
ISPE GAMP® Guide: Records and Data Integrity

Published: March 2017

Pages: 152

The ISPE GAMP® Guide: Records and Data Integrity provides principles and practical guidance on meeting current expectations for the management of GxP regulated records and data, ensuring that they are complete, consistent, secure, accurate, and available throughout their life cycle.

This Guide is intended as a stand-alone ISPE GAMP® Guide aligned with the ISPE GAMP® 5: A Risk-Based Approach to Compliant GxP Computerized Systems. It has been designed so that it may be used in parallel with guidance provided in ISPE GAMP® 5 and other ISPE GAMP® Good Practice Guides. Although the scope of this document is wider, it replaces the previous ISPE GAMP® Good Practice Guide: A Risk-Based Approach to Compliant Electronic Records and Signatures.

This Guide has been developed by ISPE's GAMP® Community of Practice (CoP), a world-wide community of practitioners and subject matter experts who have been developing internationally accepted guidance on risk-based approaches to safeguard patient safety, product quality, and data integrity for more than twenty-five years.

This Guide has been produced with significant input and review from regulators worldwide, including key specialists who work in this area from leading regulatory authorities such as MHRA and WHO.

The Guide is intended to be a complete and comprehensive single point of reference covering the requirements, expectations, and principles of pharmaceutical data integrity. Topics covered include regulatory focus areas, the data governance framework, the data life cycle, culture and human factors, and the application of Quality Risk Management (QRM) to data integrity. As such, it is of great interest to anyone with a responsibility for ensuring data integrity, including:

  • Executives and managers
  • Process and data owners and data stewards
  • Technical system owners
  • System developers, maintainers, and users
  • Quality Assurance and Quality Control
  • Clinical, manufacturing, and laboratory personnel
  • Validation and compliance specialists
  • Suppliers of systems and services
  • IT and engineering professionals

Readers will gain an invaluable insight into the pressing hot topic of pharmaceutical data integrity, an in-depth understanding of the key requirements and principles, and an awareness of practical approaches and techniques to effectively address data integrity challenges. The Guide will help regulated companies and their suppliers to achieve the high level of data integrity expected by regulatory authorities worldwide.

Key benefits of the ISPE GAMP® Guide: Records and Data Integrity:

  1. Data integrity requirements, critical areas of regulatory focus and concern, and key concepts
  2. Framework for data governance and the importance of human factors
  3. Complete data life cycle approach as part of a Quality Management System (QMS), from creation to destruction
  4. Further information on how to apply the Quality Risk Management (QRM) approach from ISPE GAMP® 5 to record and data integrity
  5. More detailed information, including “how to” guidance for specific topics, in a series of management, development, and operation appendices

Below is a detailed comparison of the content of the ISPE GAMP Good Practice Guide: A Risk-Based Approach to Compliant Electronic Records and Signatures with that of the new replacement guide, ISPE GAMP Guide: Records and Data Integrity:

 

