Document Number: 01-3316

Revision: 01

TRAINING COPY
Effective Date: 24-Feb-2023

Title Global Data Integrity Policy

Document Number 01-3316

Revision 01

Document Type Global Policy

Release Date

COMPANY CONFIDENTIAL Page 1 of 19

 Document Number: 01-3316
Revision: 01

TRAINING COPY
Effective Date: 24-Feb-2023

CONTENTS

PURPOSE ................................................................................................................. 3
SCOPE...................................................................................................................... 3
DEFINITIONS / GLOSSARY ..................................................................................... 3
ROLES AND RESPONSIBILITIES ............................................................................ 5
REFERENCES .......................................................................................................... 7
PROCEDURE ........................................................................................................... 8
REVISION HISTORY .............................................................................................. 19

COMPANY CONFIDENTIAL Page 2 of 19

 Document Number: 01-3316
Revision: 01

TRAINING COPY
Effective Date: 24-Feb-2023

PURPOSE
The purpose of this policy is to provide guidance on data integrity principles and define the expectations
for the implementation of these principles within Mundipharma Manufacturing entities undertaking GxP
activities.

This document describes the requirements and responsibilities to ensure Data Integrity (DI) of records
used for GxP purposes. The principles within this policy are applicable for all stages throughout the
product lifecycle.

To ensure that data integrity requirements are clearly defined and met appropriately, in line with current
legislation and best practice guidelines.

SCOPE
This policy applies to GxP electronic, paper-based and hybrid records.

The methodologies and principles defined in this document apply to Global GxP Computerised Systems
that are registered in the Global IT CMDB (Configuration Management Database in ServiceNow) and
Manufacturing Sites in the Mundipharma Organization.

DEFINITIONS / GLOSSARY

Abbreviation / Term Definition

An audit trail is a form of metadata containing information associated with actions

that relate to the creation, modification, or deletion of GXP records. An audit trail
Audit Trail provides for secure recording of life-cycle details such as creation, additions,
deletions, or alterations of information in a record, either paper or electronic, without
obscuring or overwriting the original record.

Acronym referring to Attributable, Legible, Contemporaneous, Original and Accurate

ALCOA +
‘plus’ Complete, Consistent, Enduring, and Available.

Facts, figures, and statistics are collected for reference or analysis. All original
records and true copies of original records, including source data and metadata and
Data all subsequent transformations and reports of these data, are generated, or
recorded at the time of the GxP activity and allow full and complete reconstruction
and evaluation of the GxP activity.

DI is the degree to which data are complete, consistent, accurate, trustworthy, and
Data Integrity reliable and that these characteristics of the data are maintained throughout the data
life cycle.

The arrangements to ensure that data, irrespective of the format in which they are
Data Governance generated, are recorded, processed, retained, and used to ensure the record
throughout the data lifecycle.

All phases in the life of the data from generation and recording through processing
Data Life Cycle (including analysis, transformation, or migration), use, data retention,
archive/retrieval, and destruction.

COMPANY CONFIDENTIAL Page 3 of 19

 Document Number: 01-3316
Revision: 01

TRAINING COPY
Effective Date: 24-Feb-2023

Abbreviation / Term Definition

Data transfer is the process of transferring data between different storage types,
formats, or computerized systems.
Data Transfer /
Data migration is the process of moving stored data from one durable storage
migration
location to another. This may include changing the format of data, but not the
content or meaning.

A sequence of operations performed on data to extract, present or obtain

Data Processing
information in a defined format.

Metadata is data that describe the attributes of other data and provides context and
meaning. Typically, these are data that describe the structure, data elements, inter-
Meta Data relationships, and other characteristics of data e.g., audit trails. Metadata also
permits data to be attributable to an individual (or if automatically generated, to the
original data source).

Raw data is defined as the original record (data) which can be described as the first
Raw Data capture of information, whether recorded on paper or electronically. Information that
is originally captured in a dynamic state should remain available in that state.

Regulated Data Information used for a regulated purpose or to support a regulated process.

The first or source capture of data or information e.g., original paper record of
manual observation or electronic raw data file from a computerized system, and all
Original record
subsequent data required to fully reconstruct the conduct of the GXP activity.
Original records can be Static or Dynamic.

