ALCOA is a common acronym for representing data integrity by meeting the following criteria:

  • Attributable / attributable (i.e., source identification – human or technology)
  • Legible / readable (and understandable)
  • Contemporaneous (i.e. immediately recorded)
  • Original (handwritten records or certified / true copies)
  • Accurate (that means, no change (cave: permission correct?) or no change without justification)

In the literature, additional criteria are often cited leading to acronyms such as e.g. ALCOA (+) or ALCOA CCEA:

  • Complete (i.e., all process-relevant data for robust decision-making)
  • Consistent (relevant data are recorded in the correct chronological order and with correct timestamps)
  • Enduring / permanent (recorded on appropriate media – i.e. no sticky notes, back pages, loose uncontrolled sheets, flat files or USB sticks)
  • Available (i.e., data is available over the entire data lifecycle – e.g. for audits, inspections, reviews)


If you need more information about ALCOA contact us here or inform yourself on the Website of ISPE.

An Audit is a systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which agreed criteria are fulfilled.

If you need more information about audits please contact us here.

Generating the program code to create software modules. The coding is subject to programming guidelines, which define the quality requirements for code generation and thus ensure the traceability of the program code. The correctness of the generated code is verified in the module test. Compliance with programming standards is verified on the basis of code reviews.

If you want to get more information about coding please contact us here.

A Computer is a functional unit that can perform substantial computations, including numerous arithmetic operations and logic operations without human intervention.

If you need more information please contact us here.

The CSA approach is a method to scale the documentation efforts for test activities according to risk associated with the function to be tested. High-Risk functions should be tested more extensively with higher control in a fully scripted test. Low risk functions can be tested more informally with minimal documentation. The basis for the CSA approach is a comprehensive understanding of the process and function as well as the associated risks for the patient or the product. The CSA approach can be applied during the entire computerized system life cycle, including software development as long as the risk are understood and documented.
The CSA principles should be applied to all computer systems involved in manufacturing a medical device (and medicinal products) or the associated quality systems (e.g. ERP, LIMS, etc.). Software that is itself a component of a medical device is explicitly excluded.
The main steps of the CSA approach are:
• Define the Intended Use (at a system and/or function level)
• Define the risk-based approach for assuring the quality of the software
• Define the appropriate testing activities
In all of these steps, the CSA approach emphasizes the need for critical thinking when developing the life-cycle strategy of a computerized system, especially in terms of the scope and depth of the associated testing and documentation activities.
If you want to have more information about Computer Software Assurance contact us here

A Computerized System is a broad range of systems including, but not limited to, automated laboratory equipment, laboratory information management, clinical trials data management, vigilance systems, process control and process analytics, manufacturing resource planning, automated manufacturing equipment, manufacturing execution, and document management systems. The computerized system consists of the hardware, software, and network components, together with the controlled functions and associated processes, trained people, qualified equipment and specifications and records.

If you want to have more information about computerized Systems please contact us here or inform yourself on the Website of the ISPE.

Computerized system validation describes achieving and maintaining compliance with applicable GxP and Medical Device regulations and establishing documented evidence that the system is fit for intended use by:

  • the adoption of principles, approaches, and life cycle activities within the validation framework by executing project specific validation plans
  • establishing and applying appropriate operational controls throughout the life of the system

If you need more information about computerized system validation please contact us here.

A Computersystem is a system containing one or more computers (or hardware components) and associated software.

If you need more information about computersystems contact us here.

Critical thinking is a systematic, rational, and disciplined process of evaluating information from a variety of perspectives to yield a balanced and well-reasoned answer.
Critical thinking promotes informed decision-making and good judgment about where and how to apply and scale quality and compliance activities for computerized systems based on the risks associated with them.
A better understanding of the risks leads to greater confidence in assessing and controlling those risks, thereby supporting robust scaling of controls and validation activities.
If you want more information about critical thinking contact us here or get some information from the ISPE.

Data generally denotes facts, values (numerical or otherwise) or recordable findings, such as those obtained by measurements or observation.

If you need more information about data contact us here.

Data integrity is the degree to which a collection of data is complete, consistent and accurate throughout the data lifecycle. The collected data should meet the ALCOA criteria. Ensuring data integrity requires appropriate quality and risk management systems and compliance with good documentation practices.

If you need more information about data integrity contact us here.

Data life cycle is a planned approach to assessing and managing data risks in a way that reflects the potential impact on

  • Product quality,
  • Patient safety and/or
  • the reliability of the decisions taken

in all phases of the process in which data is

  • created,
  • processed,
  • checked,
  • analyzed,
  • reported,
  • transferred,
  • saved and
  • retrieved

and which is continuously monitored.

If you need more information about Data life cycle contact us here.

Electronic record describes any combination of text, graphics, data, audio, images or other informational representations in digital format generated, modified, maintained, archived, accessed or distributed by computerized systems.

If you want more information about electronic record contact us here.

Integration describes the building of hardware and/or implementation of software components to create a complete system. Integration tests check the function and interaction of the individual components.

For more information about integration contact us here.

Process is a set of interrelated or interacting activities which transform inputs into outputs.

If you need more details about process contact us here.

Process validation means establishing documented evidence which provides a high degree of assurance that a specific process will consistently produce a product meeting its pre-determined specifications and quality attributes.

For more information and details about process validation contact us here.



QFINITY provides expertise and support for pharmaceutical and medical device companies along the entire product or service lifecycle. Our focus is on developing and optimizing quality management system and IT system strategies to support continuous improvement, (business) process management and optimization through application of technology, ensuring (e)data quality and data integrity, as well as validation and qualification of computerized systems incl. requirements for electronic records and signatures (ERES).  QFINITY offers an integrated service portfolio especially tailored to companies and universities active in the GCP (clinical trials) and GMP (pharmaceutical manufacturing) fields. Our portfolio includes training, audits, consulting and project management. Through our activities in international associations such as ISPE, RQA, VDI and DIA, QFINITY is well-acquainted with both current and developing standards. As an independent consultancy without affiliation with any particular manufacturer or product, QFINITY is able to tailor the scale and scope of the services provided to the individual needs of each client. 

If you want more information about us as a company or our services contact us here.


The term quality is derived from the Latin word “qualitas”, which means characteristic, feature, property or condition. In other words, the term quality defines the degree to which a set of inherent features of an object meets requirements. Inherent means “intrinsic to a particular unit”.

If you want more information about quality contact us here.

Quality Management (QM) refers to all organizational measures that relate to the structure of the organization and the efficient execution of processes at various levels of the company. With consistent implementation, quality management enables the continuous improvement of corporate culture, process quality and technology deployment, ultimately leading to better products or services.

If you need more information about quality management contact us here.