Each scenario presents a real GxP situation. Read the setup, make a decision, and see what happens.
Wrong answers are shown, because understanding why something is wrong is more valuable than just knowing the right answer.
Fictional scenarios
All scenarios are fictional. They are constructed from patterns observed in public FDA warning letters, 483 observations, and published regulatory guidance. No real company, site, person, or product is referenced.
01
Audit Trail Review · Data Integrity
Intermediate
The analyst who only reviewed passing results
Situation
During a QA walkthrough of a CDS (chromatography data system), you find that the lead analyst's audit trail review procedure only covers samples that passed, the review log shows 100% pass rate across six months. When you ask why failing injections aren't in the review log, the analyst says: "We only have to review and document results that made it into the final report. Failures are obvious, the system rejects them." The analyst has a signed SOP for this. The QA manager says this has been the practice for three years and has never been challenged.
What is the most important first action?
Wrong, and here's what this reasoning misses
The QA approval of a three-year-old SOP doesn't make the underlying practice compliant. FDA and MHRA guidance is unambiguous: audit trail review must cover all GxP entries, including deleted runs, invalidated results, and test injections. Selective review of passing results only is one of the most common DI findings in analytical labs, it appeared in multiple FDA Warning Letters between 2015 and 2023. The fact that it "hasn't been challenged" means it hasn't been inspected properly, not that it's acceptable. This reasoning is the same reasoning companies use when they receive a Warning Letter for something they've done for a decade.
Selective audit trail review is a systemic data integrity failure, not a procedural gap. The SOP encodes the wrong behavior, it doesn't protect this practice, it makes it worse because it shows the organization designed a non-compliant review process and approved it. The correct sequence is: (1) issue a deviation documenting the non-compliant practice, (2) immediately halt the current review practice, (3) perform a retrospective review covering a risk-stratified sample of the missed audit trail entries, (4) assess whether any quality decisions made on reviewed data are still defensible, (5) implement CAPA to fix the SOP, retrain, and verify effectiveness. Three years of non-reviewed audit trails also means the regulatory risk extends back across all products tested in that lab during that period, that impact assessment is part of the CAPA.
Key principle
QA approval of a wrong SOP makes the situation worse, not better. It demonstrates organizational awareness and acceptance of a non-compliant control. FDA uses this as evidence of systemic failure.
Reference: FDA DI Q&A Guidance Dec 2018 Q11; MHRA GxP DI Guidance 2018 §6.14
Partially right reasoning, completely wrong action
Retraining is part of the CAPA, but retraining without stopping the wrong practice, correcting the SOP, and performing a retrospective review misses the point. More importantly, this is not an analyst knowledge gap. The analyst followed an approved SOP. The system failure is organizational: QA approved the wrong procedure. Retraining the analyst without fixing the SOP and addressing three years of incomplete audit trail review leaves the organization exposed. An inspector who sees "retraining completed" as the only CAPA response to a selective audit trail review finding will not accept it.
Continuing a non-compliant practice during SOP revision is not acceptable when the practice is a data integrity violation. You cannot document that you know a control is wrong and then continue using it while paperwork processes. The SOP update and immediate cessation of the wrong practice must happen at the same time. "Continue current practice until the SOP is approved" would itself become an inspection finding, you identified a DI gap and kept operating with it. The deviation must be opened now, and the practice must change now.
You're preparing for an FDA pre-approval inspection. During your internal readiness review, you ask for backup restore test records for the LIMS and ELN. The IT manager provides backup logs showing daily successful backups for 18 months. When you ask for restore test records, you're told: "The backups run automatically and the system logs show success. We've never had to restore, so we haven't tested it. If we needed to restore, we'd call the vendor." The validation plan for the LIMS, approved two years ago, says "backup and restore verification will be completed before going live." There is no record that this was ever done.
What is the inspection risk and what needs to happen before the FDA arrives?