A copy (irrespective of the type of media used) of the original record that has been
verified (i.e., by a dated signature or by generation through a validated process) to
True copy
have the same information, including data that describe the context, content, and
structure, as the original.

A signature in digital form (bio-metric or non-biometric) that represents the signatory,

Electronic Signatures
should be equivalent in legal terms to the handwritten signature of the signatory.

In cases where data is collected and retained concurrently by more than one
Primary Record method, the record which has primacy should provide the greatest accuracy,
completeness, content and meaning

Reference: MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018

COMPANY CONFIDENTIAL Page 4 of 19

 Document Number: 01-3316
Revision: 01

TRAINING COPY
Effective Date: 24-Feb-2023

ROLES AND RESPONSIBILITIES

This document applies to all GxP functions within Mundipharma.

Role Responsibility

 Establish and maintain the DI assurance culture throughout

Mundipharma Network
 Set the global DI policy and standards
 Allocate appropriate resources to support and sustain good DI
Senior Management
management
 Provide direction and prioritization on which systems fall within the
scope of this SOP
 Provide oversight, risk management and monitoring for DI

Quality Function and  Responsible for independent oversight and review to assure the integrity
CSQA of data throughout the data life cycle
 Review and approve the DI Risk Assessment
 Coordinate the creation and review of the global DI policy, procedures,
and training programs
 Provide DI guidance to the organization
 Ensure that all systems within the scope of this policy, have an identified
Process / System Owner
 Utilize the Internal Audit program to verify that DI requirements
described in this policy have been implemented and are being followed
effectively
 Ensure that personnel are trained in DI principles and issues as it relates
to their job functions
 Ensure that GxP computer systems remain validated for DI

 Ensure that systems are supported and maintained such that they are
fit for the intended business use, and support DI
 Ensure that DI risks are identified and controlled to acceptable levels
System / Process
 Ensure that computer systems remain validated for DI
Owners
(GxP Functions)  Be responsible for the implementation of systems and procedures to
minimize the potential risk to DI, and for identifying the residual risk at
their responsible department
 Be responsible for identifying the systems that require audit trail review.
Be responsible for incorporating elements required for audit trail and
data review into applicable department procedures.

COMPANY CONFIDENTIAL Page 5 of 19

 Document Number: 01-3316
Revision: 01

TRAINING COPY
Effective Date: 24-Feb-2023

Role Responsibility

System Support and  Responsible to maintain system access control

Administration  Responsible to maintain internal and external controls over database

 Responsible for the integrity of data generated and managed within their
organization. These responsibilities are to ensure that data is acquired,
secured, transformed, and reported in accordance with defined
procedures
Data Owners
 Typically, a member of the functional unit using the system
 Ultimately responsible for the integrity and compliance of specific data
as per applicable procedures

 Responsible for collecting, analyzing, reviewing, reporting, and using

End User data and information in a manner that accurately, truthfully, and
completely represent what occurred in either paper or electronic format.

 Ensure that system administrators have access aligned with DI principle.

 Contribute to DI Risk Assessments
 Coordinate periodic user access reviews.
 Participate in the validation of computer systems and the maintenance
of the validated state.
IT
 Provide framework and appropriate solutions for archive, backup, and
disaster recovery of computer systems.
 Ensure audit trails are available and maintained for the required record
retention period.
 Ensure that record retention strategies are in place when systems are
upgraded or replaced.
Table1, DI Roles and Responsibilities

COMPANY CONFIDENTIAL Page 6 of 19

 Document Number: 01-3316
Revision: 01

TRAINING COPY
Effective Date: 24-Feb-2023

REFERENCES
GAMP, Good Practice Guide, Data Integrity Key Concept
GAMP, Records and Data Integrity Guide
GAMP5 - A Risk-Based Approach to Compliant GxP Computerized Systems Industry
Guidance
21 CFR Part 11 - Electronic Records; Electronic Signatures (ERES) Regulation
MHRA GMP Data Integrity Definitions and Guidance for Industry; Revision 1 March
2018
PI 041-1 Good Practices for Data Management and Integrity in Regulated GMP /
GDP Environment
Data Integrity and Compliance with CGMP, Guidance for Industry, Draft Guidance
April 2016
EU GMP Annex 11
Guideline on good pharmacovigilance practices (GVP), Module I –
Pharmacovigilance systems and their quality systems
ICH E6(R2) – Good Clinical Practice

