Professional Documents
Culture Documents
01 3316 R01 Global Data Integrity Policy Training Copy 1594985
01 3316 R01 Global Data Integrity Policy Training Copy 1594985
Revision: 01
TRAINING COPY
Effective Date: 24-Feb-2023
Revision 01
Release Date
TRAINING COPY
Effective Date: 24-Feb-2023
CONTENTS
PURPOSE ................................................................................................................. 3
SCOPE...................................................................................................................... 3
DEFINITIONS / GLOSSARY ..................................................................................... 3
ROLES AND RESPONSIBILITIES ............................................................................ 5
REFERENCES .......................................................................................................... 7
PROCEDURE ........................................................................................................... 8
REVISION HISTORY .............................................................................................. 19
TRAINING COPY
Effective Date: 24-Feb-2023
PURPOSE
The purpose of this policy is to provide guidance on data integrity principles and define the expectations
for the implementation of these principles within Mundipharma Manufacturing entities undertaking GxP
activities.
This document describes the requirements and responsibilities to ensure Data Integrity (DI) of records
used for GxP purposes. The principles within this policy are applicable for all stages throughout the
product lifecycle.
To ensure that data integrity requirements are clearly defined and met appropriately, in line with current
legislation and best practice guidelines.
SCOPE
This policy applies to GxP electronic, paper-based and hybrid records.
The methodologies and principles defined in this document apply to Global GxP Computerised Systems
that are registered in the Global IT CMDB (Configuration Management Database in ServiceNow) and
Manufacturing Sites in the Mundipharma Organization.
DEFINITIONS / GLOSSARY
Facts, figures, and statistics are collected for reference or analysis. All original
records and true copies of original records, including source data and metadata and
Data all subsequent transformations and reports of these data, are generated, or
recorded at the time of the GxP activity and allow full and complete reconstruction
and evaluation of the GxP activity.
DI is the degree to which data are complete, consistent, accurate, trustworthy, and
Data Integrity reliable and that these characteristics of the data are maintained throughout the data
life cycle.
The arrangements to ensure that data, irrespective of the format in which they are
Data Governance generated, are recorded, processed, retained, and used to ensure the record
throughout the data lifecycle.
All phases in the life of the data from generation and recording through processing
Data Life Cycle (including analysis, transformation, or migration), use, data retention,
archive/retrieval, and destruction.
TRAINING COPY
Effective Date: 24-Feb-2023
Metadata is data that describe the attributes of other data and provides context and
meaning. Typically, these are data that describe the structure, data elements, inter-
Meta Data relationships, and other characteristics of data e.g., audit trails. Metadata also
permits data to be attributable to an individual (or if automatically generated, to the
original data source).
Raw data is defined as the original record (data) which can be described as the first
Raw Data capture of information, whether recorded on paper or electronically. Information that
is originally captured in a dynamic state should remain available in that state.
Regulated Data Information used for a regulated purpose or to support a regulated process.
The first or source capture of data or information e.g., original paper record of
manual observation or electronic raw data file from a computerized system, and all
Original record
subsequent data required to fully reconstruct the conduct of the GXP activity.
Original records can be Static or Dynamic.
A copy (irrespective of the type of media used) of the original record that has been
verified (i.e., by a dated signature or by generation through a validated process) to
True copy
have the same information, including data that describe the context, content, and
structure, as the original.
