Most quality teams know what an FDA investigator will ask for. They’ve run mock inspections, updated their SOPs, and rehearsed responses to 483 observations. The gap isn’t knowledge. The gap is retrieval.
When an investigator asks for the complete change history of a batch record, including every downstream system that touched that record, the quality manager who can’t produce it in 30 minutes is not underprepared on compliance. They’re underprepared on evidence assembly. That distinction costs companies millions in warning letters, import alerts, and consent decrees.
This checklist is organized around what FDA investigators actually request during inspections—not the broad categories you’ll find in agency guidance, but the specific evidence packages that determine whether an inspection closes with a 483 or without one.
What FDA investigators are trained to look for
FDA’s Investigations Operations Manual (IOM) instructs investigators to evaluate data integrity across the full data lifecycle: creation, processing, review, reporting, and archiving. The key phrase from 21 CFR Part 11 is “accurate and complete.” Not accurate in each system. Accurate and complete across the entire record.
Modern pharmaceutical stacks don’t have one system. They have Veeva for document control, SAP for batch management, LIMS for laboratory data, TrackWise for deviations. Each system may pass its own data integrity audit. The question an investigator is increasingly likely to ask: how do these records connect?
Pre-inspection readiness: The evidence assembly audit
Before checking your SOPs and training records, run this test. Pick any batch released in the last 12 months. Set a timer. How long does it take to produce:
- The complete audit trail for the batch record
- All deviations associated with that batch
- The CAPA linked to each deviation
- The supplier certificate for each critical excipient
- The electronic signature log for each quality decision point
- Evidence that each signer had the authority to sign at the time of signing
If the answer is more than four hours, your inspection readiness problem is not documentation—it’s data retrieval.
The inspection readiness checklist
1. Electronic records and signatures (21 CFR Part 11)
- All electronic signatures link to a specific individual with a unique user ID
- Signature authority records are current and accessible within minutes
- Audit trails are enabled on all systems that create, modify, or delete GxP records
- Audit trails cannot be modified or deleted by any user including system administrators
- System access logs are retained and retrievable
- Closed system controls documented and current
Where teams fail: Audit trails exist in each system, but there is no unified record of who accessed which records across which systems during a batch release decision. If an investigator asks “who reviewed the COA for Excipient X before batch 2024-1147 was released, and when?”—the answer may require pulling records from three systems manually.
2. Data integrity (ALCOA+)
- Attributable: every data point traces to the person and system that created it
- Legible: all records are readable throughout the retention period
- Contemporaneous: records are created at the time of the activity
- Original: source data is preserved and accessible
- Accurate: no unexplained alterations exist
- Complete: no gaps in required records
- Consistent: timestamps are synchronized across all systems
- Enduring: records are maintained through the required retention period
- Available: records can be produced during an inspection
Where teams fail: “Available” is assumed to mean “exists somewhere in a system.” In practice, it means “can be produced in a format an investigator can review within the inspection timeframe.” Data that exists but requires a 48-hour IT extract request is not operationally available.
3. Cross-system record traceability
| Record Type | Source System | Linked To | Cross-System Link Verified? |
|---|---|---|---|
| Batch record | SAP / ERP | Deviations in TrackWise | |
| Deviation | TrackWise | CAPA records | |
| CAPA | TrackWise | Batch records affected | |
| Supplier CoA | Veeva / LIMS | BOM components | |
| Change control | Veeva | SOPs, specifications affected | |
| Electronic signature | Veeva / LIMS | Signer authority record |
If any row in this table cannot be completed with verified links, that gap is an inspection finding waiting to happen.
4. Documentation control
- Document index is current and reflects all active, retired, and superseded versions
- All documents are within review cycle
- Superseded documents are archived but accessible
- Document distribution records are maintained
- Controlled copies are accounted for
5. Training records
- Training matrix is current
- All personnel performing GxP activities have documented training
- Training completion dates precede the activities performed
- Effectiveness checks are documented where required
- Training records for departed personnel are retained
6. Deviation and CAPA traceability
- Every deviation has a disposition and root cause documented
- Every open CAPA has a current owner and due date
- Overdue CAPAs have documented justification and re-dates
- CAPA effectiveness checks are scheduled and tracked
- Repeat deviations are identified and escalated
7. Supplier and material traceability
- Approved Vendor List (AVL) is current
- Supplier qualification records are accessible for all critical suppliers
- CoAs are linked to specific batches in which materials were used
- Re-qualification schedules are tracked and current
The retrieval test: Run it before the investigator does
One week before any planned inspection—or as a standing quarterly exercise—run the following scenario with your quality team:
Scenario: An FDA investigator has arrived unannounced and asked for the complete quality history of your last five commercial batches, including all associated deviations, CAPAs, supplier CoAs, and electronic signature records. You have two hours to produce the first batch record package.
Time yourself. Note which systems you had to access. Note where you hit access barriers or needed IT assistance. Note which links between records required manual reconstruction.
That exercise will reveal your actual inspection readiness better than any SOP review.
What prepared looks like
Teams that consistently close inspections without 483 observations related to data integrity share one characteristic: they can answer any question about their records without reconstructing the answer. The records are connected. The evidence is pre-assembled in the sense that the relationships between records are maintained continuously, not assembled under pressure.
The difference between a 40-hour audit prep sprint and a two-hour evidence pull is not the quality of the underlying records. It is whether the connections between those records are maintained as a matter of operational practice or assembled manually when needed.
Related reading: