Electronic Records and Data Integrity

I SPE/ GAMP: GOOD PRACTI PRACTI CE GUI DE ELECTRO EL ECTRONI C RECO RECORDS AND AND DATA I NTEGRI TEGRI TY

I NDUSTRY STRY REVI REVI EW J UNE 2016

1 2 3 4 5 6 7 8

I SPE/ GAMP GO GOOD PRAC PRACTI CE GU GUI DE: ELECTRO EL ECTRONI C RECOR ECORDS AND AND DATA I NTEGR EGRI TY

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39

40 41 42 43 44 45

DRAFT FO FOR I NDUSTRY REVI REVI EW J UNE 2016 2016 CRO CROSS REFEREN REF ERENCES CES WI L L BE UPDATED UPDATED DURI URI NG THE FI FI NAL PROD PRODUCTI ON OF THI THI S I SPE GUI DANCE DOCUMENT. ENT. PLEASE NOTE:

©I SPE 2016. Al l r i ght s r eser eser ved ved.

Page 1 of 198



I SPE/ GAMP: GOOD PRACTI PRACTI CE GUI DE ELECTRO EL ECTRONI C RECO RECORDS AND AND DATA I NTEGRI TEGRI TY 46 47 48 49 50


PREFACE TBA TBA

Page 2 of 198



I SPE/ GAMP: GOOD PRACTI PRACTI CE GUI DE ELECTRO EL ECTRONI C RECO RECORDS AND AND DATA I NTEGRI TEGRI TY 46 47 48 49 50


PREFACE TBA TBA

Page 2 of 198



I SPE/ GAMP: GOOD PRACTI PRACTI CE GUI DE ELECTRO EL ECTRONI C RECO RECORDS AND AND DATA I NTEGRI TEGRI TY 51 52


ACKNOWLEDGEMENTS TBA TBA

Page 3 of 198

I SPE/ GAMP: GOOD PRACTI CE GUI DE ELECTRONI C RECORDS AND DATA I NTEGRI TY

I NDUSTRY REVI EW J UNE 2016

I SPE/ GAMP: GOOD PRACTI CE GUI DE ELECTRONI C RECORDS AND DATA I NTEGRI TY 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109


TABLE OF CONTENTS 1

INTRODUCTION ............................................................... 7

1. 1 1. 2 1. 3 1. 4 2

13 14 22 23 26

I NTRODUCTI ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 STEP 1: I DENTI FY REGULATED DATA, RECORDS, AND SI GNATURES . . . . . . . . . . . . . . 31 STEP 2: ASSESS I MPACT OF DATA AND RECORDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 STEP 3: ASSESS RI SKS TO ELECTRONI C RECORDS BASED ON I MPACT . . . . . . . . . . . . 36 STEP 4: I MPLEMENT CONTROLS TO MANAGE I DENTI FI ED RI SKS . . . . . . . . . . . . . . . . . 38 STEP 5: MONI TOR EF FECTI VENESS OF CONTROL S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

DATA LIFE CYCLE ........................................................... 40

5. 1 5. 2 5. 3 5. 4 5. 5 5. 6 5. 7 5. 8 6

I NTRODUCTI ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I MMEDI ATE ACTI ONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . STRATEGI C ACTI ONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SYSTEM LI FE CYCLE ACTI ONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . KEY DATA LI FE CYCLE ACTI ONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

QUALITY RISK MANAGEMENT ................................................... 30

4. 1 4. 2 4. 3 4. 4 4. 5 4. 6 5

GUI DI NG PRI NCI PLES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 KEY CONCEPTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

RISKS AND ACTIONS FOR ELECTRONIC RECORDS AND DATA INTEGRITY ............... 13

3. 1 3. 2 3. 3 3. 4 3. 5 4

7 7 8 9

GUIDING PRINCIPLES AND KEY CONCEPTS ....................................... 10

2. 1 2. 2 3

OVERVI EW. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PURPOSE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SCOPE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HOW TO USE THI S GUI DE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

I NTRODUCTI ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 DATA CREATI ON AND CAPTURE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 DATA CALCULATI ON/ PROCESSI NG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 RECORD REVI EW. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 RECORD ANALYSI S & REPORTI NG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 RECORD RETENTI ON AND ARCHI VAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 MI GRATI ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 DESTRUCTI ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