COMPANY CONFIDENTIAL Page 7 of 19

 Document Number: 01-3316
Revision: 01

TRAINING COPY
Effective Date: 24-Feb-2023

PROCEDURE

6.1 General Data Integrity Requirements

DI is the degree to which data are complete, consistent, accurate, trustworthy, and
reliable and that these characteristics of the data are maintained throughout the data
life cycle (Ref: MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March
2018). Basic Data Integrity principles applicable to both paper and electronic systems:
 Original data should be protected from accidental modification, intentional
Owner modification, falsification and deletion.
 Data must be presented with all the attributes below, ALCOA+:

Data Integrity
Requirement
Attribute
Data must be attributable to the person or system generating the data
or activity. The need to document who performed the task / function, is
in part to demonstrate that the function was performed by trained and
qualified personnel.
In some cases, ensuring data is attributable may be complicated when
A Attributable
an automated process is started by one shift operator and continues to
run autonomously through other shifts of other operators. Clear
timesheets, or similar records, are needed to document the shift
changes and to maintain a record of which operator made
interventions to the process during that operation.
All records must be legible – the information must be readable to any
use. This applies to all information that would be required to be
Legible and considered Complete, including all original records or entries.
L
permanent Any errors in recording data should be conserved in the original
document with clear identification of the error or reason for the
change, the original data must remain visible.
The evidence of actions, events, or decisions should be recorded as
they take place. This documentation should serve as an accurate
C Contemporaneous
attestation of what was done, or what was decided and why i.e. what
influenced the decision at that time.
The original record can be described as the first-capture of
information, whether recorded on paper (static) or electronically
Original
O (usually dynamic, depending on the complexity of the system).
record/source
Information that is originally captured in a dynamic state should remain
available in that state.
Ensuring results and records are accurate is achieved through many
Accurate no errors
elements of a robust pharmaceutical quality system.
or editing performed
A Users should follow written procedures governing their daily tasks and
without documented
apply their training and skills to ensure that any data they generate is
amendments
accurate.
Complete all data A complete record of data generated electronically includes relevant
including repeat or metadata and an audit trail.
C additional A user must not delete electronic GxP data or destroy GxP paper
supplementary records that are necessary to preserve the data, content or meaning
information as required under regulation rules.
Good Documentation Practices should be applied throughout any
C Consistent process, without exception, including deviations that may occur during
the process. This includes capturing all changes made to data.

COMPANY CONFIDENTIAL Page 8 of 19

 Document Number: 01-3316
Revision: 01

TRAINING COPY
Effective Date: 24-Feb-2023

Data Integrity
Requirement
Attribute
Records must be kept in a manner such that they exist for the entire
period during which they might be needed. This means they need to
E Enduring
remain intact and accessible as an indelible/durable record throughout
the record retention period.
Available Records must be available for review at any time during the required
available/accessible retention period, accessible in a readable format to all applicable
A for review/audit for personnel who are responsible for their review whether for routine
the lifetime of the release decisions, investigations, trending, annual reports, audits or
record inspections.
Table-2, Reference: PI 041-1 Good Practices for Data Management and Integrity in Regulated GMP /
GDP Environment

6.2 Data Life Cycle

DI should be ensured throughout the data life cycle. DI controls for data and records
should ensure that they remain attributable, legible, contemporaneous, original, and
accurate (ALCOA) throughout the data life cycle.

The data life cycle includes all phases from the initial creation of the data, through
processing, use, analysis, store, retention to destruction, as shown in Figure-1.

