To comply with the requirements of data integrity, suitable monitoring systems must be in place. In addition, regular personnel training on the importance of data integrity principles must be carried out. The training sessions should contribute to the creation of a working environment that promotes an open culture of reporting failures, omissions and deviating results.
In GxP-controlled companies, management is responsible for implementing systems and procedures for minimising the potential risk to data integrity and to identify risks using risk-based principles. Contract givers should ensure as part of supplier qualification that appropriate systems are also implemented at all of their suppliers. In the case of contract manufacturing, contract testing and contract packaging, this also includes monitoring measures and regular checks that cover the following aspects as a minimum:
If reports are generated using software, it must be ensured that they cannot be changed afterwards. If they are paper-based, they must be marked as original printouts (master documents) using an appropriate method (e.g. a signature). Master documents and true copies of these documents must be controlled. They are normally saved electronically in PDF format. The PDFs created using software or a scanner must be encrypted or password-protected, and appropriate action must be taken to ensure that subsequent changes are no longer possible. Saving the data in PDF format also requires comprehensive verification to ensure that the information loss caused by the embedded graphic formats and/or their compression algorithms is acceptable. This applies in particular when the PDF files are generated by scanning paper-based graphics. When generating reports, it is very important to be aware of the fact that this is a static data format and that the dynamic data format is lost if the original document is not saved separately. It must therefore be ensured that all dynamic data is stored and archived. This is not necessary when dynamic data is not created, e.g. when printing weighing data.
The (final) storage of data and generation of reports must be carried out contemporaneously to prevent subsequent changes or at least make them more difficult. The FDA stipulates that this has to be done at the end of each run and rules out final storage at the end of a measurement day or temporary storage.
The storage of data and the reports generated from it (in paper or electronic form) must be controlled in detail. In the case of hybrid systems, it is important that the data can be retrieved at all times. The readability of proprietary data for the entire period of retention can be a major challenge. In some cases, this can mean that control and evaluation systems that run on operating systems or hardware that are/is not upwardly compatible must be retained after decommissioning. An example of this would be old devices that are required to read data that is stored on floppy disks.
Access to archived data should be restricted to a limited number of individuals, and actions must be taken to prevent changes to the data during the period of retention. The respective established archiving system and the corresponding parameters must be regularly checked to ensure that they are still effective. As an example, sample calculations and/or reports can be recreated from the archived data and compared with those that were initially obtained. This should be done based on a risk assessment.
Requirements on data and data integrity lead to requirements on equipment that have to be taken into account during procurement and/or qualification. These include:
Markus Veit, PhD
i.DRAS GmbH Planegg | Alphatopics GmbH Kaufering, Germany
You’ll understand all the requirements with Data Integrity in the EU: Requirements for Quality Management Systems. This report details the ins and outs of all three documents and explains how the FDA regulations fit in.
You will learn:
Get started now! Order your copy of Data Integrity in the EU