Wrong, backup logs prove the backup ran, not that data can be recovered
Backup logs confirm that the backup process completed. They do not confirm that the backup contains complete and usable data, that the restore procedure works, that the restored system functions correctly, or that all data is recoverable within an acceptable timeframe. FDA and EMA guidance both require periodic restore testing, not just backup monitoring. An inspector will ask: "Show me your backup restore test records." Logs showing backups ran will not satisfy this. This is a predictable inspection finding for any site that has only monitored backups without testing restores.
The validation plan committed to backup and restore verification. That commitment was never met. Before the inspection: (1) perform the restore test, restore to a test environment, verify data completeness and integrity, verify system functionality, and document the entire procedure and results; (2) open a deviation for the gap between what the validation plan committed to and what was actually done; (3) assess the impact, 18 months of production data on a system where restore was never verified; (4) establish a periodic restore test schedule and add it to the periodic review program. If the restore test fails, the situation is more serious, data recoverability may be compromised and the impact assessment must be broader. Coming to an FDA inspection with this gap unaddressed and undocumented is a far worse position than coming with a documented gap and an active CAPA.
Key principle
Backup logs prove the backup ran. Restore tests prove data can be recovered. They are not equivalent. Both are required for a defensible GxP backup control.
Reference: EU Annex 11 §9 (Backup); FDA DI Q&A 2018; GAMP 5 Second Edition (2022) §12.4
This is concealment, which makes the situation significantly worse
Knowing about a validation gap and not documenting it, not correcting it, and hoping an inspector doesn't find it is a strategy that fails in two ways. First, experienced FDA investigators systematically check backup and restore records, this is a standard inspection element for GxP computerized systems. Second, if the gap is found and you have no deviation, no CAPA, and no evidence that you identified it yourself, the finding escalates from a validation gap to a data integrity finding because it suggests inadequate internal quality oversight. The rule: find it yourself, document it, fix it, verify the fix. That is always the better position than an inspector finding it first.
Vendor certification does not satisfy the restore test requirement
A vendor certificate confirms the vendor's product is designed to support backup and restore. It does not confirm that your specific implementation, configuration, and data are recoverable. GxP requirements put the restore verification obligation on the system owner, the regulated company, not the vendor. You need to test restore in your environment, with your data, under your procedures, with documented results. Vendor support documentation is useful as supplementary evidence but cannot replace site-level testing.
Your validated cloud-based ELN vendor pushed an automatic software update over the weekend. Monday morning, users report the interface looks different and two workflow configurations have changed. Your validation documentation covers version 4.2. The current version is now 4.3.1. When you call the vendor, they say this was a routine security update and the validation is still valid because "only the UI changed and the core functionality is the same." The ELN stores GxP laboratory records for ongoing clinical studies. Your validation plan has a change control procedure but the vendor update bypassed your internal process. Your QA director asks you: is the ELN still validated?
How do you answer the QA director and what needs to happen next?
You cannot accept a vendor's statement as your change control
A vendor saying "your validation is still valid" is not a regulated activity. The vendor does not own your validation. You own your validation. What the vendor says about their product doesn't satisfy your regulatory obligation to assess changes under change control and maintain validation documentation current with the system state. The two workflow configuration changes you already observed indicate that something beyond UI did change. Accepting the vendor's assurance without investigation, when you can already see functional differences, is not a defensible position.
Correct, this is how cloud change control works in practice
Validated status requires your change control process to be applied. A vendor update that bypassed your change control is a deviation, regardless of what the vendor says about impact. Here's the sequence: (1) Raise a deviation documenting that the vendor update was applied without going through your change control process. This is a process failure between you and the vendor, your supply agreement should require change notification. (2) Perform a change impact assessment: review the vendor's release notes, compare versions, assess which validated functions may have been affected, and specifically investigate the two workflow changes users reported. (3) Based on the impact assessment, determine whether re-testing is required (likely yes for the workflow areas that changed) or whether the change can be documented as low risk with justification. (4) Execute testing, document results, and formally restore validated status. (5) CAPA: update your cloud vendor agreement to require advance change notification, establish a testing window, and define escalation when advance notice isn't given. Stopping data entry depends on risk, if the workflow changes affected data entry or calculations, new data entered in that window may need to be reviewed more carefully.