DATA GOVERNANCE FRAMEWORK ................................................. 53

6. 1 6. 2 6. 3 6. 4 6. 5

I NTRODUCTI ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . OVERVI EW. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ELEMENTS OF THE DATA I NTEGRI TY FRAMEWORK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HUMAN FACTORS I N DATA I NTEGRI TY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DATA I NTEGRI TY MATURI TY MODEL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

53 53 54 60 60

7 AUDIT TRAIL AND AUDIT TRAIL REVIEW ........................................ 66

7. 1 7. 2 7. 3 7. 4 8

66 66 68 69

GAMP 5 QUALITY RISK MANAGEMENT ............................................ 72

8. 1 8. 2 8. 3 8. 4 8. 5 9

I NTRODUCTI ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . REGULATORY BACKGROUND . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . APPLI CATI ON AND USE OF AUDI T TRAI LS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . AUDI T TRAI L REVI EW. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I NTRODUCTI ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . OVERVI EW OF QUALI TY RI SK MANAGEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . QUALI TY RI SK MANAGEMENT PROCESS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EXAMPLE FUNCTI ONAL RI SK ASSESSMENT APPROACH . . . . . . . . . . . . . . . . . . . . . . . . . . . RI SK MANAGEMENT THROUGHOUT THE SYSTEM LI FE CYCLE . . . . . . . . . . . . . . . . . . . . . .

72 72 72 74 75

RISK CONTROL MEASURES FOR RECORD, DATA, AND SIGNATURE INTEGRITY ........... 77

9. 1 9. 2 9. 3 9. 4 9. 5 9. 6 9. 7 9. 8

I NTRODUCTI ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 RECORD AND DATA CONTROLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 I MPLEMENTATI ON OF CONTROLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 RI GOR OF CONTROLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 SI GNATURE CONTROLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 REGULATED COMPANY AND SUPPLI ER RESPONSI BI LI TI ES . . . . . . . . . . . . . . . . . . . . . . . 87 PROCEDURAL REQUI REMENTS ( RESPONSI BI LI TY OF REGULATED COMPANY) . . . . . . . . . 87 TECHNI CAL REQUI REMENTS ( LARGELY MET THROUGH SUPPLI ER ACTI VI TI ES) . . . . . . 89 Page 4 of 198



I SPE/ GAMP: GOOD PRACTI CE GUI DE ELECTRONI C RECORDS AND DATA I NTEGRI TY 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167

10

RISKS RELATED TO RECORD RETENTION, ARCHIVING, AND MIGRATION ............. 90

10. 1 10. 2 10. 3 10. 4 10. 5 10. 6 10. 7 11

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 F OR SPREADSHEETS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 FOR PC DATABASES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 FOR STATI STI CAL TOOLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

KEY DEFI NI TI ONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EXAMPLES FROM US REGULATI ONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EXAMPLES FROM EU REGULATI ONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EXAMPLES FROM I CH Q7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

112 112 123 125

CASE STUDIES ........................................................... 126

13. 1 DATA 13. 2 13. 3 13. 4 13. 5 13. 6 14

I NTRODUCTI ON . . DATA I NTEGRI TY DATA I NTEGRI TY DATA I NTEGRI TY

EXAMPLES OF RECORDS AND SIGNATURES REQUIRED BY GXP REGULATIONS ......... 112

12. 1 12. 2 12. 3 12. 4 13

I NTRODUCTI ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 MANAGEMENT OF ELECTRONI C RECORDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 HYBRI D RECORDS AND ARCHI VES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 AUDI T TRAI L CONSI DERATI ONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 ALTERNATI VE SYSTEMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 CONVERTI NG ELECTRONI C TO ALTERNATI VE FORMAT/ MEDI A HYBRI DS . . . . . . . . . . . . . 94 EXAMPLES OF APPLI CATI ON OF GAMP® 5 RI SK ASSESSMENT TO RECORDS MANAGEMENT 101

DATA INTEGRITY FOR END-USER APPLICATIONS ............................... 109

11. 1 11. 2 11. 3 11. 4 12


SPREADSHEET F OR BATCH RELEASE CALCULATI ONS BASED ON MANUAL I NPUT OF LAB TO A TEMPLATE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 AUTOMATED FORMULATI ON PRODUCTI ON & PACKI NG EQUI PMENT . . . . . . . . . . . . . . . . . 128 BUI LDI NG MANAGEMENT SYSTEM ( BMS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 I NTERACTI VE RESPONSE T ECHNOLOGI ES ( I RT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 ENTERPRI SE RECOURSE PL ANNI NG ( ERP) SYSTEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 DRUG SAFETY SYSTEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

