Data Integrity Requirements for Computerized Systems

Follow this link to read the full article: Data Integrity: Key requirements for Computerized Systems - Zamann Pharma Support GmbH (zamann-pharma.com)

What is data integrity?

Data integrity ensures that the data generated throughout the manufacturing process is accurate, reliable, and secure. Data integrity refers to the completeness, consistency, and accuracy of data throughout its lifecycle, from creation and processing to storage and retrieval.

By implementing data integrity controls, companies can incorporate new technologies and digital innovations, paving the way for automated production systems. This integration is critical to modernizing legacy systems and improving operational support. Maintaining data integrity requires adherence to procedures, policies, and standards as early as the design phase. Whether data is stored for a short or long time, and how frequently it is accessed, its accuracy, completeness, and trustworthiness are maintained when data integrity is ensured. This is crucial in the pharmaceutical industry, where safe, effective and high-quality medicines are of paramount importance.

The concept of data integrity is often explained with ALCOA+, which stands for Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, and Available. Each of these terms highlights different aspects of data integrity. For more details, see ALCOA+.

Data integrity Dos and Don’ts by FDA

Do’s

• Establish clear and comprehensive guidelines for data handling to ensure accuracy and consistency.
• Vigilantly double-check data entries to minimize errors.
• Create a Clear and Comprehensive Audit Trail and maintain detailed records of data access, including who accessed it and when.
• Train Employees on Data Integrity and Compliance. Offer thorough training sessions on proper data handling practices.
• Regularly Perform Internal Audits. Conduct frequent audits to validate data accuracy and integrity.
• Document All Data-Related Activities and Changes. Keep exhaustive logs of all data modifications.
• Utilize Electronic Signatures and Controls. Implement secure access systems through password protection and electronic signatures.

Don’ts

• Avoid altering or falsifying information to fit desired outcomes.
• Delete Data Without Documentation: Never erase records without proper authorization and documentation.
• Prevent unauthorized access by not sharing passwords.
• Take immediate action upon noticing any discrepancies or inconsistencies.
• Always prioritize data protection and address potential security breaches promptly.
• Document all data handling actions accurately, without relying on memory.
• Avoid relying on obsolete software or tools for data management.
• Maintain transparency and integrity by not falsifying records to hide errors.
• Report any data breaches or incidents without delay to relevant parties.
• Ensure continuous training and supervision to uphold data integrity standards

Importance of Data Integrity for pharmaceutical companies

Data integrity is crucial in pharmaceutical and medical device industries for several reasons:

1. Regulatory Compliance: Ensures adherence to strict regulations set by agencies like the FDA, guaranteeing product safety and efficacy.
2. Patient Safety: Maintains accurate data to prevent errors in diagnosis, treatment, or monitoring that could endanger patient health.
3. Quality Assurance: Ensures the consistency and high standards of pharmaceuticals and medical devices, minimizing risks of defects or recalls.
4. Reputation and Trust: Builds credibility with healthcare professionals and patients, fostering long-term success and trust in the market.

Key requirements for Computerized Systems

Companies use various computerized systems for operational tasks, ranging from simple setups to complex integrated systems, all affecting product quality. These systems must adhere to GMP and GDP requirements.

Lets understand the key requirements of data integrity for Computerized system as below.?

1. System Validation & Maintenance

• Regulated companies must establish and follow robust controls to ensure data integrity throughout the system lifecycle. This involves incorporating data management and integrity considerations from the outset of system procurement and maintaining them throughout. Functional Specifications (FS) and User Requirement Specifications (URS) for regulated users should comprehensively address these requirements.
• Special attention is needed when purchasing critical GMP/GDP equipment to ensure proper evaluation of data integrity controls before procurement.
• Legacy systems should undergo evaluation to determine if their current configuration and functionality align with good data management practices. If existing systems lack adequate controls, additional measures should be explored and implemented

2. Qualification and validation of computerised systems

• Validation of computerized systems must align with GMP/GDP guidelines. However, validation alone doesn’t ensure adequate protection of generated records. Validated systems can still be vulnerable to loss or alteration due to accidents or malicious intent. Therefore, it’s crucial to supplement validation with administrative and physical controls, along with user training

3. Validation and Operation

The input text outlines key considerations and requirements for regulated companies regarding data integrity in computerized systems:

• Establishment and Enforcement of Controls:?Regulated companies must implement controls to ensure data integrity throughout the lifecycle of systems and data. This includes comprehensive addressing of data management needs in Functional and User Requirement Specifications (FS/URS).
• Procurement and Evaluation of Systems:?When procuring GMP/GDP critical equipment, special attention must be given to ensuring adequate data integrity controls are in place. Existing legacy systems should be evaluated for compliance with good data management practices, and additional controls should be implemented if necessary.
• Tracking and Documentation:?Regulated users must maintain records of their computerized systems, including system names, locations, purposes, evaluations of system function and importance, validation status, and references to validation documents.
• Validation Requirements:?New systems require a Validation Summary Report compliant with Annex 15 requirements, detailing critical system configurations, access controls, approved users, audit trail frequency, and procedures for user management and data handling. Existing systems should have relevant documents outlining these requirements available and maintained.
• Validation Master Plan and Testing:?Companies should have a Validation Master Plan outlining validation policies and requirements for computerized systems. Validation extent should be risk-based, with defined tests for compliance before routine use. Prospective validation is recommended, and tests should follow GMP Annex 15 requirements.
• Periodic Evaluation and Updates:?Computerized systems need periodic evaluation covering deviations, changes, upgrade history, performance, and maintenance to maintain data integrity. The frequency of re-evaluation should be determined by risk assessment. Timely updates for operating systems and network components are essential to safeguard data integrity, along with applying security patches promptly and under controlled conditions.
• Migrations to newer platforms?companies should plan and execute application migrations to newer platforms before they become unsupported and isolate unsupported operating systems from the network as much as possible while carefully designing remaining interfaces and data transfer processes to prevent vulnerabilities.

4. Data transfer and migration

• Data transfer :?During validation, it’s crucial to assess and address interfaces to ensure accurate data transfer. These interfaces should incorporate built-in checks for secure data entry and processing, minimizing integrity risks. Verification methods may include secure transfer, encryption, and checksums. Interfaces between systems should be designed and qualified for automated transfer of GMP/GDP data.
• Check for compatability:?When updating system software, users must ensure compatibility with existing and archived data. If necessary, data conversion to the new format should be facilitated. If conversion isn’t feasible, the old software should be maintained and available for accessing archived data during investigations.
• When older software becomes unsupported,?Preserving data accessibility is crucial, either by maintaining legacy software in a virtual environment or migrating to a compatible format that retains data integrity. Assess options based on data importance and risk, balancing long-term accessibility with potential loss of functionality. Document all risk mitigation controls and acknowledge that some loss of attributes may be inevitable during migration.

5. System security for computerised systems

• User access controls:?Access controls must be configured and enforced to prevent unauthorized access, changes, or deletion of data in computerized systems. The level of security measures depends on the criticality of the system.
• Data integrity:?Safeguards against accidental alterations or intentional tampering are necessary to maintain data integrity. This involves evaluating system designs, ensuring physical security of hardware, and implementing network security measures against local and external threats.
• Network protection:?Security measures, including firewalls, intrusion detection systems, and regular vulnerability scans, are essential to detect and prevent potential threats. Protection levels should be aligned with the assessed risk of the data.
• Electronic signatures: Robust controls for authenticity and traceability of electronic signatures are required, including permanent linkage to associated records, timestamp logging, and adoption of advanced methods like biometrics.
• USB device restrictions:?To enhance system security, USB device usage on critical systems hosting GMP/GDP data should be restricted. Ports should be configured for approved purposes, and all USB devices must undergo proper scanning before use.

6. Audit trails for computerised systems

• Companies must prioritize data integrity?by selecting computerized systems with appropriate electronic audit trail functionality, upgrading older systems if necessary.?Systems lacking audit trails should implement alternative verification methods, ensuring compliance during system validation.
• Audit trail functionalities should be enabled and locked,?with procedures established for determining data requirements and conducting independent reviews, overseen by the quality unit. Electronic-based systems must configure audit trails to capture critical activities, recording detailed parameters for comprehensive tracking of actions and entries.

7. Data capture/entry for computerised systems

Systems should ensure accurate data capture, whether manual or automated. Manual data must follow specified formats, be validated, and verified by a second operator or software, with changes documented in an audit trail. Automated data capture needs validated interfaces, secure storage, and software checks for completeness and accuracy. Data changes must follow authorized procedures, retaining original data, with all modifications fully documented and approved by qualified individuals.

8. Review of electronic data within computerised systems

• Regulated users must conduct risk assessments to identify critical GMP/GDP relevant electronic data and audit them?for accuracy and integrity, with all changes duly authorized. Standard Operating Procedures (SOPs) should detail second-operator checks, encompassing raw data, summaries, and logs. Audit trail reviews should be integrated into routine data assessments,
• Frequency and roles for audit trail reviews should align?with data importance, with significant changes triggering thorough investigations and documented actions to address quality or data integrity issues
• The company’s quality unit should establish a program and schedule to?conduct ongoing reviews of audit trails based upon their criticality and the system’s complexity in order to verify the effective implementation of current controls?and to detect potential non-compliance issues. These reviews should be incorporated into the company’s self-inspection program.

Conclusion : By prioritizing DI now, companies can enhance efficiency and productivity while delivering high-quality products.Maintaining data integrity in cGMP compliance is not merely a regulatory requirement; it’s a fundamental necessity for pharmaceutical manufacturers. The consequences of data integrity breaches can be severe, both in terms of regulatory actions and patient safety. By implementing best practices, investing in staff training, and leveraging technology, pharmaceutical companies can ensure data integrity throughout the manufacturing process. This commitment not only meets regulatory expectations but also upholds the highest standards of product quality and patient well-being.