In cases where data is collected and retained concurrently by more than one
Primary Record method, the record which has primacy should provide the greatest accuracy,
completeness, content and meaning
Reference: MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
TRAINING COPY
Effective Date: 24-Feb-2023
Role Responsibility
Quality Function and Responsible for independent oversight and review to assure the integrity
CSQA of data throughout the data life cycle
Review and approve the DI Risk Assessment
Coordinate the creation and review of the global DI policy, procedures,
and training programs
Provide DI guidance to the organization
Ensure that all systems within the scope of this policy, have an identified
Process / System Owner
Utilize the Internal Audit program to verify that DI requirements
described in this policy have been implemented and are being followed
effectively
Ensure that personnel are trained in DI principles and issues as it relates
to their job functions
Ensure that GxP computer systems remain validated for DI
Ensure that systems are supported and maintained such that they are
fit for the intended business use, and support DI
Ensure that DI risks are identified and controlled to acceptable levels
System / Process
Ensure that computer systems remain validated for DI
Owners
(GxP Functions) Be responsible for the implementation of systems and procedures to
minimize the potential risk to DI, and for identifying the residual risk at
their responsible department
Be responsible for identifying the systems that require audit trail review.
Be responsible for incorporating elements required for audit trail and
data review into applicable department procedures.
TRAINING COPY
Effective Date: 24-Feb-2023
Role Responsibility
Responsible for the integrity of data generated and managed within their
organization. These responsibilities are to ensure that data is acquired,
secured, transformed, and reported in accordance with defined
procedures
Data Owners
Typically, a member of the functional unit using the system
Ultimately responsible for the integrity and compliance of specific data
as per applicable procedures
TRAINING COPY
Effective Date: 24-Feb-2023
REFERENCES
GAMP, Good Practice Guide, Data Integrity Key Concept
GAMP, Records and Data Integrity Guide
GAMP5 - A Risk-Based Approach to Compliant GxP Computerized Systems Industry
Guidance
21 CFR Part 11 - Electronic Records; Electronic Signatures (ERES) Regulation
MHRA GMP Data Integrity Definitions and Guidance for Industry; Revision 1 March
2018
PI 041-1 Good Practices for Data Management and Integrity in Regulated GMP /
GDP Environment
Data Integrity and Compliance with CGMP, Guidance for Industry, Draft Guidance
April 2016
EU GMP Annex 11
Guideline on good pharmacovigilance practices (GVP), Module I –
Pharmacovigilance systems and their quality systems
ICH E6(R2) – Good Clinical Practice
TRAINING COPY
Effective Date: 24-Feb-2023
PROCEDURE
Data Integrity
Requirement
Attribute
Data must be attributable to the person or system generating the data
or activity. The need to document who performed the task / function, is
in part to demonstrate that the function was performed by trained and
qualified personnel.
In some cases, ensuring data is attributable may be complicated when
A Attributable
an automated process is started by one shift operator and continues to
run autonomously through other shifts of other operators. Clear
timesheets, or similar records, are needed to document the shift
changes and to maintain a record of which operator made
interventions to the process during that operation.
All records must be legible – the information must be readable to any
use. This applies to all information that would be required to be
Legible and considered Complete, including all original records or entries.
L
permanent Any errors in recording data should be conserved in the original
document with clear identification of the error or reason for the
change, the original data must remain visible.
The evidence of actions, events, or decisions should be recorded as
they take place. This documentation should serve as an accurate
C Contemporaneous
attestation of what was done, or what was decided and why i.e. what
influenced the decision at that time.
The original record can be described as the first-capture of
information, whether recorded on paper (static) or electronically
Original
O (usually dynamic, depending on the complexity of the system).
record/source
Information that is originally captured in a dynamic state should remain
available in that state.
Ensuring results and records are accurate is achieved through many
Accurate no errors
elements of a robust pharmaceutical quality system.
or editing performed
A Users should follow written procedures governing their daily tasks and
without documented
apply their training and skills to ensure that any data they generate is
amendments
accurate.
Complete all data A complete record of data generated electronically includes relevant
including repeat or metadata and an audit trail.
C additional A user must not delete electronic GxP data or destroy GxP paper
supplementary records that are necessary to preserve the data, content or meaning
information as required under regulation rules.
Good Documentation Practices should be applied throughout any
C Consistent process, without exception, including deviations that may occur during
the process. This includes capturing all changes made to data.
