Data integrity PIC S

Recommendations

Info

9.1.5.1 In dealing with raw data, the complete capture and retention of raw datawould normally be required in order to reconstruct the manufacturing eventor analysis.9.1.5.2 In dealing with metadata, some metadata is critical in reconstruction ofevents, (e.g. user identification, times, critical process parameters, units ofmeasure), and would be considered as ‘relevant metadata’ that should befully captured and managed. However, non-critical meta-data such as systemerror logs or non-critical system checks may not require full capture andmanagement where justified using risk management.9.1.6 When determining data vulnerability and risk, it is important that thecomputerised system is considered in the context of its use within thebusiness process. For example, the integrity of results generated by ananalytical method utilising an integrated computer interface are affected bysample preparation, entry of sample weights into the system, use of thesystem to generate data, and processing / recording of the final result usingthat data. The creation and assessment of a data flow map may be useful inunderstanding the risks and vulnerabilities of computerised systems,particularly interfaced systems.9.1.7 Consideration should be given to the inherent data integrity controlsincorporated into the system and/or software, especially those that may bemore vulnerable to exploits than more modern systems that have beendesigned to meet contemporary data management requirements. Examplesof systems that may have vulnerabilities include: manual recording systems,older electronic systems with obsolete security measures, non-networkedelectronic systems and those that require additional network securityprotection e.g. using firewalls and intrusion detection or prevention systems.9.1.8 During inspection of computerised systems, inspectors are recommended toutilise the company’s expertise during assessment. Asking and instructingthe company’s representatives to facilitate access and navigation can aid inthe inspection of the system.9.1.9 The guidance herein is intended to provide specific considerations for dataintegrity in the context of computerised systems. Further guidance regardinggood practices for computerised systems may be found in the PIC/S GoodPractices for Computerised Systems in Regulated “GxP” Environments(PI 011).9.1.10 The principles herein apply equally to circumstances where the provision ofcomputerised systems is outsourced. In these cases, the regulated entityretains the responsibility to ensure that outsourced services are managedand assessed in accordance with GMP/GDP requirements, and thatappropriate data management and integrity controls are understood by bothparties and effectively implemented.9.2 Qualification and validation of computerised systems9.2.1 The qualification and validation of computerised systems should beperformed in accordance with the relevant GMP/GDP guidelines; the tablesbelow provide clarification regarding specific expectations for ensuring gooddata governance practices for computerised systems.PI 041-1 32 of 63 1 July 2021
9.2.2 Validation alone does not necessarily guarantee that records generated arenecessarily adequately protected and validated systems may be vulnerableto loss and alteration by accidental or malicious means. Thus, validationshould be supplemented by appropriate administrative and physical controls,as wells as training of users.9.3 Validation and MaintenanceItem:System Validation & Maintenance1. ExpectationRegulated companies should document and implement appropriatecontrols to ensure that data management and integrity requirements areconsidered in the initial stages of system procurement and throughoutsystem and data lifecycle. For regulated users, Functional Specifications(FS) and/or User Requirement Specifications (URS) should adequatelyaddress data management and integrity requirements.Specific attention should be paid to the purchase of GMP/GDP criticalequipment to ensure that systems are appropriately evaluated for dataintegrity controls prior to purchase.Legacy systems (existing systems in use) should be evaluated todetermine whether existing system configuration and functionality permitsthe appropriate control of data in accordance with good data managementand integrity practices. Where system functionality or design of thesesystems does not provide an appropriate level of control, additionalcontrols should be considered and implemented.Potential risk of not meeting expectations/items to be checked Inadequate consideration of DI requirements may result in thepurchase of software systems that do not include the basicfunctionality required to meet data management and integrityexpectations. Inspectors should verify that the implementation of new systemsfollowed a process that gave adequate consideration to DIprinciples. Some legacy systems may not include appropriate controls for datamanagement, which may allow the manipulation of data with a lowprobability of detection. Assessments of existing systems should be available and providean overview of any vulnerabilities and list any additional controlsimplemented to assure data integrity. Additional controls should beappropriately validated and may include:o Using operating system functionality (e.g. Windows ActiveDirectory groups) to assign users and their accessprivileges where system software does not includeadministrative controls to control user privileges;o Configuring operating system file/folder permissions toprevent modification/deletion of files when thePI 041-1 33 of 63 1 July 2021
Page 1 and 2: PHARMACEUTICAL INSPECTION CONVENTIO
Page 3 and 4: 9.10 Management of Hybrid Systems .
Page 5 and 6: 3.5 The principles of data manageme
Page 7 and 8: o automation; oro the use of techno
Page 9 and 10: process consistency (e.g. biologica
Page 11 and 12: should clearly demonstrate that rep
Page 13 and 14: Staying continuously and actively i
Page 15 and 16: 6.7 Dealing with data integrity iss
Page 17 and 18: Data IntegrityAttributeRequirementt
Page 19 and 20: Specific elements that should be ch
Page 21 and 22: generation of working copies of doc
Page 23 and 24: 4. ExpectationDocuments should be s
Page 25 and 26: 8.5.2 Records should be appropriate
Page 27 and 28: Where appropriate, the reason for t
Page 29 and 30: 8.9 Direct print-outs from electron
Page 31: 8.11.2 A record/register should be
Page 35 and 36: osystems used in the decision proce
Page 37 and 38: Check that end-user testing include
Page 39 and 40: read by the new software. Where nec
Page 41 and 42: - User access controls should ensur
Page 43 and 44: potential security weaknesses) and
Page 45 and 46: 9.6 Audit trails for computerised s
Page 47 and 48: - in the case of changes or modific
Page 49 and 50: 9.8 Review of data within computeri
Page 51 and 52: to access electronically stored dat
Page 53 and 54: Appropriate quality risk management
Page 55 and 56: Area for reviewComparison of analyt
Page 57 and 58: Accurate [4.1], [6.17] [5.40], [5.4
Page 59 and 60: 12 REMEDIATION OF DATA INTEGRITY FA
Page 61 and 62: 12.2.1.2 Evidence of open communica
Page 63: MetadataIn-file data that describes

Data integrity PIC S

Create successful ePaper yourself

Delete template?

Save as template?