DATA INTEGRITY MATURITY LEVEL CHARACTERIZATION ......................... 146

14. 1 I NTRODUCTI ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 15

USER REQUIREMENTS ...................................................... 159

15. 1 I NTRODUCTI ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 15. 2 TECHNI CAL CONTROLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 15. 3 PROCEDURAL CONTROLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 16

DATA INTEGRITY CONCERNS RELATED TO SYSTEM ARCHITECTURE ................. 165

16. 1 16. 2 16. 3 16. 4 17

170 170 171 172

I NTRODUCTI ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I S A DATA I NTEGRI TY PROGRAM REQUI RED? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I NDI CATORS OF P ROGRAM SCOPE AND EFF ORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I MPLEMENTATI ON CONSI DERATI ONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . KEYS TO SUCCESS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SUMMARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

178 178 179 181 182 184

PAPER & HYBRID RECORDS ................................................. 185

19. 1 19. 2 19. 3 19. 4 19. 5 19. 6 20

I NTRODUCTI ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . COMPUTERI ZED SYSTEM LI FE CYCLE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SPECI FI CATI ON AND VERI FI CATI ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LI FE CYCLE PHASES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

CORPORATE DATA INTEGRITY PROGRAM ....................................... 178

18. 1 18. 2 18. 3 18. 4 18. 5 18. 6 19

165 165 166 167

COMPUTERIZED SYSTEM LIFE CYCLE ......................................... 170

17. 1 17. 2 17. 3 17. 4 18

DATA RESI DES ON A LOCAL HARD DI SK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I NTERNAL LY MANAGED CENTRAL DATABASE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I NTERNAL LY MANAGED DI STRI BUTED DATA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CLOUD- BASED SOLUTI ONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

CONTROLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 MANAGI NG RECORDS & SI GNATURES I N HYBRI D SYSTEMS . . . . . . . . . . . . . . . . . . . . . . 185 RI SK ASSESSMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 CONTROLS FOR MANAGI NG RECORDS & SI GNATURES I N HYBRI D SYSTEMS . . . . . . . . . 186 USE OF FORMS TO ENFORCE PROCEDURES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 I SSUES WI TH HYBRI D RECORDS I N PRODUCTI ON AND LABORATORY . . . . . . . . . . . . . . 188

PROCESS MAPPING/INTERFACES ............................................. 190 Page 5 of 198



I SPE/ GAMP: GOOD PRACTI CE GUI DE ELECTRONI C RECORDS AND DATA I NTEGRI TY 168 169 170 171 172 173 174 175 176 177 178

20. 1 20. 2 20. 3 20. 4 20. 5 21


I NTRODUCTI ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PROCESS ( BUSI NESS) FLOWCHARTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DATA FLOWCHARTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HOW MUCH I S NEEDED? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CONCLUSI ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

190 190 192 193 193

INSPECTION READINESS ................................................... 194

21. 1 I NTRODUCTI ON & GENERAL PROCEDURES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 21. 2 KEY I NFORMATI ON THAT NEEDS TO BE MAI NTAI NED FOR REGULATORY I NSPECTI ONS – RI GHT PEOPLE AND RI GHT I NFORMATI ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 22 23

GLOSSARY ............................................................... 198 REFERENCES ............................................................. 198

179

Page 6 of 198



I SPE/ GAMP: GOOD PRACTI CE GUI DE ELECTRONI C RECORDS AND DATA I NTEGRI TY 180 181

1

INTRODUCTION

182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200

1.1

OVERVIEW

201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235


Thi s GAMP Good Pr act i ce Gui de: El ect r oni c Recor ds and Dat a I nt egr i t y pr ovi des pr act i cal gui dance on meet i ng cur r ent r egul at ory expect at i ons f or t he management of el ect r oni c r ecor ds and the dat a underl yi ng t hem, whi ch i ncl udes t he need f or i nt egr i t y, secur i t y, and avai l abi l i t y t hr oughout t he r equi r ed r et ent i on per i od. I t desc r i bes how a r i sk management appr oach may be used t o ensur e t he compl i ance of r egul at ed el ect r oni c r ecor ds and si gnat ur es, i ncl udi ng managi ng r i sks t o i nt egr i t y of under l yi ng dat a, t hr ough t he appl i cat i on of appr opr i at e cont r ol s commensur at e wi t h t he i dent i f i ed r i sks. Thi s Gui de has been devel oped by t he GAMP and i s i nt ended t o compl ement GAMP 5 - A Computerized Systems. I t has been desi gned wi t h gui dance pr ovi ded i n GAMP 5 and ot her

Communi t y of Pr act i ce ( CoP) of I SPE, Risk-Based Approach to Compliant GxP

so t hat i t may be used i n conj unct i on GAMP Good Pr act i ce Gui des.

