ISPE GAMP<sup>&#xae;</sup> RDI Good Practice Guide: Data Integrity &#x2013; Manufacturing Records cover image

ISPE GAMP® RDI Good Practice Guide: Data Integrity – Manufacturing Records

Published:May 2019

Pages:156

Manufacturing systems, with their link to the physical process, have an obvious impact on patient safety and product quality. Careful consideration of data integrity risks, alongside all other risk types, provides a more complete assessment of the GMP risks associated with the system. In addition, there has been an increase in recent years of data integrity citations relating to manufacturing data. This Guide addresses the expectations for data integrity in a GMP environment to aid companies in meeting regulatory requirements.

The ISPE GAMP® RDI Good Practice Guide: Data Integrity – Manufacturing Records provides practical and pragmatic advice on areas such as regulated records, data flows, and risk management approaches, with particular focus on process control systems, manufacturing execution systems, and the interfaces and relationship between them. Additionally, system-specific examples of topics such as segregation of duties and critical validation activities to support data integrity are discussed. Included are “quick wins” – suggestions that can create considerable improvement in the integrity of manufacturing system data with only modest resources.

This Guide is positioned under the ISPE GAMP® Guide: Records and Data Integrity and is aligned with ISPE GAMP® 5: A Risk-Based Approach to Compliant GxP Computerized Systems.

