Most teams in pharmaceutical and clinical research know ALCOA. Many know ALCOA+. Fewer have fully reckoned with ALCOA++ — the ten-principle framework that adds "Traceable" as a distinct requirement and is now being codified in binding regulation for the first time.
If you're building or auditing audit trail practices for electronic records in 2026, ALCOA++ data integrity is the current standard you're being measured against. This post explains what changed, what "Traceable" actually demands from your systems, and where the gaps typically appear when an FDA investigator or EU inspector shows up.
Key Takeaways
- ALCOA++ adds Traceable as the tenth data integrity principle, requiring full record-history reconstruction.
- EU GMP Chapter 4 July 2025 draft codifies ALCOA++ in binding regulation for the first time.
- Traceable maps to Part 11 §11.10(e) audit trail requirements but extends to all GxP data, not just FDA-regulated electronic records.
- Common 483 patterns: audit trails not enabled, missing old values, user-adjustable timestamps, admin-modifiable trails, undocumented review.
- A compliant system needs automatic generation, server-side timestamps, cryptographic integrity, old-value preservation, and documented periodic review.
From ALCOA to ALCOA+: A Quick History
ALCOA as a framework dates to the early 1990s, when FDA's Stan Woollen articulated the five core principles for GxP data: Attributable, Legible, Contemporaneous, Original, and Accurate. Those five principles were enough when most records were paper. They gave investigators a simple checklist to assess whether a batch record or a case report form could be trusted.
As records moved into electronic systems, ALCOA showed its age. Electronic data isn't just a record you can read — it's a record with metadata, with timestamps that might be set by the user's local machine, with modification histories that exist somewhere in a database log but may never surface in a readable form. The original five principles didn't say anything about whether data had to be complete, whether it had to remain usable throughout its retention period, or whether it had to be accessible for inspection on demand.
ALCOA+ addressed that. The "plus" added four principles: Complete, Consistent, Enduring, and Available When Needed. Regulatory bodies including FDA and EMA incorporated ALCOA+ into data integrity guidance documents through the 2010s. The FDA's 2018 CGMP guidance on data integrity explicitly references ALCOA+ as the framework for what "complete, consistent, and accurate" means in practice.
But ALCOA+ still had a gap. It said data must be attributable (linked to who did what) and accurate (reflecting what actually happened), but it didn't explicitly require that you be able to reconstruct the full history of a record — to show not just what a record says now, but every state it passed through from creation to the present. That's the job of the tenth principle.
What "Traceable" Means in ALCOA++ Data Integrity
The EMA introduced ALCOA++ in 2023, adding Traceable as the tenth principle. The EU GMP Chapter 4 draft revision released in July 2025 codifies all ten principles in binding language for the first time, with a comment period that closed in October 2025. Final implementation is expected in 2026.
Here's what Traceable means in practice: any change to data or metadata must not obscure the original record, and must be captured in a way that enables the complete history of the record to be reconstructed. It's not enough to know who created a record and when. You need to know every modification, every reviewer action, every signature event — in sequence, with enough attribution and timestamping to reconstruct the record's full lifecycle.
This is different from "Attributable," which asks who created or modified the record. Traceable asks whether you can follow the record's complete history: creation, modification, review, signature, archival, and eventually destruction. Every link in that chain has to exist and be reconstructable.
For electronic systems, this translates into specific requirements:
- Unbroken audit trail from creation to archive. Every modification to a regulated record must appear in the audit trail, including changes to metadata. A system that captures creation and final signature events but drops intermediate review actions doesn't meet Traceable.
- Old value capture. When a field is modified, the audit trail must record what the field contained before the change, not just what it contains afterward. An audit trail that shows only the current value of a modified field gives you attribution (who changed it) but not traceability (what it was before).
- Immutable, sequenced entries. Audit trail entries must be generated automatically, timestamped to an external time standard (not the user's local clock), and protected from modification by anyone — including system administrators. An audit trail that an admin can edit is not an audit trail in any meaningful sense.
- Complete metadata preservation. In electronic systems, records carry metadata that is often as significant as the data itself: who accessed the record, when it was transmitted, which version was used for a regulatory submission. ALCOA++ Traceable extends to that metadata, not just the visible record content.
How ALCOA++ Maps to 21 CFR Part 11
Part 11 and ALCOA++ aren't separate frameworks that happen to overlap — they're largely addressing the same underlying compliance objective from different angles. Part 11 is the regulatory mechanism; ALCOA++ is the conceptual framework that explains what the regulation is trying to achieve.
The mapping is direct:
§11.10(e) — Audit trails.The Part 11 audit trail requirement is the primary implementation mechanism for ALCOA++ Traceable. Systems must "use computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records." The "old value, new value" requirement embedded in FDA's data integrity guidance flows from the same principle.
§11.10(d) — Access controls. Part 11 requires that system access be limited to authorized individuals. This is how Attributable gets implemented: if unique user IDs are enforced and audit trails capture user identity, you can attribute every action to a specific person.
§11.10(c) — Record protection.Electronic records must be protected to enable their accurate and ready retrieval throughout the retention period. This is Enduring and Available. A system that generates complete records but can't reliably retrieve them for inspection doesn't satisfy either principle.
§11.50 — Signature manifestations.Every electronic signature event must capture the signer's name, the date and time of signing, and the meaning of the signature. That's the signature layer of Traceable — you need to know not just that a record was signed, but who signed it, when, and why.