Col l abor at i ng wi t h r egul at ors and i ndust r y exper t s, GAMP pr omotes t he i nnovat i ve use of aut omat i on and comput er t echnol ogy i n a r i sk- based appr oach t hat saf eguar ds pat i ent saf et y, pr oduct qual i t y, and dat a i nt egr i t y. 1.2

PURPOSE

Si nce t he publ i cat i on of t he GAMP Good Pr act i ce Gui de, A Ri sk- Based Appr oach t o Compl i ant El ect r oni c Recor ds and Si gnat ur es i n 2005, t he soci al , t echni cal , and r egul at or y l andscape has changed: 









I ncr eased r egul at or y f ocus on t he wi der aspect s of dat a i nt egr i t y, i ncl udi ng publ i cat i on of speci f i c r egul at or y gui dance on the t opi c and i ncr eased number of ci t at i ons i n t he ar ea. The i ncr eased publ i c and r egul at or y acc ept ance and under st andi ng of el ect r oni c si gnat ur es as bei ng t he l egal l y bi ndi ng equi val ent of t r adi t i onal handwr i t t en si gnat ur es, and i ncr eased use of el ect r oni c t r ansact i ons i n dai l y l i f e. Techni cal model s.

devel opment s such as t he i ncr eased adopt i on of cl oud comput i ng

The enhanced Qual i t y Ri sk Management appr oach as def i ned i n GAMP 5.

and Speci f i cat i on and Ver i f i cat i on

The r evi si on of EU GMP Annex 11 and EU GMP Chapt er 4 ( bot h adopt ed f or wi der use by PI C/ S) .

Thi s Gui de pr ovi des compr ehensi ve and up- t o- dat e gui dance t o meet t hese changes. El ect r oni c r ecor d and dat a i nt egr i t y i s achi eved by wel l - document ed, val i dated syst ems, and t he appl i cat i on of appr opr i at e cont r ol s t hr ough bot h t he syst em and dat a l i f e c yc l es . The appr oach al l ows measur es ai med at a hi gh degr ee of i nt egr i t y, avai l abi l i t y, and conf i dent i al i t y ( wher e requi r ed) t o be est abl i shed f or r ecor ds t hat have a hi gh pot ent i al i mpact on pr oduct qual i t y or pat i ent saf et y, whi l e per mi t t i ng a l ess r i gor ous appr oach f or r ecor ds of l ower i mpact , or t hose wi t h l ower l evel s of as s oc i at ed r i s k. Thi s over al l

phi l osophy i s i nt ended t o encour age i nnovat i on and t echnol ogi cal Page 7 of 198



I SPE/ GAMP: GOOD PRACTI CE GUI DE ELECTRONI C RECORDS AND DATA I NTEGRI TY 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291


advance whi l e avoi di ng unaccept abl e r i sk t o pr oduct qual i t y, pat i ent saf ety, and publ i c heal t h. The gui dance i s i nt ended f or r egul at ed compani es and suppl i er s of any sys t ems, pr oduct s, or ser vi ces i n t hi s ar ea, as wel l as a usef ul r ef er ence f or r egul at or s. Some f ami l i ar i t y wi t h cur r ent i nt er nat i onal r egul at i ons i s assumed. 1.3

SCOPE

Thi s Gui de addr ess es t he i nt egr i t y of al l r egul at ed dat a, r ecor ds, and si gnat ur es managed by comput eri zed syst ems used wi t hi n t he r egul at ed l i f e sci ence i ndust r i es i ncl udi ng pharmaceut i cal , bi ol ogi cal , and medi cal devi ces. Thi s Gui de may al so be usef ul i n ot her r egul at ed ar eas such as cosmet i cs and f ood. Cur r ent i nt er nat i onal GxP l i f e sci ence r equi r ement s r el at ed t o el ect r oni c recor ds and data i nt egr i t y have been t aken i nt o account , and t he f ol l owi ng publ i cat i ons have been speci f i cal l y consi der ed: 





US Codes of Feder al Regul at i ons ( CFRs) cover i ng GCP, GLP, GMP, and medi cal devi ces US CFR r egul at i on 21 CFR Par t 11, and ass oci at ed gui dance Rel evant sect i ons of EU and PI C/ S r egul at i ons, i ncl udi ng Chapt er 4 and Annex 11



