data integrity controls in medicinal and medical devices...

Puerto Rico Data Integrity Conference 2016

Data Integrity Controls in Medicinal and Medical Devices Manufacturing Environment

June 28, 2016

1

Orlando LópezGAMP Data Integrity SIG SMEJune 28, 2016olopez6102@gmail.com

Scope

The scope of this presentation is the technical features about the electronic records (e-recs) integrity associated to a typical manufacturing environment.

3

Scope

4

Agenda◆  References◆  Introduction◆  Inspection Trends◆  E-Recs Life Cycle◆  Electronic Records Related Definitions◆  SOPs Managing E-Recs◆  E-Recs Controls – Supporting Processes◆  E-Recs Controls – Records Retained by Storage◆  E-Recs Controls – During Processing◆  E-Recs Controls – While in Transit◆  E-Recs Integrity Remediation◆  Summary

5

REFERENCES

6

References◆  ISPE/PDA, “Good Electronic Records Management (GERM)”,

July 2002 ◆  López, O., “A Computer Data Integrity Compliance Model”,

Pharmaceutical Engineering, Volume 35 Number 2, March/April 2015.

◆  López, O., “EU Annex 11 and the Integrity of Erecs,” Journal of GxP Compliance, Volume 18 Number 2, May 2014.

◆  MHRA, “MHRA GMP Data Integrity Definitions and Guidance for Industry”, March 2015.

◆  US FDA, Guidance for Industry: “Data Integrity and Compliance with CGMP Guidance for Industry,” April 2016 (Draft).

◆  WHO, “Guidance on Good Data and Record Management Practices,” TRS 996 Annex 5, May 2016.

7

References

8

López, O., “Data Integrity in Pharmaceutical and Medical Devices Regulations: Best Practices Guide to Electronic Records Compliance”, CRC Press, November 2016. https://www.crcpress.com/Data-Integrity-in-Pharmaceutical-and-Medical-Devices-Regulation-Operations/Lopez/9781498773249

INTRODUCTION

9

10

What is e-recs integrity?

◆  Data Integrity is the property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit. (NIST SP 800-33).

11

IntroductionWhat is e-recs integrity?

Introduction What is e-recs integrity?

◆  There is a general misconception that data integrity failures only result from acts of deliberate fraud.

◆  The majority of issues relate to:–  bad practice, –  poor organizational behavior,–  weak systems.

12

◆  The concept of data integrity underpins CGMPs.–  All the regulatory agencies or competent authoritis rely

on accurate information to ensure drug quality.–  E-recs integrity problems break trust.–  The regulatory agencies or competent authoritis rely

largely on trusting the regulated users to do the right thing when we are not there.

13

IntroductionWhat is e-recs integrity?

Introduction What is e-recs integrity?

Is this a new requirement? US FDA 21 CFR 211◆  1978◆  211.68 requires backup data are exact and complete, secure

from alteration, inadvertent erasures, or loss◆  211.100 and 211.160 require certain activities be documented

at the time of performance and that lab controls be scientifically sound

◆  211.80 requires true copies or other accurate reproductions of the original records

◆  211.188, 211.194, 212.60(g) require complete information, complete data derived from all tests, complete record of all data, and complete records of all tests performed.

◆  212.110(b) requires data be stored to prevent deterioration or loss.

14

IntroductionWhat is e-recs integrity?

Is this a new requirement? EMA Annex 11 ◆  1992◆  Risk Management p1◆  Data Services Providers p3◆  Data p4.8; 5; 6◆  Storage p7◆  Reports p8◆  Audit trails p9

◆  Periodic Evaluation p11◆  Security p12◆  E-sig p 14◆  Business Continuity p16◆  Archiving p17◆  Incident Management p13◆  Back-ups p7.2

15

IntroductionWhat is e-recs integrity?

Is this a new requirement? APIs ICH Q7 ◆  2000◆  Security 5.43 ◆  Data 5.45; 5.49; 5.48◆  Back ups 5.48◆  Business Continuity 5.48◆  E-sig 6.18◆  Complete Records (Labs)

6.60

16

17

RegulatoryReferences

§ 21 CFR § 211.68 (b)§ 21 CFR § 211.188§ 21 CFR § 211.194§ EMA Annex 11§ MHRA GMP DI Guidance§ ICH Q7§ WHO TRS 966 Annex 5§ TGA PIC/S Guide PE009-8

DEFINITIONSIntroduction

18

Introduction Definitions

19

Data - A representation of facts, concepts, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automatic means.

Record - A set of related data items treated as a unit.

IntroductionDefinitions

For the purpose of this presentation, except noted, the definitions used are given in the MHRA GMP Data Integrity Definitions and Guidance for Industry (March 2015).

20

Data - Information derived or obtained from raw data (e.g. a reported analytical result).

