Data Integrity in Computer Systems Data Integrity Validation Europe 28 March 2017 Presented by: Chris Wubbolt, BS, MS

Data Integrity in Computer Systems - CBI | Powering ... · Data Integrity in Computer Systems ... •The ability to generate accurate and complete copies of records in both human


Data Integrity in Computer Systems

Data Integrity Validation Europe

28 March 2017

Presented by: Chris Wubbolt, BS, MS

Objectives

www.QACVConsulting.com 2

Understand the Data Integrity Lifecycle

What is Data Security?

What are Electronic Records/Electronic Signatures (ER/ES)?

Controls for Electronic Data

Current Regulatory Requirements and Guidance

March 2015

• MHRA - GMP Data Integrity Definitions and Guidance for Industry

September 2015

• WHO - Guidance on Good Data and Record Management Practices

April 2016

• FDA - Data Integrity Guidance and Compliance with CGMP

Current Regulatory Requirements and Guidance

July 2016

• MHRA - GxP Data Integrity Definitions and Guidance for Industry

August 2016

• PIC/S - Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments

August 2016

• EMA - Data Integrity Guidance Q&A

Controls for Electronic Data

• What are electronic data controls?

• Where are data controls required?

• Learn how to implement data controls

• Apply controls to the computer systems

What is Data Integrity?

Data Integrity

Completeness, consistency, and accuracy of data.

Attributable

Legible

Contemporaneous

Original (or true copy)

Accurate

Enduring

Complete

Consistent

Available

ALCOA

Attributable: Person completing activity or recording data is identified.

Legible: Data can be read.

Contemporaneous: Data is recorded at the date/time that the task was completed.

Original: The original record or document where the data is recorded.

Accurate: The data has validity.

Original Records & True Copies

21 CFR 211.180 (d)

• Records required under this part may be retained either as original records or as true copies such as photocopies, microfilm, microfiche, or other accurate reproductions of the original records.

Complete Records

21 CFR 211.188

• Batch production and control records shall be prepared for each batch of drug product produced and shall include complete information relating to the production and control of each batch.

21 CFR 194 (a)

• Laboratory records shall include complete data

Complete and Accurate

• Define data for each system, including each file type.

Chromatography Systems

• Raw Data File

• Integration Parameters

• Quantitation

• Sequence File

Other Laboratory Instruments

• Raw Data File

• Separate Audit Trail Log

FDA Guidance

• It is not acceptable to record data on pieces of paper that will be discarded after the data are transcribed to a permanent laboratory notebook.

Similarly, it is not acceptable to store data electronically in temporary memory, in a manner that allows for manipulation, before creating a permanent record.

Electronic data that are automatically saved into temporary memory do not meet CGMP documentation or retention requirements.

Data Integrity - Paper

Accurate and Complete

Attributable

Legible

Original

Contemporaneous

Data Integrity - Electronic

Accurate and Complete

Attributable

Legible

Original

Contemporaneous

Data Integrity - Electronic

Event        User ID  Previous Value  New Value  Date       Time       Reason
Data Entry   DOCon    NA              94.7       1/17/2007  10:42 EST  NA
Approval     Cwubb    NA              NA         1/18/2007  09:45 EST  NA
Data Change  DOCon    94.7            95.1       1/19/2007  8:45 EST   Calculation Error
Approval     Cwubb    NA              NA         1/19/2007  9:33 EST   NA

Accurate and Complete

Attributable

Legible

Original

Contemporaneous
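The audit trail on this slide can be reviewed mechanically. The following Python code is an added example, not part of the original presentation: the first set of rows is transcribed from the slide, the second set is constructed, and the review rules (a user ID on every entry, chronological order, previous value matching the last recorded value, a reason for every change, approval by a different user after the latest write) are assumptions about what a reviewer would check.

```python
from datetime import datetime

# Rows transcribed from the slide's audit trail (all times EST):
# (event, user_id, previous_value, new_value, date_time, reason)
SLIDE_TRAIL = [
    ("Data Entry", "DOCon", None, "94.7", "1/17/2007 10:42", None),
    ("Approval", "Cwubb", None, None, "1/18/2007 09:45", None),
    ("Data Change", "DOCon", "94.7", "95.1", "1/19/2007 8:45", "Calculation Error"),
    ("Approval", "Cwubb", None, None, "1/19/2007 9:33", None),
]

# Constructed counter-example: original value misstated, no reason, no re-approval.
BROKEN_TRAIL = [
    ("Data Entry", "DOCon", None, "94.7", "1/17/2007 10:42", None),
    ("Approval", "Cwubb", None, None, "1/18/2007 09:45", None),
    ("Data Change", "DOCon", "94.9", "95.1", "1/19/2007 8:45", None),
]


def review_audit_trail(rows):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = []
    value = writer = last_time = None   # state of the record so far
    approved = False
    for n, (event, user, prev, new, stamp, reason) in enumerate(rows, 1):
        when = datetime.strptime(stamp, "%m/%d/%Y %H:%M")
        if not user:
            findings.append(f"row {n}: no user ID, entry is not attributable")
        if last_time is not None and when < last_time:
            findings.append(f"row {n}: timestamp precedes the previous entry")
        last_time = when
        if event == "Data Entry":
            value, writer, approved = new, user, False
        elif event == "Data Change":
            if prev != value:
                findings.append(f"row {n}: previous value {prev} != recorded {value}")
            if not reason:
                findings.append(f"row {n}: change has no reason")
            # Any write invalidates the earlier approval.
            value, writer, approved = new, user, False
        elif event == "Approval":
            if user == writer:
                findings.append(f"row {n}: approver also made the last entry")
            approved = True
        else:
            findings.append(f"row {n}: unknown event type {event!r}")
    if not approved:
        findings.append("latest value has not been approved")
    return findings


if __name__ == "__main__":
    for name, trail in (("slide", SLIDE_TRAIL), ("broken", BROKEN_TRAIL)):
        print(name, review_audit_trail(trail) or "no findings")
```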

What does data integrity lifecycle mean?

Generate

Modify

Review / Approve

Use

Retain / Retrieve

Destroy

Control Measures

Access to clocks for recording timed events.

Accessibility of records at locations where activities take place so ad hoc data recording and later transcription to official records is not necessary.

‘Free access’ to blank paper forms for raw/source data recording should be controlled where this is appropriate.

Reconciliation may be necessary to prevent recreation of a record.

User access rights that prevent (or audit trail) unauthorized data amendments.

Automated data capture or printers attached to equipment such as balances.

Control of physical parameters (time, space, equipment) that permit performance of tasks and recording of data as required.

Access to raw data for staff performing data checking activities.

Generate

Modify

Review / Approve

Use

Retain / Retrieve

Destroy

Specify

Design

Configure

Verify

Understand the Data Flow

ALCOA

Attributable

EDC System

• How long of a delay? 2-3 hours, sometimes next day

• Issue – system response is slow at times

• Cause – batch jobs being run cause slow system response

• Type of batch jobs? Principal Investigator approval of eCRFs

• What date/time is applied for electronic signature?

• Answer: When batch is run.

• Data integrity issue – date and time stamp is not the same as when PI entered electronic signature user ID and password.
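The timestamp problem in this case study, as an added Python example that is not part of the original presentation: the signing time is captured when the user ID and password are verified, and the batch job either replaces it with its own clock (the behaviour described) or stores it unchanged. The record ID, user ID, field names and times are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class PendingSignature:
    record_id: str               # hypothetical eCRF identifier
    user_id: str
    meaning: str                 # e.g. "approval"
    authenticated_at: datetime   # taken when user ID/password were verified


def capture_signature(record_id, user_id, meaning, clock):
    """Run at the moment credentials are verified; freezes the signing time."""
    return PendingSignature(record_id, user_id, meaning, clock())


def batch_apply_flawed(pending, clock):
    """Behaviour from the case study: the batch job's clock becomes the stamp."""
    run_time = clock()
    return [{"record_id": p.record_id, "user_id": p.user_id,
             "meaning": p.meaning, "signed_at": run_time} for p in pending]


def batch_apply_corrected(pending, clock):
    """Keeps the authentication time as the stamp; batch time is stored separately."""
    run_time = clock()
    return [{"record_id": p.record_id, "user_id": p.user_id, "meaning": p.meaning,
             "signed_at": p.authenticated_at, "processed_at": run_time}
            for p in pending]


def stamp_drift(pending, applied, tolerance=timedelta(seconds=5)):
    """Return (record_id, drift) for signatures stamped away from authentication."""
    auth = {p.record_id: p.authenticated_at for p in pending}
    return [(s["record_id"], s["signed_at"] - auth[s["record_id"]])
            for s in applied
            if abs(s["signed_at"] - auth[s["record_id"]]) > tolerance]


def demo():
    # Constructed times: the PI signs at 14:05 UTC, the batch job runs at 16:35 UTC.
    signed = datetime(2017, 3, 28, 14, 5, tzinfo=timezone.utc)
    batch = signed + timedelta(hours=2, minutes=30)
    pending = [capture_signature("eCRF-001", "pi_user", "approval", lambda: signed)]
    flawed = batch_apply_flawed(pending, lambda: batch)
    corrected = batch_apply_corrected(pending, lambda: batch)
    return stamp_drift(pending, flawed), stamp_drift(pending, corrected)


if __name__ == "__main__":
    print(demo())
```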

Understand the Data Flow

ELISA Data Process Flow (flow diagram; lanes: ELISA Software, Company Network, LIMS)

Diagram labels: Protocol (.xyz file); Sample Analysis; Setup Run; Data File (.db file); Export .txt Data File; Secure Network Location; Save .db Data File; .db File backed up; .txt File backed up; LIMS Database; Import .txt file to LIMS; .db File archived; Backup Location

Data Security

How does data security apply to data integrity?

Know the different types of data security

How data security is a fundamental part of data integrity

Data Security

21 CFR 11.10 (b)

• The ability to generate accurate and complete copies of records in both human readable and electronic form.

21 CFR 11.10 (c)

• Protection of records to enable their accurate and ready retrieval throughout the records retention period.

21 CFR 11.10 (d)

• Limiting system access to authorized individuals.

Data Security

21 CFR 11.10 (g)

• Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

21 CFR 11.10 (h)

• Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.

Data Security – How do you implement data integrity controls?

Generate

Modify

Review / Approve

Use

Retain / Retrieve

Destroy

Specify

Design

Configure

Verify

Validation

Data Integrity Issues – Security

Chromatography Data Acquisition System

• User roles tested during initial validation

• Current user roles do not reflect validated system

• No change control for user role changes

• Additional role added that was not included in original validation; no change control

• No User Requirements Specification

• No process to authorize users or disable accounts for terminated users.

• User accounts for personnel no longer employed still active

Electronic Records/Electronic Signatures

• Subpart A: General Provisions

• Subpart B: Electronic Records

– Closed systems

– Open systems

– Signature manifestations

– Signature/record linking

• Subpart C: Electronic Signatures

– Electronic signature components and controls

– Controls for identification codes/passwords

Electronic Records/Electronic Signatures

21 CFR 11.10 (a)

• Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

Electronic Record

Create

Modify

Archive Retrieve

Distribute

OR

Electronic Recordkeeping System

Maintain

When do you apply E-Records / E-Signatures?

User Requirements Specification

Identify intended use

Specify, Design, Implement System

System Specifications

Manual Process > Automate

Laboratory Reporting

Setup Test

Analyze Sample

Collect Data

Analyze Data

Report Data

Test Plans / Scripts

Test/Verify that the System Meets Specifications

Electronic Signatures

Electronic Signatures

• Non-Biometric

• Digital

• Biometric

Handwritten Signatures

• Applied to paper

• Applied to electronic media

Signatures

Typical Criteria for Compliant E-sigs

• Password length

• Strong passwords

• Password aging

• Lock account after X invalid attempts

• Date and time stamp controls

• Validated Electronic Recordkeeping System

• Authorized users

• Certifications

Electronic Signature Controls

Printed Name, Date, Time, Meaning

Record / Signature Linking

User ID / Password Controls

Unique

Written Policies

Verification of Identity

Certification Letter

Individual Certification

Procedural

Technical

Are scanned images valid?

Signatures

Adobe Digital/Electronic Signatures

• Claims 21 CFR Part 11 Compliance: http://www.adobe.com/support/techdocs/323231.html

• “Adobe Acrobat 4.0 and later includes digital signature functionality, which is provided by an Adobe-supplied signature framework and signing method plug-ins from Adobe and third-party vendors.”

Considerations when using Adobe

• User ability to create own electronic signature

– No certification

– No verification of identity

Considerations when using Adobe

Four Options

Considerations when using Adobe

• Date/time stamp controls

• Procedure

– Password aging

– Password length

– Strong passwords

– Locking records

• Authorization

Summary

Reviewed the Data Integrity Lifecycle

Discussed Data Security Requirements

Electronic Record/Electronic Signatures (ER/ES)

Discussed Controls for Electronic Data

Questions

Chris Wubbolt

QACV Consulting, LLC

Telephone: 610-442-2250

E-mail: [email protected]