  • 1 Introduction
  • 1.1 Background
  • 1.2 Purpose
  • 1.3 Scope
  • 1.4 How to Use This Guide
  • 1.5 Terminology
  • 1.5.1 ANSI/ISA-95 Terminology
  • 1.5.2 Process Control System Terminology
  • 1.5.3 Manufacturing Execution System Terminology
  • 1.5.4 Batch Record Terminology
  • 1.5.5 Audit Trail Terminology
  • 2 Data and Records
  • 2.1 What is Special about Manufacturing Systems?
  • 2.2 What is Regulated Data?
  • 3 Data Flows and Data Lifecycle
  • 3.1 Mapping Data Flows
  • 3.2 Typical GMP Data Flows
  • 3.3 Data Lifecycle
  • 3.3.1 Data Lifecycle – Creation
  • 3.3.2 Data Lifecycle – Processing
  • 3.3.3 Data Lifecycle – Review, Reporting, and Use
  • 3.3.4 Data Lifecycle – Retention and Retrieval
  • 3.3.5 Data Lifecycle – Destruction
  • 4 Risk Management Approaches
  • 4.1 Initial Data Integrity Risk Assessment and Identifying the Impact of Poor Data Integrity Controls
  • 4.2 Identifying Data Flows with Impact on Patient Safety, Product Quality, and Data Integrity
  • 4.3 Performing Functional Risk Assessments and Identifying Controls
  • 4.4 Implement and Verify Appropriate Controls
  • 4.5 Reviewing Residual Risks and Monitoring Controls
  • 5 Detecting Data Integrity Issues
  • 5.1 Data Review Requirements
  • 5.1.1 Define the Process for Data Review in a Procedure
  • 5.1.2 Types of Data to Review
  • 5.1.3 Personnel Factors to Consider in Data Review
  • 5.2 Critical Thinking
  • 5.2.1 Auditing to Detect “Here is Something Suspicious”
  • 5.2.2 Metrics for Data Integrity Issues
  • 6 Preventing Data Integrity Issues
  • 6.1 Data Integrity Culture
  • 6.2 Supplier Management Considerations
  • 6.2.1 General Supplier Management Considerations
  • 6.2.2 Supplier Assessment Considerations
  • 6.2.3 Specific Considerations for Cloud Interfaces
  • 6.2.4 Specific Considerations for System Updates and Data Migration
  • 6.3 Essential Technical Features
  • 6.4 Policies and Procedures
  • 6.5 Access Considerations
  • 6.5.1 Logical Security
  • 6.5.2 Physical Security
  • 6.5.3 Segregation of Duties
  • 6.6 Critical Validation Activities
  • 7 Quick Wins
  • 7.1 Quick Wins for Existing Systems
  • 7.1.1 Quick Wins – Quality of Input Data
  • 7.1.2 Quick Wins – Security and Access
  • 7.1.3 Analytics for Identifying Data Integrity Weaknesses
  • 7.1.4 Quick Wins – Quality of Outputs
  • 7.1.5 Quick Wins – Critical Thinking
  • 7.2 Quick Wins for New Projects
  • 7.2.1 Quick Wins – Working with Suppliers
  • 7.2.2 Quick Wins – Planning for New Systems and Projects
  • 7.3 Quick Wins for Governance
  • 8 Appendix 1 – Process Control System Risk Assessment Example
  • 9 Appendix 2 – Risks to Data Integrity Associated with Specific Data Types
  • 9.1 Automatically Captured Process Data
  • 9.2 Simple Calculated Values
  • 9.3 Manually Entered Process Data
  • 9.4 Process Data Originating in Another System
  • 9.5 Alarms and Events
  • 9.6 Exception Reports
  • 9.7 Images and Image Recognition
  • 9.8 Complex/Statistical Transformations
  • 9.9 Outputs Used Manually by the Operator
  • 9.10 Production Definition Management – Master Recipes
  • 9.11 Production Resource Management – Material Control
  • 9.12 Production Resource Management – Equipment Control
  • 9.13 Production Resource Management – Personnel Control
  • 9.14 Production Dispatching
  • 9.15 Production Execution – Control Recipes and Workflows
  • 9.16 Production Data Collection and Production Tracking
  • 9.17 Production Performance Analysis
  • 9.18 Manufacturing Production Record Review, Release, and Disposition
  • 9.18.1 Contents of the Production Record
  • 9.18.2 Review, Release, and Disposition
  • 10 Appendix 3 – Data Integrity Maturity Factors
  • 11 Appendix 4 – Essential Technical Features
  • 12 Appendix 5 – Policies and Procedures
  • 13 Appendix 6 – Example Segregation of Duties
  • 14 Appendix 7 – Validation Activities
  • 15 Appendix 8 – Data Integrity Citations by Regulators
  • 16 Appendix 9 – References
  • 17 Appendix 10 – Glossary
  • 17.1 Abbreviations and Acronyms
  • 17.2 Definitions
  • John Andrews, Andrews Consulting Enterprises, Ltd., United Kingdom
  • Karen Ashworth, Karen Ashworth Consulting, Ltd., United Kingdom
  • Reetu Chopra, Teva Pharmaceutical Industries, Ltd., United Kingdom
  • Kristina Dimitriadis, Werum IT Solutions GmbH, Germany
  • Brian Frederiksen, NNE, Denmark
  • Željko Granoša, Pliva Croatia, Ltd., Croatia
  • Paul Irving, Northern Life Sciences Ltd., United Kingdom
  • Hilary Mills-Baker, Emerson Automation Solutions, United Kingdom
  • Steve Murray, Werum IT Solutions, USA
  • Gregory Ruklic, Independent Consultant, USA
  • Catherine Smillie, Sharpe Solutions & Compliance Ltd., United Kingdom
  • David Stokes, Convalido Consulting Limited, United Kingdom
  • Rajesh Thempadiyil, Dr. Reddy’s Laboratories, Ltd., India
  • Anders Vidstrup, NNIT A/S, Denmark
  • Lorrie Vuolo-Schuessler (Co-Lead), GlaxoSmithKline, USA
  • Christian Wölbeling, Werum IT Solutions GmbH, Germany
  • Charlie Wakeham (Co-Lead), Waters Corporation, Australia

The importance of achieving and maintaining data integrity cannot be overstated, as data integrity is the essential foundation to safeguarding product quality and patient safety. There are new regulatory citations for data integrity violations nearly every month for pharmaceutical companies worldwide. The diversity and complexity of manufacturing data compounds the data integrity issue. Links between the physical process and electronic sensors, conducting certain activities using paper records as part of a hybrid system, and employing multiple suppliers and systems within the manufacturing process all contribute to the challenges of maintaining the integrity of manufacturing records.

Data integrity relies on:

  • Having the right technical controls for computerized systems used in support of the business process to prevent unauthorized changes to manufacturing data and to preserve the GMP content and meaning of that data as representative of the product quality
  • Creating a culture that promotes and preserves data integrity in support of patient safety and product quality
  • Implementing a review process for meaningful oversight of data regardless of the systems used

This Guide provides practical guidance for data integrity across the manufacturing business process for pharmaceutical companies at all levels of data integrity maturity. It is positioned under the ISPE GAMP® Guide: Records and Data Integrity and is aligned with the principles of ISPE GAMP® 5: A Risk-Based Approach to Compliant GxP Computerized Systems.