MHRA GMP Dat a I nt egr i t y Def i ni t i ons and Gui dance f or I ndust r y



FDA - Dat a I nt egr i t y and Compl i ance Wi t h CGMP - Dr af t Gui dance f or I ndust r y



I CH Q9 Qual i t y Ri sk Management



I CH Q10 Phar maceut i cal Qual i t y Syst em



Dr af t WHO Gui dance on Good Dat a and Recor d Management Pr act i ces

Thi s Gui de cover s r egul at ed el ect r oni c r ecor ds, el ect r oni c si gnat ur es, handwr i t t en si gnat ur es capt ur ed el ect r oni cal l y, and handwr i t t en si gnat ur es appl i ed t o el ect r oni c r ecor ds. Thi s Gui de al so addr esses t he need f or i nt egr i t y of t he under l yi ng dat a. Whi l e paper , el ect r oni c and hybr i d si t uat i ons are consi der ed, t he f ocus i s on el ect r oni c aspect s, and t he Gui de encour ages a move away f r om hybr i d sol ut i ons wher ever pr act i cal .

Thi s Gui de pr ovi des a met hod f or managi ng r i sk t o el ect r oni c dat a, r ecor ds and si gnat ur es. Or gani zat i ons may al r eady have est abl i shed r i sk management act i vi t i es and t ool s, and t hi s Gui de does not i nt end or i mpl y t hat t hese exi st i ng met hods shoul d be di scar ded, r at her t hat t hey cont i nue t o be used as appr opr i at e wi t hi n t he cont ext of t he over al l r i sk management pr ocess descr i bed. Not e t hat t hi s Gui de pr ovi des a pr agmat i c appr oach t o managi ng r i sk. Ot her met hods or t echni ques gi vi ng document ed evi dence of adequat e cont r ol , and ensur i ng appr opr i at e secur i t y and i nt egr i t y, may al so be accept abl e. The Gui de i s equal l y r el evant t o bot h new and exi st i ng comput er i zed sys t ems. Whi l e Page 8 of 198





292 293 294 295 296

not wi t hi n t he scope of t hi s Gui de, cr i t i cal i t y, heal t h and saf ety, speci f i c assessment and cont r ol . el ect r oni cal l y shoul d al so be consi

297 298 299 300 301 302

1.4

i t i s r ecogni zed t hat aspect s such as busi ness and envi r onment al r equi r ement s may r equi r e Legal admi ssi bi l i t y of i nf or mat i on st or ed der ed.

HOW TO USE THIS GUIDE

The Gui de cont ai ns t hi s I nt r oduct i on, a Mai n Body, and a set of appendi ces . I t has been st r uct ur ed t o meet t he needs of var i ous r eaders , and cont ai ns, i n i nc r eas i ng l evel of det ai l : 1. Cr i t i cal ar eas of r egul at or y f ocus and concer n

303 304

2. An over vi ew of r i sks t o r ecor d and dat a i nt egr i t y, and a hi gh l evel over vi ew of how t o addr ess t hem

305 306

3. Fur t her i nf or mat i on on how t o appl y t he GAMP®5 l i f e cycl e and Qual i t y Ri sk Management ( QRM) appr oach t o el ect r oni c r ecor d and dat a i nt egr i t y

307

4. More detailed “how to” guidance for specific topics

308

5. Exampl e case st udi es

309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324

Readers requiring an overview of the topic shoul d r ead t hi s I nt r oducti on,

pl us Sect i on 2, Gui di ng Pr i nci pl es and Key Concept s, and Sect i on 3, Ri sks and Act i ons f or El ect r oni c Recor ds and Dat a I nt egr i t y. Readers seeking further information on t he over al l appr oach t o ensur i ng el ect r oni c

r ecor d and data i nt egr i t y shoul d al so r ead t he remai ni ng sect i ons of t he mai n body. Readers requiring detailed information on par t i cul ar t opi cs shoul d al so consi der

t he appl i cabl e appendi ces, based on t hei r ar eas of i nt er est and r esponsi bi l i t y. when appl yi ng t he gui dance pr ovi ded t o speci f i c si t uat i ons. The case studi es r ef l ect a wi de var i et y of t ypi cal r egul at ed systems.

All readers may f i nd t he exampl e case st udi es i n Appendi x x usef ul

Appendi x X pr oves r ef er ences and Appendi x y cont ai ns a Gl ossar y.

