HANDLING OF DATA INTEGRITY
PURPOSE: To lay down a procedure for the management of data generated through electronic and paper-based systems which should be Attributable, Legible, Contemporaneous, Original, and Accurate throughout the data lifecycle to ensure Data integrity.
SCOPE: Data integrity management as described in the SOP applies to all manual, electronic, and paper-based data generated within the Manufacturing operation, Distribution, and Quality Management System.
RESPONSIBILITY & ACCOUNTABILITY:
All Department Executive/Officers / Operator / Workmen: Shall implement the SOP.
All Department Heads: Shall ensure compliance of the SOP.
ACCOUNTABILITY:
Head QA shall be accountable for this SOP.
PROCEDURE:
DEFINITIONS
Data Integrity:
It is the extent to which all data is complete, consistent, and accurate throughout the data Lifecycle.
Data: Facts, figures and statistics collected together for reference or analysis.
Data Lifecycle: All phases in the life of the data (including raw data) from initial generation and recording through processing (including transformation or migration), use, data retention, archive/retrieval and destruction.
Data Governance: The sum total of arrangements to ensure that data, irrespective of the format in which it is generated, is recorded, processed, retained and used to ensure a complete, consistent and accurate record throughout the data lifecycle.
Meta-data: It is the data that describe the attributes of other data, and provide context and meaning.
Archive: Long term or permanent retention of complete data and relevant metadata in its final form,For the purpose of reconstruction of the process or activity.
Audit Trail: GMP/GDP audit trails are metadata that are a record of GMP/GDP critical information (for example the change or deletion of GMP/GDP relevant data), which permit the reconstruction of GMP/GDP activities.
Back-up: A copy of current (editable) data, metadata and system configuration settings (e.g. variable settings which relate to an analytical run) maintained for the purpose of disaster recovery.
Manual Data Governance System:
Data governance is the sum total arrangements which provide assurance of data generated, recorded, processed, retained, retrieved and used their by ensuring its completeness, correctness.
Consistency and accuracy throughout the data lifecycle.
The data governance system should ensure following controls over data lifecycle-
All documents should have a unique identification number (including the version number) and should be checked, approved, signed and dated.
Procedures, e.g. instructions for completion of records and retention of completed paper records and their routine data verification shall be clearly defined.
The documentation should be done by the trained and qualified personnel who performed the actual task / function to demonstrate that the function was performed.
The information must be readable and required to be considered Complete, including all Original records or entries.
The original record shall be described as the first-capture of information, whether recorded on paper (static) or electronically (usually dynamic, depending on the complexity of the system).
The results and records shall be accurate and must achieve through many elements of a robust Pharmaceutical QMS.
GDP should be applied throughout any process, without exception, including deviations that may occur during the process along with capturing all changes made to data.
Records should remain intact and accessible as an indelible/durable record and must be available for review at any time during the required retention period, accessible in a readable format to all applicable personnel who are responsible for their review.
The use of uncontrolled documents should be prohibited by local procedures. The use of temporary recording practices, e.g. scraps of paper should be prohibited.
System for version control must be in placed with controls for issuance.
There should be design in such a way that there should be sufficient space for manual data entries.
If additional pages of the documents are added to allow complete documentation, the number of, and reference to any pages added should be clearly documented on the main record page and signed.
Documents should be stored in a manner which ensures appropriate version control.
Master copy (in soft copy) should be prevented from unauthorized or inadvertent changes.
Master copies should contain distinctive marking so to distinguish the master from a copy, e.g. use of colored papers or inks so as to prevent inadvertent use.
Distribution and Control:
Updated versions should be distributed in a timely manner.
Obsolete master documents and files should be archived and their access restricted.
Any issued and unused physical documents retrieved and destroyed accordingly.
Document issuance should be controlled by written procedures that include the following controls
Usage of a secure stamp, or paper color code not available in the working areas or another appropriate system.
Ensuring that only the current approved version is available for use.
Allocating a unique identifier to each blank document issued and recording the issue of each document in a register.
