Good practices for data management and data integrity in regulated GMP/GDP Environments (PIC/S)

3 PURPOSE

1.1 This document was written with the aim of:

1.1.1 Providing guidance for Inspectorates in the interpretation of GMP/GDP requirements in relation to good data management and the conduct of inspections. 

1.1.2 Providing consolidated, illustrative guidance on risk-based control strategies which enable the existing requirements for data to be valid, complete and reliable as described in PIC/S Guides for GMP2 and GDP3 to be implemented in the context of modern industry practices and globalised supply chains.

1.1.3 Facilitating the effective implementation of good data management elements into the routine planning and conduct of GMP/GDP inspections; to provide atool to harmonise GMP/GDP inspections and to ensure the quality of inspections with regards to data integrity expectations.

1.2 This guidance, together with Inspectorate resources such as aide memoire, should enable the inspector to make an optimal use of the inspection time and an optimal evaluation of data integrity elements during an inspection. 

1.3 Guidance herein should assist the Inspectorate in planning a risk-based inspection relating to good data management practices.

1.4 Good data management has always been considered an integral part of GMP/GDP. Hence, this guide is not intended to impose additional regulatory

burden upon regulated entities, rather it is intended to provide guidance on the interpretation of existing GMP/GDP requirements relating to current industry data management practices.   

1.5 The principles of data management and integrity apply equally to paperbased, computerised and hybrid systems and should not place any restraint upon the development or adoption of new concepts or technologies. In accordance with ICH Q10 principles, this guide should facilitate the adoption of innovative technologies through continual improvement. 

1.6 The term “Pharmaceutical Quality System” is predominantly used throughout this document to denote the quality management system used to manage and achieve quality objectives. While the term “Pharmaceutical Quality System” is used predominantly by GMP regulated entities, for the purposes of this guidance, it should be regarded as interchangeable with the term “Quality System” used by GDP regulated entities.

1.7 This guide is not mandatory or enforceable under law. It is not intended to be restrictive or to replace national legislation regarding data integrityrequirements for manufacturers and distributors of medicinal products and actives substances (i.e. active pharmaceutical ingredients). Data integrity deficiencies should be referenced to national legislation or relevant paragraphs of the PIC/S GMP or GDP guidance.

2 SCOPE

2.1 The guidance has been written to apply to on-site inspections of those sites performing manufacturing (GMP) and distribution (GDP) activities. The principles within this guide are applicable for all stages throughout the product lifecycle. The guide should be considered as a non-exhaustive list of areas to be considered during inspection. 

2.2 The guidance also applies to remote (desktop) inspections of sites performing manufacturing (GMP) and distribution (GDP) activities, although this will be limited to an assessment of data governance systems. On-site assessment is normally required for data verification and evidence of operational compliance with procedures.

2.3 Whilst this document has been written with the above scope, many principles regarding good data management practices described herein have applications for other areas of the regulated pharmaceutical and healthcare industry.

2.4 This guide is not intended to provide specific guidance for “for-cause” inspections following detection of significant data integrity vulnerabilities where forensic expertise may be required.

3 DATA GOVERNANCE SYSTEM 

3.1 What is data governance? 5.1.1 Data governance is the sum total of arrangements which provide assurance of data integrity. These arrangements ensure that data, irrespective of the process, format or technology in which it is generated, recorded, processed, retained, retrieved and used will ensure an attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, and available record throughout the data lifecycle. While there may be no legislative requirement to implement a ‘data governance system’, its establishment enables the manufacturer to define, prioritise and communicate their data integrity risk management activities in a coherent manner. Absence of a data governance system may indicate uncoordinated data integrity systems, with potential for gaps in control measures.

3.1.2 The data lifecycle refers to how data is generated, processed, reported, checked, used for decision-making, stored and finally discarded at the end of

the retention period. Data relating to a product or process may cross various boundaries within the lifecycle. This may include data transfer between paper-based and computerised systems, or between different organisational boundaries; both internal (e.g. between production, QC and QA) and external (e.g. between service providers or contract givers and acceptors).

3.2 Data governance systems

3.2.1 Data governance systems should be integral to the Pharmaceutical Quality System described in PIC/S GMP/GDP. It should address data ownership throughout the lifecycle, and consider the design, operation and monitoring of processes and systems in order to comply with the principles of data integrity, including control over intentional and unintentional changes to, and deletion of information. 

3.2.2 Data governance systems rely on the incorporation of suitably designed systems, the use of technologies and data security measures, combined with specific expertise to ensure that data management and integrity is effectively controlled. Regulated entities should take steps to ensure appropriate resources are available and applied in the design, development, operation and monitoring of the data governance systems, commensurate with the complexity of systems, operations, and data criticality and risk.

3.2.3 The data governance system should ensure controls over the data lifecycle which are commensurate with the principles of quality risk management.

These controls may be:

 Organisational

> procedures, e.g. instructions for completion of records and retention of completed records;

> training of staff and documented authorisation for data generation and approval;

> data governance system design, considering how data is generated, recorded, processed, retained and used, and risks or vulnerabilities are controlled effectively;

> routine (e.g. daily, batch- or activity-related) data verification; o periodic surveillance, e.g. self-inspection processes seek to verify the effectiveness of the data governance system; or

> the use of personnel with expertise in data management and integrity, including expertise in data security measures.

 Technical

> computerised system validation, qualification and control;

> automation; or

> the use of technologies that provide greater controls for data management and integrity

3.2.4 An effective data governance system will demonstrate Senior management’s understanding and commitment to effective data governance practices including the necessity for a combination of appropriate organisational culture and behaviours (section 6) and an understanding of data criticality, data risk and data lifecycle. There should also be evidence of communication of expectations to personnel at all levels within the organisation in a manner which ensures empowerment to report failures and opportunities for improvement. This reduces the incentive to falsify, alter or delete data. 

3.2.5 The organisation’s arrangements for data governance should be documented within their Pharmaceutical Quality System and regularly reviewed.