ALCOA++ Without the Buzzwords: Practical Controls for Each Attribute

ALCOA++ expresses the qualities regulators expect of records: Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, Available. Below are pragmatic controls and evidence checks teams can adopt across paper and electronic environments.

• Attributable. Every entry identifies who did what. Controls: unique logins; signature/initials with printed name and role; eSource audit trails capturing user ID; delegation-of-duties mapping to tasks. Evidence: monitors can pull a credentials packet (DoD + training + user access) and trace a task back to an authorized person.
• Legible. Records are readable and unambiguous. Controls: block caps for paper; no gel pens; approved abbreviations; structured eSource fields where possible; scans at ≥300 dpi when certifying copies. Evidence: sample packets remain readable after scanning/printing and across light/dark modes.
• Contemporaneous. Capture at the time of activity or as soon as practical. Controls: time-stamped entries; automatic device timestamps; “late entry” conventions with reason; prohibition on undocumented transcribing from scratch later. Evidence: time deltas between procedure and entry are reasonable; late entries explain delay.
• Original. The first capture or a verified certified copy. Controls: define system-of-record; certification workflow that preserves metadata (hash/checksum, timestamp, author); forbid “screen photos” as evidence unless part of a validated capture process. Evidence: chain-of-custody for copies; auto-generated certification statements in exports.
• Accurate. Correct, verified values with correct units and context. Controls: calibration logs; range checks; unit locks; double-checks for critical calculations (e.g., dose based on weight); cross-reference keys (accession numbers, DICOM IDs) for reconciliation. Evidence: no unexplained unit flips; outliers investigated; calibration current.
• Complete. Nothing material is missing. Controls: visit checklists; eSource required fields for CtQ elements; “none”/“not done” statements rather than blank cells; capture of reasons for missingness. Evidence: primary endpoint packets have every required element or a documented reason.
• Consistent. Entries align across time, systems, and narrative. Controls: data lineage diagrams; reconciliation routines (EDC↔LIMS, EDC↔imaging, eCOA↔portal, IRT↔pharmacy); version registries for devices/firmware; time-zone rules (store local time and UTC offset). Evidence: case-level reconciliations show identity/time/value matches or documented exceptions.
• Enduring. Records persist intact through retention period. Controls: PDF/A for static documents; validated exports for audit trails; secure, redundant storage; documented viewer software for DICOM/ECG; environmental controls for paper (humidity/temperature). Evidence: retrieval drills succeed years later; checksums unchanged.
• Available. Retrievable when needed. Controls: TMF/ISF indexing; metadata with participant/site keys; access-control rosters; retrieval job aids (how to pull audit trails, eCOA logs, device exports). Evidence: inspectors receive requested artifacts in minutes, not days.

Corrections that persuade reviewers. Paper: single-line strike-through, keep original legible, date/initial and reason. Electronic: amendment entries with “who/what/when/why,” prior values preserved, and justification. Never “overwrite” without trace; never backdate. Encourage note-to-file only when it clarifies context, not to replace missing source.

Blinding preserved in records. IP/device documentation, supply notes, and pharmacy logs use arm-agnostic language; randomization keys and kit mappings live in restricted areas with controlled access. If a source entry could reveal treatment, route details to unblinded systems/roles and maintain a blinded-safe summary for the main file.

Equity and accessibility inside ALCOA++. Source integrity is also about inclusive capture: interpreter used (yes/no, language), accommodations offered (transport, evening slots, home visits), and accessible eConsent/ePRO design. These reduce missingness and align with public-health expectations from the WHO and regional authorities.

From Clinic Devices to Cloud Platforms: eSource, Certified Copies, and Traceability

eSource expectations that hold up globally. When data originate electronically (EDC direct capture, eSource app, eCOA, connected devices, EMR, imaging consoles), the system must be validated to intended use; users uniquely identified; audit trails tamper-evident; time synchronized; and exports capable of producing certified copies. These principles are recognizable to FDA and EMA reviewers, as well as PMDA and TGA.

