Data integrity PIC S
good practices for data management and integrity in regulatory GMP/GDP environments
good practices for data management and integrity in regulatory GMP/GDP environments
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
9.2.2 Validation alone does not necessarily guarantee that records generated are
necessarily adequately protected and validated systems may be vulnerable
to loss and alteration by accidental or malicious means. Thus, validation
should be supplemented by appropriate administrative and physical controls,
as wells as training of users.
9.3 Validation and Maintenance
Item:
System Validation & Maintenance
1. Expectation
Regulated companies should document and implement appropriate
controls to ensure that data management and integrity requirements are
considered in the initial stages of system procurement and throughout
system and data lifecycle. For regulated users, Functional Specifications
(FS) and/or User Requirement Specifications (URS) should adequately
address data management and integrity requirements.
Specific attention should be paid to the purchase of GMP/GDP critical
equipment to ensure that systems are appropriately evaluated for data
integrity controls prior to purchase.
Legacy systems (existing systems in use) should be evaluated to
determine whether existing system configuration and functionality permits
the appropriate control of data in accordance with good data management
and integrity practices. Where system functionality or design of these
systems does not provide an appropriate level of control, additional
controls should be considered and implemented.
Potential risk of not meeting expectations/items to be checked
Inadequate consideration of DI requirements may result in the
purchase of software systems that do not include the basic
functionality required to meet data management and integrity
expectations.
Inspectors should verify that the implementation of new systems
followed a process that gave adequate consideration to DI
principles.
Some legacy systems may not include appropriate controls for data
management, which may allow the manipulation of data with a low
probability of detection.
Assessments of existing systems should be available and provide
an overview of any vulnerabilities and list any additional controls
implemented to assure data integrity. Additional controls should be
appropriately validated and may include:
o Using operating system functionality (e.g. Windows Active
Directory groups) to assign users and their access
privileges where system software does not include
administrative controls to control user privileges;
o Configuring operating system file/folder permissions to
prevent modification/deletion of files when the
PI 041-1 33 of 63 1 July 2021