Introduction Definitions

21

Electronic records - E-recs mean any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system. (21 CFR Part 11.3(6))

Original Records - Data as the file or format in which it was originally generated, preserving the integrity (accuracy, completeness, content and meaning) of the record, e.g. original paper record of manual observation, or electronic raw data file from a computerized system.

IntroductionDefinitions

22

Raw Data - Original records and documentation, retained in the format in which they were originally generated (i.e. paper or electronic), or as a ‘true copy’.

Raw data must be contemporaneously and accurately recorded by permanent means. In the case of basic electronic equipment which does not store electronic data, or provides only a printed data output the printout constitutes the raw data.

Primary Record - The record which takes primacy in cases where data that are collected and retained concurrently by more than one method fail to concur.

Introduction Definitions

23

True Copy - An exact verified copy of an original record.

Introduction Definitions

24

Electronic record lifecycle – The series of stages through which an e-rec passes from the beginning of its life until its physical deletion: create, access, change, delete.

INSPECTION TRENDS

25

26

Inspection Trends 2015

◆  13 of 43 Drug GMP WLs have at least one observation related with e-records integrity.

◆  10 of 43 Drug GMP WLs were to API manufacturers: India (5); China (2); Canada (1); Thailand (1); and Czech Republic (1).

◆  2 of 43 Drug GMPs WLs were to solid oral dosage forms.

◆  1 of 43 Drug GMPs WLs was to injectable.

27

Inspection Trends 2016

◆  As of May 2016, there have been sixteen (16) Non Compliance Reports posted on the EU site. Of those 16, five (5) of the reports contain data integrity issues.

28

Inspection Trends E-recs Integrity Deviations

http://www.computer-systems-validation.net/dataintegritydeviations.html

29

E-RECS LIFECYCLE

30

E-Recs Lifecycle

◆  When does electronic data become a CGMP record? –  When generated to satisfy a CGMP requirement,

all data become a CGMP record. –  Contemporaneous - The data must be saved at

the time of performance to create a record in compliance with CGMP requirements.

31

E-Recs Lifecycle

32

◆  The series of stages through which an e-rec goes from the generation of the e-rec up to its physical deletion: create, access and use, change, delete.

◆  E-recs Use–  Review–  Analyze–  Reports–  Monitor–  Migration: short term storage and

archive–  Transformation and Integration

Figure 4.3 from the ISPE/PDA, “Good Electronic Records Management (GERM)”, Figure 4.3, July 2002.

US FDA DI (draft) Guidance (Q12) “It is not acceptable to store data electronically in temporary memory, in a manner that allows for manipulation, before creating a permanent record.”

E-Recs Lifecycle

◆ E-Recs Creation◆ E-Recs Access◆ E-Recs Change◆ E-Recs Delete

•  Records Retained by Storage

•  During Processing•  While in Transit

33

E-Recs Lifecycle◆  E-Records Creation Phase

–  Commitment to generate the raw e-rec, collect the raw e-rec and to save the raw e-rec.

-  System Design*  Operational checks.*  Contemporaneous - After the raw e-rec is generated and

collected, the raw e-rec is saved prior to proceeding to the next step or event in the sequence of steps and events. The raw e-rec cannot be superseded before creating a permanent record.

*  The media to be stored the e-recs cannot be a temporary media. (Refer last paragraph Section 4.1, ISPE/PDA, Good Electronic Record Management (GERM), 2002)

34

E-Recs Lifecycle

◆  E-Records Creation Phase (Cont.)–  Manipulation of data before recording

» Cleansing»  Scaling» Normalized

–  Managed and documented

35

E-Recs Lifecycle

◆ E-Records Active Phase– Access, Use and Re-use– E-records are used for their intended

usage as representing the activities they stand for.

36

E-Recs Lifecycle

◆  E-Records Inactive Phase–  no longer actively used –  e-recs moved to a separate records storage

device for long-term retention (archive)–  any further changes is restricted–  retention period had not been finalized.

37

E-Recs Lifecycle

◆  E-Records Destruction–  e-recs met the approved retention time, are

tagged to discard and removed according to an approved procedure.

» content» metadata» audit trails» any pointers to the record» connections to related records

–  legal holds

38

E-Recs Lifecycle

◆  Migration–  data migration is the activity of transporting e-recs

from one system to another;–  the transition of data from one state to another;–  system obsolescence forces a need to transfer e-

records from one system to another;–  conversion of e-recs to a different format should

be considered as e-recs migration;–  it can happen in the active or inactive phase of the

e-recs life cycle.

39

E-Recs Lifecycle

◆ Transformation– Over-rides

» A program may be such that the sequence of program events or program edits can be over-ridden by the operator or automated.

» Any allowed over-rides must be under procedural control and, in case of operator over-ride, subject to audit trail.