Certified copy workflow—make it boring and repeatable. A sound process answers five questions: who certifies; what is being copied; how integrity is preserved; where the copy is filed; and how to link back to the participant and event. Practical steps:

1. Export from the system of record using a controlled, versioned report that includes human-readable content and metadata (dates with UTC offset, units, device/firmware, user IDs).
2. Embed a certification statement (automated or attested) with date/time, system, and hash/checksum (or equivalent integrity indicator).
3. Apply naming and indexing rules (study–site–subject–visit–artifact type) so the copy lands in the right TMF/ISF node.
4. Record the cross-reference keys used for reconciliation (e.g., LIMS accession ↔ EDC result; DICOM case ID ↔ read).
5. Validate retrieval: demonstrate you can reproduce the copy and audit trail on demand.

Data lineage ties the story together. Build a simple diagram that traces each critical datum from origin to analysis—origin → verification → system of record → transformation rules → analysis dataset. Identify reconciliation keys at the points where data cross organizational or system boundaries (participant ID + date/time + accession number or device serial; IRT kit ↔ participant). File the diagram in the TMF and mirror site-relevant snippets in the ISF so monitors can follow the thread without guesswork.

Time discipline across zones and devices. A common inspection finding is window misinterpretation due to time zones. Standardize to record both local time and UTC offset in source and systems. Sync devices daily; log the “time-last-synced” value; and ensure CRF windows reference the correct zone. When home-health or participants travel, confirm the local time used for endpoints and safety clocks; if a hand-entered time is corrected, document reason and impact.

Imaging and waveforms. For DICOM imaging and ECG files, preserve originals with viewer software/version noted; record scanner make/model/field strength, acquisition parameters, and phantom checks. Certified copies should render the clinical meaning and preserve key metadata. Central readers’ adjudications must link back to the same DICOM case ID and subject/visit keys.

Wearables and sensors. Treat raw sensor files as source when they are the first capture. Keep device serials/firmware, sampling rate, and validation/placement notes. If vendor platforms pre-process data, file the transformation rules (filters, thresholds) and version history. Provide a path for monitors to inspect a sample file and audit trail without breaching privacy or proprietary code.

ePRO/eCOA diaries. Ensure device provisioning records (serial, language pack), activation logs, and reminder cadence are on file. Diary timestamps should state the participant’s local time with offset; audit trails show prompts, opens, completions, and edits. For missed entries, document the reason (e.g., travel, illness) and use protocol-allowed make-ups without biasing the endpoint.

Corrections and data changes. Paper: strike-through, initial/date, reason; keep original visible. Electronic: corrections are new audit-trailed entries; prior values intact; reason codes meaningful. For third-party systems, ask vendors to provide point-in-time extracts and change logs for sampled records so monitors can verify that corrections follow controlled processes.

Privacy and security by design. Source and certified copies must respect HIPAA and GDPR/UK-GDPR: minimum-necessary data, pseudonymization where feasible, encryption in transit/at rest, and documented cross-border mechanisms. When vendor portals host PHI outside the originating country, file the contractual safeguards and notification clocks. Public resources from the EMA and FDA can help benchmark expectations.

Operating Controls, KPIs & QTLs: Proving Source Integrity Day In, Day Out

Right-size your controls to risk. Apply a risk-based mindset: high-impact data (consent validity, eligibility evidence, primary endpoint timing, IP/device integrity, safety clocks) get the strongest process controls and monitoring attention. Lower-impact operational data may use sampling. This proportionality aligns with the principles approach in ICH guidance and is recognizable to global regulators (FDA, EMA, PMDA, TGA, WHO).

Monitoring that follows the signals. Combine centralized analytics (detect window heaping, diary adherence dips, outlier labs, device parameter drift) with targeted on-site or remote source review. Define what is always checked (consent/eligibility, endpoint timing, IP/accountability, safety clocks) and what triggers expansion (fabrication signals, systemic errors). Follow-up letters should state the source documents inspected, findings, impact on endpoints, and required CAPA with owners/dates.