Figure-1 Data Life Cycle

COMPANY CONFIDENTIAL Page 9 of 19


6.3 Overview of Data Integrity Controls
Table-3, outlines the holistic approach, encompassing People, Process and Technology
considerations essential to support DI key concepts.
Key DI
People
Concept
Risk DI risk management and
Management assessment process
Approach should be in place
Cultural excellence
Data inherent in leadership and
Governance vision with strong
employee engagement
Data Owners trained and
Data Life
in place across the data life
Cycle
cycle for GxP records
DI policy and ALCOA
principles incorporated
within system
ALCOA+ stakeholders, supplier
support services,
contractors job
descriptions
Periodic DI audit process
Critical established with quality
Thinking function, system and
process owners
Supplier/ service provider
assessment and ongoing
GxP
service level agreements.
Computerised
Computerized system
System Life
validated as fit for purpose
Cycle
and all system users
trained
Table-3, Overview of Data Integrity Controls
COMPANY CONFIDENTIAL
Document Number: 01-3316
Revision: 01
TRAINING COPY
Effective Date: 24-Feb-2023
Process
DI risk assessment
documented, approved, and
periodically reviewed for both
systems and records.
System training matrix
includes DI and computer
system validation and
evidence of system
stakeholder training records
System records and data life
cycle defined
System records and data are
classified including primary
records, metadata, master
data, system access,
security, procedures, and
evidence of control practices
in place.
Data audit trail procedure
and routine review practices
in place supporting GxP
decisions and processing
System incident
management procedure in
place including assessment
of accident/ malpractice.
Routine use and system
administration SOPs are in
place and followed.
Technology
System configuration
optimized to reduce DI
risks via automated
scheduling of backups,
audit trails always on, etc.
Granular access controls
limit access to system
functionality according to
responsibility and
competency.
Data audit trails are linked
to GxP data and
operational activities.
System security includes
unique user identification
and passwords with
expiration
Data audit trails can be
accessed and sorted for
review purposes.
Technical system logs are
linked to system update
changes and backups.
System validation status
and testing correctly
reflect system changes,
use, update, and shows
that the system is fit for
purpose.
Page 10 of 19
 Document Number: 01-3316
Revision: 01

TRAINING COPY
Effective Date: 24-Feb-2023

6.4 Data Integrity Expectations for Electronic Records

The expectations in this section ensure that data, regardless of the process, format, or
technology in which it is generated, recorded, processed, retained, retrieved, and used,
will be readable, attributable, legible, available, contemporaneous, accurate, complete,
and consistent throughout the data lifecycle.

Electronic Expectations
Records
DI Controls

 Access controls ensure that users have access to only the functionality relevant
to their job role and that their actions can be attributed to them.
 System access should be restricted to authorized users.
 Shared logins or general access should not be used.
 System administrator access should be restricted to the minimum number of
User Access people.
 Administrator rights should not be granted to individuals with a direct interest in
data generation, review, or approval.
 System administrator actions are captured in audit trails and accessible for audit
purposes.
 User accounts should be reviewed periodically.

 GxP Computer Systems Validation procedures should be established to minimize

the potential risk to DI.
 GxP-related computerized systems should be validated.
 Users should be aware that validation alone does not necessarily guarantee that
Computer
records generated are necessarily adequately protected and validated systems
System may be vulnerable to lose and alteration by accidental or malicious means. Thus,
Validation validation should be supplemented by appropriate administrative and physical
controls, as wells as training and education of users
 21 CFR Part 11 regulatory requirements should be included in computer system
user requirements and assessed if the system complies with these requirements.
 These requirements should be traced through the system life cycle.

 Audit trails should be secure from unauthorized changes.

 The use of audit trails confirms that only authorized additions, deletions, or
alterations of GxP relevant electronic records. This is essential to verify the quality
of the data and the DI.

Audit Trails  Computer-generated time-stamped audit trails can also capture information
related to the creation, modification, or deletion of GxP-relevant electronic
records.
 Computer-generated, time-stamped electronic audit trails are the preferred
method of tracking changes to electronic source documentation.
 Audit trails used to capture electronic record activities:

COMPANY CONFIDENTIAL Page 11 of 19

 Document Number: 01-3316
Revision: 01

TRAINING COPY
Effective Date: 24-Feb-2023

Electronic Expectations
Records
DI Controls

 should describe when, by whom, and the reason changes were made to the
electronic record
 must be available and, if necessary, be translated to an understandable form
 must be periodically reviewed at a frequency commensurate with the risk

 Computerized systems should be designed in a way that ensures compliance

with the principles of DI.
Design  User requirements describe what functionality is required and the DI controls that
need to be implemented, depending on the intended use of the computer system.
of Systems
 Mundipharma implements the appropriate systems to ensure that data
management and integrity requirements are considered in the initial stages of
computer system procurement and throughout the system and data lifecycle.

