Data integrity PIC S
good practices for data management and integrity in regulatory GMP/GDP environments
good practices for data management and integrity in regulatory GMP/GDP environments
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
From this information, risk proportionate control measures can be
implemented. Subsequent sections of this guidance that refer to a risk
management approach refer to ‘risk’ as a combination of data risk and data
criticality concepts.
5.4 Data criticality
5.4.1 The decision that data influences may differ in importance and the impact of
the data to a decision may also vary. Points to consider regarding data
criticality include:
Which decision does the data influence?
For example: when making a batch release decision, data which
determines compliance with critical quality attributes is normally of
greater importance than warehouse cleaning records.
What is the impact of the data to product quality or safety?
For example: for an oral tablet, API assay data is of generally greater
impact to product quality and safety than tablet friability data.
5.5 Data risk
5.5.1 Whereas data integrity requirements relate to all GMP/GDP data, the
assessment of data criticality will help organisations to prioritise their data
governance efforts. The rationale for this prioritisation should be documented
in accordance with quality risk management principles.
5.5.2 Data risk assessments should consider the vulnerability of data to involuntary
alteration, deletion, loss (either accidental or by security failure) or re-creation
or deliberate falsification, and the likelihood of detection of such actions.
Consideration should also be given to ensuring complete and timely data
recovery in the event of a disaster. Control measures which prevent
unauthorised activity, and increase visibility / detectability can be used as risk
mitigating actions.
5.5.3 Examples of factors which can increase risk of data failure include processes
that are complex, or inconsistent, with open ended and subjective outcomes.
Simple processes with tasks which are consistent, well defined and objective
lead to reduced risk.
5.5.4 Risk assessments should focus on a business process (e.g. production, QC),
evaluate data flows and the methods of generating and processing data, and
not just consider information technology (IT) system functionality or
complexity. Factors to consider include:
process complexity (e.g. multi-stage processes, data transfer between
processes or systems, complex data processing);
methods of generating, processing, storing and archiving data and the
ability to assure data quality and integrity;
PI 041-1 8 of 63 1 July 2021