Page 9 of 198





325 326 327

2

GUIDING PRINCIPLES AND KEY CONCEPTS

328 329 330 331 332 333 334

2.1

GUIDING PRINCIPLES

335 336 337 338 339 340 341 342 343 344 345 346 347

Ri sk management pr act i ces f or el ect r oni c r ecor d and dat a i nt egr i t y cont r ol s must pr ot ect publ i c heal t h. I n or der t o be ef f ect i ve, however, r i sk management pr act i ces must al so be pr act i cal and ef f i ci ent . To t hi s end t he f ol l owi ng gui di ng pr i nci pl es have been adopt ed f or t hi s Gui de: Provi de a consi st ent and suf f i ci ent l y f l exi bl e r i sk management appr oach t o addr ess al l r el evant i nt er nat i onal r egul at or y expect at i ons 













Lever age and suppor t i nt egr i t y

ot her

wi der

i ndust r y

act i vi t y

in

f i el d of

dat a

Adopt t he phi l osophy of managi ng ri sk by gener al l y accept ed good pr act i ce t o addr ess el ect r oni c r ecor ds and dat a i nt egr i t y Ensur e t he r i sk management appr oach t o el ect r oni c r ecor ds and dat a i nt egr i t y i s si mpl e and ef f ect i ve. The ef f ort r equi r ed to assess and manage r i sk must be pr opor t i onat e t o the l evel of r i sk Pr ovi de i nt er pr et at i on of key i nt er nat i onal r egul at i ons and gui dance on t hi s t opi c Focus on r ecor ds and dat a wi t h si gni f i cant qual i t y and/ or pat i ent saf et y.

pot ent i al

i mpact

on pr oduct

Emphasi ze t he benef i t s, and encour age t he use of t echnol ogy, r at her t han i nt r oduce unnecessar y barr i er s t o t echnol ogi cal advance.

348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376

2.2 KEY CONCEPTS (1) Definitions and Scope The t er m GxP regulation r ef er s

t o t he under l yi ng i nt er nat i onal l i f e s c i enc e r equi r ement s s uch as t hose set f or t h i n t he US FD&C Act , US PHS Act , FDA r egul ati ons, EU Di r ect i ves, J apanese MHLW r egul ati ons, adopt ed PI C/ S GMP Gui des, or ot her appl i cabl e nat i onal l egi sl at i on or r egul at i ons under whi ch a r egul at ed company oper at es. A regulated record i s a r ecor d requi r ed t o be mai nt ai ned or submi t t ed by GxP r egul ati ons. A r egul at ed r ecor d may be hel d i n di f f er ent f or mat s, f or exampl e, el ectr oni c, paper , or bot h. A regulated electronic record i s a regul at ed r ecor d mai nt ai ned i n el ect r oni c f or mat . A r egul at ed el ect r oni c recor d i s a col l ect i on of r egul at ed dat a (and metadata necessary to provide meaning and context) wi t h speci f i c GxP pur pose, cont ent , and meani ng. Regul at ed el ect r oni c r ecor ds i ncl ude, but ar e not l i mi t ed t o Par t 11 r ecor ds as def i ned by US FDA ( Appendi x X of t hi s Gui de pr ovi des exampl es of r ecor ds r equi r ed by GxP r egul at i ons) . Note t hat t hat t her e may be r ecor ds r equi r ed t o suppor t r egul at ed act i vi t i es, des pi t e t hem not bei ng expl i c i t l y i dent i f i ed i n t he r egul at i ons . A regulated signature i s a si gnat ur e r equi r ed by a GxP r egul at i on. Regul at ed si gnat ur es i ncl ude si gnat ur es t hat document t he f act t hat cer t ai n event s act i ons occur r ed i n accor dance wi t h t he GxP r egul ati on r ul e ( e. g. appr oval , r evi ew or ver i f i c at i on of a r egul at ed r ec or d) . A regulated electronic signature i s a si gnat ur e appl i ed el ectr oni cal l y t o a r egul ated el ect r oni c r ecor d, and i nt ended t o be the equi val ent of a handwr i t t en si gnat ur e r equi r ed by a GxP r egul ati on. By t he appl i cat i on of a si gnat ur e, t he st at us of a recor d i s changed. Si gnat ur es Page 10 of 198



I SPE/ GAMP: GOOD PRACTI CE GUI DE ELECTRONI C RECORDS AND DATA I NTEGRI TY 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391

