Data Integrity Master Class & Audit Trail Review

Programme

Data Integrity Master Class

Regulatory Update

• EU GMP Requirements: Chapter 4, Annex 11
• Guidance Documents Overview (state of the art): GMDP Inspectors WG, Data Integrity Q&A, (PIC/S Good Practices for Data Management and Integrity in regulated GMP/GDP Environments), WHO, Annex 5 Guidance on Good Data and Record Management Practices, MHRA GxP Data Integrity Definitions and Guidance for Industry
• FDA, Data Integrity and Compliance with cGMP
• “These Guides are not intended to impose additional regulatory burden upon regulated entities”. Is This correct?: Data Governance, Dynamic Data

Data Integrity in the pharmaceutical quality system

• Which PQS elements need to be added or updated?
• The Data Integrity Program: Priorities (immediate/short/mid-term), Capacity, Timing

Data Integrity in paper documentation

• GMP requirements for good documentation practice
• Application to paper documents
• Common problems from FDA 483 observations and warning letters and how to avoid them

Data flow analysis

• Objective and purpose
• Electronic data flow
• Complete data flow
• Identification of possible weaknesses

Metrics for Data Integrity

• Metrics in the context of a corporate data integrity programme
• Suggested metrics in the assessment phase
• Suggested metrics in the operational phase

Preparing your company for an Data Integrity inspection

• How to present the DI status and future approach?
• Gap analysis
• Training program coverage
• Experience from FDA inspections – Hot Buttons

DI Inspections

• Basis for Inspections: “PIC/S Good Practices for Data Management and Integrity in regulated GMP/GDP Environments”
• Data Integrity Assessment during Inspection: Quality Control, Manufacturing
• Inspection Findings

Second Person Review

• Regulatory and guidance document requirements for the second person review
• Role of the second person review
• Scope of the second person review
• Documenting the review for paper, hybrid and electronic systems
• Facilitated discussion on Second Person review

Time synchronisation

• Purpose and requirements
• TAI, UTC, time zone, legal time, local time, system time
• ntp - network time protocol
• Time management concept

Software Suppliers Responsibility for Data Integrity Compliance

• Regulatory requirements for software systems:
• procedural and technical
• Role of software suppliers
• Regulations push vs market needs pull
• Implementing technical requirements for software: architecture, database and application
• Marketing literature versus marketing bullshit

Control of Master Templates and Blank Forms

• Why is control of master templates and blank forms important?
• Regulatory requirements from FDA, MHRA, WHO, EMA and PIC/S
• Devising and controlling the master template
• Operational use of the blank forms
• Do you really want to work this way?

Risk-based approach for manufacturing and laboratory audit trail review

• Regulatory requirements and expectations for audit trail review
• Is the application adequate for audit trail review?
• Application of a risk based approach to audit trail review

Workshop on Audit Trail Review
Vulnerability of Records

• What is record vulnerability?
• Protection and security of electronic records requirements
• What can go wrong? Scope of misfortunes that can impact records
• Assessment of record vulnerability and implementation of control measures

Workshop on Vulnerability of Records

QA oversight for data integrity

• Data integrity training
• Enforce data flows
• Reviews
• Internal inspection
• Audit of external organisations

Cyber security measures to assure data integrity

• Cyber security reality and concerns
• Possible security weaknesses
• Designing robust IT and automation infrastructures

Data governance

• Governance responsibilities
• Data governance vs. IT governance
• Elements of a data governance
• Embedding data governance into the PQS

Data integrity audit results of a contract laboratory

• Audit context
• Audit scope
• Findings
• Root causes

Case study Data Migration - Production

• Migration of complex data collections
• Migration of a large collection of similar data
• Design of the migration process
• Risk-based elaboration of the verification strategy

Options for Long Term Data Retention of Laboratory Data

• Proprietary v open standards for laboratory data
• Options for long term retention:
• Keep original system
• Virtualisation
• Data migration

Data Integrity Investigations

• What are data integrity investigations?
• Human and technical triggers for DI investigations
• Who should investigate the problem?
• Process description and how to document a DI investigation
• Should we inform regulatory authorities?

Workshop on Data Integrity Investigations

Key Learning Points and Final Discussion

Audit Trail Review

Why Is An Audit Trail and Its Review Important?

• Part 11 and Annex 11 / Chapter 4 requirements for audit trail
• Regulatory requirements for audit trail review
• Guidance documents for audit trail review
• Do I really need an audit trail?

What is in a Name?

• What do we look for in an application for auditing?
• Pros and cons for event logs and audit logs?
• Which audit trail(s) should I review?

Workshop 1: Which Audit Trail to Review?

What are GMP-Relevant Data?

• Annex 11 requires that audit trails monitor GMP-relevant data – what are GMP relevant data?

Workshop 2: Identifying GMP Relevant Data

Review of Audit Trail Entries

• Guidance for frequent is “frequent review” of audit trails
• Process versus system: avoiding missing data integrity issues when only focussing on a per system review
• What are we looking for in an audit review?
• Suspected data integrity violation - What do we need to do?

Workshop 3: Reviewing Audit Trail Entries

Technical Controls to Aid Second Person Review of Audit Trails

• Technical considerations for audit trail review e.g.
• Identifying data that has been changed or modified – how the system can help
• Documenting the audit trail review has occurred
• Review by exception – how technical controls can help
• Have you specified and validated these functions?