40

E-Recs Lifecycle◆  Transformation

–  Integration»  In typical data warehouses and business

intelligence environments, the integration of e-recs is performed.

» Each e-rec to be integrated comes from difference sources.

» These rules, that are considered operational checks, are applied in order to prepare the data for loading into the end target (e.g., data mart).

» The transformation processing must be validated and changes must be controlled and tested.

41

42

ELECTRONIC RECORDS RELATED DEFINITIONS

Intro to manufacturing system and MHRA definitions

43

MHRA DefinitionsTerm MHRA DefinitionData Information derived or obtained from raw data (e.g. a

reported analytical result)

Original record Data as the file or format in which it was originally generated, preserving the integrity (accuracy, completeness, content and meaning) of the record, e.g. original paper record of manual observation, or electronic raw data file from a computerized system.

Primary Record The record which takes primacy in cases where data that are collected and retained concurrently by more than one method fail to concur.

Raw Data Original records and documentation, retained in the format in which they were originally generated (i.e. paper or electronic), or as a ‘true copy’. Raw data must be contemporaneously and accurately recorded by permanent means. In the case of basic electronic equipment which does not store electronic data, or provides only a printed data output (e.g. balance or pH meter), the printout constitutes the raw data.

True Copy An exact verified copy of an original record.

44

The definitions using the sample architecture

45

46

Intro to manufacturing system and MHRA definitions

◆  Cell controllers (ISA 95 Level 2) manage the manufacturing process and data acquisition.

◆  Cell controllers process inputs and direct outputs. ◆  Performing precisely in the intended environment is

essential to ensure proper functioning of the process to manufacture quality product.

◆  The quality of the product is established by following the determined sequence of operations and evaluating samples from the associated manufacturing batch by laboratory equipment and other type of verifications.

47

Intro to manufacturing system and MHRA definitions

◆  The SCADA systems are the environment that the e-recs were created initially (raw data). In addition, the SCADA systems are the responsible for the storage and handling of manufacturing-related e-records but usually not the retention environment.

◆  There must be a second environment use to safe keeping and preservation of the raw data residing in the SCADA (retention environment, true copies).

◆  It must be decided which environment is holding the primary record. SCADA or a second environment?

48

Intro to manufacturing system and MHRA definitions

◆  MES (ISA 95 Level 3) tracks and documents the transformation of raw materials through finished goods. It works in real time to enable the control of multiple elements of the production process (e.g., inputs, personnel, machines and support services).

◆  The history records of each batch of product and/or associated utility are to be used to verify if the process was followed as established.

◆  The MES holds the data. ◆  There must be a second environment use to safe

keeping and preservation of the raw data residing in the MES (retention environment, true copies)

49

50

Intro to manufacturing system and MHRA definitions

51

Intro to manufacturing system and MHRA definitions Source Operation Receiving

PLC Analog data transformed

Digitized data, validated, normalized, scaled, and so on

SCADA

Raw dataOriginal data

SCADA Migration

Direct move, no transformation or integration.

MES

data

MES Records from different sources, integrated. It creates product batch records.

From the MES context, the batch records are raw data

52

Intro to manufacturing system and MHRA definitions

◆ MES– Stringent design (data load mappings)–  Implementation– Testing– Maintenance– Operation

53

Intro to manufacturing system and MHRA definitions

◆  Primary Records– Def. – Data set which takes primacy in

case there is an inconsistency between corresponding data sets.

– Primary records employed to quality related assessments.

– Raw data or true copies.– Raw data and true copies must be

reconciled.

54

Intro to manufacturing system and MHRA definitions

◆  Records Retention on Raw Data– Validation and stability records in EU.

» While Authorization in force– Medicinal products in EU

» 1 year after expiration» 5 years in some cases

– Records in US FDA» 1 year after expiration» OTC with no expiration – 3 years after

distribution55

SOPS MANAGING E-RECS

56

SOPs Managing E-recs◆  SOPs are instructions about the operation,

calibration and validation of all GMP activities.◆  SOPs must ensure that the computer system is

trustworthy. –  are reasonably suited to performing their intended

functions; –  provide a reasonably reliable level of availability,

reliability and correct operation;–  are reasonably secure from intrusion and misuse;

and;–  adhere to generally accepted security principles.

57

SOPs Managing E-recs◆  Recording and storage of e-records.

–  describes what e-records must be recorded and reported,

–  in accordance with the applicable predicate rule requirements,

–  where and how long these e-records must be retained,

–  establishing retention times,–  the responsibility for the integrity of retained

records and relevant raw data, –  validation process of the computer system

managing these records.

58

SOPs Managing E-recs◆  E-recs creation.

–  It is the outcome of a validated/qualified practice (qualified equipment, validated process or validated method).