 Records and data protection must be established for all computer systems.
 The computer system owner is the person who is responsible for providing the
data/records protection with suitable controls over the application and network
components.
 Security requirements should be defined in an SOP.
Security  Periodic reviews must be performed after the initial validation.
 Any instances where unauthorized persons attempt to access the computer
system or data storage devices should be recorded.
 Security patches for operating systems and network components should be
applied in a controlled and timely manner according to vendor recommendations
to maintain data security.

Incident  Data errors, improper operation, and interface errors can affect the operation of
a GxP computerized system. These incidents should be tracked and managed
Management
by system owners as per defined procedures.

Business  Business continuity ensures continuity in case of system failure or problem. Each
Continuity system should have a defined Business Continuity Plan.

 The documentation provided by the supplier must be reviewed by system

owners/process owners to check if the user requirements are fulfilled.
 Mundipharma Contract Givers should conduct regular risk reviews of supply
Suppliers and chains and outsourced activities/services that evaluate the DI controls required
Service with specific provisions for ensuring DI. This may be achieved by setting out
Providers expectations for data governance, and transparent error/deviation reporting
 There must be formal agreements with third parties, suppliers and service
providers, including a clear statement of the responsibilities of that outside
agency.

COMPANY CONFIDENTIAL Page 12 of 19

 Document Number: 01-3316
Revision: 01

TRAINING COPY
Effective Date: 24-Feb-2023

Electronic Expectations
Records
DI Controls

 If data is transferred to another data format or system, the verification of the data
Data Migration migration should include corroboration that data are not altered in value, meaning,
structure, context, and links (e.g., audit trails) or meaning during this migration.

 Data backup process should be validated. Storage of data must include the entire
original data and metadata, including audit trails, using a secure and validated
process. If the data is backed up, or copies of it are made, then the backup and
copies must also have the same appropriate levels of controls to prohibit
unauthorized access to, changes to, and deletion of data or their alteration.
 Scheduled daily, weekly, monthly. There should be a definition of how many
backups will be retained.
Data Backup
 Periodically tested
 Stored data should be accessible in a fully readable format. Companies may need
to maintain suitable software and hardware to access electronically stored data
backups or copies during the retention period
 Systems should allow backup and restoration of all data, including meta-data and
audit trails.

 It should be a validated process

 Archived data is able to restore or recover. Determine the lead time needed to
restore data
Data Archiving
 Archive copies should be physically secured in a separate and remote location
from where backup and original data are stored.
 Periodically tested

 Data and document retention arrangements should ensure the protection of

records from deliberate or inadvertent alteration or loss.
 Secure controls must be in place to ensure the DI of the record throughout the
retention period and validated where appropriate.
Data Retention
 Archive records should be locked such that they cannot be altered or deleted
without detection and audit trail.
 The archive arrangements must be designed to permit recovery and readability
of the data and metadata throughout the required retention period.

 If printouts of electronic records are used to perform GxP decisions or regulated

activities then the design, qualification, and controls of these printouts should be
Printouts made. The reports need to be validated as per applicable procedural control.
 For records supporting the batch release, it should be possible to generate
printouts indicating if any of the data have been changed since the original entry

 Data review process and approval of data should be described in a procedure.

Data Review  Reviews should be based upon original data. Data review should include a review
of GxP data audit trails.

COMPANY CONFIDENTIAL Page 13 of 19

 Document Number: 01-3316
Revision: 01

TRAINING COPY
Effective Date: 24-Feb-2023

Electronic Expectations
Records
DI Controls

 Audit trail review should be established with a documented process.