Numbering every distributed copy (e.g.: copy 2 of 2) and sequential numbering of issued pages in bound books.
All issued records should be reconciled following use to ensure the accuracy and completeness of records.
An index of all the template records should be maintained by QA.
Records should be appropriately controlled in the production areas by designated persons or processes.
Handwritten entries must be made by the person who executed the task with clear and legible writing.
Unused, blank fields within documents should be crossed-out, dated and signed.
The completion of date fields should be done in the format defined for the site.
E.g. DD/MM/YY & DD/MM/YYYY.
The handwritten data must be reviewed for completeness of data recorded including correct pagination of the records and are all pages present.
Verify that records are available within the immediate areas in which they are used.
Records should be indelible entries are in ink, which is not erasable and/or will not smudge or fade (during the retention period).
Check that the records were not filled out using pencil prior to use of pen (overwriting).
Note that some paper printouts from systems may fade over time, e.g. thermal paper therefore; a Photostat of the thermal print should be attached with original.
Check that there is signature and initials logs, that are current and controlled and demonstrate the use of unique examples, not just standardized printed letters.
Ensure that all key entries are signed & dated, particularly if steps occur over time, i.e. not just signed at the end of the page and/or process.
Corrections to the records must be made in such way that full traceability is maintained.
Cross out what is to be changed with a single line with appropriate, the reason for the correction must be clearly recorded and verified if critical. Initial and date the change made.
Check that the original data is readable not obscured (e.g.: not obscured by use of liquid paper; overwriting is not permitted).
If changes have been made to critical data entries, verify that a valid reason for the change has been recorded and that supporting evidence for the change is available.
Reviewed/witnessed by designated personnel (e.g.: production supervisor) at the time of operations occurring and – reviewed by an authorized person within production before sending them to the QC department; and – reviewed and approved by the Quality Assurance Unit (e.g. Authorized Person / Qualified Person) before release or distribution of the batch produced.
Batch production records of non-critical process steps are shall be reviewed by production personnel according to an approved procedure.
This verification shall be carried out after performing production-related tasks and Verify the process for the handling of production records within processing areas to ensure that they are readily available to the correct personnel at the time of performing the activity to which the record relates.
Secondary checks should be performed during processing by appropriately qualified and independent personnel, e.g. production supervisor or QA.
Data Management In Computerized Systems
All computerized systems having potential for impact on product quality should be protected from acts of accidental or deliberate manipulation, modification or any other activity that may impact on data integrity.
Prospective validation for computerized systems is conducted.
For systems already installed, retrospective validation may be carried out based on an assessment of all historical records for the existing computerized system.
Critical system configuration details and controls for restricting access to configuration and any changes (change control) should be clearly defined.
System configuration and segregation of duties (e.g. authorization to generate data should be separate to authorization to verify data) should be defined prior to validation, and verified as effective during testing.
Methods of generating, storing and retiring data and their ability to ensure data accuracy, legibility, and indelibility shall be evaluated during computerized system validation should be clearly defined in the respective system SOP.
Data integrity of an analytical method with computerized interface is affected by sample preparation, entry of sample weights into the computerized system, use of the computerized system to generate data, and processing / recording of the final result using that data therefore the authenticity of input data must be verified.
Changes or modifications to these systems should be controlled.
Permitted activities (privileges) for each user of the system, Identity and role of the System Administrator, Frequency of review of audit trails and system logs shall be defined. Procedures for how a new system user is created, along with the modification (change of privileges) for an existing user, validation systems and reports specifically addressed.
Procedures for system access to ensure modifications or changes to systems are restricted and subject to change control management.
Administrator access should be restricted to authorized persons and is not used for routine operations.
Procedures for granting, modifying and removing access to computerized systems shall be defined to ensure these activities are controlled.
User access logs and privilege levels, unauthorized use should be defined in specific instrument SOP.
Data backup and frequency; data recovery process in case of an incident, Process and responsibilities for data archiving should be clearly stated that the original data are retained with relevant metadata in a form that permits the reconstruction of the manufacturing process or the analytical activity.
