and signing/dating or printing to PDF and applying an electronic signature/date as in using DocuSign). 

Tools such as DocuSign, Smartsheet, and SharePoint are now very common in our workplaces that are increasingly virtual and distributed. These tools also provide opportunities for attributability that, while not necessarily directly related to regulatory compliance, can improve your organization’s data integrity awareness and, furthermore, the quality culture.

Smartsheet provides the ability to attribute data changes to users by each individual cell in the sheet. Open any Smartsheet and right-click a cell to display the menu, then select View Cell History. Attributable evidence of any and all cell data changes is displayed.


In a SharePoint document library (with version control enabled), SharePoint also provides the ability to attribute users to each version of document revision. Select the document of interest and choose “Version history” to see a complete list of each version modified for that document object.

Finally, a common opportunity for better data attributability is to ensure that all users of Microsoft Office enter their name and initials accurately in their profile. When editing an Office document, the username is applied to the document metadata (e.g., Created By) and is also applied during activities such as Track Changes, Comments, and the like. It is unfortunate when users collaborate on a document and add comments, edits, and revisions via Track Changes only to realize that multiple changes are attributed to a null value (no name) or to a generic username. The simple practice of ensuring that users’ names and initials are accurately entered in their Microsoft Office application profile can improve collaboration activities down the road.

Next Steps

Consider that attributes may already be applied to data that you created or modified. Know how your data is attributed during normal operations. Question how the attributes are captured and verify that you know how to view them. This is useful both to ensure attributable data and to better understand your own attributability. When you know how your data activities are attributed, you become a more informed user and improve the quality culture of your organization.


  1. eCFR : Title 21 of the CFR -- Food and Drugs, 

About the Author:

Kip Wolf is the head of technical operations and portfolio management at X-Vax Technology, Inc., where he manages internal operations and outsourced partner relationships/activities, and also leads the project management office that oversees the company’s portfolio of R&D projects. His technical experience includes the fields of quality assurance and regulatory affairs, GMP and IT compliance, technical operations, and product supply. His areas of leadership expertise include business transformation, new business development, organizational change leadership, and program/project management. He has led business process management groups at Wyeth Manufacturing and at Merck Research & Development. Prior to joining X-Vax, he supported the company as a principal consultant at Tunnell Life Sciences Consulting, where he led the data integrity practice. Wolf can be reached at