| Electronic Records and Signatures Good Practice Guide Section/Topics | Records and Data Integrity GAMP Guide Mapping |
|---|---|
| 1 Introduction: Overview; Purpose; Scope; Benefits; Objectives; Structure of this Guide; Key Concepts; Current Regulatory Situation | Section 1 Introduction: Background; Purpose; Scope; Structure of this Guide; Key Concepts; Regulatory Focus |
| 2 Risk Management Process: Overview; Process Steps; Points to Consider | Section 5 Quality Risk Management: Introduction; Process Risk Assessment; Quality Risk Management Approach; Product and Process Context |
| 3 Applying the Risk Management Process: Corporate level Activities; Applying the process to New/Existing Systems; Previously assessed Systems | Section 5 Quality Risk Management; Appendix M1: Corporate Data Integrity Program |
| 4 Controls: Electronic Record Controls; Electronic Signature Controls; Hybrid Records; User/Supplier Responsibilities; Technical and procedural controls and requirements | Section 5 Quality Risk Management; Appendix D3: Risk Control Measures for Records, Data, and Electronic Signatures; Appendix O2: Paper Records and Hybrid Situations; Appendix D1: User Requirements |
| Appendix 1 – Validation | Validation of GxP Computerized Systems is covered in GAMP 5. The need for validation of systems for intended use related to Data Integrity is covered in RDI Section 2 Regulatory Focus. |
| Appendix 2 – Audit Trail and Data Security | Appendix M4: Data Audit Trail and Audit Trail Review; Appendix D1: User Requirements; Appendix D3: Risk Control Measures for Records, Data, and Electronic Signatures |
| Appendix 3 – Record Retention, Archiving, and Migration | Appendix O1: Retention, Archiving, and Migration |
| Appendix 4 – Copies of Records | Section 4 Data Life Cycle; Appendix M6: Inspection Readiness |
| Appendix 5 – 21 CFR Part 11 Legacy Systems | Appendix M1: Corporate Data Integrity Program |
| Appendix 6 – Examples of Records and Signatures Required by GxP Regulations | Excerpts of regulations no longer included in Guidance. Refer to primary regulatory sources. |
| Appendix 7 – Case Studies | Case study information to be published separately or as input to proposed future Guidance and Practical Approaches to Records and Data Integrity document |
| Appendix 8 – Copy of GAMP 4, Appendix M3 Guideline for Risk Assessment | Section 5 Quality Risk Management |
| Appendix 9 – Example Template Form for Risk Assessment and Identification of Controls | Appendix D3: Risk Control Measures for Records, Data, and Electronic Signatures [Guide does not include template forms]. |
| Appendix 10 – Form for Previously Assessed 21 CFR Part 11 Systems | Appendix M1: Corporate Data Integrity Program [Guide does not include template forms]. |
| Appendix 11 – Current Regulatory Situation | Section 2 Regulatory Focus. |
| Appendix 12 – Glossary | Glossary |
| Appendix 13 – References | References |

