The Data Was Complete. The Authorization Trail Was Not.
Investigator reviewed GxP computer system validation records for the firm's laboratory information management system placed in service January 2023, including the validation summary report, IQ/OQ/PQ protocols, audit trail configuration, and access control documentation.
The firm could not produce a formal data integrity authorization record identifying who made the determination that the system met 21 CFR Part 11 and ALCOA+ requirements, what evidence was reviewed before that determination, or what regulatory standard governed the authorization.
21 CFR Part 11 requires that computerized systems used in regulated activities meet specific requirements for electronic records. FDA's Data Integrity Guidance establishes that firms must document the determination that systems are fit for intended purpose under ALCOA+ principles. Without a formal authorization record, the determination cannot be verified during inspection.
A data integrity authorization documenting the ALCOA+ compliance assessment, the evidence evaluated before system activation, and the named decision owner accountable for the regulatory determination would have provided the investigator with a complete, defensible authorization record.
The inspector pulled the audit trail. The data was intact. Then they asked: "Who authorized the data review, and what was the documented rationale for each decision?"
That question ends careers. Not because the data was compromised — but because the authorization logic was never captured as a formal record.
This case file gives you that record.
During inspection of computer system validation records for the firm's laboratory information management system placed in GxP service in January 2023, the investigator requested documentation of the formal data integrity risk assessment performed prior to system activation, identification of the individual who authorized the determination that the system met the firm's data integrity requirements under 21 CFR Part 11 and FDA's Data Integrity Guidance, and the specific evidence evaluated before that authorization was made. The system validation package contained executed IQ/OQ/PQ protocols, a validation summary report with QA signature, audit trail configuration documentation, and an access control matrix. No formal data integrity authorization record was present in the validation package or the firm's quality management system.
"Who authorized the determination that this system meets your data integrity requirements — and what evidence was evaluated before that decision was made?"
For GxP computerized systems, FDA's Data Integrity Guidance requires firms to document the determination that each system is fit for its intended purpose and meets ALCOA+ data integrity principles. This determination must be made before the system is placed in service, by a named decision authority, based on specific evidence reviewed before the authorization. A validation summary signed by QA records that the validation package was reviewed. It does not record who authorized the data integrity determination, what evidence supported it, or which regulatory standard governed the decision.
| What Existed | What Was Missing |
|---|---|
| ✓ Validated LIMS with executed IQ/OQ/PQ protocols on file | → Formal data integrity authorization record at validation closure |
| ✓ Audit trail configuration documented in validation summary | → Named decision authority accountable for the DI determination |
| ✓ Access controls and user permission matrix documented | → Evidence log showing what was assessed before authorization |
| ✓ Audit trail review procedure approved and in place | → ALCOA+ compliance assessment with documented determination |
| ✓ Computer system validation protocol executed with QA approval | → Regulatory standard explicitly applied to the authorization decision |
| ✓ QA signature on validation summary report | → Timestamped authorization statement from the responsible decision owner |
The Decision Ownership Assessment identifies your open decision gaps in 8 minutes.
Take the Assessment → No account required · Results delivered immediately