Upload
buiduong
View
224
Download
2
Embed Size (px)
Citation preview
Data Integrity in Computer
Systems
Data Integrity Validation Europe
28 March 2017
Presented by:
Chris Wubbolt, BS, MS
Objectives
www.QACVConsulting.com 2
Understand the Data Integrity Lifecycle
What is Data Security?
What is Electronic Record/Electronic Signatures (ER/ES)?
Controls for Electronic Data
Current Regulatory Requirements
and Guidance
www.QACVConsulting.com 3
March 2015
• MHRA -GMP Data Integrity
Definitions and
Guidance for Industry
September 2015
• WHO -Guidance on Good Data and Record
Management Practices
April 2016
• FDA – Data Integrity
Guidance and
Compliance with CGMP
Current Regulatory Requirements
and Guidance
www.QACVConsulting.com 4
July 2016
• MHRA - GxPData Integrity
Definitions and
Guidance for Industry
August 2016
• PIC/S - Good Practices for
Data Management and Integrity in Regulated GMP/GDP
Environments
August 2016
• EMA – Data Integrity
Guidance Q&A
Controls for Electronic Data
www.QACVConsulting.com 5
Controls for Electronic Data
• What are electronic data controls?
• Where are data controls required?
• Learn how to implement data controls
• Apply controls to the computer systems
What is Data Integrity?
www.QACVConsulting.com 6
Data Integrity
Completeness, consistency, and accuracy of data.
Attributable
Legible
Contemporaneous
Original
Accurate
Enduring
Complete
Consistent
Available
(or true copy)
ALCOA
www.QACVConsulting.com 7
Attributable Person completing activity or recording data is identified.
Legible Data can be read.
Contemporaneous Data is recorded when the date/time that the task was
completed.
Original The original record or document where the data is recorded.
Accurate The data has validity.
Original Records & True Copies
www.QACVConsulting.com 8
21 CFR 211.180 (d)
• Records required under this part may be retained either as original records or as true copies such as photocopies, microfilm, microfiche, or other accurate reproductions of the original records.
Complete Records
www.QACVConsulting.com 9
21 CFR 211.188
• Batch production and control records shall be prepared for each batch of drug product produced and shall include complete information relating to the production and control of each batch.
21 CFR 194 (a)
• Laboratory records shall include complete data
Complete and Accurate
www.QACVConsulting.com 10
•Define data for each system, including each file type.
Chromatography Systems
• Raw Data File
• Integration Parameters
• Quantitation
• Sequence File
Other Laboratory Instruments
• Raw Data File
• Separate Audit Trail Log
FDA Guidance
www.QACVConsulting.com 11
•It is not acceptable to record data on pieces of paper that will be discarded after the data are transcribed to a permanent laboratory notebook.
Similarly, it is not acceptable to store data electronically in temporary memory, in a manner that allows for manipulation, before creating a permanent record.
Electronic data that are automatically saved into temporary memory do not meet CGMP documentation or retention requirements.
Data Integrity - Paper
Accurate and Complete
Attributable
www.QACVConsulting.com 12
Legible
Original
Contemporaneous
www.QACVConsulting.com 12
Data Integrity - Electronic
www.QACVConsulting.com 13
Accurate and CompleteAttributableLegible
Original
Contemporaneous
www.QACVConsulting.com 13
Data Integrity - Electronic
Event User ID Previous Value New Value Date Time Reason
Data Entry DOCon NA 94.7 1/17/2007 10:42 EST NA
Approval Cwubb NA NA 1/18/2007 09:45 EST NA
Data Change DOCon 94.7 95.1 1/19/2007 8:45 EST Calculation Error
Approval Cwubb NA NA 1/19/2007 9:33 EST NA
www.QACVConsulting.com 14
Accurate and Complete
Attributable
Legible
Original
Contemporaneous
www.QACVConsulting.com 14
Generate ModifyReview / Approve
UseRetain / Retrieve
Destroy
What does data integrity
lifecycle mean?
www.QACVConsulting.com 15
What does data integrity
lifecycle mean?
www.QACVConsulting.com 16
Control Measures
Access to clocks for recording timed events.
Accessibility of records at
locations where activities take
place so ad hoc data recording
and later transcription to
official records is not necessary.
‘Free access’ to blank paper
forms for raw/source data recording should
be controlled where this is appropriate.
Reconciliation may be
necessary to prevent
recreation of a record.
User access rights that
prevent (or audit trail)
unauthorized data
amendments.
Automated data capture or
printers attached to equipment
such as balances.
Control of physical
parameters (time, space,
equipment) that permit
performance of tasks and
recording of data as required.
Access to raw data for staff
performing data checking activities.
www.QACVConsulting.com 17
Generate ModifyReview / Approve
UseRetain / Retrieve
Destroy
Specify
Design
Configure
Verify
www.QACVConsulting.com 18
ALCOAAttributable
EDC System
• How long of a delay? 2-3 hours, sometimes next day
• Issue – system response is slow at times
• Cause – batch jobs being run cause slow system response
• Type of batch jobs? Principle Investigator approval of eCRFS
• What date/time is applied for electronic signature?
• Answer: When batch is run.
