Data Integrity Master Class & Audit Trail Review

Programme

Data Integrity Master Class

• EU GMP Requirements: Chapter 4, Annex 11
• Guidance Documents Overview (state of the art): GMDP Inspectors WG, Data Integrity Q&A, (PIC/S Good Practices for Data Management and Integrity in regulated GMP/GDP Environments), WHO, Annex 5 Guidance on Good Data and Record Management Practices, MHRA GxP Data Integrity Definitions and Guidance for Industry
• FDA, Data Integrity and Compliance with cGMP
• “These Guides are not intended to impose additional regulatory burden upon regulated entities”. Is This correct?: Data Governance, Dynamic Data

• Which PQS elements need to be added or updated?
• The Data Integrity Program: Priorities (immediate/short/mid-term), Capacity, Timing

• GMP requirements for good documentation practice
• Application to paper documents
• Common problems from FDA 483 observations and warning letters and how to avoid them

• Objective and purpose
• Electronic data flow
• Complete data flow
• Identification of possible weaknesses

• Metrics in the context of a corporate data integrity programme
• Suggested metrics in the assessment phase
• Suggested metrics in the operational phase

• How to present the DI status and future approach?
• Gap analysis
• Training program coverage
• Experience from FDA inspections – Hot Buttons

• Basis for Inspections: “PIC/S Good Practices for Data Management and Integrity in regulated GMP/GDP Environments”
• Data Integrity Assessment during Inspection: Quality Control, Manufacturing
• Inspection Findings

• Regulatory and guidance document requirements for the second person review
• Role of the second person review
• Scope of the second person review
• Documenting the review for paper, hybrid and electronic systems
• Facilitated discussion on Second Person review

• Purpose and requirements
• TAI, UTC, time zone, legal time, local time, system time
• ntp - network time protocol
• Time management concept

• Regulatory requirements for software systems:
• procedural and technical
• Role of software suppliers
• Regulations push vs market needs pull
• Implementing technical requirements for software: architecture, database and application
• Marketing literature versus marketing bullshit

• Why is control of master templates and blank forms important?
• Regulatory requirements from FDA, MHRA, WHO, EMA and PIC/S
• Devising and controlling the master template
• Operational use of the blank forms
• Do you really want to work this way?

• Regulatory requirements and expectations for audit trail review
• Is the application adequate for audit trail review?
• Application of a risk based approach to audit trail review

• What is record vulnerability?
• Protection and security of electronic records requirements
• What can go wrong? Scope of misfortunes that can impact records
• Assessment of record vulnerability and implementation of control measures

• Data integrity training
• Enforce data flows
• Reviews
• Internal inspection
• Audit of external organisations

• Cyber security reality and concerns
• Possible security weaknesses
• Designing robust IT and automation infrastructures

• Governance responsibilities
• Data governance vs. IT governance
• Elements of a data governance
• Embedding data governance into the PQS

• Audit context
• Audit scope
• Findings
• Root causes

• Migration of complex data collections
• Migration of a large collection of similar data
• Design of the migration process
• Risk-based elaboration of the verification strategy

• Proprietary v open standards for laboratory data
• Options for long term retention:
• Keep original system
• Virtualisation
• Data migration

• What are data integrity investigations?
• Human and technical triggers for DI investigations
• Who should investigate the problem?
• Process description and how to document a DI investigation
• Should we inform regulatory authorities?

Audit Trail Review

• Part 11 and Annex 11 / Chapter 4 requirements for audit trail
• Regulatory requirements for audit trail review
• Guidance documents for audit trail review
• Do I really need an audit trail?

• What do we look for in an application for auditing?
• Pros and cons for event logs and audit logs?
• Which audit trail(s) should I review?

• Annex 11 requires that audit trails monitor GMP-relevant data – what are GMP relevant data?

• Guidance for frequent is “frequent review” of audit trails
• Process versus system: avoiding missing data integrity issues when only focussing on a per system review
• What are we looking for in an audit review?
• Suspected data integrity violation - What do we need to do?

• Technical considerations for audit trail review e.g.
• Identifying data that has been changed or modified – how the system can help
• Documenting the audit trail review has occurred
• Review by exception – how technical controls can help
• Have you specified and validated these functions?