–  If e-recs are migrated via interfaces the authenticity and integrity of received data must be ensured (validation, built-in checks, monitoring).

–  Manual interaction during data creation requires additional controls, including an additional check on the accuracy of the data. This additional check can be done by a second operator or by a validated electronic means (e.g., built-in checks).

59

SOPs Managing E-recs

◆  E-recs creation.–  Manual recording of critical values from display

require a secondary verification of the values entered before the e-recs are committed.

60

SOPs Managing E-recs

◆  Data modification.–  Ensure that the systems are designed to permit e-

rec changes in such a way that the e-rec changes are documented and that there is no physical deletion of entered e-rec (e.g., maintain an audit trail, data trail, edit trail) and associated metadata (e.g., data that describe the context, content and structure of the data).

–  Maintain a list of the users who are authorized to make e-rec changes.

61

SOPs Managing E-recs◆  E-recs periodic review.

–  Verification of e-recs.–  Traceability to raw e-recs.–  Changes to critical e-recs traceable (analysis results,

method parameters).–  What manual activities have been performed by whom

and when?–  If unprocessed raw e-recs are not printed, review must

also include electronic system to check for any user manipulation of data.

–  Reconciliation between raw e-recs and true copies .

62

SOPs Managing E-recs

◆ E-recs Security - User access.– Physical and/or logical controls should be

in place to restrict access to computer system to authorized persons.

– Suitable methods of restricting access to computer, equipment and data storage areas.

63

SOPs Managing E-recs

◆ Segregation of duties (analysis, review, admin tasks).– Analyst and reviewer must not have

administrator rights.– Personalized accounts for analysis and

administration with additional mitigating controls (e.g., review of user access log) – controls needs to be defined in a procedure.

64

SOPs Managing E-recs◆  Data availability.

–  Procedures should be in place to ensure that essential information remains complete and retrievable throughout the specified retention period.

»  Back-up and restore»  Disaster Recovery»  Archival

–  Restore and recovery procedures needs to be tested to ensure e-records integrity is not compromised by technical controls.

–  Restore and recovery procedures must require appropriate authorization mechanism to prevent misuse.

65

SOPs Managing E-recs◆  Data Management Procedures based on difference

computer systems.–  Computer system, fully electronic data handling.

»  maintain all relevant raw e-records,»  paper printouts are clear copies of e-records (11 p 8.1) and may be

used for further regulated activities if following a defined procedure.–  Hybrid systems (highest risk due to incompatible media

management).»  create and maintain raw data partly as e-records and partly as paper

records (e.g., approval on paper);»  require procedural or technical links between e-records and paper

records◆  qualified printout (e.g., qualified procedure or verification by a

second operator on the accuracy of the printout)◆  link and synchronization of printout and e-recs.

66

SOPs Managing E-recs◆  Data Management Procedures based on difference

computer systems (Cont.)–  E-records not to be deleted in system (needs of existence

of a version control and/or audit trail).–  Written procedure to keep changes to e-records and

paper records synchronized.–  Pass through system.

» Raw data passed through to paper or compliant computer system.

» Data integrity to be ensured by creating an implemented automated control (preferred) or procedural controls until printout / pass through to next system.

»  The controls are depending on system complexity and risk.

67

Other SOPs Managing E-recs

◆  Archiving.◆  Back-ups.◆  Business Continuity.◆  Data Storage.◆  Infrastructure

Maintenance.◆  Problem Reporting.◆  Problem Managing.◆  Retirement.

◆  Restore. ◆  Risk Management.◆  Security.◆  Training.◆  Validation.◆  Change Control.◆  Quality Control.◆  Periodic Review.

68

E-RECS CONTROLS – SUPPORTING PROCESSES

69

E-Rec Controls – Supporting Processes

◆  Business Continuity.–  EMA Annex 11 p 16.–  For the availability of computer

systems supporting critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or alternative system).

–  The time required to bring the alternative arrangements into use should be based on risk and appropriate for a particular system and the business process it supports.

–  These arrangements should be adequately documented and tested.

70

E-Rec Controls – Supporting Processes

◆  Incident Management.– EMA Annex 11 p 13.– All incidents, not only system failures and

data errors, should be reported and assessed.

– The root cause of a critical incident should be identified and should form the basis of corrective and preventive actions.

71

E-Rec Controls – Supporting Processes

◆  Personnel.– EMA Annex 11 p 2.– There should be close cooperation between

all relevant personnel such as Process Owner, System Owner, Qualified Persons and IT.

– All personnel should have appropriate qualifications, level of access and defined responsibilities to carry out their assigned duties.

72

E-Rec Controls – Supporting Processes

◆  Requirements Document.– EMA Annex 11 p 4.4.– Based on the documented intended use and

risk assessment, the Requirements Document must describe the required e-recs integrity controls.