  • 1 Introduction
  • 1.1 Background
  • 1.2 Purpose
  • 1.3 Scope
  • 1.4 Structure of this Guide
  • 1.5 Key Concepts
  • 1.5.1 Risk Management Approach
  • 1.5.2 Data Governance
  • 1.5.3 Data Life Cycle
  • 1.5.4 Key Concepts Summarized by ALCOA and ALCOA+
  • 1.5.5 Critical Thinking
  • 1.5.6 GxP Computerized System Life Cycle
  • 1.5.7 Summary of the Key Concepts
  • 1.6 Key Terms
  • 2 Regulatory Focus
  • 2.1 Introduction
  • 2.2 Data Integrity Requirements
  • 2.2.1 Behavioral Steps
  • 2.2.2 Procedural Steps
  • 2.2.3 Technical Steps
  • 3 Data Governance Framework
  • 3.1 Introduction
  • 3.2 Overview
  • 3.3 Elements of the Data Governance Framework
  • 3.3.1 Scope and Objectives
  • 3.3.2 Leadership and Management Responsibility
  • 3.3.3 Organization and Data Ownership
  • 3.3.4 Key Performance Indicators
  • 3.3.5 Roles and Responsibilities
  • 3.3.6 Policies and Standards
  • 3.3.7 Awareness and Training
  • 3.3.8 Technology and Tools
  • 3.3.9 Strategic Planning and Data Integrity Program
  • 3.3.10 Data Life Cycle and Data Management
  • 3.4 Human Factors in Data Integrity
  • 3.5 Data Integrity Maturity Model
  • 4 Data Life Cycle
  • 4.1 Introduction
  • 4.2 Data Creation
  • 4.3 Data Processing
  • 4.4 Data Review Reporting and Use
  • 4.4.1 Data Review
  • 4.4.2 Audit Trail Review
  • 4.4.3 Data Reporting
  • 4.4.4 Data Distribution
  • 4.5 Data Retention and Retrieval
  • 4.5.1 General Requirements
  • 4.5.2 Backup and Restore
  • 4.5.3 Archiving
  • 4.6 Data Destruction
  • 5 Quality Risk Management
  • 5.1 Introduction
  • 5.2 Process Risk Assessment
  • 5.3 Quality Risk Management Approach
  • 5.4 Product and Process Context
  • Management Appendices
  • 6 Appendix M1 – Corporate Data Integrity Program
  • 6.1 Introduction
  • 6.2 Is a Corporate Data Integrity Program Required?
  • 6.3 Indicators of Program Scope and Effort
  • 6.3.1 Self-Assessment
  • 6.3.2 Regulatory Inspection
  • 6.3.3 Effort and Resources
  • 6.4 Implementation Considerations
  • 6.4.1 Sponsor
  • 6.4.2 Management Accountability
  • 6.4.3 Knowledge Sharing and Training
  • 6.4.4 Behavioral Factors
  • 6.5 Keys to Success
  • 6.5.1 Technology Controls
  • 6.5.2 Periodic Reviews
  • 7 Appendix M2 – Data Integrity Maturity Model
  • 7.1 Maturity Model
  • 7.2 Data Integrity Maturity Level Characterization
  • 8 Appendix M3 – Human Factors
  • 8.1 Introduction
  • 8.2 Corporate and Local Cultures
  • 8.2.1 Corporate Culture
  • 8.2.2 Local Geographic Culture
  • 8.2.3 Cultural Differences
  • 8.3 Classification of Incidents
  • 8.4 Human Error
  • 8.5 Data Falsification and Fraud
  • 8.5.1 Falsification for Profit
  • 8.5.2 Reducing Fraud
  • 8.6 Impartiality
  • 8.7 Behavioral Controls
  • 8.7.1 Understanding Effective Controls
  • 8.7.2 Corporate Data Integrity Training Program
  • 8.7.3 Improvisation
  • 9 Appendix M4 – Data Audit Trail and Audit Trail Review
  • 9.1 Introduction
  • 9.2 Regulatory Background
  • 9.3 Application and Use of Audit Trails
  • 9.4 Audit Trail Review
  • 9.5 Technical Aspects and System Design
  • 10 Appendix M5 – Data Auditing and Periodic Review
  • 10.1 Introduction
  • 10.2 Auditing for Data Integrity
  • 10.3 Periodic Review
  • 10.4 Other Reviews
  • 10.5 Documenting Review Processes
  • 11 Appendix M6 – Inspection Readiness
  • 11.1 General Procedures
  • 11.1.1 Special Requests
  • 11.1.2 Legal
  • 11.1.3 Access to Computer Systems
  • 11.2 Key Information for Regulatory Inspections
  • 11.2.1 Process Owners and System Owners
  • 11.2.2 Process Owners
  • 11.2.3 System Owners
  • 11.2.4 Monitoring
  • 11.2.5 Personnel Preparedness, Training Records, and Procedures
  • 11.2.6 Internal Data Integrity Investigations
  • 12 Appendix M7 – Integrating Data Integrity into Existing Records Management Processes
  • 12.1 Introduction
  • 12.2 Record Creation
  • 12.3 Active Records
  • 12.4 Semi-active Records
  • 12.5 Inactive Records
  • 12.5.1 Destruction
  • Development Appendices
  • 13 Appendix D1 – User Requirements
  • 13.1 Introduction
  • 13.2 Business Process
  • 13.3 General Data Integrity Requirements
  • 13.3.1 Technical Requirements
  • 13.3.2 Procedural Requirements
  • 14 Appendix D2 – Process Mapping and Interfaces
  • 14.1 Introduction
  • 14.2 Process Flowcharts
  • 14.3 Data Flow Diagrams
  • 14.4 How Much Is Needed?
