← Back to Blog
GMP Article

The Goldilocks Zone: How Early is Too Early to Assess a System for Data Integrity Risks?

Published May 22, 2026 • Learn GMP

The Problem with "Phase Zero" Assessments

Imagine assessing a laboratory information management system (LIMS) or an electronic batch record (EBR) system before a single line of code has been written or a configuration setting has been chosen. You gather your team, pull out the FMEA (Failure Mode and Effects Analysis) template, and ask: “Where are the data integrity vulnerabilities?”

The answer will invariably be: “Everywhere.”

Without defined workflows, user roles, or system boundaries, your risk assessment becomes purely theoretical. You will identify risks that the software vendor has already solved through standard features, and you will miss risks that only emerge from your specific configuration. More critically, you cannot determine if a risk is controlled by a procedural or system-based control until you know what the system actually does.

Assessing a conceptual system yields a useless risk register. It forces teams to chase phantom threats, wasting months of validation effort on problems that never materialize.

The Opposite Extreme: Validation Stage

Conversely, waiting until Performance Qualification (PQ)—when the system is already configured and in a test environment—is lethal to timelines. At that stage, finding a data integrity gap (e.g., missing audit trails, uncontrolled shared logins, or the ability to delete raw data) often requires de-configuration, change control, and re-validation. The cost of remediation at PQ is 10 to 100 times higher than catching it in design.

The Sweet Spot: Requirements Definition

So, when is the right time?

The optimal window to begin your formal data integrity risk assessment is immediately following the approval of Functional Requirements but before the start of Detailed Design or Configuration.

Here is why that window is critical:

  1. You know the "What," not yet the "How." You have documented that the system must "record temperature readings every minute" and "prevent deletion of raw data." This is enough to ask meaningful risk questions: If a sensor fails, how does the system ensure data is not lost? You don't need code to answer that; you need a design principle.

  2. You can influence the architecture. At this stage, you can still demand technical controls (e.g., role-based access, electronic signatures, validated interfaces) rather than procedural workarounds (e.g., "The supervisor will manually check the log every hour"). Technical controls are superior to procedural ones.

  3. You avoid both the Blank Page and the Finished House. You are not guessing about abstract software, nor are you trying to knock holes in a finished wall.

The Danger of Static Checklists

One reason organizations assess too early is reliance on generic, static DI checklists. A PMO might demand a "Data Integrity Assessment" during the project charter phase to tick a box. This creates a false sense of security. The assessment says "low risk" because no data exists yet, or "high risk" because the checklist doesn't know your vendor's capabilities.

Rule of thumb: If you don’t know the system’s functional boundaries (inputs, outputs, storage, user privileges), you are too early. If the design is already locked and programmers are writing code, you are too late.

The Consequences of Being "Too Early"

  • Burnout: Subject Matter Experts (SMEs) become cynical when asked to assess risks for systems that don't exist.

  • Drift: The risk assessment becomes a shelf-ware document that is never updated because it was created in a vacuum.

  • Misallocation: You spend budget mitigating theoretical risks (e.g., "SQL injection attacks") while ignoring real configuration risks (e.g., "audit trail off by default").

A Practical Litmus Test

Before you schedule the Data Integrity Risk Assessment meeting, ask three questions:

  1. Are the functional requirements approved? (Yes -> Proceed; No -> Too early.)

  2. Have you selected the specific software version and hardware? (Yes -> Proceed; No -> Still too theoretical.)

  3. Has configuration or coding begun? (No -> Perfect window; Yes -> You are late, proceed urgently.)

Conclusion

Data integrity is not a one-time event but a lifecycle. However, the initial formal risk assessment must occur in the narrow gap between "what we need" and "how we will build it."

Assess too early, and you are doing creative writing, not engineering. Assess too late, and you are doing crisis management, not compliance. Aim for the Goldilocks zone: Requirements locked, design unlocked. That is the only moment where a risk assessment actually prevents a violation rather than just documenting it.

← All Blog Articles Request GMP Support

All Blogs

Popular Topics

FDA 483 Data Integrity CAPA QMS Validation Audit Readiness

Need practical implementation support?

Get help with GMP systems, data integrity, validation, QMS, inspection readiness, and documentation governance.

View Consultancy Services