– The required e-recs integrity controls must be traceable throughout the life-cycle.

– The preferred method to implement the e-recs integrity controls is via design.

73

E-Rec Controls – Supporting Processes

◆  Risk Management.–  EMA Annex 11 p 1.–  Risk management should be applied throughout the

lifecycle of the computer system taking into account patient safety, data integrity and product quality.

–  As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computer system.

74

E-Rec Controls – Supporting Processes

◆  Risk Management.–  EMA Annex 11 p 12.–  Physical and/or logical controls should be in place to restrict

access to computer system to authorized persons. –  Suitable methods of preventing unauthorized entry to the

system may include the use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer equipment and data storage areas.

–  The extent of security controls depends on the criticality of the computer system.

–  Creation, change, and cancellation of access authorizations should be recorded.

75

E-Rec Controls – Supporting Processes

◆  Computer systems and computer controlled equipment (ICH Q9 – Quality Risk Management)–  To select the design of computer hardware and

software (e.g., modular, structured, fault tolerance);

–  To determine the extent of validation, e.g., »  identification of critical performance parameters; »  selection of the requirements and design; »  code review; »  the extent of testing and test methods; »  reliability of electronic records and signatures.

76

E-Rec Controls – Supporting Processes

◆ Suppliers and Service Providers.–  EMA Annex 11 p 3.–  When third parties (e.g. suppliers, service

providers) are used e.g. to provide, install, configure, integrate, validate, maintain (e.g. via remote access), modify or retain a computer system or related service or for data processing, formal agreements must exist between the manufacturer and any third parties, and these agreements should include clear statements of the responsibilities of the third party. IT-departments should be considered analogous.

77

E-Rec Controls – Supporting Processes

◆ Suppliers and Service Providers.–  The competence and reliability of a supplier are

key factors when selecting a product or service provider. The need for an audit should be based on a risk assessment.

–  Documentation supplied with commercial off-the-shelf products should be reviewed by regulated users to check that user requirements are fulfilled.

–  Quality system and audit information relating to suppliers or developers of software and implemented systems should be made available to inspectors on request.

78

E-Rec Controls – Supporting Processes

◆  Time Stamping Controls.–  EMA Annex 11 p 3.–  When third parties (e.g. suppliers, service

providers) are used e.g. to provide, install, configure, integrate, validate, maintain (e.g. via remote access), modify or retain for data processing, formal agreements must exist between the manufacturer and any third parties, and these agreements should include clear statements of the responsibilities of the third party.

–  IT-departments should be considered analogous.

79

E-Rec Controls – Supporting Processes

◆  Time Stamping Controls.–  The competence and reliability of a supplier are

key factors when selecting a product or service provider. The need for an audit should be based on a risk assessment.

–  Documentation supplied with commercial off-the-shelf products should be reviewed by regulated users to check that user requirements are fulfilled.

–  Quality system and audit information relating to suppliers or developers of software and implemented systems should be made available to inspectors on request.

80

E-RECS CONTROLS – RECORDS RETAINED IN STORAGE

81

E-Recs Controls – Records Retained in Storage

82

E-Recs Controls – Records Retained in Storage

◆  When e-recs are retained in computer storage (recording and records keeping), the security related procedures describe the access controls to the e-records retained throughout the retention period. (EudraLex Volume 4, Chapter 4: Documentation, June 2011).

83

E-Recs Controls – Records Retained in Storage

◆  Potential hazards and vulnerabilities to the computer storage (e.g., e-records in data server) or any infrastructure retaining e-recs are identified via risk assessments.

◆  In the context of e-recs retained by computer storage, such hazards may result in threats to the integrity of the e-records, including modification and/or accidental destruction of the e-recs without having the proper authorization provided by the e-records owner(s).

84

E-Recs Controls – Records Retained in Storage

◆  Where e-recs retention is contracted to a third party, particular attention is expected to the ownership and retrieval of e-recs held under this arrangement.

◆  The physical location in which the e-recs are held, including impact of any laws applicable to that geographic location, should also be considered.

85

E-Recs Controls – Records Retained in Storage

◆  Example of impact of a law applicable to e-recs by a geographic location: Clinical e-recs archiving guidelines established in South Africa. –  In South Africa e-recs must be reproduced in hard copy,

which are to be signed and dated as a verified accurate copy of the original data.

–  The verified hard copy should then be stored with other paper-based records.

–  This requirement in South Africa is established to overcome the possibility of loss or inability to read the information due to technological redundancy.

(Department of Health, 2006. Guidelines for Good Practice in the Conduct of Clinical Trials with Human Participants in South Africa. Department of Health: Pretoria, South Africa, Section 6.7)

86

E-Recs Controls – Records Retained in Storage

◆  E-Record control to consider:–  E-Records Storage–  E-Records Handling–  E-Records Archiving –  E-Records Migration–  File Integrity Checking

87

E-Recs Controls – Records Retained in Storage

•  E-recs Storage–  E-recs storage is a device that records (stores) or

retrieves (reads) information (e-recs) from any medium, including the medium itself.