  • 15 Appendix D3 – Risk Control Measures for Records, Data, and Electronic Signatures
  • 15.1 Introduction
  • 15.2 Record and Data Controls
  • 15.3 Electronic Signature Controls
  • 15.4 Implementation of Record and Data Controls
  • 15.5 Rigor of Controls
  • 16 Appendix D4 – Data Integrity Concerns Related to System Architecture
  • 16.1 Data Resides on a Local Hard Disk
  • 16.2 Internally Managed Central Database
  • 16.3 Internally Managed Distributed Data
  • 16.3.1 Locally Unique Data Accessible Globally
  • 16.3.2 Data Replicated Globally
  • 16.4 Outsourced Managed Services
  • 16.4.1 Internally Managed with Cloud Storage (Infrastructure as a Service (IaaS))
  • 16.4.2 Internally Managed Application with Cloud Based Platform
  • 16.4.3 Software as a Service (SaaS)
  • 17 Appendix D5 – Data Integrity for End-User Applications
  • 17.1 Introduction
  • 17.2 Data Integrity for Spreadsheets
  • 17.2.1 Spreadsheets that are Simple Documents
  • 17.2.2 Spreadsheets that are Templates
  • 17.2.3 Single Use Spreadsheets
  • 17.2.4 Spreadsheets as Databases
  • 17.3 Data Integrity for PC Databases
  • 17.3.1 User Developed and Managed Tools
  • 17.3.2 Centrally Managed PC Databases
  • 17.4 Data Integrity for Statistical Tools
  • Operation Appendices
  • 18 Appendix O1 – Retention, Archiving, and Migration
  • 18.1 Introduction
  • 18.2 Retention Options
  • 18.3 Protection of Records
  • 18.4 Record Aging and Risk
  • 18.5 Archival
  • 18.5.1 Backup
  • 18.6 Hybrid Situations and Archives
  • 18.7 Audit Trail Considerations
  • 18.8 Alternative Systems
  • 18.9 Converting Electronic to Alternative Format or Alternative Media Hybrids
  • 18.9.1 Considerations for Conversion
  • 18.9.2 Changing Repositories without Altering Format
  • 18.9.3 Risk Assessment for Conversion
  • 19 Appendix O2 – Paper Records and Hybrid Solutions
  • 19.1 Paper Records
  • 19.1.1 Introduction
  • 19.1.2 Overview
  • 19.1.3 Management
  • 19.1.4 Use
  • 19.2 Hybrid Situations
  • 19.2.1 Introduction
  • 19.2.2 Controls for Managing Hybrid Situations
  • 19.2.3 Practical Difficulties with Hybrid Situations
  • 19.3 Use of Forms to Enforce Procedures
  • General Appendices
  • 20 Appendix G1 – References
  • 21 Appendix G2 – Glossary
  • 21.1 Acronyms and Abbreviations
  • 21.2 Definitions
  • Chris Clark, TenTenTen Consulting, United Kingdom
  • Colin Jones, Conformity Limited, United Kingdom
  • Tony Margetts, Factorytalk Co., Ltd., Thailand
  • Mark Newton, Eli Lilly and Company, USA
  • Arthur “Randy” Perez, Novartis (retired), USA
  • Nigel Price (Co-Lead), QCDI Ltd., United Kingdom
  • Chris Reid, Integrity Solutions Ltd., United Kingdom
  • Mike Rutherford (Co-Lead), Eli Lilly and Company, USA
  • Lorrie Vuolo-Schuessler, GlaxoSmithKline, USA
  • Charlie Wakeham, Waters Australia Pty. Ltd., Australia
  • Christopher White, Alexion Pharmaceuticals, USA
  • Guy Wingate, GlaxoSmithKline, United Kingdom
  • Sion Wyn (Co-Lead), Conformity Limited, United Kingdom

The importance of data integrity is reflected in recent guidance, citations, and public comments of Regulators and Health Agencies. A number of companies have suffered serious regulatory and financial consequences as a result of unacceptable data integrity practices.

Patient safety is affected by the integrity of critical records, data, and decisions, as well as those aspects concerned with physical attributes of the product. That the phrase “patient safety, product quality, and data integrity” is commonly used in regulatory and industry guidance underlines this point.

The use of information technology and computerized systems in all aspects of life sciences continues to grow and has resulted in the generation of more data to support the development and manufacture of products. Key decisions and actions are routinely being made based on this data, and the integrity of the data, whether in electronic or paper form, is of paramount importance to the industry, the regulatory agencies, and ultimately the patient.

Industry will benefit from clear guidance on ensuring that the management of records and data forms an integral part of the Quality Management System, and is compliant with GxP requirements. This Guide intends to provide such guidance and is aligned with ISPE GAMP® 5: A Risk-Based Approach to Compliant GxP Computerized Systems.