Data integrity PIC/S
good practices for data management and integrity in regulatory GMP/GDP environments
9.1.5.1 In dealing with raw data, the complete capture and retention of raw data
would normally be required in order to reconstruct the manufacturing event
or analysis.
9.1.5.2 In dealing with metadata, some metadata is critical in reconstruction of
events (e.g. user identification, times, critical process parameters, units of
measure), and would be considered as ‘relevant metadata’ that should be
fully captured and managed. However, non-critical metadata such as system
error logs or non-critical system checks may not require full capture and
management where justified using risk management.
9.1.6 When determining data vulnerability and risk, it is important that the
computerised system is considered in the context of its use within the
business process. For example, the integrity of results generated by an
analytical method utilising an integrated computer interface is affected by
sample preparation, entry of sample weights into the system, use of the
system to generate data, and processing / recording of the final result using
that data. The creation and assessment of a data flow map may be useful in
understanding the risks and vulnerabilities of computerised systems,
particularly interfaced systems.
9.1.7 Consideration should be given to the inherent data integrity controls
incorporated into the system and/or software, especially those that may be
more vulnerable to exploits than more modern systems that have been
designed to meet contemporary data management requirements. Examples
of systems that may have vulnerabilities include: manual recording systems,
older electronic systems with obsolete security measures, non-networked
electronic systems and those that require additional network security
protection e.g. using firewalls and intrusion detection or prevention systems.
9.1.8 During inspection of computerised systems, inspectors are recommended to
utilise the company’s expertise during assessment. Asking and instructing
the company’s representatives to facilitate access and navigation can aid in
the inspection of the system.
9.1.9 The guidance herein is intended to provide specific considerations for data
integrity in the context of computerised systems. Further guidance regarding
good practices for computerised systems may be found in the PIC/S Good
Practices for Computerised Systems in Regulated “GxP” Environments
(PI 011).
9.1.10 The principles herein apply equally to circumstances where the provision of
computerised systems is outsourced. In these cases, the regulated entity
retains the responsibility to ensure that outsourced services are managed
and assessed in accordance with GMP/GDP requirements, and that
appropriate data management and integrity controls are understood by both
parties and effectively implemented.
9.2 Qualification and validation of computerised systems
9.2.1 The qualification and validation of computerised systems should be
performed in accordance with the relevant GMP/GDP guidelines; the tables
below provide clarification regarding specific expectations for ensuring good
data governance practices for computerised systems.
PI 041-1 32 of 63 1 July 2021