–  This is considered short retention environment and may be considered the initial creation environment or processing environment.

–  Design specification or similar document must describe the file structure(s) in which the e-recs are stored, the capacity requirements of the storage, and how the security scheme is implemented.

–  The file structure and security are tested during the qualification phase.

88

E-Recs Controls – Records Retained in Storage

◆  Physical protection.◆  Logical protection.◆  Environment.◆  Media deterioration.◆  Modifications of e-recs.,

infrastructure and/or application accessing the e-recs.

◆  Back-ups.◆  Periodic verifications of

storage and data in storage.

◆  Legal holds.

89

E-Recs Controls – Records Retained in Storage

•  E-Records Handling–  Adequate assignment and maintenance of access

rights. –  Validation of systems and maintenance of the

validated state. –  Audit trails established, activated and periodically

monitored. »  Is the audit trail functionality implemented/

activated? » Are online clock adjustments protected? » Which is the source of the time stamp?

90

E-Recs Controls – Records Retained in Storage

•  E-Records Handling–  Controlled and defined process for any modification/change,

and so on, e-recs. I»  Is there an independent check of critical e-recs (including review of

audit trail data) implemented? »  Safe storage of e-recs, e.g. correct file system setup, DB

protection.»  Does file saving procedure save into a protected environment?

–  Electronic Signatures specific to authorized personnel.–  Data Backup and verification.

»  How about the creation of backup copies? »  Are the backup copies monitored periodically for accessibility,

readability and accuracy? »  Are data generally protected against loss, damage or overwriting?

91

E-Recs Controls – Records Retained in Storage

•  E-Records Handling– Archival and record retention.– Recovery and contingency plans.

92

E-Recs Controls – Records Retained in Storage

•  E-Records Archiving-  E-recs archiving is the process of moving e-recs that

are no longer actively used to a separate records storage device for long-term retention, often disabling the e-recs from any further changes.

-  The retention period of these e-recs had not been finalized.

-  Controls – Refer to e-recs in storage.-  May involve a modification of format, media and/or

physical storage. (Annex 11-4.8)-  It must be performed in a controlled manner in

accordance with a procedural control.

93

E-Recs Controls – Records Retained in Storage

•  E-Records Archiving-  A verification of the output of the archiving

must be performed. •  e-recs are not altered in value and/or meaning

during this migration process. •  accessibility and readability.•  metadata must be also transferred and verified.

(Annex 11-4.8)

94

E-Recs Controls – Records Retained in Storage

◆ Sample types of archiving disposition.– Extract/Migrate – The migration of digital

information from one hardware/software configuration to another or from one generation of computer technology to a later one.

– Host – these are single-instance database systems that are not typically managed by the site and are hosted elsewhere.

95

E-Recs Controls – Records Retained in Storage

◆  Sample types of archiving disposition.– Archive.

» Report – in this case, the official record is considered to be in hard copy currently or the most effective end state will become hard copy.

» Physical to Virtual (P2V) (Encapsulate) –the application and the database in a virtual environment.

» Technology emulation creates an environment that behaves in a hardware-like manner.

» Keeping every version of software and hardware

96

E-Recs Controls – Records Retained in Storage

◆  Physical protection◆  Logical protection◆  Environment◆  Media deterioration◆  Modifications of e-recs.◆  Modification of

infrastructure.◆  Back-ups.◆  Periodic verifications of

storage and data in storage.

◆  Legal holds.

97

E-Recs Controls – Records Retained in Storage

•  E-Records Migration-  e-recs migration is the process of transferring e-

recs between storage types, formats, or computer systems. It is a key consideration for any system implementation, upgrade, or consolidation.

-  e-recs migration occurs for a variety of reasons, including: server or storage equipment replacements or upgrades; retirement of computer systems; website consolidation; server maintenance; and data center relocation.

98

E-Recs Controls – Records Retained in Storage

•  E-Records Migration-  Before any e-record can be migrated from one

system to another, it is important to identify differences between systems and how they might affect how reliably the migrated e-record can preserve and present information.

-  A verification of the output of the archiving must be performed.

99

E-Recs Controls – Records Retained in Storage

•  File Integrity Checking–  Periodically e-recs and the associated file(s)

should be checked for integrity.–  Provide a way to identify that files have been

changed.–  File integrity checkers establish a file checksum

database. –  Stored checksums are later recomputed to

compare their current value with the stored value, which identifies file modifications.

100

E-Recs Controls – Records Retained in Storage

•  File Integrity Checking–  The reference database should be stored offline

to prevent attackers from compromising the system and covering their tracks by modifying the database.