Key principle
Cloud systems don't exempt you from change control. They require a different implementation of change control, one that relies on supplier agreements, change notification, and rapid impact assessment processes rather than preventing changes.
Reference: GAMP 5 Second Edition (2022) §10 Cloud; Annex 11 §10; FDA Part 11 Scope Guidance 2003
Security updates can and do affect validated functionality
"Security updates don't affect validation" is a common misunderstanding. Security patches can change system behavior, database structures, API responses, access control mechanisms, and configurations. The fact that two workflow configurations already changed is direct evidence that this update was not limited to security patches. More broadly, the category of update (security vs. feature) doesn't determine validation impact, the actual changes do. You must assess impact by reviewing what changed, not by accepting the update category label.
Full revalidation is excessive without an impact assessment first
Stopping use entirely and requiring full revalidation before resuming is a risk management decision that should be proportionate to the actual impact. An impact assessment determines the scope of re-testing needed. Depending on what changed, you might need targeted re-testing of affected functions, not a complete rebuild of the validation package. Proportionality is a core GAMP 5 principle. "Void and restart" is not the default response to every change, it is the response when the impact assessment determines that the change affects foundational system behavior or that the extent of change is too large to scope with targeted testing.
The HPLC workstation everyone logs into the same way
Situation
During a tour of the QC lab, you notice that the HPLC workstation running a commercial CDS has a single login visible on a sticky note taped to the monitor: username "qcanalyst" and password "lab2024". When you ask the lab manager, she explains: "All four analysts use the same login. The system is old, it doesn't support individual user accounts. We know who ran each sample because analysts write their initials in the lab notebook." The CDS stores raw chromatographic data for product release testing. The product is in a Phase 3 clinical trial.
What is the data integrity risk and what must be done?
Paper initials cannot fix a broken electronic attributability control
The audit trail in the CDS shows every action taken under "qcanalyst", with no way to know which of four analysts made each entry. Manual initials in a separate notebook don't link to the electronic audit trail entries. They can be added after the fact. They can't be verified against the system log. And they rely on people being honest in a system with no technical enforcement. The ALCOA principle "Attributable" applies to the electronic record itself. FDA and MHRA guidance are explicit: shared accounts are not acceptable for GxP computerized systems because they eliminate the ability to reconstruct who did what. Phase 3 clinical testing data with unattributable electronic records is a serious finding with potential implications for the regulatory submission.
Correct, this is a critical finding, not a minor observation
Shared accounts are one of the most clearly defined data integrity violations in both FDA and MHRA guidance. MHRA DI Guidance 2018 states: "Shared or generic log-ins should not be used for GxP activities." FDA DI Q&A 2018 requires that audit trails attribute actions to the individual who performed them. The remediation path: (1) open a deviation, this is a critical DI finding because it affects Phase 3 release data; (2) perform a risk assessment on data generated under the shared account, assess which decisions were made on this data and whether they remain defensible; (3) investigate whether individual accounts can be enabled (many "old" CDS systems can be configured for individual accounts, the lab manager's statement should be verified against the system documentation or vendor); (4) if the system genuinely cannot support individual accounts, a compensating control must be designed and risk-justified, and this may mean the system is not fit for purpose for GxP release testing; (5) the sticky note with credentials is a separate finding, passwords must be protected. This situation also needs to be reported to QA management because Phase 3 data integrity affects the regulatory submission.
Key principle
Shared accounts are a critical finding in any GxP system. "The system doesn't support individual accounts" is worth verifying, it's often not true. If it is true, the system may not be fit for GxP use.
Reference: FDA DI Q&A 2018 Q4; MHRA GxP DI Guidance 2018 §6.7; PIC/S PI 041-1
Shared accounts on a GxP release testing system is never a minor finding
Minor findings are things like a single signature missing from a form, a training record filed in the wrong folder, or a label print slightly misaligned. Shared accounts on a CDS used for Phase 3 clinical release testing is a systemic data integrity failure affecting all data generated in that lab under that account. If FDA finds this first, it will not be written as a minor observation. Flagging for "next budget cycle" with Phase 3 data at risk is not acceptable quality oversight. This needs escalation today.
