Data integrity PIC S

Recommendations

Info

legislative requirement to implement a ‘data governance system’, itsestablishment enables the manufacturer to define, prioritise andcommunicate their data integrity risk management activities in a coherentmanner. Absence of a data governance system may indicate uncoordinateddata integrity systems, with potential for gaps in control measures.5.1.2 The data lifecycle refers to how data is generated, processed, reported,checked, used for decision-making, stored and finally discarded at the end ofthe retention period. Data relating to a product or process may cross variousboundaries within the lifecycle. This may include data transfer betweenpaper-based and computerised systems, or between different organisationalboundaries; both internal (e.g. between production, QC and QA) and external(e.g. between service providers or contract givers and acceptors).5.2 Data governance systems5.2.1 Data governance systems should be integral to the Pharmaceutical QualitySystem described in PIC/S GMP/GDP. It should address data ownershipthroughout the lifecycle, and consider the design, operation and monitoringof processes and systems in order to comply with the principles of dataintegrity, including control over intentional and unintentional changes to, anddeletion of information.5.2.2 Data governance systems rely on the incorporation of suitably designedsystems, the use of technologies and data security measures, combined withspecific expertise to ensure that data management and integrity is effectivelycontrolled. Regulated entities should take steps to ensure appropriateresources are available and applied in the design, development, operationand monitoring of the data governance systems, commensurate with thecomplexity of systems, operations, and data criticality and risk.5.2.3 The data governance system should ensure controls over the data lifecyclewhich are commensurate with the principles of quality risk management.These controls may be:Organisationalo procedures, e.g. instructions for completion of records and retentionof completed records;o training of staff and documented authorisation for data generationand approval;o data governance system design, considering how data is generated,recorded, processed, retained and used, and risks or vulnerabilitiesare controlled effectively;o routine (e.g. daily, batch- or activity-related) data verification;o periodic surveillance, e.g. self-inspection processes seek to verifythe effectiveness of the data governance system; oro the use of personnel with expertise in data management andintegrity, including expertise in data security measures.Technicalocomputerised system validation, qualification and control;PI 041-1 6 of 63 1 July 2021
o automation; oro the use of technologies that provide greater controls for datamanagement and integrity.5.2.4 An effective data governance system will demonstrate Senior management’sunderstanding and commitment to effective data governance practicesincluding the necessity for a combination of appropriate organisational cultureand behaviours (section 6) and an understanding of data criticality, data riskand data lifecycle. There should also be evidence of communication ofexpectations to personnel at all levels within the organisation in a mannerwhich ensures empowerment to report failures and opportunities forimprovement. This reduces the incentive to falsify, alter or delete data.5.2.5 The organisation’s arrangements for data governance should bedocumented within their Pharmaceutical Quality System and regularlyreviewed.5.3 Risk management approach to data governance5.3.1 Senior management is responsible for the implementation of systems andprocedures to minimise the potential risk to data integrity, and for identifyingthe residual risk, using the principles of ICH Q9. Contract Givers shouldperform a review of the contract acceptor’s data management policies andcontrol strategies as part of their vendor assurance programme. Thefrequency of such reviews should be based on the criticality of the servicesprovided by the contract acceptor, using risk management principles (refer tosection 10).5.3.2 The effort and resource assigned to data governance should becommensurate with the risk to product quality, and should also be balancedwith other quality resource demands. All entities regulated in accordance withGMP/GDP principles (including manufacturers, analytical laboratories,importers and wholesale distributors) should design and operate a systemwhich provides an acceptable state of control based on the data quality risk,and which is documented with supporting rationale.5.3.3 Where long term measures are identified in order to achieve the desired stateof control, interim measures should be implemented to mitigate risk, andshould be monitored for effectiveness. Where interim measures or riskprioritisation are required, residual data integrity risk should becommunicated to senior management, and kept under review. Reverting fromautomated and computerised systems to paper-based systems will notremove the need for data governance. Such retrograde approaches are likelyto increase administrative burden and data risk, and prevent the continuousimprovement initiatives referred to in paragraph 3.5.5.3.4 Not all data or processing steps have the same importance to product qualityand patient safety. Risk management should be utilised to determine theimportance of each data/processing step. An effective risk managementapproach to data governance will consider:Data criticality (impact to decision making and product quality) andData risk (opportunity for data alteration and deletion, and likelihood ofdetection / visibility of changes by the manufacturer’s routine reviewprocesses).PI 041-1 7 of 63 1 July 2021
Page 1 and 2: PHARMACEUTICAL INSPECTION CONVENTIO
Page 3 and 4: 9.10 Management of Hybrid Systems .
Page 5: 3.5 The principles of data manageme
Page 9 and 10: process consistency (e.g. biologica
Page 11 and 12: should clearly demonstrate that rep
Page 13 and 14: Staying continuously and actively i
Page 15 and 16: 6.7 Dealing with data integrity iss
Page 17 and 18: Data IntegrityAttributeRequirementt
Page 19 and 20: Specific elements that should be ch
Page 21 and 22: generation of working copies of doc
Page 23 and 24: 4. ExpectationDocuments should be s
Page 25 and 26: 8.5.2 Records should be appropriate
Page 27 and 28: Where appropriate, the reason for t
Page 29 and 30: 8.9 Direct print-outs from electron
Page 31 and 32: 8.11.2 A record/register should be
Page 33 and 34: 9.2.2 Validation alone does not nec
Page 35 and 36: osystems used in the decision proce
Page 37 and 38: Check that end-user testing include
Page 39 and 40: read by the new software. Where nec
Page 41 and 42: - User access controls should ensur
Page 43 and 44: potential security weaknesses) and
Page 45 and 46: 9.6 Audit trails for computerised s
Page 47 and 48: - in the case of changes or modific
Page 49 and 50: 9.8 Review of data within computeri
Page 51 and 52: to access electronically stored dat
Page 53 and 54: Appropriate quality risk management
Page 55 and 56: Area for reviewComparison of analyt
Page 57 and 58:
Accurate [4.1], [6.17] [5.40], [5.4
Page 59 and 60:
12 REMEDIATION OF DATA INTEGRITY FA
Page 61 and 62:
12.2.1.2 Evidence of open communica
Page 63:
MetadataIn-file data that describes
show all

Data integrity PIC S

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?