 Audit trail reviews should be performed by an individual who has an
understanding of the business process and the impact of the actions recorded.
 It is recommended to perform routine review of audit trails for systems that create,
store, and/or transmit data directly associated with activities related to ensuring
product quality, patient safety, or integrity of clinical/PV data
 Process / System Owners are responsible for incorporating elements required for
audit trail review into applicable department procedures.
 Process / System Owners are responsible for identifying the systems requiring
audit trail review. If the identified system is producing data used to support the
batch release of product, the frequency should be routine and occur prior to the
release of the finished product batch.
 The routine audit trail reviewer should not be an individual that performed
activities associated with creating the record.
Audit Trail
Reviews  There are two main types of audit trail review
1. Routine Review: Review of data audit trails as part of normal operational data
review and verification, second person verification and approval, usually
performed by the operational area which has generated the data (e.g., a
laboratory), i.e., using the audit trail routinely.
2. Periodic Review: Review of audit trail functionality (as part of normal periodic
review or audit) to check that they remain enabled and effective, i.e., checking
the audit trail.
 The purpose of reviewing audit trails is to identify potential issues that may result
in loss of DI. Issues may include:
o Erroneous data entry
o Modifications by unauthorized persons
o Data not entered contemporaneously
o Falsification of data
Auditing for DI should be part of internal quality audit. Types of audits required in an
effective DI program include:

 Ongoing internal quality audits of established DI control to ensure continuing

effectiveness and compliance
Audit for DI
 Supplier qualification audits for suppliers creating, modifying, reviewing,
analyzing, transmitting, storing, and/or archiving data on behalf of a regulated
company
 Closeout gap assessment or full audit following (or close to) completion of DI
program implementation

COMPANY CONFIDENTIAL Page 14 of 19

 Document Number: 01-3316
Revision: 01

TRAINING COPY
Effective Date: 24-Feb-2023

Electronic Expectations
Records
DI Controls

 The requirements for electronic signatures are that they have the same impact
as handwritten signatures within MUNDIPHARMA. They should be permanently
linked to the respective record and include the time and date that a signature was
applied
Electronic
Signatures  The decision for the use of electronic signatures for GMP decisions should be
made using a documented assessment
 The use of electronic signature should be compliant with the requirements of
international standards (21CFRPart 11, Annex11)
Table-4, Data Integrity Expectations for Electronic Records

6.5 Data integrity in relation to paper / hybrid systems

Computerized systems may support only a single user login or limited numbers of user
logins or have limited audit trail functionality. Where no suitable alternative computerized
system is available, a paper-based method of providing traceability will be permitted. The
lack of suitability of alternative systems should be justified based on a review of system
design and documented.

6.6 Data Integrity Expectations for Paper Records

The effective management of paper-based documents is a key element of GxP.
Accordingly, the documentation system should be designed to meet GxP local
requirements and ensure that documents and records are effectively controlled to
maintain their integrity.

Procedures outlining good documentation practices and arrangements for document

control should be available within the Quality Management System. These procedures
should specify how DI is maintained throughout the lifecycle of the data, including:

• How master documents and procedures are created, reviewed, and approved for
use.

• Generation, distribution, and control of templates used to record data (master, logs,
forms, etc.);

• Retrieval and disaster recovery processes regarding records

COMPANY CONFIDENTIAL Page 15 of 19

 Document Number: 01-3316
Revision: 01

TRAINING COPY
Effective Date: 24-Feb-2023

Paper Expectations
Records
DI Controls

 Only authorized users should be able to access documentation used for recording
GxP activities, for example, master batch records.
 Access controls should be used to ensure that people have access only to
User Access documentation that is appropriate for their job role.
and Security  Accessibility of GxP relevant documentation should be at locations where activities
take place so that ad-hoc data recording and later transcription to official records are
not necessary.
 Documents should be stored in a manner that ensures appropriate version control.