Contacting the vendor doesn't close the existing data integrity gap
Contacting the vendor to request an upgrade is part of the long-term fix, but it does nothing about the data already generated under a shared account, and it does nothing about ongoing risk. The deviation, risk assessment, and impact evaluation on existing data must happen regardless of whether an upgrade is coming. Additionally, waiting for a vendor upgrade timeline (potentially months) while continuing to generate GxP data with shared accounts extends the problem. Interim compensating controls may be needed immediately.
At the close of a 5-day FDA cGMP inspection, the investigator issues a 483 with three observations. Observation 2 reads: "The firm's procedures for periodic review of computerized systems do not include a requirement to verify that audit trails are enabled and have not been disabled since the last review." You review your validated system inventory, eight systems have periodic review procedures, but none of them include a check to confirm audit trail enable/disable status between review cycles. The 483 response is due in 15 business days. During the exit discussion, the investigator mentioned she may follow up on the response. Your legal team wants you to commit to the minimum possible in writing.
How should you structure the response to Observation 2?
Narrow responses to systemic observations tend to generate follow-up
Legal teams often want to minimize commitments to preserve flexibility, a reasonable instinct in litigation, but counterproductive in FDA 483 responses. FDA reads narrow responses as insufficient understanding of the finding or unwillingness to address systemic issues. An investigator who cited eight systems affected by the same gap will notice if your response only addresses "the system reviewed during the inspection." A 12-month timeline for a procedure update that takes one to two weeks to write and approve signals either organizational dysfunction or deliberate delay. Both are bad. Narrow, legally hedged responses increase the probability of escalation to Warning Letter.
A strong 483 response to a systemic observation: (1) acknowledges the specific finding without minimizing it; (2) identifies the root cause, in this case, the periodic review SOP template didn't include audit trail status verification as a required check; (3) describes immediate action, conduct out-of-cycle audit trail status verification on all eight systems now, before the response is submitted, and include the results; (4) describes the systemic fix, update all eight periodic review SOPs to include the audit trail enable/disable check; (5) provides specific, realistic timelines, procedure updates in 30-45 days is credible; (6) includes evidence where possible, completed SOP revisions, signed approvals, verification records. On timeline: commit to what you can actually do. FDA does not expect perfection, but they do expect you to demonstrate that your organization can fix problems it identifies. Short timelines with completed actions in the response are far stronger than long timelines with "planned" activities.
Key principle
A strong 483 response treats the observation as finding a gap the company should have found itself. It shows FDA that the quality system works, it received the finding, understood it, assessed scope, and fixed it. That is the message that reduces the risk of escalation.
Reference: FDA Regulatory Procedures Manual §4; FDA Warning Letter Policy; FDA CDER Inspection Program
Disagreeing with this observation creates more risk, not less
Manual audit trail entry review and verification that the audit trail is still enabled are different things. Reviewing entries tells you what was recorded; it doesn't tell you whether the audit trail was disabled and re-enabled between review periods, hiding a gap. FDA's observation is technically accurate: periodic review procedures did not include an explicit check that audit trail configuration had not changed. You can choose to disagree with a 483 observation if you have a well-supported technical basis, but this observation doesn't have a strong disagreement case, and disagreement without a substantive technical argument escalates the relationship with FDA rather than resolving it.
This option gets the verification right and including current audit trail status in the response is good evidence. The gap is that framing currently-enabled audit trails as "evidence of low risk" to justify a shorter-than-necessary fix timeline is incomplete. The finding is about the absence of a control, the periodic review procedure doesn't require the check. The fact that audit trails are currently enabled is good news, but it doesn't resolve the finding: the procedural gap still exists and will exist again until the SOP is updated. Include the verification results as evidence of current status, but the response must also commit to the SOP updates with specific timelines, regardless of current status.