What ALCOA+ Actually Means — and Why It Matters for OT Engineers
ALCOA+ is an acronym: Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, and Available. These nine principles define what a trustworthy GMP record looks like. Regulators use them as the lens through which they assess data integrity during inspections — and in practice, the most common reason a GMP site receives a data integrity observation is not that they were trying to falsify records. It is that their systems were not designed with these principles built in.
For an automation engineer, the important insight is that ALCOA+ is not something QA retrofits into a validated system after the fact. It is a design requirement. Every principle has a corresponding engineering implementation. If you are building a SCADA system and you have not thought about what "Contemporaneous" means for your historian's data buffering strategy, you have a gap that will either be caught during OQ or — worse — by an inspector during a site audit.
The QLean VP-SYS-001 Validation Plan requires that every ALCOA+ principle has a corresponding URS requirement and an OQ test case, linked through the Traceability Matrix. This is the right approach — ALCOA+ is not a section you write in one document, it is a thread that runs from design through testing.
Attributable — Every Action Must Be Traceable to a Named Individual
- Unique individual user accounts for every person who interacts with the system — no shared logins, no generic accounts like "OPERATOR1"
- Automatic audit trail capture of user ID for every GMP-relevant action — setpoint changes, batch record approvals, alarm acknowledgements
- Accounts disabled but not deleted when staff leave — the historical audit trail attribution must remain intact
- OQ test: change a setpoint with a named user account; verify the audit trail entry shows that user's ID, not a generic identifier
Legible — Records Must Be Readable for Their Entire Retention Period
- All GMP records exportable to PDF or CSV with engineering-unit labels, not raw tag values or binary codes
- Export includes all relevant fields: timestamp, user ID, parameter name with units, old value, new value, reason for change
- Report format documented and version-controlled — if the export format changes, a CCR and re-verification are required
- OQ test: export a batch of audit trail records; verify every field is present and human-readable in the exported file
Contemporaneous — Data Must Be Recorded at the Time of the Activity
- NTP time synchronisation to a validated server — all clocks on the OT network synchronised within ±30 seconds
- Any manual time change generates an audit trail entry and an alarm — and requires a documented justification
- PLC data buffering: if the historian connection is lost, process data is buffered locally in non-volatile memory and synchronised on restoration with original timestamps preserved — not re-timestamped on upload
- OQ test: simulate NTP server failure; verify an alarm is generated and the time deviation is logged
The most frequently cited contemporaneous violation in OT systems is not a malicious clock change — it is data buffering that re-timestamps records on upload rather than preserving the original capture timestamp. If your SCADA loses historian connectivity for 20 minutes and buffers 20 minutes of data, that data must be uploaded with its original timestamps. A record showing a temperature exceedance at 14:27 cannot arrive in the historian stamped 14:47 — that is a data integrity gap regardless of whether it was intentional.
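As an added illustration (not code from the page or from any QLean document), the buffering behaviour described above in Python, covering both the Contemporaneous requirement and the Complete gap-detection control discussed later: the same buffered records are uploaded once with their capture timestamps preserved and once re-timestamped, and a gap check shows the difference. The tag name, scan interval and timestamps are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
SCAN = timedelta(seconds=1)  # constructed: 1 s PLC scan interval

@dataclass(frozen=True)
class Record:
    tag: str
    value: float
    captured_at: datetime  # time the PLC sampled the value, never the upload time

class Historian:
    def __init__(self):
        self.records = []
        self.link_up = True

    def store(self, rec: Record) -> bool:
        if not self.link_up:
            return False  # link down: the caller must buffer locally
        self.records.append(rec)
        return True

class PlcBuffer:
    """Stand-in for the PLC's non-volatile buffer used while the historian link is down."""
    def __init__(self):
        self.pending = []

    def capture(self, hist: Historian, rec: Record) -> None:
        if not hist.store(rec):
            self.pending.append(rec)

    def flush(self, hist: Historian, upload_time: datetime, preserve: bool) -> None:
        # preserve=True keeps capture timestamps (ALCOA+); False is the re-timestamping failure
        for rec in self.pending:
            hist.store(rec if preserve else Record(rec.tag, rec.value, upload_time))
        self.pending.clear()

def find_gaps(records, scan: timedelta = SCAN):
    """Complete: (start, end) of every interval between samples longer than one scan."""
    ts = sorted(r.captured_at for r in records)
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > scan]

def simulate(preserve: bool) -> Historian:
    """Constructed run: six 1 s scans, historian link lost during scans 2-4, then flush."""
    hist, buf = Historian(), PlcBuffer()
    t0 = datetime(2024, 5, 1, 14, 27, 0)
    for i in range(6):
        hist.link_up = i not in (2, 3, 4)
        buf.capture(hist, Record("TT101", 72.4 + i * 0.1, t0 + i * SCAN))
    buf.flush(hist, upload_time=t0 + 5 * SCAN, preserve=preserve)
    return hist
```

With `preserve=False` the three buffered samples all arrive stamped with the upload second, so the gap check reports a four-second hole and four records share one timestamp; with `preserve=True` the record is continuous.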
Original — The First Capture Must Be Preserved Unaltered
- Historian database configured as append-only: existing records cannot be modified or deleted by any user, including administrators
- Administrator access to the audit trail is read-only — even the highest privilege user cannot alter historical entries
- Data correction workflow: original value retained, correction record created with reference to original, reason mandatory, approval required
- OQ test: attempt to modify a historical process value as an administrator; verify the attempt is blocked and the attempt itself is logged
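An added example, not code from the page or from any QLean document, of the append-only audit trail and correction workflow listed above, written in Python: modification attempts are refused and logged as entries in their own right, a correction references the original and requires a reason and an independent approver, and a per-entry hash chain gives the hash-match check the table at the end of the article asks for after a backup restore. Field names, user names and the timestamp are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, astuple
from datetime import datetime
import hashlib
GENESIS = "0" * 64
T0 = datetime(2024, 5, 1, 14, 27, 0)  # constructed sample timestamp
@dataclass(frozen=True)
class Entry:
    seq: int
    user: str
    action: str        # "record", "correction" or "blocked_modify"
    tag: str
    value: float | None
    reason: str
    ref: int | None    # seq of the original entry a correction or blocked attempt refers to
    prev_hash: str     # digest of the preceding entry, so any edit to history breaks the chain
    captured_at: datetime
    def digest(self) -> str:
        return hashlib.sha256(repr(astuple(self)).encode()).hexdigest()

class AuditTrail:
    """Append-only: no role, including administrator, can alter or delete an entry."""
    def __init__(self):
        self.entries: list[Entry] = []

    def _append(self, user, action, tag, value, reason, ref, when) -> Entry:
        prev = self.entries[-1].digest() if self.entries else GENESIS
        e = Entry(len(self.entries), user, action, tag, value, reason, ref, prev, when)
        self.entries.append(e)
        return e

    def record(self, user, tag, value, when) -> Entry:
        return self._append(user, "record", tag, value, "", None, when)

    def try_modify(self, user, seq, new_value, when) -> None:
        # OQ case from the text: the edit is refused and the attempt itself is logged.
        self._append(user, "blocked_modify", self.entries[seq].tag, new_value, "refused", seq, when)
        raise PermissionError("historical entries cannot be modified")

    def correct(self, user, approver, seq, new_value, reason, when) -> Entry:
        # Correction workflow: original kept, reason and independent approval mandatory.
        if not reason or not approver or approver == user:
            raise ValueError("correction needs a reason and an independent approver")
        return self._append(user, "correction", self.entries[seq].tag, new_value,
                            f"{reason}; approved by {approver}", seq, when)

    def verify_chain(self) -> bool:
        """Restore check: each prev_hash must equal the digest of the entry before it."""
        digests = [GENESIS] + [e.digest() for e in self.entries]
        return all(e.prev_hash == digests[e.seq] for e in self.entries)
```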
Accurate — Records Must Correctly Reflect the Process
- All GMP-critical instruments calibrated against traceable standards before commissioning and on a defined periodic schedule
- Calibration certificates retained as GMP records and referenced in the IQ for each instrument
- Instrument accuracy specification stated in the URS — the system must record within that tolerance
- OQ test: inject a known reference signal; verify the recorded value falls within the specified accuracy tolerance
The Plus Principles — Complete, Consistent, Enduring, Available
The four ALCOA+ extensions address the integrity of the record set over time, rather than individual record attributes. They are often less well understood by OT engineers because they relate more to system architecture decisions than to individual data points.
Complete means no data gaps. If the process was running, the historian was recording. A gap in the continuous process record — even a gap caused by a network outage, not human intervention — is a data integrity concern that must be explained and investigated. Data gap detection alarms and PLC buffering are the technical controls that implement this principle.
Consistent means timestamps and engineering units are consistent throughout the system. A temperature value displayed as 72.4°C on the HMI, stored as 72.4 in the historian, and exported as 72.4°C in the report — with the same timestamp in all three places — is consistent. Inconsistencies between the SCADA display and the historian record, or between historian time and report time, are Consistent violations that inspectors will identify when cross-referencing records.
Enduring means records are retained for the full required period and remain accessible throughout. For most GMP records in EU markets, this means a minimum of seven years total retention. The backup and recovery procedure must demonstrate that records can be retrieved at any point during that period, and the backup restoration test in the OQ must verify that retrieved records are complete and accurate.
Available means authorised users can access records when they need them — including during a regulatory inspection. An inspector who asks to see the audit trail for a specific batch on a specific date must be able to receive that information within a reasonable timeframe. A system where audit trail retrieval requires a specialist and takes two days is not Available in the ALCOA+ sense.
VP-SYS-001 Section 9 provides an ALCOA+ compliance framework table mapping every principle to its system requirement, implementation approach, and verification phase. URS-SYS-001 Section 2.3 contains the corresponding data integrity requirements (URS-GEN-012 through URS-GEN-019) that translate each principle into testable URS statements. CP-SYS-001 Section 6 defines the data recording strategy, audit trail architecture, data buffering approach, and retention requirements that implement ALCOA+ at the design level.
The OQ Connection — Every Principle Needs a Test Case
Understanding ALCOA+ is necessary but not sufficient. The validation package must demonstrate that every principle is implemented — which means every principle must have at least one OQ test case that verifies it. The Traceability Matrix should show the chain from each ALCOA+ principle to its URS requirement to its OQ test case.
The test cases that inspectors look for most closely are the adversarial ones: what happens when someone tries to modify a historical record? What happens when the clock is changed manually? What happens when the network connection is lost? These are not hypothetical scenarios — they are the scenarios that distinguish a system designed for data integrity from one that has ALCOA+ written in a document but not implemented in engineering.
| Principle | OT System Requirement | Key OQ Test Case | Common Failure Mode |
|---|---|---|---|
| Attributable | Unique individual user accounts; audit trail captures user ID | Change setpoint; verify audit trail shows named user, not generic ID | Shared accounts, generic logins |
| Legible | GMP records exportable to PDF/CSV with labels and units | Export audit trail; verify all fields present and human-readable | Proprietary binary format, raw tag values |
| Contemporaneous | NTP sync ±30s; buffer timestamps preserved on upload | Simulate NTP failure; verify alarm and log entry generated | Re-timestamping buffered data on upload |
| Original | Append-only historian; no modification by any user | Attempt to modify historical value as admin; verify blocked and logged | Admin override capability on historian |
| Accurate | Calibrated instruments to specification in URS | Inject reference signal; verify recorded value within tolerance | Uncalibrated instruments, no calibration traceability |
| Complete | Data gap alarm; PLC buffering during comms loss | Disconnect historian; restore; verify no data gap and no re-timestamping | No buffer, gaps accepted without investigation |
| Consistent | NTP sync across all nodes; consistent units HMI/historian/report | Cross-reference HMI value, historian value, and exported report value | Time skew between nodes, unit conversion errors |
| Enduring | 7-year retention with tested backup restore | Restore from backup; verify record completeness and hash match | No verified backup, retention period not tested |
| Available | Audit trail searchable and exportable within a defined time | Retrieve specific batch audit trail; verify retrieval within defined timeframe | No search function, specialist required for export |