Where ALCOA++ goes beyond Part 11 is in the completeness of its scope. Part 11 applies specifically to electronic records used under FDA predicate rules. ALCOA++ applies to all GxP data, including paper records in hybrid systems, instrument-generated data, and data held in non-validated laboratory systems. If you're in a GMP environment with paper batch records and a Part 11-compliant LIMS, both systems are subject to ALCOA++ — only one is subject to Part 11.
Where Audit Trails Fail the Traceable Test
Most regulatory audit trail findings aren't about missing audit trail technology. The technology exists and most modern electronic systems generate some form of audit trail. The findings are about gaps in what the audit trail captures and whether it's actually being reviewed.
Here are the patterns that show up repeatedly in FDA 483 observations and warning letters:
Audit trails not enabled. Surprising but common. The system has audit trail functionality, but it was never turned on in production — or it was enabled but scoped only to certain record types, leaving others untracked. A 2024 BIMO inspection finding cited a sponsor for generating 144 primary efficacy assessment values with no source documentation. The data existed; the trail back to its origin did not.
Missing old values.The audit trail records that a field was changed and who changed it, but the previous value isn't captured. This is often a configuration gap rather than a system limitation. The system can capture old values — it just wasn't configured to do so.
User-adjustable timestamps.If a system uses the local workstation clock for timestamps rather than a server-side or NTP-synchronized time source, users can backdate entries by changing their computer's clock. This is a direct violation of Contemporaneous and Traceable. FDA has cited this in CGMP inspections.
Admin-modifiable audit trails. The audit trail exists and is complete, but a system administrator can edit or delete entries from the backend. This is a critical vulnerability. Under ALCOA++ Traceable, no user — including administrators — should be able to modify audit trail entries once created.
Audit trail review not documented.The system generates a complete, immutable audit trail. Nobody has formally reviewed it on a defined schedule, and there's no documentation that reviews have occurred. Part 11 requires that audit trails be reviewed by QA; the review schedule, scope, and completion records must exist. "Audit trails not reviewed" is one of the most consistently cited phrases in FDA data integrity 483 observations.
Scope gaps in hybrid environments.An organization runs an electronic system for signatures and tracking, but paper records exist in parallel — lab notebooks, paper CRFs from legacy studies, site-specific worksheets. ALCOA++ applies to those paper records too. If the paper records can't be linked to the electronic record history (and vice versa), the full lifecycle trace doesn't exist.
The EU GMP Chapter 4 Shift: What Changes in 2026
The July 2025 draft revision of EU GMP Chapter 4 is significant because it's the first time ALCOA++ has been formalized in binding GMP regulation rather than guidance. The draft grew from 9 to 17 pages; roughly half the content was rewritten.
For electronic records specifically, the draft:
- Codifies all ten ALCOA++ attributes with formal definitions, including Traceable
- Explicitly recognizes electronic signatures as legally binding, provided they meet ALCOA++ requirements
- Provides specific requirements for hybrid systems (sections 4.82-4.85), acknowledging that many GMP organizations run mixed paper-electronic environments and need defined controls for both
- Requires that audit trail review be "risk-based, proactive, and ongoing" — not just periodic retrospective checks
The draft also aligns with PIC/S guidance and ICH E6(R3), the clinical trial standard finalized in January 2025. Organizations that operate across FDA and EU jurisdictions will need audit trail practices that satisfy both — and those requirements are converging on the same standard: complete, immutable, systematically reviewed, and traceable end to end.
What a Traceable System Looks Like in Practice
A system that satisfies ALCOA++ Traceable for regulated records needs to do several things that many general-purpose software tools don't do out of the box:
Automatic audit trail generation.Audit trail entries are created by the system without user action. The user cannot suppress an audit trail entry, and the audit trail runs even when the user doesn't know they're being tracked.
External time synchronization.Timestamps are generated server-side and synchronized to an external time standard (NTP or UTC). User-side clocks don't influence the record's timestamp.
Cryptographic integrity protection. In purpose-built Part 11 systems, audit trail entries are often protected by hash chains or digital signatures that make undetected modification mathematically infeasible. When an investigator pulls the audit trail, they can verify that no entry has been altered since it was created.
Old value preservation. Every modification event captures both the previous value and the new value for each modified field, along with the reason for change where required by the applicable predicate rule.
Full lifecycle coverage.The audit trail tracks the record from creation through every modification, every review action, every signature event, and every export or transmission — not just the "critical" events as defined by someone inside the organization.
Documented periodic review. The system supports a structured audit trail review workflow where QA reviewers can filter, export, and document their reviews — and those review completion records become part of the quality record for the system.
Internal Connections
The ALCOA++ framework doesn't stand alone in a compliance program. It connects directly to the other documentation your organization maintains:
Your electronic signature SOPsneed to describe how audit trail review is conducted, who is responsible, how often it happens, and what a reviewer does when they find an anomaly. If the SOP doesn't cover that, the procedure for one of Part 11's most frequently cited controls is missing.
Your system validation — whether traditional IQ/OQ/PQ or the CSA risk-based approach — needs explicit test cases that verify Traceable: that old values are captured, that admin modification is prevented, that timestamps are server-generated, and that the audit trail runs automatically. Those test cases are part of the IQ OQ PQ validation package for any Part 11 system.
And the ALCOA audit trail software requirements post covers what to look for in a platform — which controls should be standard features, not configuration add-ons.
Certivo's audit trail is built to satisfy ALCOA++ Traceable out of the box: automatic, immutable, hash-chained, timestamped server-side, with old value capture on every modification and a built-in audit trail review workflow for QA. If you want to see the audit trail architecture and how it maps to the ALCOA++ framework, visit the compliance page or get in touch.