Good documentation practices are guidelines for creating, approving, recording, and retaining GxP records so that they are complete, trustworthy, and inspection-ready. Based on the ALCOA+ principles – attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, and available – they protect data integrity across Good Manufacturing Practices (GMP), Good Clinical Practices (GCP), and Good Laboratory Practices (GLP).
GDocP defines how you:
For medical device, pharma and biotech companies, records are the primary evidence that you followed your procedures, met your specifications, investigated and resolved issues, and protected patients and users.
The proper adherence to GDocP helps the safe development of potentially lethal products these sectors trade in. Document control via an organised system of best practice is the way in which traceability and accountability of quality goods and products can be monitored and guaranteed.
Global regulators have repeatedly highlighted data integrity and documentation as critical inspection themes. MHRA’s GxP data integrity guidance, WHO’s data integrity guideline, and PIC/S PI 041 all emphasise robust documentation practices and ALCOA+ as the basis of trustworthy data.
A Document Management System (DMS) can demonstrate adherence to the highest standards of design, development, testing, manufacture, and subsequent treatment in drugs and medtech - they make it easy for companies to be audited and assessed by regulators on this basis.
Without GDocP, audits become painful, submissions are delayed, and product release decisions become risky.
GDocP is not a standalone regulation; rather, it is how you comply with multiple regulatory frameworks at once.
MHRA GxP Data Integrity Guidance (2018) sets expectations for data governance and the use of ALCOA+ across all GxP areas. The WHO’s data integrity guideline and earlier “Good data and record management practices” guidance serve the same purpose for a global audience. PIC/S PI 041‑1 describes good practices for data management and integrity in regulated GMP/GDP environments, harmonising expectations across inspectorates.
In all cases, Good Documentation Practices are the practical way you demonstrate data integrity.
ISO 13485:2016 requires documented procedures for the control of documents (4.2.4) and the control of records (4.2.5), as well as a structured medical device file that consolidates key information about each device.
GDocP helps you:
Under FDA’s Quality Management System Regulation (QMSR) in 21 CFR 820 – which now incorporates ISO 13485:2016 by reference – manufacturers must maintain documented procedures and records that are controlled, legible, retrievable, and protected from loss.
Historically, this included defined records such as the design history file (DHF), device master record (DMR) and device history record (DHR). Under QMSR these obligations are carried forward via ISO 13485 concepts like the Medical Device File and design & development files, but the underlying expectations for complete, traceable and enduring documentation do not change.
Under EU MDR 2017/745, Annex II and III require technical documentation to be clear, organised, readily searchable, and unambiguous, with tight traceability across the device lifecycle.
This is achievable in practice by applying GDocP to your technical documentation structure, change control and version history, and PMS and vigilance records.
The principles of GdocP were originally abbreviated into the acronym “ALCOA”:
Attributable – it’s always clear who did what, when (and ideally why).
Legible – readable and understandable throughout the retention period.
Contemporaneous – recorded at the time the activity is performed.
Original – the first capture or a verified true copy.
Accurate – correct, truthful and free from unjustified edits.
Regulators later expanded ALCOA to ALCOA+, adding four attributes that were always implied but not explicit:
Complete – nothing relevant is missing, including changes and deletions.
Consistent – timestamps, sequences and formats make logical sense.
Enduring – records remain intact and accessible for as long as required.
Available – you can readily retrieve records for use, audits and submissions.
Some sources refer to ALCOA++ (adding concepts like “traceable” or “integrity‑protected”), but the nine ALCOA+ attributes are the most widely recognised globally.
Translating ALCOA+ and regulatory expectations into daily practice means designing your QMS around the document and record lifecycle. The document management system you choose to implement should support these fundamental requirements.
Of course, not every document produced by your company needs to be subject to the highest levels of document control specified here, but the documentation relevant to all parts of the development and manufacture of the regulated products you market must be.
Here are some implementation considerations to keep in mind when defining your documentation processes:
Start by mapping:
Decide which items are “GxP‑critical” and therefore fully subject to GDocP.
Create controlled templates with:
This makes documents easier to find and reduces free‑text variation that undermines consistency.
Define workflows for:
An eQMS like Cognidox allows you to configure these flows once and then reuse them across document types, rather than building ad-hoc processes each time.
Good documentation practices mean:
Your eDMS should enforce this automatically; something shared drives can’t do.
Regulators expect you to show that people followed the right version of a procedure and were competent to do so.
Tie GDocP to training by:
An integrated LMS within your eQMS can automate much of this, reducing manual tracking.
Computerised systems should generate an audit trail that records:
MHRA, WHO, and PIC/S all expect audit trails for GxP‑critical data and periodic review of those trails as part of GDocP.
Finally, ensure records are:
This is where many paper systems and basic file shares fail. In contrast, a DMS like Cognidox offers powerful search, configurable access control, and robust backup as key enablers of compliant GDocP.
Here’s a shortened checklist to assess your current state:
Time and again, the various demands of documentation best practice appear among the top 10 reasons for failing FDA inspections. And in the UK, the MHRA inspectorate has explained how inadequate documentation around computer systems validation (CSV) frequently contributes to companies failing their audits.
Some of the failures we see most often include:
While you can apply GDocP on paper, regulators increasingly expect validated electronic systems in complex environments, and paper-based document management systems are inefficient, cumbersome, and difficult to keep updated. They are prone to falling into disuse, as the effort of upkeep eats into the patience of their users.
Similarly, some businesses might choose to use file-sharing platforms such as Google Docs, Dropbox, or even SharePoint to bring a level of sophistication to their document management. But, even a brief look at the basic level of controls delivered by these off-the-shelf file sharing solutions begins to show up their shortcomings as a proper tool for the required document control.
There are Document Management Systems that operate as cloud-based, process-driven intranets and digital frameworks for the compliant storage of all your project documentation - that can scale with you - and from the outset make observing GdocP part of your organisational DNA.
A modern eDMS/eQMS should help you to:
Adopting one of these from the beginning of your med tech development journey could well be the answer to meeting a whole range of GxP requirements in the most cost-effective and enduring way for your business.
The Document Management Solution you choose must have all the necessary tools and functionality for specific regulatory compliance. It needs to come with the sophisticated version control you’d expect, date and time stamping of records, the ability to detail changes made to records, and the integration of digital signature technology to enable sign-off and track approval.
In short, it needs to tick all of the boxes as a safe, secure and auditable record of every part of your document creation and handling, while all the time helping you adhere to the principles of ALCOA+.
Cognidox is widely used by medical device development, pharma, and high‑tech organisations to bring “formal rigour” and “good practice” into product development and quality management, while remaining intuitive and configurable for SMEs.
Get our comprehensive guide to GxP compliance, or get a free trial to see our GxP solutions in action.
ALCOA defines five core data integrity attributes: attributable, legible, contemporaneous, original, and accurate. ALCOA+ adds complete, consistent, enduring, and available. Together, they provide a practical checklist for designing and reviewing documentation workflows and records under GDocP.
You can implement GDocP on paper, but regulators increasingly expect validated electronic systems for complex operations because they support audit trails, access control, backing up, search and consistent application of ALCOA+.
Cognidox provides a lean eQMS with configurable workflows, strong version control, Part 11‑ready e‑signatures, robust audit trails, integrated training, and a secure extranet. Customers in medtech and high‑tech sectors report smoother audits and improved control over document lifecycle and access.
Blog post updated on 23/12/2025