392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412


shoul d be cl ear l y di st i ngui shed f r om i dent i f i cat i on event s ( t hat may al so be r equi r ed by r egul at i ons) wher e t he r equi r ement i s onl y f or t he i dent i f i cat i on of an i ndi vi dual per f or mi ng a par t i cul ar acti vi t y. Thi s may, f or i nst ance, be achi eved by l oggi ng of an event i n an audi t t r ai l by a val i dat ed comput er i zed syst em. Si gnat ur es ar e of t en i mpl ement ed by a uni que user - i d and pass wor d combi nat i on. Ot her uses of user - i ds and password, such as l oggi ng on t o a syst em, shoul d be cl ear l y di st i ngui shed f r om si gnat ur e event s. Si gnat ur es not r equi r ed by pr edi cat e r ul es, and ot her super f i ci al l y si mi l ar cases such as i dent i f i cat i on of i ndi vi dual s, acknowl edgement of st eps or act i ons, or l oggi ng- on t o a syst em, are not r egul at ed si gnat ur es.

Fi gur e 1- 1. Nar r ow Scope and t he need f or under l yi ng data i nt egr i t y. As shown i n Fi gur e 1- 1, GxP dat a i s a subset of al l dat a mai nt ai ned by a r egul at ed company. Dat a i nt egr i t y r equi r ement s appl y t o al l r egul at ed ( GxP) dat a. Regul at ed el ect r oni c r ecor ds are col l ect i ons of r egul at ed dat a and met adat a wi t h a speci f i c GxP pur pose, cont ent , and meani ng. El ect r oni c si gnat ur es may be appl i ed t o some r egul ated el ect r oni c r ecor ds, and paper si gnat ur es may be appl i ed t o ot her s ( a hybr i d s i t uat i on) . Some regul at i ons ( e. g. 21 CFR Par t 11) appl y speci f i cal l y t o regul at ed el ect r oni c r ecor ds and r egul at ed si gnatur es. Wi der dat a i nt egr i t y cont r ol s must be i n pl ace t o ensur e t he accur acy and r el i abi l i t y of such r ecor d cont ent . (2) Data Governance

Dat a gover nance ensur es f or mal management of r ecor ds and dat a t hr oughout t he r egul at ed company. Dat a gover nance encompass es t he peopl e, pr ocesses , and t echnol ogy r equi r ed t o achi eve consi st ent , accur ate and ef f ecti ve dat a handl i ng. I t pr ovi des t he st r uct ur e wi t hi n whi ch appr opr i at e deci si ons r egar di ng dat ar el at ed mat t ers may be made accor di ng t o agr eed model s, pr i nci pl es, pr ocesses, and def i ned aut hor i t y. Dat a governance may al so be consi dered as a qual i t y assurance and cont r ol appr oach f or appl yi ng r i gor and di sci pl i ne t o t he pr ocess Page 11 of 198



I SPE/ GAMP: GOOD PRACTI CE GUI DE ELECTRONI C RECORDS AND DATA I NTEGRI TY 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461


of managi ng, usi ng, pr ot ect i ng, and i mpr ovi ng or gani zati onal i nf or mat i on. (3) Quality Risk Management

The Quality Risk Management ( QRM) appr oach def i ned i n GAMP 5, f ol l owi ng I CH Q9, wi l l be appl i ed t o i dent i f yi ng, assessi ng, and managi ng r i sks t o dat a and r ecor d i nt egr i t y. Sect i on 4 pr ovi des det ai l s of t he appr oach, i ncl udi ng some def i ni t i ons speci f i c t o QRM. (4) System Life Cycle

A system life cycle appr oach, as descr i bed i n GAMP 5 i s appl i ed. Dat a and i nt egr i t y must be bui l t i n and mai nt ai ned t hr oughout t he syst em l i f e cycl e f r om concept t hr ough pr oj ect and oper at i ons t o r et i r ement . The sys t em l i f e cycl e act i vi t i es shoul d be scal ed based on t he compl exi novel t y, of t he syst em, and pot ent i al i mpact on pr oduct qual i t y, pat i ent and dat a i nt egr i t y.

r ecor d phases t y and saf et y

(5) Data Life Cycle Approach

As wel l as t he s ys t e m l i f e c yc l e, t he data life cycle i s al s o c ons i der ed. Al l phases i n dat a l i f e cycl e f r omi ni t i al dat a cr eat i on and capt ur e r ecor di ng t hr ough pr ocessi ng ( i ncl udi ng t r ansf or mat i on or mi gr at i on) , r evi ew, r epor t i ng, r et ent i on, r et r i eval and dest r uct i on must be cont r ol l ed and managed i n or der t o ensur e accur at e, r el i abl e, and compl i ant el ect r oni c r ecor ds and dat a. (6) Process Understanding