KPIs and KRIs that matter for source.

• Consent quality rate: ≥99% correct version and timing; re-consent cycle time ≤10 business days after amendment.
• Eligibility precision: ≤2% misclassification; each criterion evidenced in dated source within window.
• Primary endpoint on-time: ≥95% within window; heaping near edges investigated and mitigated.
• Source↔CRF concordance: ≥98% match for CtQ fields; query median age ≤7 days.
• Third-party reconciliation: ≥98% identity/time/value match for LIMS, imaging, ECG, eCOA vs. EDC; exceptions categorized and resolved.
• Audit-trail retrieval success: 100% for sampled systems without vendor intervention.
• IP/device integrity: temperature excursion rate ≤1 per 100 storage days with scientific disposition; reconciliation discrepancies resolved ≤1 business day.
• Access hygiene: same-day deactivation on staff departure; quarterly user-access attestations completed.

Quality Tolerance Limits (QTLs) that trigger governance. Examples at study level: “0 use of superseded consent versions”; “primary endpoint on-time ≥92–95% depending on risk”; “audit-trail retrieval success 100% for sampled flows”; “eligibility misclassification ≤2% (critical if any ineligible randomized).” Breaches initiate documented governance, root cause analysis (beyond “human error”), and system-level CAPA (e.g., add imaging capacity, enforce eConsent hard-stops, fix time-sync issues).

Common findings—and durable fixes.

• Ambiguous time stamps: store local time + UTC offset; sync devices; train on time-zone handling; update CRF and job aids.
• Missing source for a criterion: add eligibility packet checklists; require investigator sign-off before randomization.
• Screen shots as “source”: replace with controlled certified-copy exports preserving metadata and integrity indicators.
• Inconsistent units or reference ranges: lock units in eSource/EDC; file range-change notices from labs; annotate effective dates in source.
• Diary non-adherence: enable loaners; adjust reminder cadence; human follow-up within 48 hours; document reasons for missingness.
• Audit-trail gaps: require vendor demonstration of retrieval; file job aids; perform periodic dry-runs.
• Blinding risks in pharmacy notes: arm-agnostic language; restricted unblinded files; firewall communications.

Inspection-ready file architecture. Organize TMF/ISF so reviewers reconstruct source integrity fast:

• Source Documentation Plan (systems of record, certification workflow, reconciliation keys).
• Data lineage diagram for CtQ data streams; vendor validation summaries; device version registries.
• Consent packets (all languages/modes) with version histories and re-consent evidence.
• Eligibility packets with dated source; endpoint timing checklists with time-zone declarations.
• Third-party reconciliations (LIMS/imaging/ECG/eCOA) with exception logs and resolutions.
• Audit-trail retrieval procedures and sampled outputs; privacy artifacts (HIPAA/GDPR/UK-GDPR) matching real flows.
• Monitoring letters with impact statements; deviation/CAPA logs with effectiveness checks.

Quick-start checklist (study-ready).

• Define systems of record per datum; publish a concise Source Documentation Plan.
• Implement ALCOA++ controls; train staff on corrections, time zones, and attribution.
• Stand up certified-copy workflows that preserve metadata and integrity indicators.
• Map data lineage and reconciliation keys; schedule and file reconciliations.
• Validate eSource/eCOA/EDC/IRT/imaging; ensure audit-trail retrieval without vendor help.
• Monitor CtQ KPIs/KRIs; set QTLs; act on breaches with system-level CAPA and effectiveness checks.
• Keep TMF/ISF ready with rapid-pull indices for source, reconciliations, and audit trails—coherent to ICH principles and recognizable to FDA, EMA, PMDA, TGA, and WHO reviewers.

Bottom line. Source data are not just “where you wrote it down.” They are the evidence that your trial was ethical, controlled, and scientifically credible. When you define systems of record, operationalize ALCOA++, preserve traceability across vendors and devices, and measure performance with meaningful thresholds, you protect participants and generate data that withstand global scrutiny.