Data Integrity in Calibrations: ALCOA+, Audit Trail, and Part 11
Data Integrity in Calibrations: from Excel to Part 11 systems without losing control
The most common scenario that creates “easy” findings
During an audit, the issue I see most often is not a poorly executed calibration. It is a record that was made too easily.
The inspector asks for a calibration trend on a critical sensor. The team opens an Excel file. The inspector asks a simple question:
“Who changed this cell, and when?”
If you cannot answer with an audit trail, you have just turned a technically correct calibration into a Data Integrity risk.
And the point is brutal: without Data Integrity, there is no compliance, because your data are not defensible.
The myth to dismantle, because it is everywhere
Myth: “It is enough to print the Excel file and sign it. Then it is GMP.”
Why this is inefficient and risky: because in many cases the Excel file remains:
- a perpetual draft, copied and pasted, with no version control
- editable without traceability, because there is no true audit trail
- unmanaged in terms of access, roles, and approvals
Result: when you really need it, during a deviation, complaint, or inspection, it does not hold up.
ALCOA+ applied to calibrations, without poster-level theory
ALCOA+ is not a slogan. It is an operational checklist.
Practical examples on calibration records
Attributable: every entry must have a unique user ID plus signature, manual or electronic
Legible: certificates must be readable, with no unreadable scans or “WhatsApp-style” photos
Contemporaneous: recording must happen at the time of the activity, not through backdating
Original: you retain the original record, or a controlled PDF, not just a transcription
Accurate: data must be consistent, formulas verified, with no blind copy-paste
Complete: include as found, conditions, standards used, result, and review
Consistent: formats and conventions must always be the same, including instrument IDs and units
Enduring: records must be retained and protected for the defined retention period
Available: records must be retrievable in minutes, not “maybe it is on that PC”
In the GuideGxP guide, this concept is explicitly recalled in relation to logbooks and document management, including numbered pages and disciplined completion practices.
Where Data Integrity breaks in calibration activities, real patterns
1. Uncontrolled templates
Calibration forms are “customized” by the technician depending on the day. Fields, criteria, and layout change. That makes robust review impossible.
2. No segregation of duties
The same person:
- enters the data
- “adjusts” the result
- approves it
Without segregation of duties, this is an immediate red flag for any inspector.
3. Unreliable timestamps
If the system does not have controlled timestamps, or if PCs are not synchronized through NTP time sync, the “when” becomes debatable. And in Data Integrity, debatable means vulnerable.
Paper, Excel, or a dedicated system? A very practical decision table
| Solution | Advantages | Hidden risks | When it is acceptable | Minimum non-negotiable controls |
|---|---|---|---|---|
| Paper logbooks | simple, immediate | missing pages, unmanaged corrections, slow archiving | low volume, small site, stable instruments | bound book, numbered pages, indelible pen, single-line corrections, signatures and dates |
| Excel / spreadsheets | fast, flexible | no real audit trail, multiple copies, modified formulas | only if treated as a controlled record | controlled template, restricted access, version control, print + signature, QA review, no local files |
| CMMS / Calibration Management System | workflow, audit trail, reports | if not validated, it creates an even bigger risk | medium/high volume, multi-department use, strict requirements | RBAC, active audit trail, e-signature, validation package, SOP for audit trail review, tested backup/restore |
What to remember
This is not about paper versus digital. It is about whether you can demonstrate who did what, when, and why.
Digital without CSV or validation can be worse than paper, because it is harder to defend.
If you use Excel today, how to make it defensible without lying to yourself
I am not saying “Excel is forbidden.” It is not. I am saying Excel is often used badly.
Pragmatic countermeasures
- controlled template under document control, with revision and QA approval
- protected calculated cells plus formula verification, to reduce unintentional manipulation
- storage in a controlled repository, not on desktops
- final output as PDF plus signature, manual or electronic
- distribution and access register, clearly defining who can edit
- periodic review of the file as a GMP record
Contrarian insight: many companies convince themselves that “password on Excel = compliance.” In an audit, that belief collapses in 30 seconds.
When you move to a CMMS, the mistake I see most often
Typical mistake: “It is commercial software, so it is already compliant.”
No. It is a GxP computerized system, so it must be managed in a validated state.
What I expect to see, at minimum, in a serious audit
- URS, User Requirements Specification: what it must do, and what it must not do
- Risk assessment: critical functions such as audit trail, signatures, OOT management, reporting
- Supplier assessment: supplier qualification
- Configuration management: what is configuration versus custom
- IQ/OQ: installation, permissions, audit trail, e-signatures
- Targeted UAT: real workflow execution, review, approval
- Verified data migration: if historical data are imported, consistency and completeness must be demonstrated
- Operational SOPs, including:
- audit trail review, who performs it and how often
- periodic user access review
- tested backup and restore
- exception handling / exception reports
- record retention
This approach is fully consistent with the GuideGxP logic around electronic systems and Data Integrity, with specific attention to audit trail, traceability, and the risk of “adjusting” records without QA visibility.
The QA perspective, which is often missing in CMMS projects
From a QA perspective, the risk is not “the system does not work.” The real risk is:
- the system works, but you cannot demonstrate governance over roles, reviews, and traceability
- the audit trail exists, but nobody reviews it
- the electronic signature exists, but it is not linked to responsibility and training
A CMMS without QA oversight becomes a digital archive of problems.
Final checklist: 12 audit questions on calibrations and Data Integrity
- Who can create or modify a record? RBAC
- Who performs and who approves? Segregation of duties
- Is there an active audit trail that cannot be disabled?
- Who performs audit trail review, and at what frequency?
- How do you manage corrections? Never overwrite without traceability
- Is the timestamp reliable? Time synchronization, NTP
- How do you ensure record retention and retrievability?
- Backup and restore: do you have test evidence?
- How do you prevent offline records, uncontrolled prints, or local copies?
- Are external certificates formally reviewed and accepted?
- Is the historical record coherent, with no gaps and no duplicate IDs?
- Is personnel training documented and traceable?
Data Integrity in calibrations is not IT bureaucracy. It is the minimum condition needed to say:
- “This instrument was under control.”
- “This data set is reliable.”
- “This GMP decision is defensible.”
If you want to reduce easy findings and increase real robustness, this is where the step change happens: control the records, the access, the audit trail, and the workflow.
👉 For a complete framework covering calibrations, logbooks, electronic systems, audits, and integration with validation, the GuideGxP guide is a practical accelerator with examples and ready-to-use models.