TRAINING COPY
Effective Date: 24-Feb-2023
Data Integrity
Requirement
Attribute
Records must be kept in a manner such that they exist for the entire
period during which they might be needed. This means they need to
E Enduring
remain intact and accessible as an indelible/durable record throughout
the record retention period.
Available Records must be available for review at any time during the required
available/accessible retention period, accessible in a readable format to all applicable
A for review/audit for personnel who are responsible for their review whether for routine
the lifetime of the release decisions, investigations, trending, annual reports, audits or
record inspections.
Table-2, Reference: PI 041-1 Good Practices for Data Management and Integrity in Regulated GMP /
GDP Environment
The data life cycle includes all phases from the initial creation of the data, through
processing, use, analysis, store, retention to destruction, as shown in Figure-1.
TRAINING COPY
Effective Date: 24-Feb-2023
Key DI
People Process Technology
Concept
System configuration
DI risk assessment
Risk DI risk management and optimized to reduce DI
documented, approved, and
Management assessment process risks via automated
periodically reviewed for both
Approach should be in place scheduling of backups,
systems and records.
audit trails always on, etc.
System incident
Supplier/ service provider
management procedure in System validation status
assessment and ongoing
GxP place including assessment and testing correctly
service level agreements.
Computerised of accident/ malpractice. reflect system changes,
Computerized system
System Life use, update, and shows
validated as fit for purpose
Cycle Routine use and system that the system is fit for
and all system users
administration SOPs are in purpose.
trained
place and followed.
TRAINING COPY
Effective Date: 24-Feb-2023
Electronic Expectations
Records
DI Controls
Access controls ensure that users have access to only the functionality relevant
to their job role and that their actions can be attributed to them.
System access should be restricted to authorized users.
Shared logins or general access should not be used.
System administrator access should be restricted to the minimum number of
User Access people.
Administrator rights should not be granted to individuals with a direct interest in
data generation, review, or approval.
System administrator actions are captured in audit trails and accessible for audit
purposes.
User accounts should be reviewed periodically.
Audit Trails Computer-generated time-stamped audit trails can also capture information
related to the creation, modification, or deletion of GxP-relevant electronic
records.
Computer-generated, time-stamped electronic audit trails are the preferred
method of tracking changes to electronic source documentation.
Audit trails used to capture electronic record activities:
TRAINING COPY
Effective Date: 24-Feb-2023
Electronic Expectations
Records
DI Controls
should describe when, by whom, and the reason changes were made to the
electronic record
must be available and, if necessary, be translated to an understandable form
must be periodically reviewed at a frequency commensurate with the risk
Records and data protection must be established for all computer systems.
The computer system owner is the person who is responsible for providing the
data/records protection with suitable controls over the application and network
components.
Security requirements should be defined in an SOP.
Security Periodic reviews must be performed after the initial validation.
Any instances where unauthorized persons attempt to access the computer
system or data storage devices should be recorded.
Security patches for operating systems and network components should be
applied in a controlled and timely manner according to vendor recommendations
to maintain data security.
Incident Data errors, improper operation, and interface errors can affect the operation of
a GxP computerized system. These incidents should be tracked and managed
Management
by system owners as per defined procedures.
Business Business continuity ensures continuity in case of system failure or problem. Each
Continuity system should have a defined Business Continuity Plan.
TRAINING COPY
Effective Date: 24-Feb-2023
Electronic Expectations
Records
DI Controls
If data is transferred to another data format or system, the verification of the data
Data Migration migration should include corroboration that data are not altered in value, meaning,
structure, context, and links (e.g., audit trails) or meaning during this migration.
Data backup process should be validated. Storage of data must include the entire
original data and metadata, including audit trails, using a secure and validated
process. If the data is backed up, or copies of it are made, then the backup and
copies must also have the same appropriate levels of controls to prohibit
unauthorized access to, changes to, and deletion of data or their alteration.
Scheduled daily, weekly, monthly. There should be a definition of how many
backups will be retained.