A f ul l under st andi ng of t he busi ness pr ocess( es) t o be suppor t ed, i ncl udi ng t he i nt ended user - base and i nt ended use of dat a and r ecor ds wi t hi n t he pr ocess, i s f undament al t o accur atel y deter mi ni ng el ect r oni c r ecor d and data i nt egr i t y r equi r ement s. As descr i bed i n GAMP 5, t hor ough pr ocess unders t andi ng i s al so t he basi s f or qual i t y r i sk management . As not ed i n t he GAMP Good Pr act i ce Gui de: A Risk-Based Approach to GxP Compliant Laboratory Computerized System, [ r ef ] dat a i nt egr i t y cannot be achi eved wi t hout a compl et e under st andi ng of t he i nf ormat i on f l ow. (7) Leveraging Supplier Involvement

As descr i bed i n GAMP 5, r egul at ed compani es shoul d seek t o l ever age suppl i er knowl edge, experi ence, and document ati on t hr oughout t he syst eml i f e cycl e, subj ect t o sat i sf act or y suppl i er assessment . For exampl e, suppl i er s may assi st wi t h cl ar i f yi ng t echnol ogy l i mi t at i ons, gat her i ng r equi r ement s, def i ni ng and assessi ng r i sks, i dent i f yi ng appr opr i at e t echni cal or pr ocedur al cont r ol s, devel opi ng t echni cal cont r ol s, ver i f yi ng cont r ol s, and moni t or i ng t he ef f ecti veness of cont r ol s. The suppl i er may al so an i mpact on t he way t he dat a i s managed t hr ough t he ent i r e dat a l i f e c yc l e. Pl anni ng shoul d det er mi ne how best t o use suppl i er document at i on and expert i se, i ncl udi ng exi st i ng t est document at i on, t o avoi d wast ed ef f or t and dupl i cat i on. J ust i f i cat i on f or t he use of suppl i er document at i on shoul d be pr ovi ded by t he sat i sf act or y out come of suppl i er assessment s, whi ch may i ncl ude suppl i er audi t s.

Page 12 of 198



I SPE/ GAMP: GOOD PRACTI CE GUI DE ELECTRONI C RECORDS AND DATA I NTEGRI TY 462

3

RISKS AND INTEGRITY

3.1

INTRODUCTION

463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496

ACTIONS


FOR

ELECTRONIC

RECORDS

AND

DATA

Dur i ng r ecent r egul ator y i nspect i ons, t he f ol l owi ng have emerged as speci f i c ar eas of r egul at ory f ocus and concer n: 

      

Lack of basi c access cont r ol and secur i t y measur es al l owi ng unaut hor i zed changes Shar ed user l ogi ns Lack of cont empor aneous r ecor di ng of act i vi t i es Fai l ur e t o i nvest i gat e dat a di scr epanci es Test i ng i nt o compl i ance I ncompl et e col l ecti on, r et ent i on, and revi ew of dat a f or qual i t y deci si ons Over wr i t i ng or del eti on of r aw data Mi s s i ng or di s abl ed audi t t r ai l s

These r egul at or y f ocus ar eas ar e r ef l ect ed and di scus sed i n t hi s sect i on, wher e key aspect s and r i sks r el ated t o r ecor ds and dat a i nt egr i t y ar e cover ed i n mor e det ai l . I t i s r ecogni sed t hat i nt r oduci ng compr ehensi ve el ect r oni c r ecor d and dat a i nt egr i t y cont r ol s acr oss an or gani zat i on may i nvol ve cul t ur al and behavi our al shi f t s, r equi r i ng a f ocused cor por at e dat a i nt egr i t y pr ogr amme over a per i od of t i me, such t hat appr opr i at e cont r ol s are bui l t i n t o a data gover nance f r amewor k, embedded i n t he wi der Qual i t y Management Syst em. Thi s sect i on i dent i f i es t he most i mpor t ant aspect s t hat al l r egul at ed or gani zat i ons shoul d consi der , and hi ghl i ght s ar eas t hat shoul d be i nvest i gat ed and act i oned i mmedi atel y, as a seri es of t abl es:    

I mmedi at e Act i ons St r at egi c Acti ons Syst em Li f e Cycl e Acti ons Dat a Li f e Cycl e Act i ons

Page 13 of 198



Electronic Records and Data Integrity

Recommend Documents