Data integrity PIC S

Recommendations

Info

omodification/deletion of data files cannot be controlled bysystem software; orImplementation of hybrid or manual systems to providecontrol of data generated.2. ExpectationRegulated users should have an inventory of all computerised systems inuse. The list should include reference to:- The name, location and primary function of each computerisedsystem;- Assessments of the function and criticality of the system andassociated data; (e.g. direct GMP/GDP impact, indirect impact, none)- The current validation status of each system and reference to existingvalidation documents.Risk assessments should be in place for each system, specificallyassessing the necessary controls to ensure data integrity. The level andextent of validation of controls for data integrity should be determinedbased on the criticality of the system and process and potential risk toproduct quality, e.g. processes or systems that generate or control batchrelease data would generally require greater control than those systemsmanaging less critical data or processes.Consideration should also be given to those systems with higher potentialfor disaster, malfunction or situations in which the system becomesinoperative.Assessments should also review the vulnerability of the system toinadvertent or unauthorised changes to critical configuration settings ormanipulation of data. All controls should be documented and theireffectiveness verified.Potential risk of not meeting expectations/items to be checked Companies that do not have adequate visibility of all computerisedsystems in place may overlook the criticality of systems and maythus create vulnerabilities within the data lifecycle. An inventory list serves to clearly communicate all systems in placeand their criticality, ensuring that any changes or modifications tothese systems are controlled. Verify that risk assessments are in place for critical processingequipment and data acquisition systems. A lack of thoroughassessment of system impact may lead to a lack of appropriatevalidation and system control. Examples of critical systems toreview include:o systems used to control the purchasing and status ofproducts and materials;o systems for the control and data acquisition for criticalmanufacturing processes;o systems that generate, store or process data that is used todetermine batch quality;o systems that generate data that is included in the batchprocessing or packaging records; andPI 041-1 34 of 63 1 July 2021
osystems used in the decision process for the release ofproducts.3. ExpectationFor new systems, a Validation Summary Report for each computerisedsystem (written and approved in accordance with Annex 15 requirements)should be in place and state (or provide reference to) at least the followingitems:- Critical system configuration details and controls for restricting accessto configuration and any changes (change management).- A list of all currently approved normal and administrative usersspecifying the username and the role of the user.- Frequency of review of audit trails and system logs.- Procedures for:o creating new system user;o modifying or changing privileges for an existing user;o defining the combination or format of passwords for each systemo reviewing and deleting users;o back-up processes and frequency;o disaster recovery;o data archiving (processes and responsibilities), includingprocedures for accessing and reading archived data;o approving locations for data storage.- The report should explain how the original data are retained withrelevant metadata in a form that permits the reconstruction of themanufacturing process or the analytical activity.For existing systems, documents specifying the above requirementsshould be available; however, need not be compiled into the ValidationSummary report. These documents should be maintained and updated asnecessary by the regulated user.Potential risk of not meeting expectations/items to be checked Check that validation systems and reports specifically address dataintegrity requirements following GMP/GDP requirements andconsidering ALCOA principles. System configuration and segregation of duties (e.g. authorisationto generate data should be separate to authorisation to verify data)should be defined prior to validation, and verified as effective duringtesting. Check the procedures for system access to ensure modifications orchanges to systems are restricted and subject to change controlmanagement. Ensure that system administrator access is restricted to authorisedpersons and is not used for routine operations. Check the procedures for granting, modifying and removing accessto computerised systems to ensure these activities are controlled.Check the currency of user access logs and privilege levels, thereshould be no unauthorised users to the system and accessaccounts should be kept up to date.PI 041-1 35 of 63 1 July 2021
Page 1 and 2: PHARMACEUTICAL INSPECTION CONVENTIO
Page 3 and 4: 9.10 Management of Hybrid Systems .
Page 5 and 6: 3.5 The principles of data manageme
Page 7 and 8: o automation; oro the use of techno
Page 9 and 10: process consistency (e.g. biologica
Page 11 and 12: should clearly demonstrate that rep
Page 13 and 14: Staying continuously and actively i
Page 15 and 16: 6.7 Dealing with data integrity iss
Page 17 and 18: Data IntegrityAttributeRequirementt
Page 19 and 20: Specific elements that should be ch
Page 21 and 22: generation of working copies of doc
Page 23 and 24: 4. ExpectationDocuments should be s
Page 25 and 26: 8.5.2 Records should be appropriate
Page 27 and 28: Where appropriate, the reason for t
Page 29 and 30: 8.9 Direct print-outs from electron
Page 31 and 32: 8.11.2 A record/register should be
Page 33: 9.2.2 Validation alone does not nec
Page 37 and 38: Check that end-user testing include
Page 39 and 40: read by the new software. Where nec
Page 41 and 42: - User access controls should ensur
Page 43 and 44: potential security weaknesses) and
Page 45 and 46: 9.6 Audit trails for computerised s
Page 47 and 48: - in the case of changes or modific
Page 49 and 50: 9.8 Review of data within computeri
Page 51 and 52: to access electronically stored dat
Page 53 and 54: Appropriate quality risk management
Page 55 and 56: Area for reviewComparison of analyt
Page 57 and 58: Accurate [4.1], [6.17] [5.40], [5.4
Page 59 and 60: 12 REMEDIATION OF DATA INTEGRITY FA
Page 61 and 62: 12.2.1.2 Evidence of open communica
Page 63: MetadataIn-file data that describes

Data integrity PIC S

Create successful ePaper yourself

Delete template?

Save as template?