• Data integrity issue – date and time stamp is not the same as
when PI entered electronic signature user ID and password.
Understand the Data Flow
Understand the Data Flow
www.QACVConsulting.com 19
ELISA Data Process Flow
Data
Flow
LIMSELISA SOftware Company Network
Protocol(.xyz file)
Sample Analysis
Setup Run
Data File(.db file)
Export .txt Data File
Secure Network Location
Secure Network Location
Save .db Data File
.db File backed up
.txt File backed up
LIMS Database
Import .txt file to LIMS
.db File archived
Secure Network Location
Backup Location
Data Security
www.QACVConsulting.com 20
How does data security apply to data integrity?
Know the different types of data security
How data security is a fundamental part of data integrity
Data Security
www.QACVConsulting.com 21
21 CFR 11.10 (b)
• The ability to generate accurate and complete copies of records in both human readable and electronic form.
21 CFR 11.10 (c)
• Protection of records to enable their accurate and ready retrieval throughout the records retention period.
21 CFR 11.10 (d)
• Limiting system access to authorized individuals.
Data Security
www.QACVConsulting.com 22
21 CFR 11.10 (g)
• Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
21 CFR 11.10 (h)
• Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
www.QACVConsulting.com 23
Data Security – How do you
implement data integrity controls?
Generate ModifyReview / Approve
UseRetain / Retrieve
Destroy
Specify
Design
Configure
Verify
Validation
Chromatography Data Acquisition System
• User roles tested during initial validation
• Current user roles do not reflect validated system
• No change control for user role changes
• Additional role added that was not included in original validation; no change control
• No User Requirements Specification
• No process to authorize users or disable accounts for terminated users.
• User accounts for personnel no longer employed still active
Data Integrity Issues – Security
www.QACVConsulting.com 24
Electronic Records/Electronic
Signatures
www.QACVConsulting.com 254/10/2017
• Subpart A: General Provisions
• Subpart B: Electronic Records– Closed systems
– Open systems
– Signature manifestations
– Signature/record linking
• Subpart C: Electronic Signatures– Electronic signature components
and controls
– Controls for identification codes/passwords
Electronic Records/Electronic
Signatures
www.QACVConsulting.com 26
21 CFR 11.10 (a)
• Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
Electronic Record
Create
Modify
Archive Retrieve
Distribute
OR
Electronic Recordkeeping System
Maintain
www.QACVConsulting.com 27
When do you apply E-Records / E-
Signatures?
User
Requirements
Specification
Identify
intended use
Specify, Design,
Implement
SystemSystem
Specifications
www.QACVConsulting.com 28
Manual Process > Automate
Laboratory Reporting
Setup
Test
Analyze
Sample
Collect
DataAnalyze
Data
Report
Data
Test Plans /
Scripts
Test/Verify that the
System Meets
Specifications
Electronic Signatures
Electronic Signatures
• Non-Biometric
• Digital
• Biometric
Handwritten Signatures
• Applied to paper
• Applied to electronic media
www.QACVConsulting.com 294/10/2017
Signatures
www.QACVConsulting.com 30
Typical Criteria for Compliant E-sigs
• Password length
• Strong passwords
• Password aging
• Lock account after X invalid attempts
• Date and time stamp controls
• Validated Electronic Recordkeeping System
• Authorized users
• Certifications
Printed Name, Date, Time, Meaning
Record / Signature Linking
User ID / Password Controls
Unique
Written Policies
Verification of Identity
Certification Letter
Individual Certification
Procedural
Technical
Electronic Signature Controls
www.QACVConsulting.com 31
Are scanned images valid?
www.QACVConsulting.com 32
Signatures
www.QACVConsulting.com 33
Adobe Digital/Electronic Signatures
• Claims 21 CFR Part 11 Compliancehttp://www.adobe.com/support/techdocs/323231.html
• “Adobe Acrobat 4.0 and later includes digital
signature functionality, which is provided by an
Adobe-supplied signature framework and
signing method plug-ins from Adobe and third-
party vendors.”
Considerations when using Adobe
www.QACVConsulting.com 34
• User ability to create own electronic
signature
– No certification
– No verification of identity
Considerations when using Adobe
www.QACVConsulting.com 35
Four Options
Considerations when using Adobe
www.QACVConsulting.com 36
Considerations when using Adobe
www.QACVConsulting.com 37
Considerations when using Adobe
www.QACVConsulting.com 38
• Date/time stamp
controls
• Procedure
– Password aging
– Password length
– Strong passwords
– Locking records
• Authorization
Considerations when using Adobe
www.QACVConsulting.com 39
Considerations when using Adobe
www.QACVConsulting.com 40
Considerations when using Adobe
www.QACVConsulting.com 41
Considerations when using Adobe
www.QACVConsulting.com 42
Summary
www.QACVConsulting.com 43
Reviewed the Data Integrity Lifecycle
Discussed Data Security Requirements
Electronic Record/Electronic Signatures (ER/ES)
Discussed Controls for Electronic Data
Questions
www.QACVConsulting.com 44
Chris Wubbolt
QACV Consulting, LLC
Telephone: 610-442-2250
E-mail: [email protected]