 Paper records must be controlled and must remain attributable, legible,

ALCOA contemporaneous, original, and accurate, complete, consistent, enduring
(indelible/durable), and available (ALCOA+) throughout the data lifecycle

 GxP relevant documentation used for recording data should be designed in a way
that encourages compliance with the principles of DI.
Design  The document design should provide sufficient space for manual data entries
 All documents should have a unique identification number (including the version
number) and should be checked, approved, signed, and dated

 A procedure should be in place that describes the actions to be taken for when
mistakes or erroneously entered data are recorded on paper records.
Non-
conformances  This procedure should enable data corrections or clarifications to be made in a GxP
compliant manner providing visibility of the original record and audit trailed
traceability of the correction

 Data generated in paper format may be retained for example by scanning, if there is
a process in place to ensure that the copy is verified to ensure its completeness.
 Completed and in-process GxP documentation should be stored in locations within
the facility that protect the records from deliberate or inadvertent alteration or loss.
Data  Archive arrangements should be in place for long-term retention of GxP
Retention, documentation and must be designed to permit recovery and readability of the data
Storage, and metadata through the required retention period.
Archive  Off-site archive locations that are used to store documentation should have been
qualified to ensure that the integrity of records is safeguarded.
 Consideration should be given to the risk of potential water and fire damage
alongside a review of suitable access and security measures of the facility.
 The re-qualification of such archive locations should be carried out periodically.

COMPANY CONFIDENTIAL Page 16 of 19

 Document Number: 01-3316
Revision: 01

TRAINING COPY
Effective Date: 24-Feb-2023

Paper Records Expectations

DI Controls

 For critical data entered manually, there should be an additional check on the
accuracy of the data. The independent verification of the manually entered data can
be performed by a second authorized person.
Data Review
and Accuracy  The criticality and the potential consequence of erroneous or incorrectly entered data
recorded should be covered by risk management.
Checks
 A procedure should be in place which describes the documented process for the
review and approval of data based upon original data or true copy and actions to be
taken if an error or omission is identified following the principles of ALCOA.
Table-5, Data Integrity Expectations for Paper Records

6.7 Data Integrity Risk Assessment (DIRA) Methodology

This section defines the key requirements for DI Risk Assessment (DIRA).

The main objectives of DIRA are to:

 Systematically describe the data in processes, systems, and equipment through the
data lifecycle
 Using critical thinking to identify the risks to DI associated with process and data flows
 Determine controls to mitigate and reduce or eliminate DI risks.
DIRA can be applied:

 Proactively as part of introducing a new/ changing an existing, process or system (for

example part of initial validation)
 Proactively to an existing process or system in operation (for example part of periodic
review)
 Reactively in response to a process or system where an actual or potential, problem
with DI has been identified
6.7.1. DIRA Prioritization
The criticality of a process/ system and the level of controls in place should be
evaluated and this determines the vulnerability of the overall process. This
evaluation is used to define the prioritisation for completion of Data Integrity Risk
Assessments.

6.7.2. Process Boundaries, Data Mapping, Process and Data Flow Understanding
Initially, the process boundaries for the Data Flow need to be defined. The purpose
of the boundaries is to define the scope of the assessment; what is in scope and
what is out of scope. During the Data Mapping, all GxP critical data are identified.
These are data that are created, processed, reviewed, reported, and retained within
the process. Data Mapping work is not required for simple systems such as
instruments, equipment.

COMPANY CONFIDENTIAL Page 17 of 19

 Document Number: 01-3316
Revision: 01

TRAINING COPY
Effective Date: 24-Feb-2023

6.7.3. Data Integrity Risk Assessment – Identification, Analysis and Evaluation

All DI risks associated with the process & system should be systematically identified;
critical thinking questions to support this. There may be more than one failure mode
or failure effect for each process step. These are logged in the assessment. In every
case the questions asked should consider if you are working with a manual, hybrid,
or automated system, and cover all basic DI requirements (ALCOA+, refer to section
5.1 to 5.6). The answers should consider the procedural and technical controls in
place. Once all these have been identified the analysis can take place to allow ranking
of the risks. Risks should be scored by severity, probability, and detectability, and
mitigate with suitable actions.
6.7.4. Data Integrity Risk Assessment Documentation and Communication
The completed Risk Assessment reports (for Global Computerised System managed
by IT Services) should be reviewed and approved by CSQA and stored in
MasterControl.

COMPANY CONFIDENTIAL Page 18 of 19

 Document Number: 01-3316
Revision: 01

TRAINING COPY
Effective Date: 24-Feb-2023

REVISION HISTORY

Revision Revision Details/Superseded Documents

New Policy
01
04-0782 Data Governance Policy will be retired.

COMPANY CONFIDENTIAL Page 19 of 19