–  For file integrity checking, strong cryptographic checksums such as Secure Hash Algorithm 1 (SHA-1) should be used to ensure the integrity of e-recs stored in the checksum database.

101

E-Records Integrity(Databases)

◆  Data integrity is enforced in both hierarchical and relational database models.

◆  The following three integrity constraints are used in a relational database structure to achieve data integrity: –  Entity Integrity: This is concerned with the concept of primary

keys. The rule states that every table must have its own primary key and that each has to be unique and not null.

–  Referential Integrity: This is the concept of foreign keys. The rule states that the foreign key value can be in two states. The first state is that the foreign key value would refer to a primary key value of another table, or it can be null. Being null could simply mean that there are no relationships, or that the relationship is unknown.

–  Domain Integrity: This states that all columns in a relational database are in a defined domain.

102

E-Records Integrity(Databases)

◆  Ensures that all data in a database can be traced and connected to other data. This ensures that everything is recoverable and searchable.

◆  Data integrity is usually imposed during the database design phase through the use of standard procedures and rules. 

103

E-Records Integrity(Databases)

◆  Data scrubbing, also called data cleansing, is the process of amending or removing data in a database that is incorrect, incomplete, improperly formatted, or duplicated. –  Validation

Verifying that a field is logically correct (integrity) and/or physically correct (format).

–  Boundary Checking Checking whether the value of the field is within a defined range of values.

–  Completeness Confirming all mandatory fields are filled in.

–  Eliminating Duplicates Discarding duplicate records, or selecting the "best record" (same instance from several sources, only one is selected), or merging duplicate instances (merging part or all of same instance from several sources).

104

E-RECS CONTROLS – DURING PROCESSING

105

E-Recs Controls – During Processing

106

E-Recs Controls – During Processing

◆  Archiving (Annex 11 p 4.8 and Part 11.10(b)).◆  Built-in checks (Annex 11 p 5).◆  Operational checks (Part 11.10(f)).◆  Print-outs/Reports (Annex 11 p 8).◆  Security (Part 11 (c), (d), (g) and Annex 11 p

12).◆  Time stamping of e-records (Part 11.10(e)).◆  Verification of computer motherboard and

CPU.

107

E-Recs Controls – During Processing

◆ Secondary or processed data.– To maintain data integrity, altering

methods to reprocess will require a secured audit trail functionality, data, and access security.

108

E-RECS CONTROLS – WHILE IN TRANSIT

109

E-Recs Controls – Records While in Transit

110

E-Recs Controls – Records While in Transit

◆  Infrastructure Qualification (Annex 11 Principle 2).

◆ Built-in checks (Annex 11 p 5).◆ Accuracy checks (Annex 11 p 6).◆ Tracking records movements.◆ Computerized Drug Processing; Input/

Output Checking (CPG 7132a.07).

111

E-RECORDS INTEGRITY REMEDIATION

112

E-Recs Integrity RemediationPhases◆  Initiate◆  Diagnose◆  Implement◆  Act◆  Manage

113

Implement

E-Recs Integrity RemediationInitiation Phase◆  Characterize current and

desired states for authentic records.

◆  Establish record policies and practices.

◆  Alignment with internal and external requirements for authenticity.

Diagnose Phase◆  Inventory and assess

installed computing bases.

◆  Establish strategies for new computing bases.

114

E-Recs Integrity Remediation

Implement Phase◆  Formulate approaches to

evolve legacy environments.

◆  Enhance engineering methods for new environments.

Act Phase◆  Execute implementation

strategies.

115

Manage Phase•  Maintain operational

computing bases.•  Process improvement.

SUMMARY

116

Requirements

Data Integrity Management

117

Concept

Project

Operation

Retirement

Potential Migration

PotentialRetention, Migration,Destruction

Risk Assessment

Changes

Release

Risk, Requirements and Data Integrity Management

•  Data (I/Os)•  Data Storage•  Archiving•  Data Migration

Migration

Creation, access, use, change, deleteErecs Lifecycle

RecordRetention

Good E-Recs Integrity Practices

118

Good E-Recs Integrity Practices ◆  As part of a risk management system, decisions on

the e-recs integrity controls should be based on a justified and documented risk assessment of the computer system. (11 p1)

◆  Raw data may be recorded by trustworthy computer systems and must be recorded at the time the raw data is generated (contemporaneously).

◆  Records should be regularly and progressively backed up, and the backup retained at a location remote from the active file;

119

Good E-Recs Integrity Practices ◆  Data collected directly from equipment and control

signals between computers and equipment should be checked by verification circuits/software to confirm accuracy and reliability;

◆  Interfaces between computers and equipment should be checked to ensure accuracy and reliability.

◆  There should be documented contingency plans and recovery procedures in the event of a breakdown.