Data Backup
Periodically tested
Stored data should be accessible in a fully readable format. Companies may need
to maintain suitable software and hardware to access electronically stored data
backups or copies during the retention period
Systems should allow backup and restoration of all data, including meta-data and
audit trails.
TRAINING COPY
Effective Date: 24-Feb-2023
Electronic Expectations
Records
DI Controls
TRAINING COPY
Effective Date: 24-Feb-2023
Electronic Expectations
Records
DI Controls
The requirements for electronic signatures are that they have the same impact
as handwritten signatures within MUNDIPHARMA. They should be permanently
linked to the respective record and include the time and date that a signature was
applied
Electronic
Signatures The decision for the use of electronic signatures for GMP decisions should be
made using a documented assessment
The use of electronic signature should be compliant with the requirements of
international standards (21CFRPart 11, Annex11)
Table-4, Data Integrity Expectations for Electronic Records
• How master documents and procedures are created, reviewed, and approved for
use.
• Generation, distribution, and control of templates used to record data (master, logs,
forms, etc.);
TRAINING COPY
Effective Date: 24-Feb-2023
Paper Expectations
Records
DI Controls
Only authorized users should be able to access documentation used for recording
GxP activities, for example, master batch records.
Access controls should be used to ensure that people have access only to
User Access documentation that is appropriate for their job role.
and Security Accessibility of GxP relevant documentation should be at locations where activities
take place so that ad-hoc data recording and later transcription to official records are
not necessary.
Documents should be stored in a manner that ensures appropriate version control.
GxP relevant documentation used for recording data should be designed in a way
that encourages compliance with the principles of DI.
Design The document design should provide sufficient space for manual data entries
All documents should have a unique identification number (including the version
number) and should be checked, approved, signed, and dated
A procedure should be in place that describes the actions to be taken for when
mistakes or erroneously entered data are recorded on paper records.
Non-
conformances This procedure should enable data corrections or clarifications to be made in a GxP
compliant manner providing visibility of the original record and audit trailed
traceability of the correction
Data generated in paper format may be retained for example by scanning, if there is
a process in place to ensure that the copy is verified to ensure its completeness.
Completed and in-process GxP documentation should be stored in locations within
the facility that protect the records from deliberate or inadvertent alteration or loss.
Data Archive arrangements should be in place for long-term retention of GxP
Retention, documentation and must be designed to permit recovery and readability of the data
Storage, and metadata through the required retention period.
Archive Off-site archive locations that are used to store documentation should have been
qualified to ensure that the integrity of records is safeguarded.
Consideration should be given to the risk of potential water and fire damage
alongside a review of suitable access and security measures of the facility.
The re-qualification of such archive locations should be carried out periodically.
TRAINING COPY
Effective Date: 24-Feb-2023
For critical data entered manually, there should be an additional check on the
accuracy of the data. The independent verification of the manually entered data can
be performed by a second authorized person.
Data Review
and Accuracy The criticality and the potential consequence of erroneous or incorrectly entered data
recorded should be covered by risk management.
Checks
A procedure should be in place which describes the documented process for the
review and approval of data based upon original data or true copy and actions to be
taken if an error or omission is identified following the principles of ALCOA.
Table-5, Data Integrity Expectations for Paper Records
Systematically describe the data in processes, systems, and equipment through the
data lifecycle
Using critical thinking to identify the risks to DI associated with process and data flows
Determine controls to mitigate and reduce or eliminate DI risks.
DIRA can be applied:
6.7.2. Process Boundaries, Data Mapping, Process and Data Flow Understanding
Initially, the process boundaries for the Data Flow need to be defined. The purpose
of the boundaries is to define the scope of the assessment; what is in scope and
what is out of scope. During the Data Mapping, all GxP critical data are identified.
These are data that are created, processed, reviewed, reported, and retained within
the process. Data Mapping work is not required for simple systems such as
instruments, equipment.
TRAINING COPY
Effective Date: 24-Feb-2023
TRAINING COPY
Effective Date: 24-Feb-2023
REVISION HISTORY