Users to the system and access accounts should be kept up to date. There should also be restrictions to prevent users from amending audit trail functions.
Audit Trails:
Software based system must comply to the electronic audit trail functionality as per 21 CFR part 11. The aim of part 11 of 21 CFR rules is to promote the integrity of the usage of electronic record and signature such that data is not destroyed, delete manipulated in any way which Compromise delivery of services.
Audit trail functionalities for electronic-based systems should be configured properly to capture general system events as well as any activities relating to the acquisition, deletion, overwriting of and changes to data for audit purposes.
Some simple systems involved in less critical function having lack of appropriate audit trails may be acceptable; however, alternative arrangements to verify the veracity of data must be implemented, e.g. administrative procedures, secondary checks and controls.
Audit trails should be verified during validation of the system.
Audit trail functionalities must be enabled and locked at all times. For example, an individual involved in the input of and changes to HPLC data must not have access to enable and disable the audit trail as they desire.
Procedures should be in place to address and investigate any audit trail discrepancies, including escalation processes for the notification of senior management and national authorities where necessary.
Data entry:
Systems should be designed for the correct capture of data whether acquired through manual or automated means.
The entry of data should only be made by authorized individuals and the system should record details of the entry, the individual making the entry and when the entry was made.
Data should be entered in a specified format that is controlled by the software, validation activities should verify that invalid data formats are not accepted by the system.
All manual data entries should be verified, either by a second operator, or by a validated computerized means.
Changes to entries should be captured in the audit trail and reviewed by an appropriately authorized and independent person.
For automated data capture interface between the originating system, data acquisition and recording systems should be validated to ensure the accuracy of data.
Data captured by the system should be saved into memory in a format that is not vulnerable to manipulation, loss or change.
The system software should incorporate validated checks to ensure the completeness of data acquired, as well as any metadata associated with the data.
Any necessary changes to data must be authorized and controlled in accordance with approved procedures. For example, manual integrations and reprocessing of laboratory results must be performed in an approved and controlled manner.
Any change and modifications to original data must be fully documented and should be reviewed and approved by at least one appropriately trained and qualified individual.
Ensure that manual entries made into computerized systems are subject to an appropriate secondary check.
Validation records should be reviewed for systems using automated data capture to ensure that data verification and integrity measures are implemented and effective.
Review of electronic data:
Critical data should be audited by the regulated user and verified to determine that operations were performed correctly and whether any change (modification, deletion or overwriting) have been made to original information in electronic records. All changes must be duly authorized.
The review of data-related audit trails should be part of the routine data review within the approval process.
Audit trails records should be in an intelligible form and have at least the following information:
Name of the person who made the change to the data;
Description of the change;
Time and date of the change;
Justification for the change;
Name of any person authorizing the change.
The audit trail activity should be documented and recorded.
Any significant variation from the expected outcome found during the audit trail review should be fully investigated and recorded.
Storage, archival and disposal of electronica data:
Storage of data must include the entire original data and metadata, including audit trails, using a secure and validated process.
If the data is backed up, or copies of it are made, then the backup and copies must also have the same appropriate levels of controls so as to prohibit unauthorized access to, changes to and deletion of data or their alteration. For example, a firm that backs up data onto portable hard drives must prohibit the ability to delete data from the hard drive. Some additional considerations for the storage and backup of data include.
True copies of dynamic electronic records can be made, with the expectation that the entire content (i.e., all data and metadata is included) and meaning of the original records are preserved.
Suitable software and hardware needs to be readily available for accessing data backups or copies.
Back-up data should be readable for all the period of the defined regulatory retention period, even if a new version of the software has been updated or substituted for one with better performance.
The record retention procedures must include provisions for retaining the metadata. This allows for future queries or investigations to reconstruct the activities that occurred related to a batch.
Data should be archived periodically in accordance with written procedures.
Archive copies should be physically secured in a separate and remote location from where back up data are stored.
The data should be accessible and readable and its integrity maintained for all the period of archiving.
REFERENCE:
SOP FOR SOP