120

Good E-Recs Integrity Practices ◆  The recovery procedures should be periodically

checked for the return of the system to its previous state.

◆  The system should be able to provide accurate printed copies of relevant data and information stored within. Printed matter produced by computer peripherals should be clearly legible.

◆  The system should include, where appropriate, built-in checks of the accuracy entry and recording of data.

121

Good E-Recs Integrity Practices ◆  Data should only be entered or amended by persons

authorized to do so. ◆  There should be a defined procedure for the issue,

cancellation and alteration of authorization to enter and amend data, including the changing of personal passwords.

◆  Consideration should be given to systems allowing for recording of attempts to access by unauthorized persons.

122

Good E-Recs Integrity Practices ◆  Critical data entered manually into a computer

system should be checked for accuracy by a second person.

◆  The computer system should create an audit trail of any changes to electronic data.

◆  The audit trail record should include the time of each change, the nature of the change, and the identity of the person involved.

◆  All e-recs keeping track of modifications or deletions of e-recs (e.g., electronic audit trails), become at the same time e-recs subject to the same e-recs related controls.

123

Good E-Recs Integrity Practices ◆  The persons carrying out the data entry and

verification should be identifiable.◆  Data should be secured by physical or electronic

means against willful or accidental damage.◆  Stored data should be checked for accessibility,

durability and accuracy.

124

Good E-Recs Integrity Practices ◆  If changes are proposed to the computer equipment

or its programs the above mentioned checks should be performed at a frequency appropriate to the storage medium being used.

◆  Critical computer-dependent systems should have alternate systems available in the event of a systems failure.

◆  When outside agencies are used to provide a computer service, there should be a formal agreement including a clear statement of the responsibilities of that outside agency.

125

Good E-Recs Integrity Practices ◆  Security.

–  It must be established role-based security on all databases, data servers, networks and applications.

–  Only authorized persons must be able to enter or modify e-recs in computer systems.

–  Access to e-recs should be restricted by passwords or other means.

–  Security should also extend to devices used to store programs, such as tapes, disks and magnetic strip cards. Access to these devices should be controlled.

126

Good E-Recs Integrity Practices ◆  21 CFR 211.180(d) requires records to be retained

“either as original records or true copies such as photocopies, microfilm, microfiche, or other accurate reproductions of the original records.” Similar worldwide requirements are established in other GMP related regulations.

◆  During the retention period of e-recs, these must be readily available.

127

Good E-Recs Integrity Practices ◆  Periodically, e-recs retained by computer storages

need to be verified for accessibility, readability, integrity and the state of security control.

◆  The computer system documentation most covers the relevant steps associated with the handling of data integrity controls.

◆  Routine preventive maintenance shall be implemented for the system; an emergency response system for system failures shall be available, and measures for recovery after system disasters shall be prepared.

◆  Procedures are established and implemented covering the above items. 128

129

130 130

OrlandoLópezGAMPDataIntegritySIGSME

olopez6102@gmail.com

131

FIN

ADDITIONAL SLIDES

Confidential and Proprietary to QCCS, Inc. 132

133

Raw DataFrom 2008!!

134

Raw Data Issues

●  Volatile Data

●  Electronic Record(Electronic Raw Data)

135

Raw Data Issues

●  Volatile Data

●  Raw E-Record

136

Volatile Data

●  Volatile data is a great example of data that is not an electronic record.

A routine control temperature reading that is taken by a PLC five (5) times a second stored momentarily looked at by another loop of the program then erased as it is replaced by the next value.

Why data <> electronic record? Because data has not been written contemporaneous to electronic media.

137

Volatile Data(Cont.)

●  Volatile data is considered data retained transiently in buffers. Is this same concept can be applied to “transient disk storage”?

NO. How long the record is kept on disk does not alter its status as an electronic record.

138

Electronic Record●  Electronic record is data directly entered into a

computer, through an instrument interface for example and saved to recording media such as disk, tape or other durable electronic medium.

●  An electronic copy of an electronic record is considered to be also electronic record.

“Computerized Data Systems for Nonclinical Safety Assessment, Current Concepts and Quality Assurance”, Drug Information Association, September 1988.

139 76

Electronic Record (Cont.)

Electronic data "may include electronic signals emanating from various sensors and control devices. Raw data includes electronic data contained in database files, and information stored on floppy disks or tapes."

Robert Tetszlaff, "GMP Documentation Requirements for Automated Systems: Part I", Pharmaceutical Technology (March1992).

140

Electronic Raw Data (Cont.)

●  Where an instrument writes data to a disk file from which file the information is printed to paper, an electronic record (original) is created and a paper copy of that electronic original is made.

●  It will not prudent to destroy the electronic record after printing it out because section 11.10(b) requires that systems and controls include “The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review and copying by the agency...”